npm - @strapi/admin - Versions diffs - 5.43.0 → 5.45.0 - Mend

@strapi/admin 5.43.0 → 5.45.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (384) hide show

package/dist/server/server/src/services/api-token.js CHANGED Viewed

@@ -5,10 +5,56 @@ var fp = require('lodash/fp');
 var utils = require('@strapi/utils');
 var constants = require('./constants.js');
 var index = require('../utils/index.js');
+var index$1 = require('../domain/permission/index.js');
+var permission = require('../validation/permission.js');
+const { SUPER_ADMIN_CODE } = constants;
 const { ValidationError, NotFoundError } = utils.errors;
+const assertOwnerMatchesCallingUser = async (adminUserOwner, callingUser)=>{
+    if (callingUser === undefined || callingUser === null) {
+        throw new ValidationError('adminUserOwner requires an authenticated admin user');
+    }
+    const ownerId = String(adminUserOwner);
+    const callingUserId = String(callingUser.id);
+    if (ownerId !== callingUserId) {
+        throw new ValidationError('adminUserOwner must match the authenticated admin user');
+    }
+    const existingUser = await strapi.db.query('admin::user').findOne({
+        select: [
+            'id'
+        ],
+        where: {
+            id: callingUser.id
+        }
+    });
+    if (existingUser === null || existingUser === undefined) {
+        throw new ValidationError('adminUserOwner must reference an existing admin user');
+    }
+};
+const isSuperAdmin = (user)=>user?.roles?.some((r)=>r.code === SUPER_ADMIN_CODE) === true;
+const getOwnerId = (token)=>{
+    const owner = token.adminUserOwner;
+    return String(typeof owner === 'object' ? owner.id : owner);
+};
+const toAdminTokenOwner = (owner)=>{
+    if (owner === null || owner === undefined) {
+        throw new Error('adminUserOwner is required');
+    }
+    // Bare id
+    if (typeof owner === 'number' || typeof owner === 'string') {
+        return owner;
+    }
+    return {
+        id: owner.id,
+        firstname: owner.firstname,
+        lastname: owner.lastname,
+        username: owner.username,
+        email: owner.email
+    };
+};
 const SELECT_FIELDS = [
     'id',
+    'kind',
     'name',
     'description',
     'lastUsedAt',
@@ -19,7 +65,9 @@ const SELECT_FIELDS = [
     'updatedAt'
 ];
 const POPULATE_FIELDS = [
-    'permissions'
+    'permissions',
+    'adminPermissions',
+    'adminUserOwner'
 ];
 // TODO: we need to ensure the permissions are actually valid registered permissions!
 /**
@@ -62,42 +110,381 @@ const POPULATE_FIELDS = [
     }
 };
 /**
- * Flatten a token's database permissions objects to an array of strings
- */ const flattenTokenPermissions = (token)=>{
-    if (!token) {
-        return token;
+ * Assert that a legacy-kind token body does not carry admin-only fields
+ */ const assertLegacyKindFields = (attributes)=>{
+    const raw = attributes;
+    if (raw.adminPermissions !== undefined && raw.adminPermissions !== null) {
+        throw new ValidationError('Legacy tokens cannot carry admin permissions');
+    }
+    if (raw.adminUserOwner !== undefined && raw.adminUserOwner !== null) {
+        throw new ValidationError('Legacy tokens cannot have an admin user owner');
+    }
+};
+/**
+ * Assert that an admin-kind token body does not carry legacy-only fields
+ */ const assertAdminKindFields = (attributes)=>{
+    const raw = attributes;
+    if (raw.type !== undefined && raw.type !== null) {
+        throw new ValidationError('Admin tokens cannot carry a legacy type (custom/read-only/full-access)');
+    }
+    if (raw.permissions !== undefined && raw.permissions !== null) {
+        throw new ValidationError('Admin tokens cannot carry legacy content-API permissions');
+    }
+};
+/**
+ * Assert that admin permissions are valid
+ */ const assertAdminPermissionsValidity = async (adminPermissions)=>{
+    if (!adminPermissions || adminPermissions.length === 0) {
+        return;
+    }
+    // Validate that all actions exist in the admin action provider
+    const validActions = index.getService('permission').actionProvider.keys();
+    for (const perm of adminPermissions){
+        if (!validActions.includes(perm.action)) {
+            throw new ValidationError(`Unknown admin action: ${perm.action}`);
+        }
+    }
+    // Use existing permission validation
+    await permission.validatePermissionsExist(adminPermissions);
+};
+/**
+ * Enforce that every requested admin permission stays within the calling
+ * user's own permission ceiling, then return the clamped permissions.
+ *
+ * Super-admins bypass this (they hold every permission).
+ * When admin permissions are requested, an authenticated user is required (no bypass when user is missing).
+ *
+ * For each requested permission:
+ *  - action + subject must match at least one user permission
+ *  - properties.fields must be ⊆ user's properties.fields
+ *    (if the user's permission defines no fields, all fields are allowed)
+ *  - conditions are inherited from the user's matching permission(s);
+ *    the caller cannot configure conditions on their own tokens
+ *
+ * Returns the permissions with conditions enforced from the user's role.
