@strapi/plugin-users-permissions 0.0.0-next.e21fe90bf2ab9906267ea6e6ca620bdcc729906c → 0.0.0-next.e326c69a49373b420f6566c30aca26f4b6274c6a

package/server/config.js

@@ -1,11 +1,33 @@
 'use strict';
 
+const {
+  DEFAULT_ACCESS_TOKEN_LIFESPAN,
+  DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_MAX_SESSION_LIFESPAN,
+  DEFAULT_IDLE_SESSION_LIFESPAN,
+} = require('./services/constants');
+
 module.exports = {
   default: ({ env }) => ({
     jwtSecret: env('JWT_SECRET'),
     jwt: {
       expiresIn: '30d',
     },
+    /**
+     * JWT management mode for the Content API authentication
+     * - "legacy-support": use plugin JWTs (backward compatible)
+     * - "refresh": use SessionManager (access/refresh tokens)
+     */
+    jwtManagement: 'legacy-support',
+    sessions: {
+      accessTokenLifespan: DEFAULT_ACCESS_TOKEN_LIFESPAN,
+      maxRefreshTokenLifespan: DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+      idleRefreshTokenLifespan: DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+      maxSessionLifespan: DEFAULT_MAX_SESSION_LIFESPAN,
+      idleSessionLifespan: DEFAULT_IDLE_SESSION_LIFESPAN,
+      httpOnly: false,
+    },
     ratelimit: {
       interval: 60000,
       max: 10,

package/server/controllers/auth.js

@@ -31,6 +31,12 @@ const sanitizeUser = (user, ctx) => {
   return strapi.contentAPI.sanitize.output(user, userSchema, { auth });
 };
 
+const extractDeviceId = (requestBody) => {
+  const { deviceId } = requestBody || {};
+
+  return typeof deviceId === 'string' && deviceId.length > 0 ? deviceId : undefined;
+};
+
 module.exports = ({ strapi }) => ({
   async callback(ctx) {
     const provider = ctx.params.provider || 'local';
@@ -86,6 +92,45 @@ module.exports = ({ strapi }) => ({
         throw new ApplicationError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const cookieOptions = {
+            httpOnly: true,
+            secure: Boolean(upSessions.cookie?.secure),
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -100,6 +145,43 @@ module.exports = ({ strapi }) => ({
         throw new ForbiddenError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const cookieOptions = {
+            httpOnly: true,
+            secure: Boolean(upSessions.cookie?.secure),
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -137,7 +219,37 @@ module.exports = ({ strapi }) => ({
 
     await getService('user').edit(user.id, { password });
 
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
@@ -168,13 +280,111 @@ module.exports = ({ strapi }) => ({
       password,
     });
 
-    // Update the user.
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
   },
+  async refresh(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    const { refreshToken } = ctx.request.body || {};
+    if (!refreshToken || typeof refreshToken !== 'string') {
+      return ctx.badRequest('Missing refresh token');
+    }
+
+    const rotation = await strapi
+      .sessionManager('users-permissions')
+      .rotateRefreshToken(refreshToken);
+    if ('error' in rotation) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const result = await strapi
+      .sessionManager('users-permissions')
+      .generateAccessToken(rotation.token);
+    if ('error' in result) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      const cookieOptions = {
+        httpOnly: true,
+        secure: Boolean(upSessions.cookie?.secure),
+        sameSite: upSessions.cookie?.sameSite ?? 'lax',
+        path: upSessions.cookie?.path ?? '/',
+        domain: upSessions.cookie?.domain,
+        overwrite: true,
+      };
+      ctx.cookies.set(cookieName, rotation.token, cookieOptions);
+      return ctx.send({ jwt: result.token });
+    }
+    return ctx.send({ jwt: result.token, refreshToken: rotation.token });
+  },
+  async logout(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    // Invalidate all sessions for the authenticated user, or by deviceId if provided
+    if (!ctx.state.user) {
+      return ctx.unauthorized('Missing authentication');
+    }
+
+    const deviceId = extractDeviceId(ctx.request.body);
+    try {
+      await strapi
+        .sessionManager('users-permissions')
+        .invalidateRefreshToken(String(ctx.state.user.id), deviceId);
+    } catch (err) {
+      strapi.log.error('UP logout failed', err);
+    }
 
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      ctx.cookies.set(cookieName, '', { expires: new Date(0) });
+    }
+    return ctx.send({ ok: true });
+  },
   async connect(ctx, next) {
     const grant = require('grant').koa();
 
