@strapi/admin 5.44.0 → 5.45.0

package/dist/server/server/src/services/api-token.mjs

@@ -1,12 +1,58 @@
 import crypto from 'crypto';
-import { omit, uniq, map, difference, isEmpty, isArray, isNumber, isNil } from 'lodash/fp';
+import { pick, uniq, differenceWith, prop, omit, map, difference, isEqual, isEmpty, isArray, isNumber, isNil } from 'lodash/fp';
 import { errors } from '@strapi/utils';
 import constants from './constants.mjs';
 import { getService } from '../utils/index.mjs';
+import permissionDomain from '../domain/permission/index.mjs';
+import { validatePermissionsExist } from '../validation/permission.mjs';
 
+const { SUPER_ADMIN_CODE } = constants;
 const { ValidationError, NotFoundError } = errors;
+const assertOwnerMatchesCallingUser = async (adminUserOwner, callingUser)=>{
+    if (callingUser === undefined || callingUser === null) {
+        throw new ValidationError('adminUserOwner requires an authenticated admin user');
+    }
+    const ownerId = String(adminUserOwner);
+    const callingUserId = String(callingUser.id);
+    if (ownerId !== callingUserId) {
+        throw new ValidationError('adminUserOwner must match the authenticated admin user');
+    }
+    const existingUser = await strapi.db.query('admin::user').findOne({
+        select: [
+            'id'
+        ],
+        where: {
+            id: callingUser.id
+        }
+    });
+    if (existingUser === null || existingUser === undefined) {
+        throw new ValidationError('adminUserOwner must reference an existing admin user');
+    }
+};
+const isSuperAdmin = (user)=>user?.roles?.some((r)=>r.code === SUPER_ADMIN_CODE) === true;
+const getOwnerId = (token)=>{
+    const owner = token.adminUserOwner;
+    return String(typeof owner === 'object' ? owner.id : owner);
+};
+const toAdminTokenOwner = (owner)=>{
+    if (owner === null || owner === undefined) {
+        throw new Error('adminUserOwner is required');
+    }
+    // Bare id
+    if (typeof owner === 'number' || typeof owner === 'string') {
+        return owner;
+    }
+    return {
+        id: owner.id,
+        firstname: owner.firstname,
+        lastname: owner.lastname,
+        username: owner.username,
+        email: owner.email
+    };
+};
 const SELECT_FIELDS = [
     'id',
+    'kind',
     'name',
     'description',
     'lastUsedAt',
@@ -17,7 +63,9 @@ const SELECT_FIELDS = [
     'updatedAt'
 ];
 const POPULATE_FIELDS = [
-    'permissions'
+    'permissions',
+    'adminPermissions',
+    'adminUserOwner'
 ];
 // TODO: we need to ensure the permissions are actually valid registered permissions!
 /**
@@ -60,42 +108,381 @@ const POPULATE_FIELDS = [
     }
 };
 /**
- * Flatten a token's database permissions objects to an array of strings
- */ const flattenTokenPermissions = (token)=>{
-    if (!token) {
-        return token;
+ * Assert that a legacy-kind token body does not carry admin-only fields
+ */ const assertLegacyKindFields = (attributes)=>{
+    const raw = attributes;
+    if (raw.adminPermissions !== undefined && raw.adminPermissions !== null) {
+        throw new ValidationError('Legacy tokens cannot carry admin permissions');
+    }
+    if (raw.adminUserOwner !== undefined && raw.adminUserOwner !== null) {
+        throw new ValidationError('Legacy tokens cannot have an admin user owner');
+    }
+};
+/**
+ * Assert that an admin-kind token body does not carry legacy-only fields
+ */ const assertAdminKindFields = (attributes)=>{
+    const raw = attributes;
+    if (raw.type !== undefined && raw.type !== null) {
+        throw new ValidationError('Admin tokens cannot carry a legacy type (custom/read-only/full-access)');
+    }
+    if (raw.permissions !== undefined && raw.permissions !== null) {
+        throw new ValidationError('Admin tokens cannot carry legacy content-API permissions');
+    }
+};
+/**
+ * Assert that admin permissions are valid
+ */ const assertAdminPermissionsValidity = async (adminPermissions)=>{
+    if (!adminPermissions || adminPermissions.length === 0) {
+        return;
+    }
+    // Validate that all actions exist in the admin action provider
+    const validActions = getService('permission').actionProvider.keys();
+    for (const perm of adminPermissions){
+        if (!validActions.includes(perm.action)) {
+            throw new ValidationError(`Unknown admin action: ${perm.action}`);
+        }
+    }
+    // Use existing permission validation
+    await validatePermissionsExist(adminPermissions);
+};
+/**
+ * Enforce that every requested admin permission stays within the calling
+ * user's own permission ceiling, then return the clamped permissions.
+ *
+ * Super-admins bypass this (they hold every permission).
+ * When admin permissions are requested, an authenticated user is required (no bypass when user is missing).
