@strapi/plugin-users-permissions 0.0.0-next.e41415e8ff5f565ff959667d5c5ba4f20bee013c → 0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "0.0.0-next.e41415e8ff5f565ff959667d5c5ba4f20bee013c",
+  "version": "0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -19,56 +19,75 @@
       "url": "https://strapi.io"
     }
   ],
+  "exports": {
+    "./strapi-admin": {
+      "source": "./admin/src/index.js",
+      "import": "./dist/admin/index.mjs",
+      "require": "./dist/admin/index.js",
+      "default": "./dist/admin/index.js"
+    },
+    "./strapi-server": {
+      "source": "./strapi-server.js",
+      "require": "./strapi-server.js",
+      "default": "./strapi-server.js"
+    },
+    "./package.json": "./package.json"
+  },
   "scripts": {
-    "test:unit": "run -T jest",
-    "test:unit:watch": "run -T jest --watch",
+    "build": "pack-up build",
+    "clean": "run -T rimraf dist",
+    "lint": "run -T eslint .",
     "test:front": "run -T cross-env IS_EE=true jest --config ./jest.config.front.js",
-    "test:front:watch": "run -T cross-env IS_EE=true jest --config ./jest.config.front.js --watchAll",
     "test:front:ce": "run -T cross-env IS_EE=false jest --config ./jest.config.front.js",
+    "test:front:watch": "run -T cross-env IS_EE=true jest --config ./jest.config.front.js --watchAll",
     "test:front:watch:ce": "run -T cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll",
-    "lint": "run -T eslint ."
+    "test:unit": "run -T jest",
+    "test:unit:watch": "run -T jest --watch",
+    "watch": "pack-up watch"
   },
   "dependencies": {
-    "@strapi/design-system": "1.8.0",
-    "@strapi/helper-plugin": "0.0.0-next.e41415e8ff5f565ff959667d5c5ba4f20bee013c",
-    "@strapi/icons": "1.8.0",
-    "@strapi/utils": "0.0.0-next.e41415e8ff5f565ff959667d5c5ba4f20bee013c",
+    "@strapi/design-system": "1.19.0",
+    "@strapi/helper-plugin": "0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b",
+    "@strapi/icons": "1.19.0",
+    "@strapi/utils": "0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b",
     "bcryptjs": "2.4.3",
     "formik": "2.4.0",
     "grant-koa": "5.4.8",
     "immer": "9.0.19",
     "jsonwebtoken": "9.0.0",
     "jwk-to-pem": "2.0.5",
-    "koa": "^2.13.4",
+    "koa": "2.13.4",
     "koa2-ratelimit": "^1.1.2",
     "lodash": "4.17.21",
     "prop-types": "^15.8.1",
     "purest": "4.0.2",
     "react-intl": "6.4.1",
     "react-query": "3.39.3",
-    "react-redux": "8.0.5",
+    "react-redux": "8.1.1",
     "url-join": "4.0.1",
-    "yup": "^0.32.9"
+    "yup": "0.32.9"
   },
   "devDependencies": {
+    "@strapi/pack-up": "4.23.0",
+    "@strapi/strapi": "0.0.0-next.e9b6852d1c05518ff6e37d599321f7aa7aa0683b",
     "@testing-library/dom": "9.2.0",
     "@testing-library/react": "14.0.0",
     "@testing-library/user-event": "14.4.3",
-    "history": "^4.9.0",
-    "msw": "1.2.1",
+    "msw": "1.3.0",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
     "react-router-dom": "5.3.4",
     "styled-components": "5.3.3"
   },
   "peerDependencies": {
+    "@strapi/strapi": "^4.0.0",
     "react": "^17.0.0 || ^18.0.0",
     "react-dom": "^17.0.0 || ^18.0.0",
-    "react-router-dom": "5.3.4",
-    "styled-components": "5.3.3"
+    "react-router-dom": "^5.2.0",
+    "styled-components": "^5.2.1"
   },
   "engines": {
-    "node": ">=14.19.1 <=18.x.x",
+    "node": ">=18.0.0 <=20.x.x",
     "npm": ">=6.0.0"
   },
   "strapi": {
@@ -78,5 +97,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "e41415e8ff5f565ff959667d5c5ba4f20bee013c"
+  "gitHead": "e9b6852d1c05518ff6e37d599321f7aa7aa0683b"
 }

package/packup.config.ts

@@ -0,0 +1,22 @@
+import { Config, defineConfig } from '@strapi/pack-up';
+import { transformWithEsbuild } from 'vite';
+
+const config: Config = defineConfig({
+  bundles: [
+    {
+      source: './admin/src/index.js',
+      import: './dist/admin/index.mjs',
+      require: './dist/admin/index.js',
+      runtime: 'web',
+    },
+  ],
+  dist: './dist',
+  /**
+   * Because we're exporting a server & client package
+   * which have different runtimes we want to ignore
+   * what they look like in the package.json
+   */
+  exports: {},
+});
+
+export default config;

