@strapi/admin 4.7.0-beta.0 → 4.9.0-alpha.0

package/server/services/transfer/permission.js

@@ -1,22 +0,0 @@
-'use strict';
-
-const permissions = require('@strapi/permissions');
-const { providerFactory } = require('@strapi/utils');
-
-const DEFAULT_TRANSFER_ACTIONS = ['push'];
-
-const providers = {
-  action: providerFactory(),
-  condition: providerFactory(),
-};
-
-DEFAULT_TRANSFER_ACTIONS.forEach((action) => {
-  providers.action.register(action, { action });
-});
-
-const engine = permissions.engine.new({ providers });
-
-module.exports = {
-  engine,
-  providers,
-};

package/server/services/transfer/token.js

@@ -1,409 +0,0 @@
-'use strict';
-
-const { map, isArray, omit, uniq, isNil, difference, isEmpty } = require('lodash/fp');
-const crypto = require('crypto');
-
-const {
-  errors: { ValidationError, NotFoundError },
-} = require('@strapi/utils');
-
-const constants = require('../constants');
-
-const TRANSFER_TOKEN_UID = 'admin::transfer-token';
-const TRANSFER_TOKEN_PERMISSION_UID = 'admin::transfer-token-permission';
-
-/**
- * @typedef TransferToken
- *
- * @property {number|string} id
- * @property {string} name
- * @property {string} description
- * @property {string} accessKey
- * @property {number} lastUsedAt
- * @property {number} lifespan
- * @property {number} expiresAt
- * @property {(number[]|TransferTokenPermission[])} permissions
- */
-
-/**
- * @typedef TransferTokenPermission
- *
- * @property {number|string} id
- * @property {string} action
- * @property {TransferToken|number} token
- */
-
-/** @constant {Array<string>} */
-const SELECT_FIELDS = [
-  'id',
-  'name',
-  'description',
-  'lastUsedAt',
-  'lifespan',
-  'expiresAt',
-  'createdAt',
-  'updatedAt',
-];
-
-/** @constant {Array<string>} */
-const POPULATE_FIELDS = ['permissions'];
-
-/**
- * Return a list of all tokens and their permissions
- *
- * @returns {Promise<Omit<TransferToken, 'accessKey'>[]>}
- */
-const list = async () => {
-  const tokens = await strapi.query(TRANSFER_TOKEN_UID).findMany({
-    select: SELECT_FIELDS,
-    populate: POPULATE_FIELDS,
-    orderBy: { name: 'ASC' },
-  });
-
-  if (!tokens) return tokens;
-  return tokens.map((token) => flattenTokenPermissions(token));
-};
-
-/**
- * Create a token and its permissions
- *
- * @param {Object} attributes
- * @param {string} attributes.name
- * @param {string} attributes.description
- * @param {number} attributes.lifespan
- * @param {string[]} attributes.permissions
- *
- * @returns {Promise<TransferToken>}
- */
-const create = async (attributes) => {
-  const accessKey = crypto.randomBytes(128).toString('hex');
-
-  assertTokenPermissionsValidity(attributes);
-  assertValidLifespan(attributes);
-
-  const result = await strapi.db.transaction(async () => {
-    const transferToken = await strapi.query(TRANSFER_TOKEN_UID).create({
-      select: SELECT_FIELDS,
-      populate: POPULATE_FIELDS,
-      data: {
-        ...omit('permissions', attributes),
-        accessKey: hash(accessKey),
-        ...getExpirationFields(attributes.lifespan),
-      },
-    });
-
-    await Promise.all(
-      uniq(attributes.permissions).map((action) =>
-        strapi
-          .query(TRANSFER_TOKEN_PERMISSION_UID)
-          .create({ data: { action, token: transferToken } })
-      )
-    );
-
-    const currentPermissions = await strapi.entityService.load(
-      TRANSFER_TOKEN_UID,
-      transferToken,
-      'permissions'
-    );
-
-    if (currentPermissions) {
-      Object.assign(transferToken, { permissions: map('action', currentPermissions) });
-    }
-
-    return transferToken;
-  });
-
-  return { ...result, accessKey };
-};
-
-/**
- * Update a token and its permissions
