npm - @strapi/admin - Versions diffs - 4.4.0-beta.3 → 4.4.0-rc.0 - Mend

@strapi/admin 4.4.0-beta.3 → 4.4.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

package/server/content-types/api-token-permission.js ADDED Viewed

@@ -0,0 +1,36 @@
+'use strict';
+module.exports = {
+  collectionName: 'strapi_api_token_permissions',
+  info: {
+    name: 'API Token Permission',
+    description: '',
+    singularName: 'api-token-permission',
+    pluralName: 'api-token-permissions',
+    displayName: 'API Token Permission',
+  },
+  options: {},
+  pluginOptions: {
+    'content-manager': {
+      visible: false,
+    },
+    'content-type-builder': {
+      visible: false,
+    },
+  },
+  attributes: {
+    action: {
+      type: 'string',
+      minLength: 1,
+      configurable: false,
+      required: true,
+    },
+    token: {
+      configurable: false,
+      type: 'relation',
+      relation: 'manyToOne',
+      inversedBy: 'permissions',
+      target: 'admin::api-token',
+    },
+  },
+};

package/server/content-types/api-token.js CHANGED Viewed

@@ -26,6 +26,7 @@ module.exports = {
       minLength: 1,
       configurable: false,
       required: true,
+      unique: true,
     },
     description: {
       type: 'string',
@@ -38,7 +39,7 @@ module.exports = {
       type: 'enumeration',
       enum: Object.values(constants.API_TOKEN_TYPE),
       configurable: false,
-      required: false,
+      required: true,
       default: constants.API_TOKEN_TYPE.READ_ONLY,
     },
     accessKey: {
@@ -47,5 +48,28 @@ module.exports = {
       configurable: false,
       required: true,
     },
+    lastUsedAt: {
+      type: 'datetime',
+      configurable: false,
+      required: false,
+    },
+    permissions: {
+      type: 'relation',
+      target: 'admin::api-token-permission',
+      relation: 'oneToMany',
+      mappedBy: 'token',
+      configurable: false,
+      required: false,
+    },
+    expiresAt: {
+      type: 'datetime',
+      configurable: false,
+      required: false,
+    },
+    lifespan: {
+      type: 'integer',
+      configurable: false,
+      required: false,
+    },
   },
 };

package/server/content-types/index.js CHANGED Viewed

@@ -5,4 +5,5 @@ module.exports = {
   user: { schema: require('./User') },
   role: { schema: require('./Role') },
   'api-token': { schema: require('./api-token') },
+  'api-token-permission': { schema: require('./api-token-permission') },
 };

package/server/controllers/api-token.js CHANGED Viewed

@@ -24,6 +24,8 @@ module.exports = {
       name: trim(body.name),
       description: trim(body.description),
       type: body.type,
+      permissions: body.permissions,
+      lifespan: body.lifespan,
     };
     await validateApiTokenCreationInput(attributes);
@@ -37,6 +39,21 @@ module.exports = {
     ctx.created({ data: apiToken });
   },
+  async regenerate(ctx) {
+    const { id } = ctx.params;
+    const apiTokenService = getService('api-token');
+    const apiTokenExists = await apiTokenService.getById(id);
+    if (!apiTokenExists) {
+      ctx.notFound('API Token not found');
+      return;
+    }
+    const accessToken = await apiTokenService.regenerate(id);
+    ctx.created({ data: accessToken });
+  },
   async list(ctx) {
     const apiTokenService = getService('api-token');
     const apiTokens = await apiTokenService.list();
@@ -59,7 +76,6 @@ module.exports = {
     if (!apiToken) {
       ctx.notFound('API Token not found');
       return;
     }
@@ -108,4 +124,11 @@ module.exports = {
     const apiToken = await apiTokenService.update(id, attributes);
     ctx.send({ data: apiToken });
   },
+  async getLayout(ctx) {
+    const apiTokenService = getService('api-token');
+    const layout = await apiTokenService.getApiTokenLayout();
+    ctx.send({ data: layout });
+  },
 };