+ *
+ * For each requested permission:
+ *  - action + subject must match at least one user permission
+ *  - properties.fields must be ⊆ user's properties.fields
+ *    (if the user's permission defines no fields, all fields are allowed)
+ *  - conditions are inherited from the user's matching permission(s);
+ *    the caller cannot configure conditions on their own tokens
+ *
+ * Returns the permissions with conditions enforced from the user's role.
+ * Throws ValidationError if any permission exceeds the user's ceiling.
+ *
+ * Guaranteed postcondition: all returned permissions have conditions filtered to
+ * registered conditions only, regardless of the user type.
+ */ const enforceAdminPermissionsCeiling = async (user, requestedPermissions)=>{
+    if (!requestedPermissions || requestedPermissions.length === 0) {
+        return requestedPermissions || [];
+    }
+    if (user === undefined || user === null) {
+        throw new ValidationError('Admin permission ceiling cannot be enforced without an authenticated user');
+    }
+    if (isSuperAdmin(user)) {
+        // Sanitize conditions even for super-admins so this function is a complete boundary.
+        // createApiTokenAdminPermissions also sanitizes, but relying on that downstream
+        // is fragile — any future call path that skips it would store invalid conditions.
+        const { conditionProvider } = getService('permission');
+        const sanitize = permissionDomain.sanitizeConditions(conditionProvider);
+        return requestedPermissions.map((perm)=>{
+            const sanitized = sanitize({
+                ...perm,
+                actionParameters: {}
+            });
+            return {
+                ...perm,
+                conditions: sanitized.conditions
+            };
+        });
+    }
+    const userPermissions = await getService('permission').findUserPermissions(user);
+    const exceeding = [];
+    const clamped = requestedPermissions.map((requested)=>{
+        const requestedSubject = requested.subject || null;
+        // Find all user permissions matching action + subject
+        const matchingUserPerms = userPermissions.filter((userPerm)=>{
+            if (userPerm.action !== requested.action) return false;
+            const userSubject = userPerm.subject || null;
+            return requestedSubject === userSubject;
+        });
+        const label = requestedSubject !== null ? `${requested.action} on ${requestedSubject}` : requested.action;
+        if (matchingUserPerms.length === 0) {
+            exceeding.push(label);
+            return requested;
+        }
+        // --- Field-level ceiling ---
+        // If any matching user perm has no fields defined → all fields are allowed.
+        // Otherwise, effective user fields = union of all matching perms' fields.
+        const anyUserPermHasAllFields = matchingUserPerms.some((p)=>!p.properties?.fields || p.properties.fields.length === 0);
+        const requestedFields = requested.properties?.fields;
+        if (!anyUserPermHasAllFields) {
+            const effectiveUserFields = uniq(matchingUserPerms.flatMap((p)=>p.properties?.fields || []));
+            // When the owner is field-restricted, omitting fields would widen access to all fields.
+            // Force explicit field selection so token scope can't exceed the owner's ceiling.
+            if (requestedFields === undefined || requestedFields === null) {
+                exceeding.push(`${label} (fields are required due to owner field restrictions)`);
+                return requested;
+            }
+            if (requestedFields.length > 0) {
+                const exceedingFields = requestedFields.filter((f)=>!effectiveUserFields.includes(f));
+                if (exceedingFields.length > 0) {
+                    exceeding.push(`${label} (fields: ${exceedingFields.join(', ')})`);
+                    return requested;
+                }
+            }
+        }
+        // --- Condition-level ceiling ---
+        // Conditions are always inherited from the user's matching permission(s).
+        // If any matching user perm is unconditional → token gets no conditions.
+        // Otherwise → union of conditions across matching perms.
+        const anyUserPermIsUnconditional = matchingUserPerms.some((p)=>!p.conditions || p.conditions.length === 0);
+        const enforcedConditions = anyUserPermIsUnconditional ? [] : uniq(matchingUserPerms.flatMap((p)=>p.conditions || []));
+        return {
+            ...requested,
+            conditions: enforcedConditions
+        };
+    });
+    if (exceeding.length > 0) {
+        throw new ValidationError(`Cannot assign admin permissions that exceed your own. ` + `Exceeding: ${exceeding.join(', ')}`);
+    }
+    return clamped;
+};
+/**
+ * Create admin permissions for an API token
+ */ const createApiTokenAdminPermissions = async (tokenId, permissions)=>{
+    const { conditionProvider } = getService('permission');
+    const sanitizeConditions = permissionDomain.sanitizeConditions(conditionProvider);
+    const permissionsWithToken = permissions.map((perm)=>{
+        const permAsPermission = {
+            ...perm,
+            actionParameters: {}
+        };
+        const sanitized = sanitizeConditions(permAsPermission);
+        return permissionDomain.create({
+            ...sanitized,
+            apiToken: tokenId,
+            role: null
+        });
+    });
+    const createdPermissions = await getService('permission').createMany(permissionsWithToken);
+    return createdPermissions;
+};
+/**
+ * Fields to compare when checking if two permissions are equal
+ */ const COMPARABLE_FIELDS = [
+    'conditions',
+    'properties',
+    'subject',
+    'action',
+    'actionParameters'
+];
+const pickComparableFields = pick(COMPARABLE_FIELDS);
+/**
+ * Helper to clean JSON (remove undefined values)
+ */ const jsonClean = (data)=>JSON.parse(JSON.stringify(data));
+/**
+ * Compare two permissions for equality
+ */ const arePermissionsEqual = (p1, p2)=>{
+    if (p1.action === p2.action) {
+        return isEqual(jsonClean(pickComparableFields(p1)), jsonClean(pickComparableFields(p2)));
     }
+    return false;
+};
+/**
+ * Assign admin permissions to an API token (similar to role permission assignment).