- *
- * @param {string|number} id
- * @param {Object} attributes
- * @param {string} attributes.name
- * @param {number} attributes.lastUsedAt
- * @param {string[]} attributes.permissions
- * @param {string} attributes.description
- *
- * @returns {Promise<Omit<TransferToken, 'accessKey'>>}
- */
-const update = async (id, attributes) => {
-  // retrieve token without permissions
-  const originalToken = await strapi.query(TRANSFER_TOKEN_UID).findOne({ where: { id } });
-
-  if (!originalToken) {
-    throw new NotFoundError('Token not found');
-  }
-
-  assertTokenPermissionsValidity(attributes);
-  assertValidLifespan(attributes);
-
-  return strapi.db.transaction(async () => {
-    const updatedToken = await strapi.query(TRANSFER_TOKEN_UID).update({
-      select: SELECT_FIELDS,
-      where: { id },
-      data: {
-        ...omit('permissions', attributes),
-      },
-    });
-
-    const currentPermissionsResult = await strapi.entityService.load(
-      TRANSFER_TOKEN_UID,
-      updatedToken,
-      'permissions'
-    );
-
-    const currentPermissions = map('action', currentPermissionsResult || []);
-    const newPermissions = uniq(attributes.permissions);
-
-    const actionsToDelete = difference(currentPermissions, newPermissions);
-    const actionsToAdd = difference(newPermissions, currentPermissions);
-
-    // TODO: improve efficiency here
-    // method using a loop -- works but very inefficient
-    await Promise.all(
-      actionsToDelete.map((action) =>
-        strapi.query(TRANSFER_TOKEN_PERMISSION_UID).delete({
-          where: { action, token: id },
-        })
-      )
-    );
-
-    // TODO: improve efficiency here
-    // using a loop -- works but very inefficient
-    await Promise.all(
-      actionsToAdd.map((action) =>
-        strapi.query(TRANSFER_TOKEN_PERMISSION_UID).create({
-          data: { action, token: id },
-        })
-      )
-    );
-
-    // retrieve permissions
-    const permissionsFromDb = await strapi.entityService.load(
-      TRANSFER_TOKEN_UID,
-      updatedToken,
-      'permissions'
-    );
-
-    return {
-      ...updatedToken,
-      permissions: permissionsFromDb ? permissionsFromDb.map((p) => p.action) : undefined,
-    };
-  });
-};
-
-/**
- * Revoke (delete) a token
- *
- * @param {string|number} id
- *
- * @returns {Promise<Omit<TransferToken, 'accessKey'>>}
- */
-const revoke = async (id) => {
-  return strapi.db.transaction(async () =>
-    strapi
-      .query(TRANSFER_TOKEN_UID)
-      .delete({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: { id } })
-  );
-};
-
-/**
- *  Get a token
- *
- * @param {Object} whereParams
- * @param {string|number} whereParams.id
- * @param {string} whereParams.name
- * @param {number} whereParams.lastUsedAt
- * @param {string} whereParams.description
- * @param {string} whereParams.accessKey
- *
- * @returns {Promise<Omit<TransferToken, 'accessKey'> | null>}
- */
-const getBy = async (whereParams = {}) => {
-  if (Object.keys(whereParams).length === 0) {
-    return null;
-  }
-
-  const token = await strapi
-    .query(TRANSFER_TOKEN_UID)
-    .findOne({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: whereParams });
-
-  if (!token) return token;
-  return flattenTokenPermissions(token);
-};
-
-/**
- * Retrieve a token by id
- *
- * @param {string|number} id
- *
- * @returns {Promise<Omit<TransferToken, 'accessKey'>>}
- */
-const getById = async (id) => {
-  return getBy({ id });
-};
-
-/**
- * Retrieve a token by name
- *
- * @param {string} name
- *
- * ^@returns {Promise<Omit<TransferToken, 'accessKey'>>}
- */
-const getByName = async (name) => {
-  return getBy({ name });
-};
-
-/**
