npm - @strapi/admin - Versions diffs - 4.6.2 → 4.7.0-exp.3d6a31eb083e9d44afcf98f68c107fb7567e5720 - Mend

@strapi/admin 4.6.2 → 4.7.0-exp.3d6a31eb083e9d44afcf98f68c107fb7567e5720

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

package/server/services/transfer/token.js ADDED Viewed

@@ -0,0 +1,409 @@
+'use strict';
+const { map, isArray, omit, uniq, isNil, difference, isEmpty } = require('lodash/fp');
+const crypto = require('crypto');
+const {
+  errors: { ValidationError, NotFoundError },
+} = require('@strapi/utils');
+const constants = require('../constants');
+const TRANSFER_TOKEN_UID = 'admin::transfer-token';
+const TRANSFER_TOKEN_PERMISSION_UID = 'admin::transfer-token-permission';
+/**
+ * @typedef TransferToken
+ *
+ * @property {number|string} id
+ * @property {string} name
+ * @property {string} description
+ * @property {string} accessKey
+ * @property {number} lastUsedAt
+ * @property {number} lifespan
+ * @property {number} expiresAt
+ * @property {(number[]|TransferTokenPermission[])} permissions
+ */
+/**
+ * @typedef TransferTokenPermission
+ *
+ * @property {number|string} id
+ * @property {string} action
+ * @property {TransferToken|number} token
+ */
+/** @constant {Array<string>} */
+const SELECT_FIELDS = [
+  'id',
+  'name',
+  'description',
+  'lastUsedAt',
+  'lifespan',
+  'expiresAt',
+  'createdAt',
+  'updatedAt',
+];
+/** @constant {Array<string>} */
+const POPULATE_FIELDS = ['permissions'];
+/**
+ * Return a list of all tokens and their permissions
+ *
+ * @returns {Promise<Omit<TransferToken, 'accessKey'>[]>}
+ */
+const list = async () => {
+  const tokens = await strapi.query(TRANSFER_TOKEN_UID).findMany({
+    select: SELECT_FIELDS,
+    populate: POPULATE_FIELDS,
+    orderBy: { name: 'ASC' },
+  });
+  if (!tokens) return tokens;
+  return tokens.map((token) => flattenTokenPermissions(token));
+};
+/**
+ * Create a token and its permissions
+ *
+ * @param {Object} attributes
+ * @param {string} attributes.name
+ * @param {string} attributes.description
+ * @param {number} attributes.lifespan
+ * @param {string[]} attributes.permissions
+ *
+ * @returns {Promise<TransferToken>}
+ */
+const create = async (attributes) => {
+  const accessKey = crypto.randomBytes(128).toString('hex');
+  assertTokenPermissionsValidity(attributes);
+  assertValidLifespan(attributes);
+  const result = await strapi.db.transaction(async () => {
+    const transferToken = await strapi.query(TRANSFER_TOKEN_UID).create({
+      select: SELECT_FIELDS,
+      populate: POPULATE_FIELDS,
+      data: {
+        ...omit('permissions', attributes),
+        accessKey: hash(accessKey),
+        ...getExpirationFields(attributes.lifespan),
+      },
+    });
+    await Promise.all(
+      uniq(attributes.permissions).map((action) =>
+        strapi
+          .query(TRANSFER_TOKEN_PERMISSION_UID)
+          .create({ data: { action, token: transferToken } })
+      )
+    );
+    const currentPermissions = await strapi.entityService.load(
+      TRANSFER_TOKEN_UID,
+      transferToken,
+      'permissions'
+    );
+    if (currentPermissions) {
+      Object.assign(transferToken, { permissions: map('action', currentPermissions) });
+    }
+    return transferToken;
+  });
+  return { ...result, accessKey };
+};
+/**
+ * Update a token and its permissions
+ *
+ * @param {string|number} id
+ * @param {Object} attributes
+ * @param {string} attributes.name
+ * @param {number} attributes.lastUsedAt
+ * @param {string[]} attributes.permissions
+ * @param {string} attributes.description
