@strapi/plugin-users-permissions 0.0.0-next.e3b4cdeebf6e9b0cd5575ff80b8a86715d44ce98 → 0.0.0-next.e61eff51f9834ffdef16bdc236aecab5f837723b

package/server/controllers/content-manager-user.js

@@ -17,24 +17,25 @@ const ACTIONS = {
 };
 
 const findEntityAndCheckPermissions = async (ability, action, model, id) => {
-  const entity = await strapi.query(userModel).findOne({
-    where: { id },
+  const doc = await strapi.service('plugin::content-manager.document-manager').findOne(id, model, {
     populate: [`${CREATED_BY_ATTRIBUTE}.roles`],
   });
 
-  if (_.isNil(entity)) {
+  if (_.isNil(doc)) {
     throw new NotFoundError();
   }
 
-  const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
+  const pm = strapi
+    .service('admin::permission')
+    .createPermissionsManager({ ability, action, model });
 
-  if (pm.ability.cannot(pm.action, pm.toSubject(entity))) {
+  if (pm.ability.cannot(pm.action, pm.toSubject(doc))) {
     throw new ForbiddenError();
   }
 
-  const entityWithoutCreatorRoles = _.omit(entity, `${CREATED_BY_ATTRIBUTE}.roles`);
+  const docWithoutCreatorRoles = _.omit(doc, `${CREATED_BY_ATTRIBUTE}.roles`);
 
-  return { pm, entity: entityWithoutCreatorRoles };
+  return { pm, doc: docWithoutCreatorRoles };
 };
 
 module.exports = {
@@ -48,7 +49,7 @@ module.exports = {
 
     const { email, username } = body;
 
-    const pm = strapi.admin.services.permission.createPermissionsManager({
+    const pm = strapi.service('admin::permission').createPermissionsManager({
       ability: userAbility,
       action: ACTIONS.create,
       model: userModel,
@@ -66,7 +67,7 @@ module.exports = {
 
     await validateCreateUserBody(ctx.request.body);
 
-    const userWithSameUsername = await strapi
+    const userWithSameUsername = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { username } });
 
@@ -75,7 +76,7 @@ module.exports = {
     }
 
     if (advanced.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: email.toLowerCase() } });
 
@@ -93,18 +94,11 @@ module.exports = {
 
     user.email = _.toLower(user.email);
 
-    if (!user.role) {
-      const defaultRole = await strapi
-        .query('plugin::users-permissions.role')
-        .findOne({ where: { type: advanced.default_role } });
-
-      user.role = defaultRole.id;
-    }
-
     try {
       const data = await strapi
-        .service('plugin::content-manager.entity-manager')
-        .create(user, userModel);
+        .service('plugin::content-manager.document-manager')
+        .create(userModel, { data: user });
+
       const sanitizedData = await pm.sanitizeOutput(data, { action: ACTIONS.read });
 
       ctx.created(sanitizedData);
@@ -118,7 +112,7 @@ module.exports = {
    */
 
   async update(ctx) {
-    const { id } = ctx.params;
+    const { id: documentId } = ctx.params;
     const { body } = ctx.request;
     const { user: admin, userAbility } = ctx.state;
 
@@ -128,13 +122,14 @@ module.exports = {
 
     const { email, username, password } = body;
 
-    const { pm, entity } = await findEntityAndCheckPermissions(
+    const { pm, doc } = await findEntityAndCheckPermissions(
       userAbility,
       ACTIONS.edit,
       userModel,
-      id
+      documentId
     );
-    const user = entity;
+
+    const user = doc;
 
     await validateUpdateUserBody(ctx.request.body);
 
@@ -143,23 +138,24 @@ module.exports = {
     }
 
     if (_.has(body, 'username')) {
-      const userWithSameUsername = await strapi
+      const userWithSameUsername = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { username } });
 
-      if (userWithSameUsername && _.toString(userWithSameUsername.id) !== _.toString(id)) {
+      if (userWithSameUsername && _.toString(userWithSameUsername.id) !== _.toString(user.id)) {
         throw new ApplicationError('Username already taken');
       }
     }
 
     if (_.has(body, 'email') && advancedConfigs.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: _.toLower(email) } });
 