@@ -387,12 +597,26 @@ module.exports = ({ strapi }) => ({
       return ctx.send({ user: sanitizedUser });
     }
 
-    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body) || crypto.randomUUID();
 
-    return ctx.send({
-      jwt,
-      user: sanitizedUser,
-    });
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({ jwt: access.token, refreshToken: refresh.token, user: sanitizedUser });
+    }
+
+    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    return ctx.send({ jwt, user: sanitizedUser });
   },
 
   async emailConfirmation(ctx, next, returnUser) {

package/server/controllers/content-manager-user.js

@@ -2,8 +2,7 @@
 
 const _ = require('lodash');
 const { contentTypes: contentTypesUtils } = require('@strapi/utils');
-const { ApplicationError, ValidationError, NotFoundError, ForbiddenError } =
-  require('@strapi/utils').errors;
+const { ApplicationError, NotFoundError, ForbiddenError } = require('@strapi/utils').errors;
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
 const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
@@ -133,8 +132,8 @@ module.exports = {
 
     await validateUpdateUserBody(ctx.request.body);
 
-    if (_.has(body, 'password') && !password && user.provider === 'local') {
-      throw new ValidationError('password.notNull');
+    if (_.has(body, 'password') && (password == null || password === '')) {
+      delete body.password;
     }
 
     if (_.has(body, 'username')) {

package/server/controllers/validation/user.js

@@ -29,7 +29,18 @@ const createUserBodySchema = yup.object().shape({
 const updateUserBodySchema = yup.object().shape({
   email: yup.string().email().min(1),
   username: yup.string().min(1),
-  password: yup.string().min(1),
+  password: yup
+    .mixed()
+    .test(
+      'password-validation',
+      'Password must be at least 1 character',
+      function validatePassword(value) {
+        if (value == null || value === '') {
+          return true;
+        }
+        return typeof value === 'string' && value.length >= 1;
+      }
+    ),
   role: yup.lazy((value) =>
     typeof value === 'object'
       ? yup.object().shape({

package/server/routes/content-api/auth.js

@@ -1,82 +1,130 @@
 'use strict';
 