package/server/controllers/content-api.js ADDED Viewed

@@ -0,0 +1,15 @@
+'use strict';
+module.exports = {
+  async getPermissions(ctx) {
+    const actionsMap = await strapi.contentAPI.permissions.getActionsMap();
+    ctx.send({ data: actionsMap });
+  },
+  async getRoutes(ctx) {
+    const routesMap = await strapi.contentAPI.getRoutesMap();
+    ctx.send({ data: routesMap });
+  },
+};

package/server/controllers/index.js CHANGED Viewed

@@ -9,4 +9,5 @@ module.exports = {
   role: require('./role'),
   user: require('./user'),
   webhooks: require('./webhooks'),
+  'content-api': require('./content-api'),
 };

package/server/routes/api-tokens.js CHANGED Viewed

@@ -56,4 +56,15 @@ module.exports = [
       ],
     },
   },
+  {
+    method: 'POST',
+    path: '/api-tokens/:id/regenerate',
+    handler: 'api-token.regenerate',
+    config: {
+      policies: [
+        'admin::isAuthenticatedAdmin',
+        { name: 'admin::hasPermissions', config: { actions: ['admin::api-tokens.regenerate'] } },
+      ],
+    },
+  },
 ];

package/server/routes/content-api.js ADDED Viewed

@@ -0,0 +1,20 @@
+'use strict';
+module.exports = [
+  {
+    method: 'GET',
+    path: '/content-api/permissions',
+    handler: 'content-api.getPermissions',
+    config: {
+      policies: ['admin::isAuthenticatedAdmin'],
+    },
+  },
+  {
+    method: 'GET',
+    path: '/content-api/routes',
+    handler: 'content-api.getRoutes',
+    config: {
+      policies: ['admin::isAuthenticatedAdmin'],
+    },
+  },
+];

package/server/routes/index.js CHANGED Viewed

@@ -7,6 +7,7 @@ const users = require('./users');
 const roles = require('./roles');
 const webhooks = require('./webhooks');
 const apiTokens = require('./api-tokens');
+const contentApi = require('./content-api');
 module.exports = [
   ...admin,
@@ -16,4 +17,5 @@ module.exports = [
   ...roles,
   ...webhooks,
   ...apiTokens,
+  ...contentApi,
 ];

