@strapi/plugin-users-permissions 0.0.0-next.ce84fada19d58a7dfbdd553035e6558f8befcba4 → 0.0.0-next.ce8ed0c8aa03361c3009f41af96f742be028ffd9

package/server/bootstrap/index.js

@@ -11,6 +11,18 @@ const crypto = require('crypto');
 const _ = require('lodash');
 const { getService } = require('../utils');
 const usersPermissionsActions = require('./users-permissions-actions');
+const {
+  DEFAULT_ACCESS_TOKEN_LIFESPAN,
+  DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_MAX_SESSION_LIFESPAN,
+  DEFAULT_IDLE_SESSION_LIFESPAN,
+} = require('../services/constants');
+
+const getSessionManager = () => {
+  const manager = strapi.sessionManager;
+  return manager ?? null;
+};
 
 const initGrant = async (pluginStore) => {
   const allProviders = getService('providers-registry').getAll();
@@ -113,6 +125,25 @@ module.exports = async ({ strapi }) => {
 
   await getService('users-permissions').initialize();
 
+  // Define users-permissions origin configuration for sessionManager
+  const upConfig = strapi.config.get('plugin::users-permissions');
+  const sessionManager = getSessionManager();
+
+  if (sessionManager) {
+    sessionManager.defineOrigin('users-permissions', {
+      jwtSecret: upConfig.jwtSecret || strapi.config.get('admin.auth.secret'),
+      accessTokenLifespan: upConfig.sessions?.accessTokenLifespan || DEFAULT_ACCESS_TOKEN_LIFESPAN,
+      maxRefreshTokenLifespan:
+        upConfig.sessions?.maxRefreshTokenLifespan || DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+      idleRefreshTokenLifespan:
+        upConfig.sessions?.idleRefreshTokenLifespan || DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+      maxSessionLifespan: upConfig.sessions?.maxSessionLifespan || DEFAULT_MAX_SESSION_LIFESPAN,
+      idleSessionLifespan: upConfig.sessions?.idleSessionLifespan || DEFAULT_IDLE_SESSION_LIFESPAN,
+      algorithm: upConfig.jwt?.algorithm,
+      jwtOptions: upConfig.jwt || {},
+    });
+  }
+
   if (!strapi.config.get('plugin::users-permissions.jwtSecret')) {
     if (process.env.NODE_ENV !== 'development') {
       throw new Error(

package/server/config.js

@@ -1,11 +1,33 @@
 'use strict';
 
+const {
+  DEFAULT_ACCESS_TOKEN_LIFESPAN,
+  DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_MAX_SESSION_LIFESPAN,
+  DEFAULT_IDLE_SESSION_LIFESPAN,
+} = require('./services/constants');
+
 module.exports = {
   default: ({ env }) => ({
     jwtSecret: env('JWT_SECRET'),
     jwt: {
       expiresIn: '30d',
     },
+    /**
+     * JWT management mode for the Content API authentication
+     * - "legacy-support": use plugin JWTs (backward compatible)
+     * - "refresh": use SessionManager (access/refresh tokens)
+     */
+    jwtManagement: 'legacy-support',
+    sessions: {
+      accessTokenLifespan: DEFAULT_ACCESS_TOKEN_LIFESPAN,
+      maxRefreshTokenLifespan: DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+      idleRefreshTokenLifespan: DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+      maxSessionLifespan: DEFAULT_MAX_SESSION_LIFESPAN,
+      idleSessionLifespan: DEFAULT_IDLE_SESSION_LIFESPAN,
+      httpOnly: false,
+    },
     ratelimit: {
       interval: 60000,
       max: 10,

package/server/controllers/auth.js

@@ -31,7 +31,13 @@ const sanitizeUser = (user, ctx) => {
   return strapi.contentAPI.sanitize.output(user, userSchema, { auth });
 };
 