+ * Throws ValidationError if any permission exceeds the user's ceiling.
+ *
+ * Guaranteed postcondition: all returned permissions have conditions filtered to
+ * registered conditions only, regardless of the user type.
+ */ const enforceAdminPermissionsCeiling = async (user, requestedPermissions)=>{
+    if (!requestedPermissions || requestedPermissions.length === 0) {
+        return requestedPermissions || [];
+    }
+    if (user === undefined || user === null) {
+        throw new ValidationError('Admin permission ceiling cannot be enforced without an authenticated user');
+    }
+    if (isSuperAdmin(user)) {
+        // Sanitize conditions even for super-admins so this function is a complete boundary.
+        // createApiTokenAdminPermissions also sanitizes, but relying on that downstream
+        // is fragile — any future call path that skips it would store invalid conditions.
+        const { conditionProvider } = index.getService('permission');
+        const sanitize = index$1.default.sanitizeConditions(conditionProvider);
+        return requestedPermissions.map((perm)=>{
+            const sanitized = sanitize({
+                ...perm,
+                actionParameters: {}
+            });
+            return {
+                ...perm,
+                conditions: sanitized.conditions
+            };
+        });
+    }
+    const userPermissions = await index.getService('permission').findUserPermissions(user);
+    const exceeding = [];
+    const clamped = requestedPermissions.map((requested)=>{
+        const requestedSubject = requested.subject || null;
+        // Find all user permissions matching action + subject
+        const matchingUserPerms = userPermissions.filter((userPerm)=>{
+            if (userPerm.action !== requested.action) return false;
+            const userSubject = userPerm.subject || null;
+            return requestedSubject === userSubject;
+        });
+        const label = requestedSubject !== null ? `${requested.action} on ${requestedSubject}` : requested.action;
+        if (matchingUserPerms.length === 0) {
+            exceeding.push(label);
+            return requested;
+        }
+        // --- Field-level ceiling ---
+        // If any matching user perm has no fields defined → all fields are allowed.
+        // Otherwise, effective user fields = union of all matching perms' fields.
+        const anyUserPermHasAllFields = matchingUserPerms.some((p)=>!p.properties?.fields || p.properties.fields.length === 0);
+        const requestedFields = requested.properties?.fields;
+        if (!anyUserPermHasAllFields) {
+            const effectiveUserFields = fp.uniq(matchingUserPerms.flatMap((p)=>p.properties?.fields || []));
+            // When the owner is field-restricted, omitting fields would widen access to all fields.
+            // Force explicit field selection so token scope can't exceed the owner's ceiling.
+            if (requestedFields === undefined || requestedFields === null) {
+                exceeding.push(`${label} (fields are required due to owner field restrictions)`);
+                return requested;
+            }
+            if (requestedFields.length > 0) {
+                const exceedingFields = requestedFields.filter((f)=>!effectiveUserFields.includes(f));
+                if (exceedingFields.length > 0) {
+                    exceeding.push(`${label} (fields: ${exceedingFields.join(', ')})`);
+                    return requested;
+                }
+            }
+        }
+        // --- Condition-level ceiling ---
+        // Conditions are always inherited from the user's matching permission(s).
+        // If any matching user perm is unconditional → token gets no conditions.
+        // Otherwise → union of conditions across matching perms.
+        const anyUserPermIsUnconditional = matchingUserPerms.some((p)=>!p.conditions || p.conditions.length === 0);
+        const enforcedConditions = anyUserPermIsUnconditional ? [] : fp.uniq(matchingUserPerms.flatMap((p)=>p.conditions || []));
+        return {
+            ...requested,
+            conditions: enforcedConditions
+        };
+    });
+    if (exceeding.length > 0) {
+        throw new ValidationError(`Cannot assign admin permissions that exceed your own. ` + `Exceeding: ${exceeding.join(', ')}`);
+    }
+    return clamped;
+};
+/**
+ * Create admin permissions for an API token
+ */ const createApiTokenAdminPermissions = async (tokenId, permissions)=>{
+    const { conditionProvider } = index.getService('permission');
+    const sanitizeConditions = index$1.default.sanitizeConditions(conditionProvider);
+    const permissionsWithToken = permissions.map((perm)=>{
+        const permAsPermission = {
+            ...perm,
+            actionParameters: {}
+        };
+        const sanitized = sanitizeConditions(permAsPermission);
+        return index$1.default.create({
+            ...sanitized,
+            apiToken: tokenId,
+            role: null
+        });
+    });
+    const createdPermissions = await index.getService('permission').createMany(permissionsWithToken);
+    return createdPermissions;
+};
+/**
+ * Fields to compare when checking if two permissions are equal
+ */ const COMPARABLE_FIELDS = [
+    'conditions',
+    'properties',
+    'subject',
+    'action',
+    'actionParameters'
+];
+const pickComparableFields = fp.pick(COMPARABLE_FIELDS);
+/**
+ * Helper to clean JSON (remove undefined values)
+ */ const jsonClean = (data)=>JSON.parse(JSON.stringify(data));
+/**
+ * Compare two permissions for equality
+ */ const arePermissionsEqual = (p1, p2)=>{
+    if (p1.action === p2.action) {
+        return fp.isEqual(jsonClean(pickComparableFields(p1)), jsonClean(pickComparableFields(p2)));
     }
+    return false;
+};
+/**
+ * Assign admin permissions to an API token (similar to role permission assignment).