+ *
+ * @returns {Promise<Omit<TransferToken, 'accessKey'>>}
+ */
+const update = async (id, attributes) => {
+  // retrieve token without permissions
+  const originalToken = await strapi.query(TRANSFER_TOKEN_UID).findOne({ where: { id } });
+  if (!originalToken) {
+    throw new NotFoundError('Token not found');
+  }
+  assertTokenPermissionsValidity(attributes);
+  assertValidLifespan(attributes);
+  return strapi.db.transaction(async () => {
+    const updatedToken = await strapi.query(TRANSFER_TOKEN_UID).update({
+      select: SELECT_FIELDS,
+      where: { id },
+      data: {
+        ...omit('permissions', attributes),
+      },
+    });
+    const currentPermissionsResult = await strapi.entityService.load(
+      TRANSFER_TOKEN_UID,
+      updatedToken,
+      'permissions'
+    );
+    const currentPermissions = map('action', currentPermissionsResult || []);
+    const newPermissions = uniq(attributes.permissions);
+    const actionsToDelete = difference(currentPermissions, newPermissions);
+    const actionsToAdd = difference(newPermissions, currentPermissions);
+    // TODO: improve efficiency here
+    // method using a loop -- works but very inefficient
+    await Promise.all(
+      actionsToDelete.map((action) =>
+        strapi.query(TRANSFER_TOKEN_PERMISSION_UID).delete({
+          where: { action, token: id },
+        })
+      )
+    );
+    // TODO: improve efficiency here
+    // using a loop -- works but very inefficient
+    await Promise.all(
+      actionsToAdd.map((action) =>
+        strapi.query(TRANSFER_TOKEN_PERMISSION_UID).create({
+          data: { action, token: id },
+        })
+      )
+    );
+    // retrieve permissions
+    const permissionsFromDb = await strapi.entityService.load(
+      TRANSFER_TOKEN_UID,
+      updatedToken,
+      'permissions'
+    );
+    return {
+      ...updatedToken,
+      permissions: permissionsFromDb ? permissionsFromDb.map((p) => p.action) : undefined,
+    };
+  });
+};
+/**
+ * Revoke (delete) a token
+ *
+ * @param {string|number} id
+ *
+ * @returns {Promise<Omit<TransferToken, 'accessKey'>>}
+ */
+const revoke = async (id) => {
+  return strapi.db.transaction(async () =>
+    strapi
+      .query(TRANSFER_TOKEN_UID)
+      .delete({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: { id } })
+  );
+};
+/**
+ *  Get a token
+ *
+ * @param {Object} whereParams
+ * @param {string|number} whereParams.id
+ * @param {string} whereParams.name
+ * @param {number} whereParams.lastUsedAt
+ * @param {string} whereParams.description
+ * @param {string} whereParams.accessKey
+ *
+ * @returns {Promise<Omit<TransferToken, 'accessKey'> | null>}
+ */
+const getBy = async (whereParams = {}) => {
+  if (Object.keys(whereParams).length === 0) {
+    return null;
+  }
+  const token = await strapi
+    .query(TRANSFER_TOKEN_UID)
+    .findOne({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: whereParams });
+  if (!token) return token;
+  return flattenTokenPermissions(token);
+};
+/**
+ * Retrieve a token by id
+ *
+ * @param {string|number} id
+ *
+ * @returns {Promise<Omit<TransferToken, 'accessKey'>>}
+ */
+const getById = async (id) => {
+  return getBy({ id });
+};
+/**
+ * Retrieve a token by name
+ *
+ * @param {string} name
+ *
+ * ^@returns {Promise<Omit<TransferToken, 'accessKey'>>}
+ */
+const getByName = async (name) => {
+  return getBy({ name });
+};
+/**
+ * Check if token exists
+ *
+ * @param {Object} whereParams
+ * @param {string|number} whereParams.id
+ * @param {string} whereParams.name