-      if (userWithSameEmail && _.toString(userWithSameEmail.id) !== _.toString(id)) {
+      if (userWithSameEmail && _.toString(userWithSameEmail.id) !== _.toString(user.id)) {
         throw new ApplicationError('Email already taken');
       }
+
       body.email = _.toLower(body.email);
     }
 
@@ -167,8 +163,10 @@ module.exports = {
     const updateData = _.omit({ ...sanitizedData, updatedBy: admin.id }, 'createdBy');
 
     const data = await strapi
-      .service('plugin::content-manager.entity-manager')
-      .update({ id }, updateData, userModel);
+      .service('plugin::content-manager.document-manager')
+      .update(documentId, userModel, {
+        data: updateData,
+      });
 
     ctx.body = await pm.sanitizeOutput(data, { action: ACTIONS.read });
   },

package/server/controllers/role.js

@@ -1,10 +1,19 @@
 'use strict';
 
 const _ = require('lodash');
-const { ApplicationError, ValidationError } = require('@strapi/utils').errors;
+const { async, errors } = require('@strapi/utils');
 const { getService } = require('../utils');
 const { validateDeleteRoleBody } = require('./validation/user');
 
+const { ApplicationError, ValidationError } = errors;
+
+const sanitizeOutput = async (role) => {
+  const { sanitizeLocalizationFields } = strapi.plugin('i18n').service('sanitize');
+  const schema = strapi.getModel('plugin::users-permissions.role');
+
+  return async.pipe(sanitizeLocalizationFields(schema))(role);
+};
+
 module.exports = {
   /**
    * Default action.
@@ -30,13 +39,17 @@ module.exports = {
       return ctx.notFound();
     }
 
-    ctx.send({ role });
+    const safeRole = await sanitizeOutput(role);
+
+    ctx.send({ role: safeRole });
   },
 
   async find(ctx) {
     const roles = await getService('role').find();
 
-    ctx.send({ roles });
+    const safeRoles = await Promise.all(roles.map(sanitizeOutput));
+
+    ctx.send({ roles: safeRoles });
   },
 
   async updateRole(ctx) {
@@ -59,7 +72,7 @@ module.exports = {
     }
 
     // Fetch public role.
-    const publicRole = await strapi
+    const publicRole = await strapi.db
       .query('plugin::users-permissions.role')
       .findOne({ where: { type: 'public' } });
 

package/server/controllers/user.js

@@ -11,21 +11,27 @@ const utils = require('@strapi/utils');
 const { getService } = require('../utils');
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
-const { sanitize } = utils;
 const { ApplicationError, ValidationError, NotFoundError } = utils.errors;
 
 const sanitizeOutput = async (user, ctx) => {
   const schema = strapi.getModel('plugin::users-permissions.user');
   const { auth } = ctx.state;
 
-  return sanitize.contentAPI.output(user, schema, { auth });
+  return strapi.contentAPI.sanitize.output(user, schema, { auth });
+};
+
+const validateQuery = async (query, ctx) => {
+  const schema = strapi.getModel('plugin::users-permissions.user');
+  const { auth } = ctx.state;
+
+  return strapi.contentAPI.validate.query(query, schema, { auth });
 };
 
 const sanitizeQuery = async (query, ctx) => {
   const schema = strapi.getModel('plugin::users-permissions.user');
   const { auth } = ctx.state;
 
-  return sanitize.contentAPI.query(query, schema, { auth });
+  return strapi.contentAPI.sanitize.query(query, schema, { auth });
 };
 
 module.exports = {
@@ -42,7 +48,7 @@ module.exports = {
 
     const { email, username, role } = ctx.request.body;
 
-    const userWithSameUsername = await strapi
+    const userWithSameUsername = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { username } });
 
@@ -51,7 +57,7 @@ module.exports = {
     }
 
     if (advanced.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: email.toLowerCase() } });
 