+ * ceilingUser is the user whose permissions act as the ceiling — always the token owner,
+ * regardless of who is making the request.
+ */ const assignAdminPermissionsToToken = async (tokenId, permissions, ceilingUser)=>{
+    await permission.validatePermissionsExist(permissions);
+    const clampedPermissions = await enforceAdminPermissionsCeiling(ceilingUser, permissions);
+    const permissionsWithToken = clampedPermissions.map((perm)=>index$1.default.create({
+            ...perm,
+            apiToken: tokenId,
+            role: null
+        }));
+    const existingPermissions = await index.getService('permission').findMany({
+        where: {
+            apiToken: {
+                id: tokenId
+            }
+        }
+    });
+    const permissionsToAdd = fp.differenceWith(arePermissionsEqual, permissionsWithToken, existingPermissions);
+    const permissionsToDelete = fp.differenceWith(arePermissionsEqual, existingPermissions, permissionsWithToken);
+    if (permissionsToDelete.length > 0) {
+        await index.getService('permission').deleteByIds(permissionsToDelete.map(fp.prop('id')));
+    }
+    if (permissionsToAdd.length > 0) {
+        await createApiTokenAdminPermissions(tokenId, permissionsToAdd);
+    }
+    // Return all current permissions
+    const allCurrentPermissions = await index.getService('permission').findMany({
+        where: {
+            apiToken: {
+                id: tokenId
+            }
+        }
+    });
+    return allCurrentPermissions;
+};
+/**
+ * Reconcile a token's admin permissions against the owner's current effective ceiling.
+ *
+ * Pure / sync — no DB calls. Returns two buckets:
+ *   toDelete  – permissions that are no longer within the user's scope (action/subject missing
+ *               or requested fields exceed the allowed set)
+ *   toUpdate  – permissions that are still in scope but whose conditions must be re-clamped
+ *               to the current union of the matching user permissions' conditions
+ */ const reconcileTokenPermissionsToUserCeiling = (userPermissions, tokenPermissions)=>{
+    const toDelete = [];
+    const toUpdate = [];
+    tokenPermissions.forEach((tokenPerm)=>{
+        const tokenSubject = tokenPerm.subject || null;
+        const matchingUserPerms = userPermissions.filter((userPerm)=>userPerm.action === tokenPerm.action && (userPerm.subject || null) === tokenSubject);
+        if (matchingUserPerms.length === 0) {
+            toDelete.push(tokenPerm);
+            return;
+        }
+        // Field-level ceiling check (mirrors enforceAdminPermissionsCeiling)
+        const anyUserPermHasAllFields = matchingUserPerms.some((p)=>!p.properties?.fields || p.properties.fields.length === 0);
+        const tokenFields = tokenPerm.properties?.fields;
+        const fieldCeilingExceeded = !anyUserPermHasAllFields && tokenFields !== undefined && tokenFields !== null && tokenFields.length > 0 && (()=>{
+            const effectiveUserFields = fp.uniq(matchingUserPerms.flatMap((p)=>p.properties?.fields || []));
+            return tokenFields.some((f)=>!effectiveUserFields.includes(f));
+        })();
+        if (fieldCeilingExceeded) {
+            toDelete.push(tokenPerm);
+            return;
+        }
+        // Condition: force conditions to be the ones of the user permission(s)
+        const anyUserPermIsUnconditional = matchingUserPerms.some((p)=>!p.conditions || p.conditions.length === 0);
+        const enforcedConditions = anyUserPermIsUnconditional ? [] : fp.uniq(matchingUserPerms.flatMap((p)=>p.conditions || []));
+        const currentConditions = tokenPerm.conditions || [];
+        const conditionsChanged = enforcedConditions.length !== currentConditions.length || enforcedConditions.some((c)=>!currentConditions.includes(c));
+        if (conditionsChanged) {
+            toUpdate.push({
+                id: tokenPerm.id,
+                conditions: enforcedConditions
+            });
+        }
+    });
     return {
-        ...token,
-        permissions: fp.isArray(token.permissions) ? fp.map('action', token.permissions) : token.permissions
+        toDelete,
+        toUpdate
     };
 };
 /**
- *  Get a token
- */ const getBy = async (whereParams = {})=>{
+ * Re-sync all admin token permissions for a given user against their current effective ceiling.