+ * ceilingUser is the user whose permissions act as the ceiling — always the token owner,
+ * regardless of who is making the request.
+ */ const assignAdminPermissionsToToken = async (tokenId, permissions, ceilingUser)=>{
+    await validatePermissionsExist(permissions);
+    const clampedPermissions = await enforceAdminPermissionsCeiling(ceilingUser, permissions);
+    const permissionsWithToken = clampedPermissions.map((perm)=>permissionDomain.create({
+            ...perm,
+            apiToken: tokenId,
+            role: null
+        }));
+    const existingPermissions = await getService('permission').findMany({
+        where: {
+            apiToken: {
+                id: tokenId
+            }
+        }
+    });
+    const permissionsToAdd = differenceWith(arePermissionsEqual, permissionsWithToken, existingPermissions);
+    const permissionsToDelete = differenceWith(arePermissionsEqual, existingPermissions, permissionsWithToken);
+    if (permissionsToDelete.length > 0) {
+        await getService('permission').deleteByIds(permissionsToDelete.map(prop('id')));
+    }
+    if (permissionsToAdd.length > 0) {
+        await createApiTokenAdminPermissions(tokenId, permissionsToAdd);
+    }
+    // Return all current permissions
+    const allCurrentPermissions = await getService('permission').findMany({
+        where: {
+            apiToken: {
+                id: tokenId
+            }
+        }
+    });
+    return allCurrentPermissions;
+};
+/**
+ * Reconcile a token's admin permissions against the owner's current effective ceiling.
+ *
+ * Pure / sync — no DB calls. Returns two buckets:
+ *   toDelete  – permissions that are no longer within the user's scope (action/subject missing
+ *               or requested fields exceed the allowed set)
+ *   toUpdate  – permissions that are still in scope but whose conditions must be re-clamped
+ *               to the current union of the matching user permissions' conditions
+ */ const reconcileTokenPermissionsToUserCeiling = (userPermissions, tokenPermissions)=>{
+    const toDelete = [];
+    const toUpdate = [];
+    tokenPermissions.forEach((tokenPerm)=>{
+        const tokenSubject = tokenPerm.subject || null;
+        const matchingUserPerms = userPermissions.filter((userPerm)=>userPerm.action === tokenPerm.action && (userPerm.subject || null) === tokenSubject);
+        if (matchingUserPerms.length === 0) {
+            toDelete.push(tokenPerm);
+            return;
+        }
+        // Field-level ceiling check (mirrors enforceAdminPermissionsCeiling)
+        const anyUserPermHasAllFields = matchingUserPerms.some((p)=>!p.properties?.fields || p.properties.fields.length === 0);
+        const tokenFields = tokenPerm.properties?.fields;
+        const fieldCeilingExceeded = !anyUserPermHasAllFields && tokenFields !== undefined && tokenFields !== null && tokenFields.length > 0 && (()=>{
+            const effectiveUserFields = uniq(matchingUserPerms.flatMap((p)=>p.properties?.fields || []));
+            return tokenFields.some((f)=>!effectiveUserFields.includes(f));
+        })();
+        if (fieldCeilingExceeded) {
+            toDelete.push(tokenPerm);
+            return;
+        }
+        // Condition: force conditions to be the ones of the user permission(s)
+        const anyUserPermIsUnconditional = matchingUserPerms.some((p)=>!p.conditions || p.conditions.length === 0);
+        const enforcedConditions = anyUserPermIsUnconditional ? [] : uniq(matchingUserPerms.flatMap((p)=>p.conditions || []));
+        const currentConditions = tokenPerm.conditions || [];
+        const conditionsChanged = enforcedConditions.length !== currentConditions.length || enforcedConditions.some((c)=>!currentConditions.includes(c));
+        if (conditionsChanged) {
+            toUpdate.push({
+                id: tokenPerm.id,
+                conditions: enforcedConditions
+            });
+        }
+    });
     return {
-        ...token,
-        permissions: isArray(token.permissions) ? map('action', token.permissions) : token.permissions
+        toDelete,
+        toUpdate
     };
 };
 /**
- *  Get a token
- */ const getBy = async (whereParams = {})=>{
+ * Re-sync all admin token permissions for a given user against their current effective ceiling.