package/server/bootstrap/grant-config.js

@@ -128,4 +128,13 @@ module.exports = (baseURL) => ({
     callback: `${baseURL}/patreon/callback`,
     scope: ['identity', 'identity[email]'],
   },
+  keycloak: {
+    enabled: false,
+    icon: '',
+    key: '',
+    secret: '',
+    subdomain: 'myKeycloakProvider.com/realms/myrealm',
+    callback: `${baseURL}/keycloak/callback`,
+    scope: ['openid', 'email', 'profile'],
+  },
 });

package/server/bootstrap/index.js

@@ -10,10 +10,12 @@
 const crypto = require('crypto');
 const _ = require('lodash');
 const urljoin = require('url-join');
+const { isArray } = require('lodash/fp');
 const { getService } = require('../utils');
 const getGrantConfig = require('./grant-config');
 
 const usersPermissionsActions = require('./users-permissions-actions');
+const userSchema = require('../content-types/user');
 
 const initGrant = async (pluginStore) => {
   const apiPrefix = strapi.config.get('api.rest.prefix');
@@ -97,6 +99,27 @@ const initAdvancedOptions = async (pluginStore) => {
   }
 };
 
+const userSchemaAdditions = () => {
+  const defaultSchema = Object.keys(userSchema.attributes);
+  const currentSchema = Object.keys(
+    strapi.contentTypes['plugin::users-permissions.user'].attributes
+  );
+
+  // Some dynamic fields may not have been initialized yet, so we need to ignore them
+  // TODO: we should have a global method for finding these
+  const ignoreDiffs = [
+    'createdBy',
+    'createdAt',
+    'updatedBy',
+    'updatedAt',
+    'publishedAt',
+    'strapi_stage',
+    'strapi_assignee',
+  ];
+
+  return currentSchema.filter((key) => !(ignoreDiffs.includes(key) || defaultSchema.includes(key)));
+};
+
 module.exports = async ({ strapi }) => {
   const pluginStore = strapi.store({ type: 'plugin', name: 'users-permissions' });
 
@@ -130,4 +153,17 @@ For security reasons, prefer storing the secret in an environment variable and r
       );
     }
   }
+
+  // TODO v5: Remove this block of code and default allowedFields to empty array
+  if (!isArray(strapi.config.get('plugin.users-permissions.register.allowedFields'))) {
+    const modifications = userSchemaAdditions();
+    if (modifications.length > 0) {
+      // if there is a potential vulnerability, show a warning
+      strapi.log.warn(
+        `Users-permissions registration has defaulted to accepting the following additional user fields during registration: ${modifications.join(
+          ','
+        )}`
+      );
+    }
+  }
 };

package/server/bootstrap/users-permissions-actions.js

@@ -16,6 +16,12 @@ module.exports = {
       uid: 'roles.read',
       subCategory: 'roles',
       pluginName: 'users-permissions',
+      aliases: [
+        {
+          actionId: 'plugin::content-manager.explorer.read',
+          subjects: ['plugin::users-permissions.role'],
+        },
+      ],
     },
     {
       section: 'plugins',

package/server/config.js

@@ -18,6 +18,35 @@ module.exports = {
         },
       },
     },
+    callback: {
+      validate(callback, provider) {
+        let uCallback;
+        let uProviderCallback;
+
+        try {
+          uCallback = new URL(callback);
+          uProviderCallback = new URL(provider.callback);
+        } catch {
+          throw new Error('The callback is not a valid URL');
+        }
+
+        // Make sure the different origin matches
+        if (uCallback.origin !== uProviderCallback.origin) {
+          throw new Error(
+            `Forbidden callback provided: origins don't match. Please verify your config.`
+          );
+        }
+
+        // Make sure the different pathname matches
+        if (uCallback.pathname !== uProviderCallback.pathname) {
+          throw new Error(
+            `Forbidden callback provided: pathname don't match. Please verify your config.`
+          );
+        }
+
+        // NOTE: We're not checking the search parameters on purpose to allow passing different states
+      },
+    },
   }),
   validator() {},
 };

package/server/controllers/auth.js

@@ -9,7 +9,11 @@
 /* eslint-disable no-useless-escape */
 const crypto = require('crypto');
 const _ = require('lodash');
+const { concat, compact, isArray } = require('lodash/fp');
 const utils = require('@strapi/utils');
+const {
+  contentTypes: { getNonWritableAttributes },
+} = require('@strapi/utils');
 const { getService } = require('../utils');
 const {
   validateCallbackBody,
@@ -22,7 +26,7 @@ const {
 } = require('./validation/auth');
 
 const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
-const { ApplicationError, ValidationError } = utils.errors;
+const { ApplicationError, ValidationError, ForbiddenError } = utils.errors;
 
 const sanitizeUser = (user, ctx) => {
   const { auth } = ctx.state;
@@ -96,6 +100,10 @@ module.exports = {
     try {
       const user = await getService('providers').connect(provider, ctx.query);
 