package/server/services/api-token.js CHANGED Viewed

@@ -1,9 +1,13 @@
 'use strict';
 const crypto = require('crypto');
+const { isNil } = require('lodash/fp');
+const { omit, difference, isEmpty, map, isArray, uniq } = require('lodash/fp');
+const { ValidationError, NotFoundError } = require('@strapi/utils').errors;
+const constants = require('./constants');
 /**
- * @typedef {'read-only'|'full-access'} TokenType
+ * @typedef {'read-only'|'full-access'|'custom'} TokenType
  */
 /**
@@ -11,20 +15,135 @@ const crypto = require('crypto');
  *
  * @property {number|string} id
  * @property {string} name
- * @property {string} [description]
+ * @property {string} description
  * @property {string} accessKey
+ * @property {number} lastUsedAt
+ * @property {number} lifespan
+ * @property {number} expiresAt
  * @property {TokenType} type
+ * @property {(number|ApiTokenPermission)[]} permissions
  */
+/**
+ * @typedef ApiTokenPermission
+ *
+ * @property {number|string} id
+ * @property {string} action
+ * @property {ApiToken|number} token
+ */
+/** @constant {Array<string>} */
+const SELECT_FIELDS = [
+  'id',
+  'name',
+  'description',
+  'lastUsedAt',
+  'type',
+  'lifespan',
+  'expiresAt',
+  'createdAt',
+  'updatedAt',
+];
 /** @constant {Array<string>} */
-const SELECT_FIELDS = ['id', 'name', 'description', 'type', 'createdAt'];
+const POPULATE_FIELDS = ['permissions'];
+// TODO: we need to ensure the permissions are actually valid registered permissions!
+/**
+ * Assert that a token's permissions attribute is valid for its type
+ *
+ * @param {ApiToken} token
+ */
+const assertCustomTokenPermissionsValidity = (attributes) => {
+  // Ensure non-custom tokens doesn't have permissions
+  if (attributes.type !== constants.API_TOKEN_TYPE.CUSTOM && !isEmpty(attributes.permissions)) {
+    throw new ValidationError('Non-custom tokens should not reference permissions');
+  }
+  // Custom type tokens should always have permissions attached to them
+  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM && !isArray(attributes.permissions)) {
+    throw new ValidationError('Missing permissions attribute for custom token');
+  }
+  // Permissions provided for a custom type token should be valid/registered permissions UID
+  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {
+    const validPermissions = strapi.contentAPI.permissions.providers.action.keys();
+    const invalidPermissions = difference(attributes.permissions, validPermissions);
+    if (!isEmpty(invalidPermissions)) {
+      throw new ValidationError(`Unknown permissions provided: ${invalidPermissions.join(', ')}`);
+    }
+  }
+};
+/**
+ * Assert that a token's permissions attribute is valid for its type
+ *
+ * @param {ApiToken} token
+ */
+const assertValidLifespan = ({ lifespan }) => {
+  if (isNil(lifespan)) {
+    return;
+  }
+  if (!Object.values(constants.API_TOKEN_LIFESPANS).includes(lifespan)) {
+    throw new ValidationError(
+      `lifespan must be one of the following values:
+      ${Object.values(constants.API_TOKEN_LIFESPANS).join(', ')}`
+    );
+  }
+};
+/**
+ * Flatten a token's database permissions objects to an array of strings
+ *
+ * @param {ApiToken} token
+ *
+ * @returns {ApiToken}
+ */
+const flattenTokenPermissions = (token) => {
+  if (!token) return token;
+  return {
+    ...token,
+    permissions: isArray(token.permissions) ? map('action', token.permissions) : token.permissions,
+  };
+};
 /**
+ *  Get a token
+ *
  * @param {Object} whereParams
- * @param {string|number} [whereParams.id]
- * @param {string} [whereParams.name]
- * @param {string} [whereParams.description]
- * @param {string} [whereParams.accessKey]
+ * @param {string|number} whereParams.id
+ * @param {string} whereParams.name
+ * @param {number} whereParams.lastUsedAt
+ * @param {string} whereParams.description
+ * @param {string} whereParams.accessKey
+ *
+ * @returns {Promise<Omit<ApiToken, 'accessKey'> | null>}
+ */
+const getBy = async (whereParams = {}) => {
+  if (Object.keys(whereParams).length === 0) {
+    return null;
+  }
+  const token = await strapi
+    .query('admin::api-token')
+    .findOne({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: whereParams });
+  if (!token) return token;
+  return flattenTokenPermissions(token);
+};
+/**
+ * Check if token exists
+ *
+ * @param {Object} whereParams
+ * @param {string|number} whereParams.id
+ * @param {string} whereParams.name
+ * @param {number} whereParams.lastUsedAt
+ * @param {string} whereParams.description