- * Check if token exists
- *
- * @param {Object} whereParams
- * @param {string|number} whereParams.id
- * @param {string} whereParams.name
- * @param {number} whereParams.lastUsedAt
- * @param {string} whereParams.description
- * @param {string} whereParams.accessKey
- *
- * @returns {Promise<boolean>}
- */
-const exists = async (whereParams = {}) => {
-  const transferToken = await getBy(whereParams);
-
-  return !!transferToken;
-};
-
-/**
- * @param {string|number} id
- *
- * @returns {Promise<TransferToken>}
- */
-const regenerate = async (id) => {
-  const accessKey = crypto.randomBytes(128).toString('hex');
-  const transferToken = await strapi.db.transaction(async () =>
-    strapi.query(TRANSFER_TOKEN_UID).update({
-      select: ['id', 'accessKey'],
-      where: { id },
-      data: {
-        accessKey: hash(accessKey),
-      },
-    })
-  );
-
-  if (!transferToken) {
-    throw new NotFoundError('The provided token id does not exist');
-  }
-
-  return {
-    ...transferToken,
-    accessKey,
-  };
-};
-
-/**
- * @param {number} lifespan
- *
- * @returns { { lifespan: null | number, expiresAt: null | number } }
- */
-const getExpirationFields = (lifespan) => {
-  // it must be nil or a finite number >= 0
-  const isValidNumber = Number.isFinite(lifespan) && lifespan > 0;
-  if (!isValidNumber && !isNil(lifespan)) {
-    throw new ValidationError('lifespan must be a positive number or null');
-  }
-
-  return {
-    lifespan: lifespan || null,
-    expiresAt: lifespan ? Date.now() + lifespan : null,
-  };
-};
-
-/**
- * Return a secure sha512 hash of an accessKey
- *
- * @param {string} accessKey
- *
- * @returns {string}
- */
-const hash = (accessKey) => {
-  return crypto
-    .createHmac('sha512', strapi.config.get('admin.transfer.token.salt'))
-    .update(accessKey)
-    .digest('hex');
-};
-
-/**
- * @returns {void}
- */
-const checkSaltIsDefined = () => {
-  if (!strapi.config.get('admin.transfer.token.salt')) {
-    throw new Error(
-      `Missing transfer.token.salt. Please set transfer.token.salt in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
-For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
-    );
-  }
-};
-
-/**
- * Flatten a token's database permissions objects to an array of strings
- *
- * @param {TransferToken} token
- *
- * @returns {TransferToken}
- */
-const flattenTokenPermissions = (token) => {
-  if (!token) return token;
-
-  return {
-    ...token,
-    permissions: isArray(token.permissions) ? map('action', token.permissions) : token.permissions,
-  };
-};
-
-/**
- * Assert that a token's permissions are valid
- *
- * @param {TransferToken} token
- */
-const assertTokenPermissionsValidity = (attributes) => {
-  const permissionService = strapi.admin.services.transfer.permission;
-  const validPermissions = permissionService.providers.action.keys();
-  const invalidPermissions = difference(attributes.permissions, validPermissions);
-
-  if (!isEmpty(invalidPermissions)) {
-    throw new ValidationError(`Unknown permissions provided: ${invalidPermissions.join(', ')}`);
-  }
-};
-
-/**
- * Assert that a token's lifespan is valid
- *
- * @param {TransferToken} token
- */
-const assertValidLifespan = ({ lifespan }) => {
-  if (isNil(lifespan)) {
-    return;
-  }
-
-  if (!Object.values(constants.TRANSFER_TOKEN_LIFESPANS).includes(lifespan)) {
-    throw new ValidationError(
-      `lifespan must be one of the following values: 
-      ${Object.values(constants.TRANSFER_TOKEN_LIFESPANS).join(', ')}`
-    );
-  }
-};
-
-module.exports = {
-  create,
-  list,
-  exists,
-  getBy,
-  getById,
-  getByName,
-  update,
-  revoke,
-  regenerate,
-  hash,
-  checkSaltIsDefined,
-};