+ * @param {number} whereParams.lastUsedAt
+ * @param {string} whereParams.description
+ * @param {string} whereParams.accessKey
+ *
+ * @returns {Promise<boolean>}
+ */
+const exists = async (whereParams = {}) => {
+  const transferToken = await getBy(whereParams);
+  return !!transferToken;
+};
+/**
+ * @param {string|number} id
+ *
+ * @returns {Promise<TransferToken>}
+ */
+const regenerate = async (id) => {
+  const accessKey = crypto.randomBytes(128).toString('hex');
+  const transferToken = await strapi.db.transaction(async () =>
+    strapi.query(TRANSFER_TOKEN_UID).update({
+      select: ['id', 'accessKey'],
+      where: { id },
+      data: {
+        accessKey: hash(accessKey),
+      },
+    })
+  );
+  if (!transferToken) {
+    throw new NotFoundError('The provided token id does not exist');
+  }
+  return {
+    ...transferToken,
+    accessKey,
+  };
+};
+/**
+ * @param {number} lifespan
+ *
+ * @returns { { lifespan: null | number, expiresAt: null | number } }
+ */
+const getExpirationFields = (lifespan) => {
+  // it must be nil or a finite number >= 0
+  const isValidNumber = Number.isFinite(lifespan) && lifespan > 0;
+  if (!isValidNumber && !isNil(lifespan)) {
+    throw new ValidationError('lifespan must be a positive number or null');
+  }
+  return {
+    lifespan: lifespan || null,
+    expiresAt: lifespan ? Date.now() + lifespan : null,
+  };
+};
+/**
+ * Return a secure sha512 hash of an accessKey
+ *
+ * @param {string} accessKey
+ *
+ * @returns {string}
+ */
+const hash = (accessKey) => {
+  return crypto
+    .createHmac('sha512', strapi.config.get('admin.transfer.token.salt'))
+    .update(accessKey)
+    .digest('hex');
+};
+/**
+ * @returns {void}
+ */
+const checkSaltIsDefined = () => {
+  if (!strapi.config.get('admin.transfer.token.salt')) {
+    throw new Error(
+      `Missing transfer.token.salt. Please set transfer.token.salt in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
+For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
+    );
+  }
+};
+/**
+ * Flatten a token's database permissions objects to an array of strings
+ *
+ * @param {TransferToken} token
+ *
+ * @returns {TransferToken}
+ */
+const flattenTokenPermissions = (token) => {
+  if (!token) return token;
+  return {
+    ...token,
+    permissions: isArray(token.permissions) ? map('action', token.permissions) : token.permissions,
+  };
+};
+/**
+ * Assert that a token's permissions are valid
+ *
+ * @param {TransferToken} token
+ */
+const assertTokenPermissionsValidity = (attributes) => {
+  const permissionService = strapi.admin.services.transfer.permission;
+  const validPermissions = permissionService.providers.action.keys();
+  const invalidPermissions = difference(attributes.permissions, validPermissions);
+  if (!isEmpty(invalidPermissions)) {
+    throw new ValidationError(`Unknown permissions provided: ${invalidPermissions.join(', ')}`);
+  }
+};
+/**
+ * Assert that a token's lifespan is valid
+ *
+ * @param {TransferToken} token
+ */
+const assertValidLifespan = ({ lifespan }) => {
+  if (isNil(lifespan)) {
+    return;
+  }
+  if (!Object.values(constants.TRANSFER_TOKEN_LIFESPANS).includes(lifespan)) {
+    throw new ValidationError(
+      `lifespan must be one of the following values:
+      ${Object.values(constants.TRANSFER_TOKEN_LIFESPANS).join(', ')}`
+    );
+  }
+};
+module.exports = {
+  create,
+  list,
+  exists,
+  getBy,
+  getById,
+  getByName,
+  update,
+  revoke,
+  regenerate,
+  hash,
+  checkSaltIsDefined,
+};