+ * @param {string} whereParams.accessKey
  *
  * @returns {Promise<boolean>}
  */
@@ -35,6 +154,8 @@ const exists = async (whereParams = {}) => {
 };
 /**
+ * Return a secure sha512 hash of an accessKey
+ *
  * @param {string} accessKey
  *
  * @returns {string}
@@ -47,24 +168,103 @@ const hash = (accessKey) => {
 };
 /**
+ * @param {number} lifespan
+ *
+ * @returns { { lifespan: null | number, expiresAt: null | number } }
+ */
+const getExpirationFields = (lifespan) => {
+  // it must be nil or a finite number >= 0
+  const isValidNumber = Number.isFinite(lifespan) && lifespan > 0;
+  if (!isValidNumber && !isNil(lifespan)) {
+    throw new ValidationError('lifespan must be a positive number or null');
+  }
+  return {
+    lifespan: lifespan || null,
+    expiresAt: lifespan ? Date.now() + lifespan : null,
+  };
+};
+/**
+ * Create a token and its permissions
+ *
  * @param {Object} attributes
  * @param {TokenType} attributes.type
  * @param {string} attributes.name
- * @param {string} [attributes.description]
+ * @param {number} attributes.lifespan
+ * @param {string[]} attributes.permissions
+ * @param {string} attributes.description
  *
  * @returns {Promise<ApiToken>}
  */
 const create = async (attributes) => {
   const accessKey = crypto.randomBytes(128).toString('hex');
+  assertCustomTokenPermissionsValidity(attributes);
+  assertValidLifespan(attributes);
+  // Create the token
   const apiToken = await strapi.query('admin::api-token').create({
     select: SELECT_FIELDS,
+    populate: POPULATE_FIELDS,
     data: {
-      ...attributes,
+      ...omit('permissions', attributes),
       accessKey: hash(accessKey),
+      ...getExpirationFields(attributes.lifespan),
     },
   });
+  const result = { ...apiToken, accessKey };
+  // If this is a custom type token, create and the related permissions
+  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {
+    // TODO: createMany doesn't seem to create relation properly, implement a better way rather than a ton of queries
+    // const permissionsCount = await strapi.query('admin::api-token-permission').createMany({
+    //   populate: POPULATE_FIELDS,
+    //   data: attributes.permissions.map(action => ({ action, token: apiToken })),
+    // });
+    await Promise.all(
+      uniq(attributes.permissions).map((action) =>
+        strapi.query('admin::api-token-permission').create({
+          data: { action, token: apiToken },
+        })
+      )
+    );
+    const currentPermissions = await strapi.entityService.load(
+      'admin::api-token',
+      apiToken,
+      'permissions'
+    );
+    if (currentPermissions) {
+      Object.assign(result, { permissions: map('action', currentPermissions) });
+    }
+  }
+  return result;
+};
+/**
+ * @param {string|number} id
+ *
+ * @returns {Promise<ApiToken>}
+ */
+const regenerate = async (id) => {
+  const accessKey = crypto.randomBytes(128).toString('hex');
+  const apiToken = await strapi.query('admin::api-token').update({
+    select: ['id', 'accessKey'],
+    where: { id },
+    data: {
+      accessKey: hash(accessKey),
+    },
+  });
+  if (!apiToken) {
+    throw new NotFoundError('The provided token id does not exist');
+  }
   return {
     ...apiToken,
     accessKey,
@@ -92,25 +292,37 @@ For security reasons, prefer storing the secret in an environment variable and r
 };
 /**
+ * Return a list of all tokens and their permissions
+ *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
  */
 const list = async () => {
-  return strapi.query('admin::api-token').findMany({
+  const tokens = await strapi.query('admin::api-token').findMany({
     select: SELECT_FIELDS,
+    populate: POPULATE_FIELDS,
     orderBy: { name: 'ASC' },
   });
+  if (!tokens) return tokens;
+  return tokens.map((token) => flattenTokenPermissions(token));
 };
 /**
+ * Revoke (delete) a token
+ *
  * @param {string|number} id
  *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
  */
 const revoke = async (id) => {
-  return strapi.query('admin::api-token').delete({ select: SELECT_FIELDS, where: { id } });
+  return strapi
+    .query('admin::api-token')
+    .delete({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: { id } });
 };
 /**
+ * Retrieve a token by id
+ *
  * @param {string|number} id
  *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
@@ -120,6 +332,8 @@ const getById = async (id) => {
 };
 /**
+ * Retrieve a token by name
+ *
  * @param {string} name
  *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
@@ -129,39 +343,106 @@ const getByName = async (name) => {