+ *
+ * Skips super-admins (no ceiling). For each admin token owned by the user:
+ *   - Deletes permissions that are no longer within the user's scope
+ *   - Updates conditions on permissions whose conditions have drifted from the role's current set
+ */ const syncApiTokenPermissionsForUser = async (userId)=>{
+    const user = await strapi.db.query('admin::user').findOne({
+        where: {
+            id: userId
+        },
+        populate: [
+            'roles'
+        ]
+    });
+    if (user === null || user === undefined) return;
+    if (isSuperAdmin(user)) return;
+    const userEffectivePermissions = await index.getService('permission').findUserPermissions(user);
+    const tokens = await strapi.db.query('admin::api-token').findMany({
+        where: {
+            kind: 'admin',
+            adminUserOwner: {
+                id: userId
+            }
+        },
+        populate: [
+            'adminPermissions'
+        ]
+    });
+    const tokensWithPermissions = tokens.filter((token)=>Array.isArray(token.adminPermissions) && token.adminPermissions.length > 0);
+    for (const token of tokensWithPermissions){
+        const tokenPermissions = token.adminPermissions;
+        const { toDelete, toUpdate } = reconcileTokenPermissionsToUserCeiling(userEffectivePermissions, tokenPermissions);
+        if (toDelete.length > 0) {
+            await index.getService('permission').deleteByIds(toDelete.map((p)=>p.id));
+        }
+        for (const { id, conditions } of toUpdate){
+            await strapi.db.query('admin::permission').update({
+                where: {
+                    id
+                },
+                data: {
+                    conditions
+                }
+            });
+        }
+    }
+};
+/**
+ * Re-sync admin token permissions for all admin users who hold a given role.
+ * Called after role permissions are updated.
+ */ const syncApiTokenPermissionsForRole = async (roleId)=>{
+    const users = await strapi.db.query('admin::user').findMany({
+        where: {
+            roles: {
+                id: roleId
+            }
+        },
+        populate: [
+            'roles'
+        ]
+    });
+    await Promise.allSettled(users.map((user)=>syncApiTokenPermissionsForUser(user.id)));
+};
+/**
+ * Flatten a token's database permissions objects to an array of strings
+ */ const flattenTokenPermissions = (permissions)=>{
+    return fp.isArray(permissions) ? fp.map('action', permissions) : [];
+};
+/**
+ *  Get a token.
+ *  By default the plaintext accessKey is NOT included.
+ *  Pass { includeDecryptedKey: true } to decrypt and return it (owner-only paths).
+ */ const getBy = async (whereParams = {}, options = {})=>{
     if (Object.keys(whereParams).length === 0) {
         return null;
     }
+    const { includeDecryptedKey = false } = options;
+    const selectFields = includeDecryptedKey ? [
+        ...SELECT_FIELDS,
+        'encryptedKey'
+    ] : SELECT_FIELDS;
     const token = await strapi.db.query('admin::api-token').findOne({
-        select: [
-            ...SELECT_FIELDS,
-            'encryptedKey'
-        ],
+        select: selectFields,
         populate: POPULATE_FIELDS,
         where: whereParams
     });
     if (!token) {
         return token;
     }
-    const { encryptedKey, ...rest } = token;
-    if (!encryptedKey) {
-        return flattenTokenPermissions(rest);
+    // Tokens created before kind introduction case: force kind to be content-api
+    const computedKind = token.kind ?? 'content-api';
+    const result = fp.omit([
+        'accessKey',
+        'encryptedKey',
+        'type',
+        'permissions',
+        'adminPermissions',
+        'adminUserOwner'
+    ], token);
+    if (computedKind === 'content-api') {
+        Object.assign(result, {
+            kind: 'content-api',
+            type: token.type,
+            permissions: flattenTokenPermissions(token.permissions)
+        });
+    } else if (computedKind === 'admin') {
+        Object.assign(result, {
+            kind: 'admin',
+            adminPermissions: token.adminPermissions,
+            adminUserOwner: toAdminTokenOwner(token.adminUserOwner)
+        });
     }
-    const accessKey = index.getService('encryption').decrypt(encryptedKey);
-    return flattenTokenPermissions({
-        ...rest,
-        accessKey
-    });
+    if (includeDecryptedKey && token.encryptedKey) {
+        Object.assign(result, {
+            accessKey: index.getService('encryption').decrypt(token.encryptedKey)
+        });
+    }
+    return result;
 };
 /**
  * Check if token exists
@@ -119,54 +506,116 @@ const getExpirationFields = (lifespan)=>{
         throw new ValidationError('lifespan must be a positive number or null');
     }
     return {
-        lifespan: lifespan || null,
+        lifespan: lifespan ?? null,
         expiresAt: lifespan ? Date.now() + lifespan : null
     };
 };
 /**
  * Create a token and its permissions
- */ const create = async (attributes)=>{
+ */ const create = async (attributes, callingUser)=>{
     const encryptionService = index.getService('encryption');
     const accessKey = crypto.randomBytes(128).toString('hex');
     const encryptedKey = encryptionService.encrypt(accessKey);
-    assertCustomTokenPermissionsValidity(attributes.type, attributes.permissions);
     assertValidLifespan(attributes.lifespan);
-    // Create the token
+    if (attributes.kind === 'content-api') {
+        const castedContentApiApiTokenBody = attributes;
+        assertLegacyKindFields(castedContentApiApiTokenBody);
+        assertCustomTokenPermissionsValidity(castedContentApiApiTokenBody.type, castedContentApiApiTokenBody.permissions);
+        // content api tokens have no owner
+        const apiToken = await strapi.db.query('admin::api-token').create({
+            select: SELECT_FIELDS,
+            populate: POPULATE_FIELDS,