-module.exports = [
-  {
-    method: 'GET',
-    path: '/connect/(.*)',
-    handler: 'auth.connect',
-    config: {
-      middlewares: ['plugin::users-permissions.rateLimit'],
-      prefix: '',
+const { UsersPermissionsRouteValidator } = require('./validation');
+
+module.exports = (strapi) => {
+  const validator = new UsersPermissionsRouteValidator(strapi);
+
+  return [
+    {
+      method: 'GET',
+      path: '/connect/(.*)',
+      handler: 'auth.connect',
+      config: {
+        middlewares: ['plugin::users-permissions.rateLimit'],
+        prefix: '',
+      },
+    },
+    {
+      method: 'POST',
+      path: '/auth/local',
+      handler: 'auth.callback',
+      config: {
+        middlewares: ['plugin::users-permissions.rateLimit'],
+        prefix: '',
+      },
+      request: {
+        body: { 'application/json': validator.loginBodySchema },
+      },
+      response: validator.authResponseSchema,
+    },
+    {
+      method: 'POST',
+      path: '/auth/local/register',
+      handler: 'auth.register',
+      config: {
+        middlewares: ['plugin::users-permissions.rateLimit'],
+        prefix: '',
+      },
+      request: {
+        body: { 'application/json': validator.registerBodySchema },
+      },
+      response: validator.authRegisterResponseSchema,
     },
-  },
-  {
-    method: 'POST',
-    path: '/auth/local',
-    handler: 'auth.callback',
-    config: {
-      middlewares: ['plugin::users-permissions.rateLimit'],
-      prefix: '',
+    {
+      method: 'GET',
+      path: '/auth/:provider/callback',
+      handler: 'auth.callback',
+      config: {
+        prefix: '',
+      },
+      request: {
+        params: {
+          provider: validator.providerParam,
+        },
+      },
+      response: validator.authResponseSchema,
     },
-  },
-  {
-    method: 'POST',
-    path: '/auth/local/register',
-    handler: 'auth.register',
-    config: {
-      middlewares: ['plugin::users-permissions.rateLimit'],
-      prefix: '',
+    {
+      method: 'POST',
+      path: '/auth/forgot-password',
+      handler: 'auth.forgotPassword',
+      config: {
+        middlewares: ['plugin::users-permissions.rateLimit'],
+        prefix: '',
+      },
+      request: {
+        body: { 'application/json': validator.forgotPasswordBodySchema },
+      },
+      response: validator.forgotPasswordResponseSchema,
     },
-  },
-  {
-    method: 'GET',
-    path: '/auth/:provider/callback',
-    handler: 'auth.callback',
-    config: {
-      prefix: '',
+    {
+      method: 'POST',
+      path: '/auth/reset-password',
+      handler: 'auth.resetPassword',
+      config: {
+        middlewares: ['plugin::users-permissions.rateLimit'],
+        prefix: '',
+      },
+      request: {
+        body: { 'application/json': validator.resetPasswordBodySchema },
+      },
+      response: validator.authResponseSchema,
     },
-  },
-  {
-    method: 'POST',
-    path: '/auth/forgot-password',
-    handler: 'auth.forgotPassword',
-    config: {
-      middlewares: ['plugin::users-permissions.rateLimit'],
-      prefix: '',
+    {
+      method: 'GET',
+      path: '/auth/email-confirmation',
+      handler: 'auth.emailConfirmation',
+      config: {
+        prefix: '',
+      },
     },
-  },
-  {
-    method: 'POST',
-    path: '/auth/reset-password',
-    handler: 'auth.resetPassword',
-    config: {
-      middlewares: ['plugin::users-permissions.rateLimit'],
-      prefix: '',
+    {
+      method: 'POST',
+      path: '/auth/send-email-confirmation',
+      handler: 'auth.sendEmailConfirmation',
+      config: {
+        prefix: '',
+      },
+      request: {
+        body: { 'application/json': validator.sendEmailConfirmationBodySchema },
+      },
+      response: validator.sendEmailConfirmationResponseSchema,
     },
-  },
-  {
-    method: 'GET',
-    path: '/auth/email-confirmation',
-    handler: 'auth.emailConfirmation',
-    config: {
-      prefix: '',
+    {
+      method: 'POST',
+      path: '/auth/change-password',
+      handler: 'auth.changePassword',
+      config: {
+        middlewares: ['plugin::users-permissions.rateLimit'],
+        prefix: '',
+      },
+      request: {
+        body: { 'application/json': validator.changePasswordBodySchema },
+      },
+      response: validator.authResponseSchema,
     },
-  },
-  {
-    method: 'POST',
-    path: '/auth/send-email-confirmation',
-    handler: 'auth.sendEmailConfirmation',
-    config: {
-      prefix: '',
+    {
+      method: 'POST',
+      path: '/auth/refresh',
+      handler: 'auth.refresh',
+      config: { prefix: '' },
     },
-  },
-  {
-    method: 'POST',
-    path: '/auth/change-password',
-    handler: 'auth.changePassword',
-    config: {
-      middlewares: ['plugin::users-permissions.rateLimit'],
-      prefix: '',
+    {
+      method: 'POST',
+      path: '/auth/logout',
+      handler: 'auth.logout',
+      config: { prefix: '' },
     },
-  },
-];
+  ];
+};

package/server/routes/content-api/index.js

@@ -1,11 +1,18 @@
 'use strict';
 
+const { createContentApiRoutesFactory } = require('@strapi/utils');
 const authRoutes = require('./auth');
 const userRoutes = require('./user');
 const roleRoutes = require('./role');
 const permissionsRoutes = require('./permissions');
 
-module.exports = {
-  type: 'content-api',
-  routes: [...authRoutes, ...userRoutes, ...roleRoutes, ...permissionsRoutes],
-};
+const createContentApiRoutes = createContentApiRoutesFactory(() => {
+  return [
+    ...authRoutes(strapi),
+    ...userRoutes(strapi),
+    ...roleRoutes(strapi),
+    ...permissionsRoutes(strapi),
+  ];
+});
+
+module.exports = createContentApiRoutes;

package/server/routes/content-api/permissions.js

@@ -1,9 +1,16 @@
 'use strict';
 
-module.exports = [
-  {
-    method: 'GET',
-    path: '/permissions',
-    handler: 'permissions.getPermissions',
-  },
-];
+const { UsersPermissionsRouteValidator } = require('./validation');
+
+module.exports = (strapi) => {
+  const validator = new UsersPermissionsRouteValidator(strapi);
+
+  return [
+    {
+      method: 'GET',
+      path: '/permissions',
+      handler: 'permissions.getPermissions',
+      response: validator.permissionsResponseSchema,
+    },
+  ];
+};