-module.exports = {
+const extractDeviceId = (requestBody) => {
+  const { deviceId } = requestBody || {};
+
+  return typeof deviceId === 'string' && deviceId.length > 0 ? deviceId : undefined;
+};
+
+module.exports = ({ strapi }) => ({
   async callback(ctx) {
     const provider = ctx.params.provider || 'local';
     const params = ctx.request.body;
@@ -86,6 +92,51 @@ module.exports = {
         throw new ApplicationError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const isProduction = process.env.NODE_ENV === 'production';
+          const isSecure =
+            typeof upSessions.cookie?.secure === 'boolean'
+              ? upSessions.cookie?.secure
+              : isProduction;
+
+          const cookieOptions = {
+            httpOnly: true,
+            secure: isSecure,
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -100,6 +151,49 @@ module.exports = {
         throw new ForbiddenError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const isProduction = process.env.NODE_ENV === 'production';
+          const isSecure =
+            typeof upSessions.cookie?.secure === 'boolean'
+              ? upSessions.cookie?.secure
+              : isProduction;
+
+          const cookieOptions = {
+            httpOnly: true,
+            secure: isSecure,
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -114,7 +208,12 @@ module.exports = {
       throw new ApplicationError('You must be authenticated to reset your password');
     }
 
-    const { currentPassword, password } = await validateChangePasswordBody(ctx.request.body);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
+
+    const { currentPassword, password } = await validateChangePasswordBody(
+      ctx.request.body,
+      validations
+    );
 
     const user = await strapi.db
       .query('plugin::users-permissions.user')
@@ -132,15 +231,48 @@ module.exports = {
 
     await getService('user').edit(user.id, { password });
 
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
   },
 
   async resetPassword(ctx) {
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
+
     const { password, passwordConfirmation, code } = await validateResetPasswordBody(
-      ctx.request.body
+      ctx.request.body,
+      validations
     );
 
     if (password !== passwordConfirmation) {
@@ -160,15 +292,117 @@ module.exports = {
       password,
     });
 
-    // Update the user.
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
   },
+  async refresh(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    const { refreshToken } = ctx.request.body || {};
+    if (!refreshToken || typeof refreshToken !== 'string') {
+      return ctx.badRequest('Missing refresh token');
+    }
+
+    const rotation = await strapi
+      .sessionManager('users-permissions')
+      .rotateRefreshToken(refreshToken);
+    if ('error' in rotation) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const result = await strapi
+      .sessionManager('users-permissions')
+      .generateAccessToken(rotation.token);
+    if ('error' in result) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      const isProduction = process.env.NODE_ENV === 'production';
+      const isSecure =
+        typeof upSessions.cookie?.secure === 'boolean' ? upSessions.cookie?.secure : isProduction;
+
+      const cookieOptions = {
+        httpOnly: true,
+        secure: isSecure,
+        sameSite: upSessions.cookie?.sameSite ?? 'lax',
+        path: upSessions.cookie?.path ?? '/',
+        domain: upSessions.cookie?.domain,
+        overwrite: true,
+      };
+      ctx.cookies.set(cookieName, rotation.token, cookieOptions);
+      return ctx.send({ jwt: result.token });
+    }
+    return ctx.send({ jwt: result.token, refreshToken: rotation.token });
+  },
+  async logout(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    // Invalidate all sessions for the authenticated user, or by deviceId if provided
+    if (!ctx.state.user) {
+      return ctx.unauthorized('Missing authentication');
+    }
 
+    const deviceId = extractDeviceId(ctx.request.body);
+    try {
+      await strapi
+        .sessionManager('users-permissions')
+        .invalidateRefreshToken(String(ctx.state.user.id), deviceId);
+    } catch (err) {
+      strapi.log.error('UP logout failed', err);
+    }
+
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      ctx.cookies.set(cookieName, '', { expires: new Date(0) });
+    }
+    return ctx.send({ ok: true });
+  },
   async connect(ctx, next) {
-    const grant = require('grant-koa');
+    const grant = require('grant').koa();
 
     const providers = await strapi
       .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
@@ -315,7 +549,9 @@ module.exports = {
       provider: 'local',
     };
 
-    await validateRegisterBody(params);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
+
+    await validateRegisterBody(params, validations);
 
     const role = await strapi.db
       .query('plugin::users-permissions.role')
@@ -377,12 +613,26 @@ module.exports = {
       return ctx.send({ user: sanitizedUser });
     }
 
-    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body) || crypto.randomUUID();
 