package/server/strategies/data-transfer.js

@@ -1,107 +0,0 @@
-'use strict';
-
-const { UnauthorizedError, ForbiddenError } = require('@strapi/utils/lib/errors');
-const { castArray, isNil } = require('lodash/fp');
-
-const { getService } = require('../utils');
-
-const extractToken = (ctx) => {
-  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
-    const parts = ctx.request.header.authorization.split(/\s+/);
-
-    if (parts[0].toLowerCase() !== 'bearer' || parts.length !== 2) {
-      return null;
-    }
-
-    return parts[1];
-  }
-
-  return null;
-};
-
-/**
- * Authenticate the validity of the token
- *
- *  @type {import('.').AuthenticateFunction}
- */
-const authenticate = async (ctx) => {
-  const { token: tokenService } = getService('transfer');
-  const token = extractToken(ctx);
-
-  if (!token) {
-    return { authenticated: false };
-  }
-
-  const transferToken = await tokenService.getBy({ accessKey: tokenService.hash(token) });
-
-  // Check if the token exists
-  if (!transferToken) {
-    return { authenticated: false };
-  }
-
-  // Check if the token has expired
-  const currentDate = new Date();
-
-  if (!isNil(transferToken.expiresAt)) {
-    const expirationDate = new Date(transferToken.expiresAt);
-
-    if (expirationDate < currentDate) {
-      return { authenticated: false, error: new UnauthorizedError('Token expired') };
-    }
-  }
-
-  // Update token metadata
-  await strapi.query('admin::transfer-token').update({
-    where: { id: transferToken.id },
-    data: { lastUsedAt: currentDate },
-  });
-
-  // Generate an ability based on the token permissions
-  const ability = await getService('transfer').permission.engine.generateAbility(
-    transferToken.permissions.map((action) => ({ action }))
-  );
-
-  return { authenticated: true, ability, credentials: transferToken };
-};
-
-/**
- * Verify the token has the required abilities for the requested scope
- *
- *  @type {import('.').VerifyFunction}
- */
-const verify = async (auth, config = {}) => {
-  const { credentials: transferToken, ability } = auth;
-
-  if (!transferToken) {
-    throw new UnauthorizedError('Token not found');
-  }
-
-  const currentDate = new Date();
-
-  if (!isNil(transferToken.expiresAt)) {
-    const expirationDate = new Date(transferToken.expiresAt);
-    // token has expired
-    if (expirationDate < currentDate) {
-      throw new UnauthorizedError('Token expired');
-    }
-  }
-
-  if (!ability) {
-    throw new ForbiddenError();
-  }
-
-  const scopes = castArray(config.scope ?? []);
-
-  const isAllowed = scopes.every((scope) => ability.can(scope));
-
-  if (!isAllowed) {
-    throw new ForbiddenError();
-  }
-};
-
-/** @type {import('.').AuthStrategy} */
-module.exports = {
-  name: 'data-transfer',
-  authenticate,
-  verify,
-};

package/server/validation/transfer/index.js

@@ -1,5 +0,0 @@
-'use strict';
-
-module.exports = {
-  token: require('./token'),
-};

package/server/validation/transfer/token.js

@@ -1,34 +0,0 @@
-'use strict';
-
-const { yup, validateYupSchema } = require('@strapi/utils');
-const constants = require('../../services/constants');
-
-const transferTokenCreationSchema = yup
-  .object()
-  .shape({
-    name: yup.string().min(1).required(),
-    description: yup.string().optional(),
-    permissions: yup.array().of(yup.string()).nullable(),
-    lifespan: yup
-      .number()
-      .min(1)
-      .oneOf(Object.values(constants.TRANSFER_TOKEN_LIFESPANS))
-      .nullable(),
-  })
-  .noUnknown()
-  .strict();
-
-const transferTokenUpdateSchema = yup
-  .object()
-  .shape({
-    name: yup.string().min(1).notNull(),
-    description: yup.string().nullable(),
-    permissions: yup.array().of(yup.string()).nullable(),
-  })
-  .noUnknown()
-  .strict();
-
-module.exports = {
-  validateTransferTokenCreationInput: validateYupSchema(transferTokenCreationSchema),
-  validateTransferTokenUpdateInput: validateYupSchema(transferTokenUpdateSchema),
-};