@@ -67,7 +73,7 @@ module.exports = {
     };
 
     if (!role) {
-      const defaultRole = await strapi
+      const defaultRole = await strapi.db
         .query('plugin::users-permissions.role')
         .findOne({ where: { type: advanced.default_role } });
 
@@ -108,7 +114,7 @@ module.exports = {
     }
 
     if (_.has(ctx.request.body, 'username')) {
-      const userWithSameUsername = await strapi
+      const userWithSameUsername = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { username } });
 
@@ -118,7 +124,7 @@ module.exports = {
     }
 
     if (_.has(ctx.request.body, 'email') && advancedConfigs.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: email.toLowerCase() } });
 
@@ -143,6 +149,7 @@ module.exports = {
    * @return {Object|Array}
    */
   async find(ctx) {
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
     const users = await getService('user').fetchAll(sanitizedQuery);
 
@@ -155,6 +162,7 @@ module.exports = {
    */
   async findOne(ctx) {
     const { id } = ctx.params;
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
 
     let data = await getService('user').fetch(id, sanitizedQuery);
@@ -171,6 +179,7 @@ module.exports = {
    * @return {Number}
    */
   async count(ctx) {
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
 
     ctx.body = await getService('user').count(sanitizedQuery);
@@ -201,6 +210,7 @@ module.exports = {
       return ctx.unauthorized();
     }
 
+    await validateQuery(query, ctx);
     const sanitizedQuery = await sanitizeQuery(query, ctx);
     const user = await getService('user').fetch(authUser.id, sanitizedQuery);
 

package/server/controllers/validation/auth.js

@@ -7,11 +7,35 @@ const callbackSchema = yup.object({
   password: yup.string().required(),
 });
 
-const registerSchema = yup.object({
-  email: yup.string().email().required(),
-  username: yup.string().required(),
-  password: yup.string().required(),
-});
+const createRegisterSchema = (config) =>
+  yup.object({
+    email: yup.string().email().required(),
+    username: yup.string().required(),
+    password: yup
+      .string()
+      .required()
+      .test(function (value) {
+        if (!value) return true;
+        const isValid = new TextEncoder().encode(value).length <= 72;
+        if (!isValid) {
+          return this.createError({ message: 'Password must be less than 73 bytes' });
+        }
+        return true;
+      })
+      .test(async function (value) {
+        if (typeof config?.validatePassword === 'function') {
+          try {
+            const isValid = await config.validatePassword(value);
+            if (!isValid) {
+              return this.createError({ message: 'Password validation failed.' });
+            }
+          } catch (error) {
+            return this.createError({ message: error.message || 'An error occurred.' });
+          }
+        }
+        return true;
+      }),
+  });
 
 const sendEmailConfirmationSchema = yup.object({
   email: yup.string().email().required(),
@@ -27,31 +51,86 @@ const forgotPasswordSchema = yup
   })
   .noUnknown();
 
-const resetPasswordSchema = yup
-  .object({
-    password: yup.string().required(),
-    passwordConfirmation: yup.string().required(),
-    code: yup.string().required(),
-  })
-  .noUnknown();
+const createResetPasswordSchema = (config) =>
+  yup
+    .object({
+      password: yup
+        .string()
+        .required()
+        .test(function (value) {
+          if (!value) return true;
+          const isValid = new TextEncoder().encode(value).length <= 72;
+          if (!isValid) {
+            return this.createError({ message: 'Password must be less than 73 bytes' });
+          }
+          return true;
+        })
+        .test(async function (value) {
+          if (typeof config?.validatePassword === 'function') {
+            try {
+              const isValid = await config.validatePassword(value);
+              if (!isValid) {
+                return this.createError({ message: 'Password validation failed.' });
+              }
+            } catch (error) {
+              return this.createError({ message: error.message || 'An error occurred.' });
+            }
+          }
+          return true;
+        }),
+      passwordConfirmation: yup
+        .string()
+        .required()
+        .oneOf([yup.ref('password')], 'Passwords do not match'),
 