+ *
+ * Skips super-admins (no ceiling). For each admin token owned by the user:
+ *   - Deletes permissions that are no longer within the user's scope
+ *   - Updates conditions on permissions whose conditions have drifted from the role's current set
+ */ const syncApiTokenPermissionsForUser = async (userId)=>{
+    const user = await strapi.db.query('admin::user').findOne({
+        where: {
+            id: userId
+        },
+        populate: [
+            'roles'
+        ]
+    });
+    if (user === null || user === undefined) return;
+    if (isSuperAdmin(user)) return;
+    const userEffectivePermissions = await getService('permission').findUserPermissions(user);
+    const tokens = await strapi.db.query('admin::api-token').findMany({
+        where: {
+            kind: 'admin',
+            adminUserOwner: {
+                id: userId
+            }
+        },
+        populate: [
+            'adminPermissions'
+        ]
+    });
+    const tokensWithPermissions = tokens.filter((token)=>Array.isArray(token.adminPermissions) && token.adminPermissions.length > 0);
+    for (const token of tokensWithPermissions){
+        const tokenPermissions = token.adminPermissions;
+        const { toDelete, toUpdate } = reconcileTokenPermissionsToUserCeiling(userEffectivePermissions, tokenPermissions);
+        if (toDelete.length > 0) {
+            await getService('permission').deleteByIds(toDelete.map((p)=>p.id));
+        }
+        for (const { id, conditions } of toUpdate){
+            await strapi.db.query('admin::permission').update({
+                where: {
+                    id
+                },
+                data: {
+                    conditions
+                }
+            });
+        }
+    }
+};
+/**
+ * Re-sync admin token permissions for all admin users who hold a given role.
+ * Called after role permissions are updated.
+ */ const syncApiTokenPermissionsForRole = async (roleId)=>{
+    const users = await strapi.db.query('admin::user').findMany({
+        where: {
+            roles: {
+                id: roleId
+            }
+        },
+        populate: [
+            'roles'
+        ]
+    });
+    await Promise.allSettled(users.map((user)=>syncApiTokenPermissionsForUser(user.id)));
+};
+/**
+ * Flatten a token's database permissions objects to an array of strings
+ */ const flattenTokenPermissions = (permissions)=>{
+    return isArray(permissions) ? map('action', permissions) : [];
+};
+/**
+ *  Get a token.
+ *  By default the plaintext accessKey is NOT included.
+ *  Pass { includeDecryptedKey: true } to decrypt and return it (owner-only paths).
+ */ const getBy = async (whereParams = {}, options = {})=>{
     if (Object.keys(whereParams).length === 0) {
         return null;
     }
+    const { includeDecryptedKey = false } = options;
+    const selectFields = includeDecryptedKey ? [
+        ...SELECT_FIELDS,
+        'encryptedKey'
+    ] : SELECT_FIELDS;
     const token = await strapi.db.query('admin::api-token').findOne({
-        select: [
-            ...SELECT_FIELDS,
-            'encryptedKey'
-        ],
+        select: selectFields,
         populate: POPULATE_FIELDS,
         where: whereParams
     });
     if (!token) {
         return token;
     }
-    const { encryptedKey, ...rest } = token;
-    if (!encryptedKey) {
-        return flattenTokenPermissions(rest);
+    // Tokens created before kind introduction case: force kind to be content-api
+    const computedKind = token.kind ?? 'content-api';
+    const result = omit([
+        'accessKey',
+        'encryptedKey',
+        'type',
+        'permissions',
+        'adminPermissions',
+        'adminUserOwner'
+    ], token);
+    if (computedKind === 'content-api') {
+        Object.assign(result, {
+            kind: 'content-api',
+            type: token.type,
+            permissions: flattenTokenPermissions(token.permissions)
+        });
+    } else if (computedKind === 'admin') {
+        Object.assign(result, {
+            kind: 'admin',
+            adminPermissions: token.adminPermissions,
+            adminUserOwner: toAdminTokenOwner(token.adminUserOwner)
+        });
     }
-    const accessKey = getService('encryption').decrypt(encryptedKey);
-    return flattenTokenPermissions({
-        ...rest,
-        accessKey
-    });
+    if (includeDecryptedKey && token.encryptedKey) {
+        Object.assign(result, {
+            accessKey: getService('encryption').decrypt(token.encryptedKey)
+        });
+    }
+    return result;
 };
 /**
  * Check if token exists
@@ -117,54 +504,116 @@ const getExpirationFields = (lifespan)=>{
         throw new ValidationError('lifespan must be a positive number or null');
     }
     return {
-        lifespan: lifespan || null,
+        lifespan: lifespan ?? null,
         expiresAt: lifespan ? Date.now() + lifespan : null
     };
 };
 /**
  * Create a token and its permissions
- */ const create = async (attributes)=>{
+ */ const create = async (attributes, callingUser)=>{
     const encryptionService = getService('encryption');
     const accessKey = crypto.randomBytes(128).toString('hex');
     const encryptedKey = encryptionService.encrypt(accessKey);
-    assertCustomTokenPermissionsValidity(attributes.type, attributes.permissions);
     assertValidLifespan(attributes.lifespan);
-    // Create the token
+    if (attributes.kind === 'content-api') {
+        const castedContentApiApiTokenBody = attributes;
+        assertLegacyKindFields(castedContentApiApiTokenBody);
+        assertCustomTokenPermissionsValidity(castedContentApiApiTokenBody.type, castedContentApiApiTokenBody.permissions);