-    return ctx.send({
-      jwt,
-      user: sanitizedUser,
-    });
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({ jwt: access.token, refreshToken: refresh.token, user: sanitizedUser });
+    }
+
+    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    return ctx.send({ jwt, user: sanitizedUser });
   },
 
   async emailConfirmation(ctx, next, returnUser) {
@@ -439,4 +689,4 @@ module.exports = {
       sent: true,
     });
   },
-};
+});

package/server/controllers/content-manager-user.js

@@ -2,8 +2,7 @@
 
 const _ = require('lodash');
 const { contentTypes: contentTypesUtils } = require('@strapi/utils');
-const { ApplicationError, ValidationError, NotFoundError, ForbiddenError } =
-  require('@strapi/utils').errors;
+const { ApplicationError, NotFoundError, ForbiddenError } = require('@strapi/utils').errors;
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
 const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
@@ -133,8 +132,8 @@ module.exports = {
 
     await validateUpdateUserBody(ctx.request.body);
 
-    if (_.has(body, 'password') && !password && user.provider === 'local') {
-      throw new ValidationError('password.notNull');
+    if (_.has(body, 'password') && (password == null || password === '')) {
+      delete body.password;
     }
 
     if (_.has(body, 'username')) {

package/server/controllers/role.js

@@ -1,10 +1,19 @@
 'use strict';
 
 const _ = require('lodash');
-const { ApplicationError, ValidationError } = require('@strapi/utils').errors;
+const { async, errors } = require('@strapi/utils');
 const { getService } = require('../utils');
 const { validateDeleteRoleBody } = require('./validation/user');
 
+const { ApplicationError, ValidationError } = errors;
+
+const sanitizeOutput = async (role) => {
+  const { sanitizeLocalizationFields } = strapi.plugin('i18n').service('sanitize');
+  const schema = strapi.getModel('plugin::users-permissions.role');
+
+  return async.pipe(sanitizeLocalizationFields(schema))(role);
+};
+
 module.exports = {
   /**
    * Default action.
@@ -30,13 +39,17 @@ module.exports = {
       return ctx.notFound();
     }
 
-    ctx.send({ role });
+    const safeRole = await sanitizeOutput(role);
+
+    ctx.send({ role: safeRole });
   },
 
   async find(ctx) {
     const roles = await getService('role').find();
 
-    ctx.send({ roles });
+    const safeRoles = await Promise.all(roles.map(sanitizeOutput));
+
+    ctx.send({ roles: safeRoles });
   },
 
   async updateRole(ctx) {

package/server/controllers/validation/auth.js

@@ -7,11 +7,35 @@ const callbackSchema = yup.object({
   password: yup.string().required(),
 });
 
-const registerSchema = yup.object({
-  email: yup.string().email().required(),
-  username: yup.string().required(),
-  password: yup.string().required(),
-});
+const createRegisterSchema = (config) =>
+  yup.object({
+    email: yup.string().email().required(),
+    username: yup.string().required(),
+    password: yup
+      .string()
+      .required()
+      .test(function (value) {
+        if (!value) return true;
+        const isValid = new TextEncoder().encode(value).length <= 72;
+        if (!isValid) {
+          return this.createError({ message: 'Password must be less than 73 bytes' });
+        }
+        return true;
+      })
+      .test(async function (value) {
+        if (typeof config?.validatePassword === 'function') {
+          try {
+            const isValid = await config.validatePassword(value);
+            if (!isValid) {
+              return this.createError({ message: 'Password validation failed.' });
+            }
+          } catch (error) {
+            return this.createError({ message: error.message || 'An error occurred.' });
+          }
+        }
+        return true;
+      }),
+  });
 
 const sendEmailConfirmationSchema = yup.object({
   email: yup.string().email().required(),
@@ -27,31 +51,86 @@ const forgotPasswordSchema = yup
   })
   .noUnknown();
 