 };
 /**
+ * Update a token and its permissions
+ *
  * @param {string|number} id
  * @param {Object} attributes
  * @param {TokenType} attributes.type
  * @param {string} attributes.name
- * @param {string} [attributes.description]
+ * @param {number} attributes.lastUsedAt
+ * @param {string[]} attributes.permissions
+ * @param {string} attributes.description
  *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
  */
 const update = async (id, attributes) => {
-  return strapi
-    .query('admin::api-token')
-    .update({ where: { id }, data: attributes, select: SELECT_FIELDS });
-};
+  // retrieve token without permissions
+  const originalToken = await strapi.query('admin::api-token').findOne({ where: { id } });
-/**
- * @param {Object} whereParams
- * @param {string|number} [whereParams.id]
- * @param {string} [whereParams.name]
- * @param {string} [whereParams.description]
- * @param {string} [whereParams.accessKey]
- *
- * @returns {Promise<Omit<ApiToken, 'accessKey'> | null>}
- */
-const getBy = async (whereParams = {}) => {
-  if (Object.keys(whereParams).length === 0) {
-    return null;
+  if (!originalToken) {
+    throw new NotFoundError('Token not found');
   }
-  return strapi.query('admin::api-token').findOne({ select: SELECT_FIELDS, where: whereParams });
+  const changingTypeToCustom =
+    attributes.type === constants.API_TOKEN_TYPE.CUSTOM &&
+    originalToken.type !== constants.API_TOKEN_TYPE.CUSTOM;
+  // if we're updating the permissions on any token type, or changing from non-custom to custom, ensure they're still valid
+  // if neither type nor permissions are changing, we don't need to validate again or else we can't allow partial update
+  if (attributes.permissions || changingTypeToCustom) {
+    assertCustomTokenPermissionsValidity({
+      ...originalToken,
+      ...attributes,
+      type: attributes.type || originalToken.type,
+    });
+  }
+  assertValidLifespan(attributes);
+  const updatedToken = await strapi.query('admin::api-token').update({
+    select: SELECT_FIELDS,
+    populate: POPULATE_FIELDS,
+    where: { id },
+    data: omit('permissions', attributes),
+  });
+  // custom tokens need to have their permissions updated as well
+  if (updatedToken.type === constants.API_TOKEN_TYPE.CUSTOM && attributes.permissions) {
+    const currentPermissionsResult = await strapi.entityService.load(
+      'admin::api-token',
+      updatedToken,
+      'permissions'
+    );
+    const currentPermissions = map('action', currentPermissionsResult || []);
+    const newPermissions = uniq(attributes.permissions);
+    const actionsToDelete = difference(currentPermissions, newPermissions);
+    const actionsToAdd = difference(newPermissions, currentPermissions);
+    // TODO: improve efficiency here
+    // method using a loop -- works but very inefficient
+    await Promise.all(
+      actionsToDelete.map((action) =>
+        strapi.query('admin::api-token-permission').delete({
+          where: { action, token: id },
+        })
+      )
+    );
+    // TODO: improve efficiency here
+    // using a loop -- works but very inefficient
+    await Promise.all(
+      actionsToAdd.map((action) =>
+        strapi.query('admin::api-token-permission').create({
+          data: { action, token: id },
+        })
+      )
+    );
+  }
+  // if type is not custom, make sure any old permissions get removed
+  else if (updatedToken.type !== constants.API_TOKEN_TYPE.CUSTOM) {
+    await strapi.query('admin::api-token-permission').delete({
+      where: { token: id },
+    });
+  }
+  // retrieve permissions
+  const permissionsFromDb = await strapi.entityService.load(
+    'admin::api-token',
+    updatedToken,
+    'permissions'
+  );
+  return {
+    ...updatedToken,
+    permissions: permissionsFromDb ? permissionsFromDb.map((p) => p.action) : undefined,
+  };
 };
 module.exports = {
   create,
+  regenerate,
   exists,
   checkSaltIsDefined,
   hash,

package/server/services/constants.js CHANGED Viewed

@@ -1,5 +1,7 @@
 'use strict';
+const DAY_IN_MS = 24 * 60 * 60 * 1000;
 module.exports = {
   CONTENT_TYPE_SECTION: 'contentTypes',
   SUPER_ADMIN_CODE: 'strapi-super-admin',
@@ -13,5 +15,13 @@ module.exports = {
   API_TOKEN_TYPE: {
     READ_ONLY: 'read-only',
     FULL_ACCESS: 'full-access',
+    CUSTOM: 'custom',
+  },
+  // The front-end only displays these values
+  API_TOKEN_LIFESPANS: {
+    UNLIMITED: null,
+    DAYS_7: 7 * DAY_IN_MS,
+    DAYS_30: 30 * DAY_IN_MS,
+    DAYS_90: 90 * DAY_IN_MS,
   },
 };