-const changePasswordSchema = yup
-  .object({
-    password: yup.string().required(),
-    passwordConfirmation: yup
-      .string()
-      .required()
-      .oneOf([yup.ref('password')], 'Passwords do not match'),
-    currentPassword: yup.string().required(),
-  })
-  .noUnknown();
+      code: yup.string().required(),
+    })
+    .noUnknown();
+
+const createChangePasswordSchema = (config) =>
+  yup
+    .object({
+      password: yup
+        .string()
+        .required()
+        .test(function (value) {
+          if (!value) return true;
+          const isValid = new TextEncoder().encode(value).length <= 72;
+          if (!isValid) {
+            return this.createError({ message: 'Password must be less than 73 bytes' });
+          }
+          return true;
+        })
+        .test(async function (value) {
+          if (typeof config?.validatePassword === 'function') {
+            try {
+              const isValid = await config.validatePassword(value);
+              if (!isValid) {
+                return this.createError({ message: 'Password validation failed.' });
+              }
+            } catch (error) {
+              return this.createError({ message: error.message || 'An error occurred.' });
+            }
+          }
+          return true;
+        }),
+      passwordConfirmation: yup
+        .string()
+        .required()
+        .oneOf([yup.ref('password')], 'Passwords do not match'),
+      currentPassword: yup.string().required(),
+    })
+    .noUnknown();
 
 module.exports = {
   validateCallbackBody: validateYupSchema(callbackSchema),
-  validateRegisterBody: validateYupSchema(registerSchema),
+  validateRegisterBody: (payload, config) =>
+    validateYupSchema(createRegisterSchema(config))(payload),
   validateSendEmailConfirmationBody: validateYupSchema(sendEmailConfirmationSchema),
   validateEmailConfirmationBody: validateYupSchema(validateEmailConfirmationSchema),
   validateForgotPasswordBody: validateYupSchema(forgotPasswordSchema),
-  validateResetPasswordBody: validateYupSchema(resetPasswordSchema),
-  validateChangePasswordBody: validateYupSchema(changePasswordSchema),
+  validateResetPasswordBody: (payload, config) =>
+    validateYupSchema(createResetPasswordSchema(config))(payload),
+  validateChangePasswordBody: (payload, config) =>
+    validateYupSchema(createChangePasswordSchema(config))(payload),
 };

package/server/graphql/types/index.js

@@ -10,6 +10,7 @@ const typesFactories = [
   require('./create-role-payload'),
   require('./update-role-payload'),
   require('./delete-role-payload'),
+  require('./user-input'),
 ];
 
 /**

package/server/graphql/types/me.js

@@ -6,6 +6,7 @@ module.exports = ({ nexus }) => {
 
     definition(t) {
       t.nonNull.id('id');
+      t.nonNull.id('documentId');
       t.nonNull.string('username');
       t.string('email');
       t.boolean('confirmed');

package/server/graphql/types/user-input.js

@@ -0,0 +1,20 @@
+'use strict';
+
+const usersPermissionsUserUID = 'plugin::users-permissions.user';
+
+module.exports = ({ nexus, strapi }) => {
+  const { getContentTypeInputName } = strapi.plugin('graphql').service('utils').naming;
+
+  const userContentType = strapi.getModel(usersPermissionsUserUID);
+  const userInputName = getContentTypeInputName(userContentType);
+
+  return nexus.extendInputType({
+    type: userInputName,
+
+    definition(t) {
+      // Manually add the private password field back to the data
+      // input type as it is used for CRUD operations on users
+      t.string('password');
+    },
+  });
+};

package/server/middlewares/rateLimit.js

@@ -1,27 +1,47 @@
 'use strict';
 