+      if (user.blocked) {
+        throw new ForbiddenError('Your account has been blocked by an administrator');
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -193,10 +201,28 @@ module.exports = {
     }
 
     // Ability to pass OAuth callback dynamically
-    grantConfig[provider].callback =
-      _.get(ctx, 'query.callback') ||
-      _.get(ctx, 'session.grant.dynamic.callback') ||
-      grantConfig[provider].callback;
+    const queryCustomCallback = _.get(ctx, 'query.callback');
+    const dynamicSessionCallback = _.get(ctx, 'session.grant.dynamic.callback');
+
+    const customCallback = queryCustomCallback ?? dynamicSessionCallback;
+
+    // The custom callback is validated to make sure it's not redirecting to an unwanted actor.
+    if (customCallback !== undefined) {
+      try {
+        // We're extracting the callback validator from the plugin config since it can be user-customized
+        const { validate: validateCallback } = strapi
+          .plugin('users-permissions')
+          .config('callback');
+
+        await validateCallback(customCallback, grantConfig[provider]);
+
+        grantConfig[provider].callback = customCallback;
+      } catch (e) {
+        throw new ValidationError('Invalid callback URL provided', { callback: customCallback });
+      }
+    }
+
+    // Build a valid redirect URI for the current provider
     grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);
 
     return grant(grantConfig)(ctx, next);
@@ -273,20 +299,49 @@ module.exports = {
       throw new ApplicationError('Register action is currently disabled');
     }
 
+    const { register } = strapi.config.get('plugin.users-permissions');
+    const alwaysAllowedKeys = ['username', 'password', 'email'];
+    const userModel = strapi.contentTypes['plugin::users-permissions.user'];
+    const { attributes } = userModel;
+
+    const nonWritable = getNonWritableAttributes(userModel);
+
+    const allowedKeys = compact(
+      concat(
+        alwaysAllowedKeys,
+        isArray(register?.allowedFields)
+          ? // Note that we do not filter allowedFields in case a user explicitly chooses to allow a private or otherwise omitted field on registration
+            register.allowedFields // if null or undefined, compact will remove it
+          : // to prevent breaking changes, if allowedFields is not set in config, we only remove private and known dangerous user schema fields
+            // TODO V5: allowedFields defaults to [] when undefined and remove this case
+            Object.keys(attributes).filter(
+              (key) =>
+                !nonWritable.includes(key) &&
+                !attributes[key].private &&
+                ![
+                  // many of these are included in nonWritable, but we'll list them again to be safe and since we're removing this code in v5 anyway
+                  // Strapi user schema fields
+                  'confirmed',
+                  'blocked',
+                  'confirmationToken',
+                  'resetPasswordToken',
+                  'provider',
+                  'id',
+                  'role',
+                  // other Strapi fields that might be added
+                  'createdAt',
+                  'updatedAt',
+                  'createdBy',
+                  'updatedBy',
+                  'publishedAt', // d&p
+                  'strapi_reviewWorkflows_stage', // review workflows
+                ].includes(key)
+            )
+      )
+    );
+
     const params = {
-      ..._.omit(ctx.request.body, [
-        'confirmed',
-        'blocked',
-        'confirmationToken',
-        'resetPasswordToken',
-        'provider',
-        'id',
-        'createdAt',
-        'updatedAt',
-        'createdBy',
-        'updatedBy',
-        'role',
-      ]),
+      ..._.pick(ctx.request.body, allowedKeys),
       provider: 'local',
     };
 

package/server/controllers/user.js

@@ -11,7 +11,7 @@ const utils = require('@strapi/utils');
 const { getService } = require('../utils');
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
-const { sanitize } = utils;
+const { sanitize, validate } = utils;
 const { ApplicationError, ValidationError, NotFoundError } = utils.errors;
 
 const sanitizeOutput = async (user, ctx) => {
@@ -21,6 +21,13 @@ const sanitizeOutput = async (user, ctx) => {
   return sanitize.contentAPI.output(user, schema, { auth });
 };
 