+            data: {
+                ...fp.omit([
+                    'permissions',
+                    'adminPermissions',
+                    'adminUserOwner'
+                ], attributes),
+                accessKey: hash(accessKey),
+                encryptedKey,
+                adminUserOwner: null,
+                ...getExpirationFields(castedContentApiApiTokenBody.lifespan ?? null)
+            }
+        });
+        const result = {
+            ...apiToken,
+            accessKey
+        };
+        // If this is a custom type token, create the related content-API permissions
+        if (castedContentApiApiTokenBody.type === constants.API_TOKEN_TYPE.CUSTOM) {
+            // TODO: createMany doesn't seem to create relation properly, implement a better way rather than a ton of queries
+            await Promise.all(fp.uniq(castedContentApiApiTokenBody.permissions).map((action)=>strapi.db.query('admin::api-token-permission').create({
+                    data: {
+                        action,
+                        token: apiToken
+                    }
+                })));
+            const currentPermissions = await strapi.db.query('admin::api-token').load(apiToken, 'permissions');
+            if (currentPermissions) {
+                Object.assign(result, {
+                    permissions: flattenTokenPermissions(currentPermissions)
+                });
+            }
+        }
+        // Casted to any to avoid complex type duplication
+        return fp.omit([
+            'adminPermissions',
+            'adminUserOwner'
+        ], result);
+    }
+    // kind === 'admin'
+    assertAdminKindFields(attributes);
+    const castedAdminTokenBody = attributes;
+    await assertAdminPermissionsValidity(castedAdminTokenBody.adminPermissions);
+    const clampedAdminPermissions = await enforceAdminPermissionsCeiling(callingUser, castedAdminTokenBody.adminPermissions);
+    // Owner: when explicitly provided, it must match the caller.
+    // When omitted, always defaults to the calling user (including super admins).
+    let ownerId;
+    if (castedAdminTokenBody.adminUserOwner !== undefined && castedAdminTokenBody.adminUserOwner !== null) {
+        await assertOwnerMatchesCallingUser(castedAdminTokenBody.adminUserOwner, callingUser);
+        ownerId = castedAdminTokenBody.adminUserOwner;
+    } else {
+        if (callingUser === undefined || callingUser === null) {
+            throw new ValidationError('Creating an admin token requires an authenticated admin user');
+        }
+        ownerId = callingUser.id;
+    }
     const apiToken = await strapi.db.query('admin::api-token').create({
         select: SELECT_FIELDS,
         populate: POPULATE_FIELDS,
         data: {
-            ...fp.omit('permissions', attributes),
+            ...fp.omit([
+                'permissions',
+                'adminPermissions',
+                'adminUserOwner'
+            ], attributes),
             accessKey: hash(accessKey),
             encryptedKey,
-            ...getExpirationFields(attributes.lifespan)
+            adminUserOwner: ownerId,
+            ...getExpirationFields(castedAdminTokenBody.lifespan ?? null)
         }
     });
     const result = {
         ...apiToken,
         accessKey
     };
-    // If this is a custom type token, create and the related permissions
-    if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {
-        // TODO: createMany doesn't seem to create relation properly, implement a better way rather than a ton of queries
-        // const permissionsCount = await strapi.db.query('admin::api-token-permission').createMany({
-        //   populate: POPULATE_FIELDS,
-        //   data: attributes.permissions.map(action => ({ action, token: apiToken })),
-        // });
-        await Promise.all(fp.uniq(attributes.permissions).map((action)=>strapi.db.query('admin::api-token-permission').create({
-                data: {
-                    action,
-                    token: apiToken
-                }
-            })));
-        const currentPermissions = await strapi.db.query('admin::api-token').load(apiToken, 'permissions');
-        if (currentPermissions) {
+    // Handle admin permissions (using ceiling-clamped permissions with inherited conditions)
+    if (clampedAdminPermissions.length > 0) {
+        await createApiTokenAdminPermissions(apiToken.id, clampedAdminPermissions);
+        const currentAdminPermissions = await strapi.db.query('admin::api-token').load(apiToken, 'adminPermissions');
+        if (currentAdminPermissions) {
             Object.assign(result, {
-                permissions: fp.map('action', currentPermissions)
+                adminPermissions: currentAdminPermissions
             });
         }
     }
-    return result;
+    // Casted to any to avoid complex type duplication
+    return {
+        ...fp.omit([
+            'permissions'
+        ], result),
+        adminUserOwner: toAdminTokenOwner(result.adminUserOwner)
+    };
 };
 const regenerate = async (id)=>{
     const accessKey = crypto.randomBytes(128).toString('hex');
@@ -208,50 +657,114 @@ For security reasons, prefer storing the secret in an environment variable and r
     }
 };
 /**
- * Return a list of all tokens and their permissions
- */ const list = async ()=>{
+ * Return a list of tokens visible to the calling user.
+ * Super-admins see all tokens; regular admins see only ownerless tokens and their own.
+ */ const list = async (callingUser, { filter } = {})=>{
+    const ownershipWhere = isSuperAdmin(callingUser) ? {} : {
+        $or: [
+            {
+                adminUserOwner: null
+            },
+            {
+                adminUserOwner: {
+                    id: callingUser.id
+                }
+            }
+        ]
+    };
+    // Tokens without a persisted kind are content-api tokens (pre-migration rows).