package/server/strategies/api-token.js CHANGED Viewed

@@ -24,7 +24,8 @@ const extractToken = (ctx) => {
 /**
  * Authenticate the validity of the token
  *
- *  @type {import('.').AuthenticateFunction} */
+ *  @type {import('.').AuthenticateFunction}
+ */
 const authenticate = async (ctx) => {
   const apiTokenService = getService('api-token');
   const token = extractToken(ctx);
@@ -72,7 +73,8 @@ const authenticate = async (ctx) => {
 /**
  * Verify the token has the required abilities for the requested scope
  *
- *  @type {import('.').VerifyFunction} */
+ *  @type {import('.').VerifyFunction}
+ */
 const verify = (auth, config) => {
   const { credentials: apiToken, ability } = auth;

package/server/strategies/data-transfer.js ADDED Viewed

@@ -0,0 +1,107 @@
+'use strict';
+const { UnauthorizedError, ForbiddenError } = require('@strapi/utils/lib/errors');
+const { castArray, isNil } = require('lodash/fp');
+const { getService } = require('../utils');
+const extractToken = (ctx) => {
+  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
+    const parts = ctx.request.header.authorization.split(/\s+/);
+    if (parts[0].toLowerCase() !== 'bearer' || parts.length !== 2) {
+      return null;
+    }
+    return parts[1];
+  }
+  return null;
+};
+/**
+ * Authenticate the validity of the token
+ *
+ *  @type {import('.').AuthenticateFunction}
+ */
+const authenticate = async (ctx) => {
+  const { token: tokenService } = getService('transfer');
+  const token = extractToken(ctx);
+  if (!token) {
+    return { authenticated: false };
+  }
+  const transferToken = await tokenService.getBy({ accessKey: tokenService.hash(token) });
+  // Check if the token exists
+  if (!transferToken) {
+    return { authenticated: false };
+  }
+  // Check if the token has expired
+  const currentDate = new Date();
+  if (!isNil(transferToken.expiresAt)) {
+    const expirationDate = new Date(transferToken.expiresAt);
+    if (expirationDate < currentDate) {
+      return { authenticated: false, error: new UnauthorizedError('Token expired') };
+    }
+  }
+  // Update token metadata
+  await strapi.query('admin::transfer-token').update({
+    where: { id: transferToken.id },
+    data: { lastUsedAt: currentDate },
+  });
+  // Generate an ability based on the token permissions
+  const ability = await getService('transfer').permission.engine.generateAbility(
+    transferToken.permissions.map((action) => ({ action }))
+  );
+  return { authenticated: true, ability, credentials: transferToken };
+};
+/**
+ * Verify the token has the required abilities for the requested scope
+ *
+ *  @type {import('.').VerifyFunction}
+ */
+const verify = async (auth, config = {}) => {
+  const { credentials: transferToken, ability } = auth;
+  if (!transferToken) {
+    throw new UnauthorizedError('Token not found');
+  }
+  const currentDate = new Date();
+  if (!isNil(transferToken.expiresAt)) {
+    const expirationDate = new Date(transferToken.expiresAt);
+    // token has expired
+    if (expirationDate < currentDate) {
+      throw new UnauthorizedError('Token expired');
+    }
+  }
+  if (!ability) {
+    throw new ForbiddenError();
+  }
+  const scopes = castArray(config.scope ?? []);
+  const isAllowed = scopes.every((scope) => ability.can(scope));
+  if (!isAllowed) {
+    throw new ForbiddenError();
+  }
+};
+/** @type {import('.').AuthStrategy} */
+module.exports = {
+  name: 'data-transfer',
+  authenticate,
+  verify,
+};

package/server/strategies/index.js CHANGED Viewed

@@ -21,5 +21,6 @@
  */
 module.exports = {
   admin: require('./admin'),
+  'data-transfer': require('./data-transfer'),
   'api-token': require('./api-token'),
 };

package/server/utils/index.d.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import * as token from '../services/token';
 import * as auth from '../services/auth';
 import * as apiToken from '../services/api-token';
 import * as projectSettings from '../services/project-settings';
+import * as transfer from '../services/transfer';
 type S = {
   role: typeof role;
@@ -18,6 +19,7 @@ type S = {
   metrics: typeof metrics;
   'api-token': typeof apiToken;
   'project-settings': typeof projectSettings;
+  transfer: typeof transfer;
 };
 export function getService<T extends keyof S>(name: T): S[T];

package/server/validation/api-tokens.js CHANGED Viewed

@@ -10,12 +10,7 @@ const apiTokenCreationSchema = yup
     description: yup.string().optional(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).required(),
     permissions: yup.array().of(yup.string()).nullable(),
-    lifespan: yup
-      .number()
-      .integer()
-      .min(1)
-      .oneOf(Object.values(constants.API_TOKEN_LIFESPANS))
-      .nullable(),
+    lifespan: yup.number().min(1).oneOf(Object.values(constants.API_TOKEN_LIFESPANS)).nullable(),
   })
   .noUnknown()
   .strict();