-const resetPasswordSchema = yup
-  .object({
-    password: yup.string().required(),
-    passwordConfirmation: yup.string().required(),
-    code: yup.string().required(),
-  })
-  .noUnknown();
+const createResetPasswordSchema = (config) =>
+  yup
+    .object({
+      password: yup
+        .string()
+        .required()
+        .test(function (value) {
+          if (!value) return true;
+          const isValid = new TextEncoder().encode(value).length <= 72;
+          if (!isValid) {
+            return this.createError({ message: 'Password must be less than 73 bytes' });
+          }
+          return true;
+        })
+        .test(async function (value) {
+          if (typeof config?.validatePassword === 'function') {
+            try {
+              const isValid = await config.validatePassword(value);
+              if (!isValid) {
+                return this.createError({ message: 'Password validation failed.' });
+              }
+            } catch (error) {
+              return this.createError({ message: error.message || 'An error occurred.' });
+            }
+          }
+          return true;
+        }),
+      passwordConfirmation: yup
+        .string()
+        .required()
+        .oneOf([yup.ref('password')], 'Passwords do not match'),
 
-const changePasswordSchema = yup
-  .object({
-    password: yup.string().required(),
-    passwordConfirmation: yup
-      .string()
-      .required()
-      .oneOf([yup.ref('password')], 'Passwords do not match'),
-    currentPassword: yup.string().required(),
-  })
-  .noUnknown();
+      code: yup.string().required(),
+    })
+    .noUnknown();
+
+const createChangePasswordSchema = (config) =>
+  yup
+    .object({
+      password: yup
+        .string()
+        .required()
+        .test(function (value) {
+          if (!value) return true;
+          const isValid = new TextEncoder().encode(value).length <= 72;
+          if (!isValid) {
+            return this.createError({ message: 'Password must be less than 73 bytes' });
+          }
+          return true;
+        })
+        .test(async function (value) {
+          if (typeof config?.validatePassword === 'function') {
+            try {
+              const isValid = await config.validatePassword(value);
+              if (!isValid) {
+                return this.createError({ message: 'Password validation failed.' });
+              }
+            } catch (error) {
+              return this.createError({ message: error.message || 'An error occurred.' });
+            }
+          }
+          return true;
+        }),
+      passwordConfirmation: yup
+        .string()
+        .required()
+        .oneOf([yup.ref('password')], 'Passwords do not match'),
+      currentPassword: yup.string().required(),
+    })
+    .noUnknown();
 
 module.exports = {
   validateCallbackBody: validateYupSchema(callbackSchema),
-  validateRegisterBody: validateYupSchema(registerSchema),
+  validateRegisterBody: (payload, config) =>
+    validateYupSchema(createRegisterSchema(config))(payload),
   validateSendEmailConfirmationBody: validateYupSchema(sendEmailConfirmationSchema),
   validateEmailConfirmationBody: validateYupSchema(validateEmailConfirmationSchema),
   validateForgotPasswordBody: validateYupSchema(forgotPasswordSchema),
-  validateResetPasswordBody: validateYupSchema(resetPasswordSchema),
-  validateChangePasswordBody: validateYupSchema(changePasswordSchema),
+  validateResetPasswordBody: (payload, config) =>
+    validateYupSchema(createResetPasswordSchema(config))(payload),
+  validateChangePasswordBody: (payload, config) =>
+    validateYupSchema(createChangePasswordSchema(config))(payload),
 };

package/server/controllers/validation/user.js

@@ -29,7 +29,18 @@ const createUserBodySchema = yup.object().shape({
 const updateUserBodySchema = yup.object().shape({
   email: yup.string().email().min(1),
   username: yup.string().min(1),
-  password: yup.string().min(1),
+  password: yup
+    .mixed()
+    .test(
+      'password-validation',
+      'Password must be at least 1 character',
+      function validatePassword(value) {
+        if (value == null || value === '') {
+          return true;
+        }
+        return typeof value === 'string' && value.length >= 1;
+      }
+    ),
   role: yup.lazy((value) =>
     typeof value === 'object'
       ? yup.object().shape({

package/server/graphql/types/index.js

@@ -10,6 +10,7 @@ const typesFactories = [
   require('./create-role-payload'),
   require('./update-role-payload'),
   require('./delete-role-payload'),
+  require('./user-input'),
 ];
 
 /**

package/server/graphql/types/me.js

@@ -6,6 +6,7 @@ module.exports = ({ nexus }) => {
 
     definition(t) {
       t.nonNull.id('id');
+      t.nonNull.id('documentId');
       t.nonNull.string('username');
       t.string('email');
       t.boolean('confirmed');