+    let kindWhere = {};
+    if (filter?.kind === 'content-api') {
+        kindWhere = {
+            $or: [
+                {
+                    kind: 'content-api'
+                },
+                {
+                    kind: {
+                        $null: true
+                    }
+                }
+            ]
+        };
+    } else if (filter?.kind !== undefined) {
+        kindWhere = {
+            kind: filter.kind
+        };
+    }
+    const where = {
+        ...ownershipWhere,
+        ...kindWhere
+    };
     const tokens = await strapi.db.query('admin::api-token').findMany({
         select: SELECT_FIELDS,
         populate: POPULATE_FIELDS,
         orderBy: {
             name: 'ASC'
-        }
+        },
+        where
     });
     if (!tokens) {
         return tokens;
     }
-    return tokens.map((token)=>flattenTokenPermissions(token));
+    return tokens.map((token)=>token.kind === null || token.kind === 'content-api' ? fp.omit([
+            'adminPermissions',
+            'adminUserOwner'
+        ], {
+            ...token,
+            // Tokens created before kind introduction case: force kind to be content-api
+            kind: 'content-api',
+            permissions: flattenTokenPermissions(token.permissions)
+        }) : {
+            ...fp.omit([
+                'permissions'
+            ], token),
+            adminUserOwner: toAdminTokenOwner(token.adminUserOwner)
+        });
 };
 /**
  * Revoke (delete) a token
  */ const revoke = async (id)=>{
-    return strapi.db.query('admin::api-token').delete({
+    const token = await strapi.db.query('admin::api-token').findOne({
+        where: {
+            id
+        },
+        select: [
+            'id'
+        ],
+        populate: [
+            'adminPermissions'
+        ]
+    });
+    if (token !== null && token !== undefined) {
+        const permissionIds = (token.adminPermissions ?? []).map((p)=>p.id).filter((permId)=>permId !== null && permId !== undefined);
+        if (permissionIds.length > 0) {
+            await index.getService('permission').deleteByIds(permissionIds);
+        }
+    }
+    const deletedToken = await strapi.db.query('admin::api-token').delete({
         select: SELECT_FIELDS,
         populate: POPULATE_FIELDS,
         where: {
             id
         }
     });
-};
-/**
- * Retrieve a token by id
- */ const getById = async (id)=>{
-    return getBy({
-        id
-    });
-};
-/**
- * Retrieve a token by name
- */ const getByName = async (name)=>{
-    return getBy({
-        name
-    });
+    if (deletedToken === null || deletedToken === undefined || deletedToken.kind !== 'admin') {
+        return deletedToken;
+    }
+    return {
+        ...deletedToken,
+        adminUserOwner: toAdminTokenOwner(deletedToken.adminUserOwner)
+    };
 };
 /**
  * Update a token and its permissions
  */ const update = async (id, attributes)=>{
-    // retrieve token without permissions
     const originalToken = await strapi.db.query('admin::api-token').findOne({
+        select: SELECT_FIELDS,
+        populate: [
+            'adminUserOwner'
+        ],
         where: {
             id
         }
@@ -259,55 +772,112 @@ For security reasons, prefer storing the secret in an environment variable and r
     if (!originalToken) {
         throw new NotFoundError('Token not found');
     }
-    const changingTypeToCustom = attributes.type === constants.API_TOKEN_TYPE.CUSTOM && originalToken.type !== constants.API_TOKEN_TYPE.CUSTOM;
-    // if we're updating the permissions on any token type, or changing from non-custom to custom, ensure they're still valid
-    // if neither type nor permissions are changing, we don't need to validate again or else we can't allow partial update
-    if (attributes.permissions || changingTypeToCustom) {
-        assertCustomTokenPermissionsValidity(attributes.type || originalToken.type, attributes.permissions || originalToken.permissions);
+    const raw = attributes;
+    // kind is immutable after creation
+    if (raw.kind !== undefined && raw.kind !== null && raw.kind !== originalToken.kind) {
+        throw new ValidationError('kind is immutable after creation');
     }
     assertValidLifespan(attributes.lifespan);
+    let clampedAdminPermissions;
+    let tokenOwnerUser;
+    if (originalToken.kind === 'content-api') {
+        assertLegacyKindFields(attributes);
+        const incomingType = raw.type;
+        const incomingPermissions = raw.permissions;
+        const resolvedType = incomingType ?? originalToken.type;
+        const changingTypeToCustom = incomingType === constants.API_TOKEN_TYPE.CUSTOM && originalToken.type !== constants.API_TOKEN_TYPE.CUSTOM;
+        // Only re-validate if permissions or type are being changed
+        if (incomingPermissions !== undefined || changingTypeToCustom) {
+            assertCustomTokenPermissionsValidity(resolvedType, incomingPermissions ?? originalToken.permissions);
+        }
+    } else if (originalToken.kind === 'admin') {
+        assertAdminKindFields(attributes);
+        const incomingAdminPermissions = raw.adminPermissions;
+        if (incomingAdminPermissions !== undefined) {
+            await assertAdminPermissionsValidity(incomingAdminPermissions);
+            // Ceiling is always the owner's permissions, not the calling user's.