+        // content api tokens have no owner
+        const apiToken = await strapi.db.query('admin::api-token').create({
+            select: SELECT_FIELDS,
+            populate: POPULATE_FIELDS,
+            data: {
+                ...omit([
+                    'permissions',
+                    'adminPermissions',
+                    'adminUserOwner'
+                ], attributes),
+                accessKey: hash(accessKey),
+                encryptedKey,
+                adminUserOwner: null,
+                ...getExpirationFields(castedContentApiApiTokenBody.lifespan ?? null)
+            }
+        });
+        const result = {
+            ...apiToken,
+            accessKey
+        };
+        // If this is a custom type token, create the related content-API permissions
+        if (castedContentApiApiTokenBody.type === constants.API_TOKEN_TYPE.CUSTOM) {
+            // TODO: createMany doesn't seem to create relation properly, implement a better way rather than a ton of queries
+            await Promise.all(uniq(castedContentApiApiTokenBody.permissions).map((action)=>strapi.db.query('admin::api-token-permission').create({
+                    data: {
+                        action,
+                        token: apiToken
+                    }
+                })));
+            const currentPermissions = await strapi.db.query('admin::api-token').load(apiToken, 'permissions');
+            if (currentPermissions) {
+                Object.assign(result, {
+                    permissions: flattenTokenPermissions(currentPermissions)
+                });
+            }
+        }
+        // Casted to any to avoid complex type duplication
+        return omit([
+            'adminPermissions',
+            'adminUserOwner'
+        ], result);
+    }
+    // kind === 'admin'
+    assertAdminKindFields(attributes);
+    const castedAdminTokenBody = attributes;
+    await assertAdminPermissionsValidity(castedAdminTokenBody.adminPermissions);
+    const clampedAdminPermissions = await enforceAdminPermissionsCeiling(callingUser, castedAdminTokenBody.adminPermissions);
+    // Owner: when explicitly provided, it must match the caller.
+    // When omitted, always defaults to the calling user (including super admins).
+    let ownerId;
+    if (castedAdminTokenBody.adminUserOwner !== undefined && castedAdminTokenBody.adminUserOwner !== null) {
+        await assertOwnerMatchesCallingUser(castedAdminTokenBody.adminUserOwner, callingUser);
+        ownerId = castedAdminTokenBody.adminUserOwner;
+    } else {
+        if (callingUser === undefined || callingUser === null) {
+            throw new ValidationError('Creating an admin token requires an authenticated admin user');
+        }
+        ownerId = callingUser.id;
+    }
     const apiToken = await strapi.db.query('admin::api-token').create({
         select: SELECT_FIELDS,
         populate: POPULATE_FIELDS,
         data: {
-            ...omit('permissions', attributes),
+            ...omit([
+                'permissions',
+                'adminPermissions',
+                'adminUserOwner'
+            ], attributes),
             accessKey: hash(accessKey),
             encryptedKey,
-            ...getExpirationFields(attributes.lifespan)
+            adminUserOwner: ownerId,
+            ...getExpirationFields(castedAdminTokenBody.lifespan ?? null)
         }
     });
     const result = {
         ...apiToken,
         accessKey
     };
-    // If this is a custom type token, create and the related permissions
-    if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {
-        // TODO: createMany doesn't seem to create relation properly, implement a better way rather than a ton of queries
-        // const permissionsCount = await strapi.db.query('admin::api-token-permission').createMany({
-        //   populate: POPULATE_FIELDS,
-        //   data: attributes.permissions.map(action => ({ action, token: apiToken })),
-        // });
-        await Promise.all(uniq(attributes.permissions).map((action)=>strapi.db.query('admin::api-token-permission').create({
-                data: {
-                    action,
-                    token: apiToken
-                }
-            })));
-        const currentPermissions = await strapi.db.query('admin::api-token').load(apiToken, 'permissions');
-        if (currentPermissions) {
+    // Handle admin permissions (using ceiling-clamped permissions with inherited conditions)
+    if (clampedAdminPermissions.length > 0) {
+        await createApiTokenAdminPermissions(apiToken.id, clampedAdminPermissions);
+        const currentAdminPermissions = await strapi.db.query('admin::api-token').load(apiToken, 'adminPermissions');
+        if (currentAdminPermissions) {
             Object.assign(result, {
-                permissions: map('action', currentPermissions)
+                adminPermissions: currentAdminPermissions
             });
         }
     }
-    return result;
+    // Casted to any to avoid complex type duplication
+    return {
+        ...omit([
+            'permissions'
+        ], result),
+        adminUserOwner: toAdminTokenOwner(result.adminUserOwner)
+    };
 };
 const regenerate = async (id)=>{
     const accessKey = crypto.randomBytes(128).toString('hex');
@@ -206,50 +655,114 @@ For security reasons, prefer storing the secret in an environment variable and r
     }
 };
 /**
- * Return a list of all tokens and their permissions
- */ const list = async ()=>{
+ * Return a list of tokens visible to the calling user.