package/server/validation/transfer/index.js ADDED Viewed

@@ -0,0 +1,5 @@
+'use strict';
+module.exports = {
+  token: require('./token'),
+};

package/server/validation/transfer/token.js ADDED Viewed

@@ -0,0 +1,34 @@
+'use strict';
+const { yup, validateYupSchema } = require('@strapi/utils');
+const constants = require('../../services/constants');
+const transferTokenCreationSchema = yup
+  .object()
+  .shape({
+    name: yup.string().min(1).required(),
+    description: yup.string().optional(),
+    permissions: yup.array().of(yup.string()).nullable(),
+    lifespan: yup
+      .number()
+      .min(1)
+      .oneOf(Object.values(constants.TRANSFER_TOKEN_LIFESPANS))
+      .nullable(),
+  })
+  .noUnknown()
+  .strict();
+const transferTokenUpdateSchema = yup
+  .object()
+  .shape({
+    name: yup.string().min(1).notNull(),
+    description: yup.string().nullable(),
+    permissions: yup.array().of(yup.string()).nullable(),
+  })
+  .noUnknown()
+  .strict();
+module.exports = {
+  validateTransferTokenCreationInput: validateYupSchema(transferTokenCreationSchema),
+  validateTransferTokenUpdateInput: validateYupSchema(transferTokenUpdateSchema),
+};

package/admin/src/pages/SettingsPage/pages/ApiTokens/EditView/components/FormBody/index.js DELETED Viewed

@@ -1,77 +0,0 @@
-import React from 'react';
-import PropTypes from 'prop-types';
-import { ContentLayout, Stack } from '@strapi/design-system';
-import HeaderContentBox from '../ContentBox';
-import FormApiTokenContainer from '../FormApiTokenContainer';
-import Permissions from '../Permissions';
-const FormBody = ({
-  apiToken,
-  errors,
-  onChange,
-  canEditInputs,
-  isCreating,
-  values,
-  onDispatch,
-  setHasChangedPermissions,
-}) => {
-  return (
-    <ContentLayout>
-      <Stack spacing={6}>
-        {Boolean(apiToken?.name) && <HeaderContentBox apiToken={apiToken?.accessKey} />}
-        <FormApiTokenContainer
-          errors={errors}
-          onChange={onChange}
-          canEditInputs={canEditInputs}
-          isCreating={isCreating}
-          values={values}
-          apiToken={apiToken}
-          onDispatch={onDispatch}
-          setHasChangedPermissions={setHasChangedPermissions}
-        />
-        <Permissions
-          disabled={
-            !canEditInputs || values?.type === 'read-only' || values?.type === 'full-access'
-          }
-        />
-      </Stack>
-    </ContentLayout>
-  );
-};
-FormBody.propTypes = {
-  errors: PropTypes.shape({
-    name: PropTypes.string,
-    description: PropTypes.string,
-    lifespan: PropTypes.string,
-    type: PropTypes.string,
-  }),
-  apiToken: PropTypes.shape({
-    id: PropTypes.oneOfType([PropTypes.number, PropTypes.string]),
-    type: PropTypes.string,
-    lifespan: PropTypes.oneOfType([PropTypes.number, PropTypes.string]),
-    name: PropTypes.string,
-    accessKey: PropTypes.string,
-    permissions: PropTypes.array,
-    description: PropTypes.string,
-    createdAt: PropTypes.string,
-  }),
-  onChange: PropTypes.func.isRequired,
-  canEditInputs: PropTypes.bool.isRequired,
-  isCreating: PropTypes.bool.isRequired,
-  values: PropTypes.shape({
-    name: PropTypes.string,
-    description: PropTypes.string,
-    lifespan: PropTypes.string,
-    type: PropTypes.string,
-  }).isRequired,
-  onDispatch: PropTypes.func.isRequired,
-  setHasChangedPermissions: PropTypes.func.isRequired,
-};
-FormBody.defaultProps = {
-  errors: {},
-  apiToken: {},
-};
-export default FormBody;