+            // A super admin editing another user's token must not overflow that user's scope.
+            const ownerId = getOwnerId(originalToken);
+            const resolvedOwner = await index.getService('user').findOne(ownerId);
+            if (resolvedOwner === null || resolvedOwner === undefined) {
+                throw new ValidationError('Token owner no longer exists');
+            }
+            tokenOwnerUser = resolvedOwner;
+            clampedAdminPermissions = await enforceAdminPermissionsCeiling(tokenOwnerUser, incomingAdminPermissions);
+        }
+        const incomingAdminUserOwner = raw.adminUserOwner;
+        if (incomingAdminUserOwner !== undefined) {
+            // Owner is immutable; the provided value must match the existing one
+            const existingOwner = originalToken.adminUserOwner;
+            const existingOwnerId = existingOwner === null || existingOwner === undefined ? null : String(typeof existingOwner === 'object' ? existingOwner.id : existingOwner);
+            const requestedOwnerId = incomingAdminUserOwner === null ? null : String(incomingAdminUserOwner);
+            if (requestedOwnerId !== existingOwnerId) {
+                throw new ValidationError('adminUserOwner cannot be changed on update');
+            }
+        }
+    }
     const updatedToken = await strapi.db.query('admin::api-token').update({
         select: SELECT_FIELDS,
         where: {
             id
         },
-        data: fp.omit('permissions', attributes)
+        // kind is immutable — strip it along with relation fields so the DB write is clean
+        data: fp.omit([
+            'kind',
+            'permissions',
+            'adminPermissions',
+            'adminUserOwner'
+        ], attributes)
     });
-    // custom tokens need to have their permissions updated as well
-    if (updatedToken.type === constants.API_TOKEN_TYPE.CUSTOM && attributes.permissions) {
-        const currentPermissionsResult = await strapi.db.query('admin::api-token').load(updatedToken, 'permissions');
-        const currentPermissions = fp.map('action', currentPermissionsResult || []);
-        const newPermissions = fp.uniq(attributes.permissions);
-        const actionsToDelete = fp.difference(currentPermissions, newPermissions);
-        const actionsToAdd = fp.difference(newPermissions, currentPermissions);
-        // TODO: improve efficiency here
-        // method using a loop -- works but very inefficient
-        await Promise.all(actionsToDelete.map((action)=>strapi.db.query('admin::api-token-permission').delete({
+    if (originalToken.kind === 'content-api') {
+        const incomingPermissions = raw.permissions;
+        // custom tokens need to have their permissions updated as well
+        if (updatedToken.type === constants.API_TOKEN_TYPE.CUSTOM && incomingPermissions !== undefined) {
+            const currentPermissionsResult = await strapi.db.query('admin::api-token').load(updatedToken, 'permissions');
+            const currentPermissions = fp.map('action', currentPermissionsResult || []);
+            const newPermissions = fp.uniq(incomingPermissions || []);
+            const actionsToDelete = fp.difference(currentPermissions, newPermissions);
+            const actionsToAdd = fp.difference(newPermissions, currentPermissions);
+            // TODO: improve efficiency here
+            await Promise.all(actionsToDelete.map((action)=>strapi.db.query('admin::api-token-permission').delete({
+                    where: {
+                        action,
+                        token: id
+                    }
+                })));
+            // TODO: improve efficiency here
+            await Promise.all(actionsToAdd.map((action)=>strapi.db.query('admin::api-token-permission').create({
+                    data: {
+                        action,
+                        token: id
+                    }
+                })));
+        } else if (updatedToken.type !== constants.API_TOKEN_TYPE.CUSTOM) {
+            await strapi.db.query('admin::api-token-permission').delete({
                 where: {
-                    action,
                     token: id
                 }
-            })));
-        // TODO: improve efficiency here
-        // using a loop -- works but very inefficient
-        await Promise.all(actionsToAdd.map((action)=>strapi.db.query('admin::api-token-permission').create({
-                data: {
-                    action,
-                    token: id
-                }
-            })));
-    } else if (updatedToken.type !== constants.API_TOKEN_TYPE.CUSTOM) {
-        await strapi.db.query('admin::api-token-permission').delete({
-            where: {
-                token: id
-            }
-        });
+            });
+        }
+        const permissionsFromDb = await strapi.db.query('admin::api-token').load(updatedToken, 'permissions');
+        return {
+            ...updatedToken,
+            permissions: permissionsFromDb ? permissionsFromDb.map((p)=>p.action) : undefined
+        };
+    }
+    // kind === 'admin'
+    if (clampedAdminPermissions !== undefined) {
+        if (tokenOwnerUser === undefined) {
+            throw new ValidationError('Updating admin permissions requires a resolved token owner');
+        }
+        await assignAdminPermissionsToToken(id, clampedAdminPermissions, tokenOwnerUser);
     }
-    // retrieve permissions
-    const permissionsFromDb = await strapi.db.query('admin::api-token').load(updatedToken, 'permissions');
+    const adminPermissionsFromDb = await strapi.db.query('admin::api-token').load(updatedToken, 'adminPermissions');
+    const adminUserOwnerFromDb = await strapi.db.query('admin::api-token').load(updatedToken, 'adminUserOwner');
     return {
         ...updatedToken,
-        permissions: permissionsFromDb ? permissionsFromDb.map((p)=>p.action) : undefined
+        adminPermissions: adminPermissionsFromDb || [],
+        adminUserOwner: toAdminTokenOwner(adminUserOwnerFromDb)
     };
 };
 const count = async (where = {})=>{
@@ -315,17 +885,151 @@ const count = async (where = {})=>{
         where
     });
 };
+/**
+ * Delete all admin API tokens owned by the given user, including their associated admin permissions.