+ * Super-admins see all tokens; regular admins see only ownerless tokens and their own.
+ */ const list = async (callingUser, { filter } = {})=>{
+    const ownershipWhere = isSuperAdmin(callingUser) ? {} : {
+        $or: [
+            {
+                adminUserOwner: null
+            },
+            {
+                adminUserOwner: {
+                    id: callingUser.id
+                }
+            }
+        ]
+    };
+    // Tokens without a persisted kind are content-api tokens (pre-migration rows).
+    let kindWhere = {};
+    if (filter?.kind === 'content-api') {
+        kindWhere = {
+            $or: [
+                {
+                    kind: 'content-api'
+                },
+                {
+                    kind: {
+                        $null: true
+                    }
+                }
+            ]
+        };
+    } else if (filter?.kind !== undefined) {
+        kindWhere = {
+            kind: filter.kind
+        };
+    }
+    const where = {
+        ...ownershipWhere,
+        ...kindWhere
+    };
     const tokens = await strapi.db.query('admin::api-token').findMany({
         select: SELECT_FIELDS,
         populate: POPULATE_FIELDS,
         orderBy: {
             name: 'ASC'
-        }
+        },
+        where
     });
     if (!tokens) {
         return tokens;
     }
-    return tokens.map((token)=>flattenTokenPermissions(token));
+    return tokens.map((token)=>token.kind === null || token.kind === 'content-api' ? omit([
+            'adminPermissions',
+            'adminUserOwner'
+        ], {
+            ...token,
+            // Tokens created before kind introduction case: force kind to be content-api
+            kind: 'content-api',
+            permissions: flattenTokenPermissions(token.permissions)
+        }) : {
+            ...omit([
+                'permissions'
+            ], token),
+            adminUserOwner: toAdminTokenOwner(token.adminUserOwner)
+        });
 };
 /**
  * Revoke (delete) a token
  */ const revoke = async (id)=>{
-    return strapi.db.query('admin::api-token').delete({
+    const token = await strapi.db.query('admin::api-token').findOne({
+        where: {
+            id
+        },
+        select: [
+            'id'
+        ],
+        populate: [
+            'adminPermissions'
+        ]
+    });
+    if (token !== null && token !== undefined) {
+        const permissionIds = (token.adminPermissions ?? []).map((p)=>p.id).filter((permId)=>permId !== null && permId !== undefined);
+        if (permissionIds.length > 0) {
+            await getService('permission').deleteByIds(permissionIds);
+        }
+    }
+    const deletedToken = await strapi.db.query('admin::api-token').delete({
         select: SELECT_FIELDS,
         populate: POPULATE_FIELDS,
         where: {
             id
         }
     });
-};
-/**
- * Retrieve a token by id
- */ const getById = async (id)=>{
-    return getBy({
-        id
-    });
-};
-/**
- * Retrieve a token by name
- */ const getByName = async (name)=>{
-    return getBy({
-        name
-    });
+    if (deletedToken === null || deletedToken === undefined || deletedToken.kind !== 'admin') {
+        return deletedToken;
+    }
+    return {
+        ...deletedToken,
+        adminUserOwner: toAdminTokenOwner(deletedToken.adminUserOwner)
+    };
 };
 /**
  * Update a token and its permissions
  */ const update = async (id, attributes)=>{
-    // retrieve token without permissions
     const originalToken = await strapi.db.query('admin::api-token').findOne({
+        select: SELECT_FIELDS,
+        populate: [
+            'adminUserOwner'
+        ],
         where: {
             id
         }
@@ -257,55 +770,112 @@ For security reasons, prefer storing the secret in an environment variable and r
     if (!originalToken) {
         throw new NotFoundError('Token not found');
     }
-    const changingTypeToCustom = attributes.type === constants.API_TOKEN_TYPE.CUSTOM && originalToken.type !== constants.API_TOKEN_TYPE.CUSTOM;
-    // if we're updating the permissions on any token type, or changing from non-custom to custom, ensure they're still valid
-    // if neither type nor permissions are changing, we don't need to validate again or else we can't allow partial update
-    if (attributes.permissions || changingTypeToCustom) {
-        assertCustomTokenPermissionsValidity(attributes.type || originalToken.type, attributes.permissions || originalToken.permissions);
+    const raw = attributes;
+    // kind is immutable after creation
+    if (raw.kind !== undefined && raw.kind !== null && raw.kind !== originalToken.kind) {
+        throw new ValidationError('kind is immutable after creation');
     }
     assertValidLifespan(attributes.lifespan);
+    let clampedAdminPermissions;
+    let tokenOwnerUser;
+    if (originalToken.kind === 'content-api') {
+        assertLegacyKindFields(attributes);
+        const incomingType = raw.type;
+        const incomingPermissions = raw.permissions;
+        const resolvedType = incomingType ?? originalToken.type;
+        const changingTypeToCustom = incomingType === constants.API_TOKEN_TYPE.CUSTOM && originalToken.type !== constants.API_TOKEN_TYPE.CUSTOM;
+        // Only re-validate if permissions or type are being changed
+        if (incomingPermissions !== undefined || changingTypeToCustom) {
+            assertCustomTokenPermissionsValidity(resolvedType, incomingPermissions ?? originalToken.permissions);
+        }
+    } else if (originalToken.kind === 'admin') {
+        assertAdminKindFields(attributes);
+        const incomingAdminPermissions = raw.adminPermissions;
+        if (incomingAdminPermissions !== undefined) {
+            await assertAdminPermissionsValidity(incomingAdminPermissions);
+            // Ceiling is always the owner's permissions, not the calling user's.