+const path = require('path');
+const utils = require('@strapi/utils');
+const { isString, has, toLower } = require('lodash/fp');
+
+const { RateLimitError } = utils.errors;
+
 module.exports =
   (config, { strapi }) =>
   async (ctx, next) => {
-    const ratelimit = require('koa2-ratelimit').RateLimit;
-
-    const message = [
-      {
-        messages: [
-          {
-            id: 'Auth.form.error.ratelimit',
-            message: 'Too many attempts, please try again in a minute.',
-          },
-        ],
-      },
-    ];
-
-    return ratelimit.middleware({
-      interval: 1 * 60 * 1000,
-      max: 5,
-      prefixKey: `${ctx.request.path}:${ctx.request.ip}`,
-      message,
-      ...strapi.config.get('plugin.users-permissions.ratelimit'),
-      ...config,
-    })(ctx, next);
+    let rateLimitConfig = strapi.config.get('plugin::users-permissions.ratelimit');
+
+    if (!rateLimitConfig) {
+      rateLimitConfig = {
+        enabled: true,
+      };
+    }
+
+    if (!has('enabled', rateLimitConfig)) {
+      rateLimitConfig.enabled = true;
+    }
+
+    if (rateLimitConfig.enabled === true) {
+      const rateLimit = require('koa2-ratelimit').RateLimit;
+
+      const userIdentifier = toLower(ctx.request.body.email) || 'unknownIdentifier';
+      const requestPath = isString(ctx.request.path)
+        ? toLower(path.normalize(ctx.request.path))
+        : 'invalidPath';
+
+      const loadConfig = {
+        interval: { min: 5 },
+        max: 5,
+        prefixKey: `${userIdentifier}:${requestPath}:${ctx.request.ip}`,
+        handler() {
+          throw new RateLimitError();
+        },
+        ...rateLimitConfig,
+        ...config,
+      };
+
+      return rateLimit.middleware(loadConfig)(ctx, next);
+    }
+
+    return next();
   };

package/server/register.js

@@ -7,7 +7,7 @@ const authStrategy = require('./strategies/users-permissions');
 const sanitizers = require('./utils/sanitize/sanitizers');
 
 module.exports = ({ strapi }) => {
-  strapi.container.get('auth').register('content-api', authStrategy);
+  strapi.get('auth').register('content-api', authStrategy);
   strapi.sanitizers.add('content-api.output', sanitizers.defaultSanitizeOutput);
 
   if (strapi.plugin('graphql')) {
@@ -15,7 +15,7 @@ module.exports = ({ strapi }) => {
   }
 
   if (strapi.plugin('documentation')) {
-    const specPath = path.join(__dirname, '../documentation/content-api.yaml');
+    const specPath = path.join(__dirname, '../../documentation/content-api.yaml');
     const spec = fs.readFileSync(specPath, 'utf8');
 
     strapi

package/server/services/jwt.js

@@ -29,10 +29,10 @@ module.exports = ({ strapi }) => ({
   },
 
   issue(payload, jwtOptions = {}) {
-    _.defaults(jwtOptions, strapi.config.get('plugin.users-permissions.jwt'));
+    _.defaults(jwtOptions, strapi.config.get('plugin::users-permissions.jwt'));
     return jwt.sign(
       _.clone(payload.toJSON ? payload.toJSON() : payload),
-      strapi.config.get('plugin.users-permissions.jwtSecret'),
+      strapi.config.get('plugin::users-permissions.jwtSecret'),
       jwtOptions
     );
   },
@@ -41,7 +41,7 @@ module.exports = ({ strapi }) => ({
     return new Promise((resolve, reject) => {
       jwt.verify(
         token,
-        strapi.config.get('plugin.users-permissions.jwtSecret'),
+        strapi.config.get('plugin::users-permissions.jwtSecret'),
         {},
         (err, tokenPayload = {}) => {
           if (err) {

package/server/services/permission.js

@@ -11,11 +11,7 @@ module.exports = ({ strapi }) => ({
    * @return {object[]}
    */
   async findRolePermissions(roleID) {
-    return strapi.entityService.load(
-      'plugin::users-permissions.role',
-      { id: roleID },
-      'permissions'
-    );
+    return strapi.db.query('plugin::users-permissions.role').load({ id: roleID }, 'permissions');
   },
 
   /**
@@ -24,8 +20,8 @@ module.exports = ({ strapi }) => ({
    * @return {object[]}
    */
   async findPublicPermissions() {
-    return strapi.entityService.findMany('plugin::users-permissions.permission', {
-      filters: PUBLIC_ROLE_FILTER,
+    return strapi.db.query('plugin::users-permissions.permission').findMany({
+      where: PUBLIC_ROLE_FILTER,
     });
   },