+ * Called when the owner user is deleted so tokens don't linger with a dangling owner FK.
+ */ const deleteAdminTokensForUser = async (userId)=>{
+    const tokens = await strapi.db.query('admin::api-token').findMany({
+        where: {
+            kind: 'admin',
+            adminUserOwner: {
+                id: userId
+            }
+        },
+        select: [
+            'id'
+        ],
+        populate: [
+            'adminPermissions'
+        ]
+    });
+    for (const token of tokens){
+        const permissionIds = (token.adminPermissions ?? []).map((p)=>p.id).filter((id)=>id !== null && id !== undefined);
+        if (permissionIds.length > 0) {
+            await index.getService('permission').deleteByIds(permissionIds);
+        }
+        await strapi.db.query('admin::api-token').delete({
+            where: {
+                id: token.id
+            }
+        });
+    }
+};
+function createTokenService(kind) {
+    const shared = {
+        hash,
+        checkSaltIsDefined,
+        getByAccessKey: (accessKeyHash, options)=>getBy({
+                accessKey: accessKeyHash
+            }, options),
+        countAll: count,
+        reconcileTokenPermissionsToUserCeiling
+    };
+    if (kind === 'content-api') {
+        const svc = {
+            ...shared,
+            create: (attributes, callingUser)=>create({
+                    ...attributes,
+                    kind: 'content-api'
+                }, callingUser),
+            list: (callingUser)=>list(callingUser, {
+                    filter: {
+                        kind: 'content-api'
+                    }
+                }),
+            getById: (id, options)=>getBy({
+                    $and: [
+                        {
+                            id
+                        },
+                        {
+                            $or: [
+                                {
+                                    kind: 'content-api'
+                                },
+                                {
+                                    kind: {
+                                        $null: true
+                                    }
+                                }
+                            ]
+                        }
+                    ]
+                }, options),
+            getByName: (name, options)=>getBy({
+                    $and: [
+                        {
+                            name
+                        },
+                        {
+                            $or: [
+                                {
+                                    kind: 'content-api'
+                                },
+                                {
+                                    kind: {
+                                        $null: true
+                                    }
+                                }
+                            ]
+                        }
+                    ]
+                }, options),
+            update: (id, attributes)=>update(id, attributes),
+            revoke: (id)=>revoke(id),
+            regenerate: (id)=>regenerate(id),
+            exists,
+            count
+        };
+        return svc;
+    }
+    const svc = {
+        ...shared,
+        create: (attributes, callingUser)=>create({
+                ...attributes,
+                kind: 'admin'
+            }, callingUser),
+        list: (callingUser)=>list(callingUser, {
+                filter: {
+                    kind: 'admin'
+                }
+            }),
+        getById: (id, options)=>getBy({
+                id,
+                kind: 'admin'
+            }, options),
+        getByName: (name, options)=>getBy({
+                name,
+                kind: 'admin'
+            }, options),
+        update: (id, attributes)=>update(id, attributes),
+        revoke: (id)=>revoke(id),
+        regenerate: (id)=>regenerate(id),
+        exists,
+        count,
+        assignAdminPermissionsToToken,
+        syncPermissionsForUser: syncApiTokenPermissionsForUser,
+        syncPermissionsForRole: syncApiTokenPermissionsForRole,
+        deleteTokensForUser: deleteAdminTokensForUser
+    };
+    return svc;
+}
+exports.assignAdminPermissionsToToken = assignAdminPermissionsToToken;
 exports.checkSaltIsDefined = checkSaltIsDefined;
 exports.count = count;
 exports.create = create;
+exports.createTokenService = createTokenService;
+exports.deleteAdminTokensForUser = deleteAdminTokensForUser;
+exports.enforceAdminPermissionsCeiling = enforceAdminPermissionsCeiling;
 exports.exists = exists;
 exports.getBy = getBy;
-exports.getById = getById;
-exports.getByName = getByName;
 exports.hash = hash;
 exports.list = list;
+exports.reconcileTokenPermissionsToUserCeiling = reconcileTokenPermissionsToUserCeiling;
 exports.regenerate = regenerate;
 exports.revoke = revoke;
+exports.syncApiTokenPermissionsForRole = syncApiTokenPermissionsForRole;
+exports.syncApiTokenPermissionsForUser = syncApiTokenPermissionsForUser;
 exports.update = update;
 //# sourceMappingURL=api-token.js.map