+            // A super admin editing another user's token must not overflow that user's scope.
+            const ownerId = getOwnerId(originalToken);
+            const resolvedOwner = await getService('user').findOne(ownerId);
+            if (resolvedOwner === null || resolvedOwner === undefined) {
+                throw new ValidationError('Token owner no longer exists');
+            }
+            tokenOwnerUser = resolvedOwner;
+            clampedAdminPermissions = await enforceAdminPermissionsCeiling(tokenOwnerUser, incomingAdminPermissions);
+        }
+        const incomingAdminUserOwner = raw.adminUserOwner;
+        if (incomingAdminUserOwner !== undefined) {
+            // Owner is immutable; the provided value must match the existing one
+            const existingOwner = originalToken.adminUserOwner;
+            const existingOwnerId = existingOwner === null || existingOwner === undefined ? null : String(typeof existingOwner === 'object' ? existingOwner.id : existingOwner);
+            const requestedOwnerId = incomingAdminUserOwner === null ? null : String(incomingAdminUserOwner);
+            if (requestedOwnerId !== existingOwnerId) {
+                throw new ValidationError('adminUserOwner cannot be changed on update');
+            }
+        }
+    }
     const updatedToken = await strapi.db.query('admin::api-token').update({
         select: SELECT_FIELDS,
         where: {
             id
         },
-        data: omit('permissions', attributes)
+        // kind is immutable — strip it along with relation fields so the DB write is clean
+        data: omit([
+            'kind',
+            'permissions',
+            'adminPermissions',
+            'adminUserOwner'
+        ], attributes)
     });
-    // custom tokens need to have their permissions updated as well
-    if (updatedToken.type === constants.API_TOKEN_TYPE.CUSTOM && attributes.permissions) {
-        const currentPermissionsResult = await strapi.db.query('admin::api-token').load(updatedToken, 'permissions');
-        const currentPermissions = map('action', currentPermissionsResult || []);
-        const newPermissions = uniq(attributes.permissions);
-        const actionsToDelete = difference(currentPermissions, newPermissions);
-        const actionsToAdd = difference(newPermissions, currentPermissions);
-        // TODO: improve efficiency here
-        // method using a loop -- works but very inefficient
-        await Promise.all(actionsToDelete.map((action)=>strapi.db.query('admin::api-token-permission').delete({
+    if (originalToken.kind === 'content-api') {
+        const incomingPermissions = raw.permissions;
+        // custom tokens need to have their permissions updated as well
+        if (updatedToken.type === constants.API_TOKEN_TYPE.CUSTOM && incomingPermissions !== undefined) {
+            const currentPermissionsResult = await strapi.db.query('admin::api-token').load(updatedToken, 'permissions');
+            const currentPermissions = map('action', currentPermissionsResult || []);
+            const newPermissions = uniq(incomingPermissions || []);
+            const actionsToDelete = difference(currentPermissions, newPermissions);
+            const actionsToAdd = difference(newPermissions, currentPermissions);
+            // TODO: improve efficiency here
+            await Promise.all(actionsToDelete.map((action)=>strapi.db.query('admin::api-token-permission').delete({
+                    where: {
+                        action,
+                        token: id
+                    }
+                })));
+            // TODO: improve efficiency here
+            await Promise.all(actionsToAdd.map((action)=>strapi.db.query('admin::api-token-permission').create({
+                    data: {
+                        action,
+                        token: id
+                    }
+                })));
+        } else if (updatedToken.type !== constants.API_TOKEN_TYPE.CUSTOM) {
+            await strapi.db.query('admin::api-token-permission').delete({
                 where: {
-                    action,
                     token: id
                 }
-            })));
-        // TODO: improve efficiency here
-        // using a loop -- works but very inefficient
-        await Promise.all(actionsToAdd.map((action)=>strapi.db.query('admin::api-token-permission').create({
-                data: {
-                    action,
-                    token: id
-                }
-            })));
-    } else if (updatedToken.type !== constants.API_TOKEN_TYPE.CUSTOM) {
-        await strapi.db.query('admin::api-token-permission').delete({
-            where: {
-                token: id
-            }
-        });
+            });
+        }
+        const permissionsFromDb = await strapi.db.query('admin::api-token').load(updatedToken, 'permissions');
+        return {
+            ...updatedToken,
+            permissions: permissionsFromDb ? permissionsFromDb.map((p)=>p.action) : undefined
+        };
+    }
+    // kind === 'admin'
+    if (clampedAdminPermissions !== undefined) {
+        if (tokenOwnerUser === undefined) {
+            throw new ValidationError('Updating admin permissions requires a resolved token owner');
+        }
+        await assignAdminPermissionsToToken(id, clampedAdminPermissions, tokenOwnerUser);
     }
-    // retrieve permissions
-    const permissionsFromDb = await strapi.db.query('admin::api-token').load(updatedToken, 'permissions');
+    const adminPermissionsFromDb = await strapi.db.query('admin::api-token').load(updatedToken, 'adminPermissions');
+    const adminUserOwnerFromDb = await strapi.db.query('admin::api-token').load(updatedToken, 'adminUserOwner');
     return {
         ...updatedToken,
-        permissions: permissionsFromDb ? permissionsFromDb.map((p)=>p.action) : undefined
+        adminPermissions: adminPermissionsFromDb || [],
+        adminUserOwner: toAdminTokenOwner(adminUserOwnerFromDb)
     };
 };
 const count = async (where = {})=>{
@@ -313,6 +883,135 @@ const count = async (where = {})=>{
         where
     });
 };
+/**
+ * Delete all admin API tokens owned by the given user, including their associated admin permissions.
+ * Called when the owner user is deleted so tokens don't linger with a dangling owner FK.
+ */ const deleteAdminTokensForUser = async (userId)=>{
+    const tokens = await strapi.db.query('admin::api-token').findMany({
+        where: {
+            kind: 'admin',
+            adminUserOwner: {
+                id: userId
+            }
+        },
+        select: [
+            'id'
+        ],
+        populate: [
+            'adminPermissions'
+        ]
+    });
+    for (const token of tokens){
+        const permissionIds = (token.adminPermissions ?? []).map((p)=>p.id).filter((id)=>id !== null && id !== undefined);
+        if (permissionIds.length > 0) {
+            await getService('permission').deleteByIds(permissionIds);
+        }
+        await strapi.db.query('admin::api-token').delete({
+            where: {
+                id: token.id
+            }
+        });
+    }
+};
+function createTokenService(kind) {
+    const shared = {
+        hash,
+        checkSaltIsDefined,
+        getByAccessKey: (accessKeyHash, options)=>getBy({
+                accessKey: accessKeyHash
+            }, options),
+        countAll: count,
+        reconcileTokenPermissionsToUserCeiling
+    };
+    if (kind === 'content-api') {
+        const svc = {
+            ...shared,
+            create: (attributes, callingUser)=>create({
+                    ...attributes,
+                    kind: 'content-api'
+                }, callingUser),
+            list: (callingUser)=>list(callingUser, {
+                    filter: {
+                        kind: 'content-api'
+                    }
+                }),
+            getById: (id, options)=>getBy({
+                    $and: [
+                        {
+                            id
+                        },
+                        {
+                            $or: [
+                                {
+                                    kind: 'content-api'
+                                },
+                                {
+                                    kind: {
+                                        $null: true
+                                    }
+                                }
+                            ]
+                        }
+                    ]
+                }, options),
+            getByName: (name, options)=>getBy({
+                    $and: [
+                        {
+                            name
+                        },
+                        {
+                            $or: [
+                                {
+                                    kind: 'content-api'
+                                },
+                                {
+                                    kind: {
+                                        $null: true
+                                    }
+                                }
+                            ]
+                        }
+                    ]
+                }, options),
+            update: (id, attributes)=>update(id, attributes),
+            revoke: (id)=>revoke(id),
+            regenerate: (id)=>regenerate(id),
+            exists,
+            count
+        };
+        return svc;
+    }
+    const svc = {
+        ...shared,
+        create: (attributes, callingUser)=>create({
+                ...attributes,
+                kind: 'admin'
+            }, callingUser),
+        list: (callingUser)=>list(callingUser, {
+                filter: {
+                    kind: 'admin'
+                }
+            }),
+        getById: (id, options)=>getBy({
+                id,
+                kind: 'admin'
+            }, options),
+        getByName: (name, options)=>getBy({
+                name,
+                kind: 'admin'
+            }, options),
+        update: (id, attributes)=>update(id, attributes),
+        revoke: (id)=>revoke(id),
+        regenerate: (id)=>regenerate(id),
+        exists,
+        count,
+        assignAdminPermissionsToToken,
+        syncPermissionsForUser: syncApiTokenPermissionsForUser,
+        syncPermissionsForRole: syncApiTokenPermissionsForRole,
+        deleteTokensForUser: deleteAdminTokensForUser
+    };
+    return svc;
+}
 
-export { checkSaltIsDefined, count, create, exists, getBy, getById, getByName, hash, list, regenerate, revoke, update };
+export { assignAdminPermissionsToToken, checkSaltIsDefined, count, create, createTokenService, deleteAdminTokensForUser, enforceAdminPermissionsCeiling, exists, getBy, hash, list, reconcileTokenPermissionsToUserCeiling, regenerate, revoke, syncApiTokenPermissionsForRole, syncApiTokenPermissionsForUser, update };
 //# sourceMappingURL=api-token.mjs.map