+const validateQuery = async (query, ctx) => {
+  const schema = strapi.getModel('plugin::users-permissions.user');
+  const { auth } = ctx.state;
+
+  return validate.contentAPI.query(query, schema, { auth });
+};
+
 const sanitizeQuery = async (query, ctx) => {
   const schema = strapi.getModel('plugin::users-permissions.user');
   const { auth } = ctx.state;
@@ -143,6 +150,7 @@ module.exports = {
    * @return {Object|Array}
    */
   async find(ctx) {
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
     const users = await getService('user').fetchAll(sanitizedQuery);
 
@@ -155,6 +163,7 @@ module.exports = {
    */
   async findOne(ctx) {
     const { id } = ctx.params;
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
 
     let data = await getService('user').fetch(id, sanitizedQuery);
@@ -171,6 +180,7 @@ module.exports = {
    * @return {Number}
    */
   async count(ctx) {
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
 
     ctx.body = await getService('user').count(sanitizedQuery);
@@ -201,6 +211,7 @@ module.exports = {
       return ctx.unauthorized();
     }
 
+    await validateQuery(query, ctx);
     const sanitizedQuery = await sanitizeQuery(query, ctx);
     const user = await getService('user').fetch(authUser.id, sanitizedQuery);
 

package/server/middlewares/rateLimit.js

@@ -1,27 +1,47 @@
 'use strict';
 
+const path = require('path');
+const utils = require('@strapi/utils');
+const { isString, has, toLower } = require('lodash/fp');
+
+const { RateLimitError } = utils.errors;
+
 module.exports =
   (config, { strapi }) =>
   async (ctx, next) => {
-    const ratelimit = require('koa2-ratelimit').RateLimit;
-
-    const message = [
-      {
-        messages: [
-          {
-            id: 'Auth.form.error.ratelimit',
-            message: 'Too many attempts, please try again in a minute.',
-          },
-        ],
-      },
-    ];
-
-    return ratelimit.middleware({
-      interval: 1 * 60 * 1000,
-      max: 5,
-      prefixKey: `${ctx.request.path}:${ctx.request.ip}`,
-      message,
-      ...strapi.config.get('plugin.users-permissions.ratelimit'),
-      ...config,
-    })(ctx, next);
+    let rateLimitConfig = strapi.config.get('plugin.users-permissions.ratelimit');
+
+    if (!rateLimitConfig) {
+      rateLimitConfig = {
+        enabled: true,
+      };
+    }
+
+    if (!has('enabled', rateLimitConfig)) {
+      rateLimitConfig.enabled = true;
+    }
+
+    if (rateLimitConfig.enabled === true) {
+      const rateLimit = require('koa2-ratelimit').RateLimit;
+
+      const userIdentifier = toLower(ctx.request.body.email) || 'unknownIdentifier';
+      const requestPath = isString(ctx.request.path)
+        ? toLower(path.normalize(ctx.request.path))
+        : 'invalidPath';
+
+      const loadConfig = {
+        interval: { min: 5 },
+        max: 5,
+        prefixKey: `${userIdentifier}:${requestPath}:${ctx.request.ip}`,
+        handler() {
+          throw new RateLimitError();
+        },
+        ...rateLimitConfig,
+        ...config,
+      };
+
+      return rateLimit.middleware(loadConfig)(ctx, next);
+    }
+
+    return next();
   };

package/server/services/providers-registry.js

@@ -54,8 +54,11 @@ const getInitialProviders = ({ purest }) => ({
       .auth(accessToken)
       .request()
       .then(({ body }) => {
-        // Combine username and discriminator because discord username is not unique
-        const username = `${body.username}#${body.discriminator}`;
+        // Combine username and discriminator (if discriminator exists and not equal to 0)
+        const username =
+          body.discriminator && body.discriminator !== '0'
+            ? `${body.username}#${body.discriminator}`
+            : body.username;
         return {
           username,
           email: body.email,
@@ -311,6 +314,7 @@ const getInitialProviders = ({ purest }) => ({
             origin: 'https://www.patreon.com',
             path: 'api/oauth2/{path}',
             headers: {
+              'user-agent': 'strapi',
               authorization: 'Bearer {auth}',
             },
           },
@@ -331,6 +335,21 @@ const getInitialProviders = ({ purest }) => ({
         };
       });
   },
+  async keycloak({ accessToken, providers }) {
+    const keycloak = purest({ provider: 'keycloak' });
+
+    return keycloak
+      .subdomain(providers.keycloak.subdomain)
+      .get('protocol/openid-connect/userinfo')
+      .auth(accessToken)
+      .request()
+      .then(({ body }) => {
+        return {
+          username: body.preferred_username,
+          email: body.email,
+        };
+      });
+  },
 });
 
 module.exports = () => {

package/server/strategies/users-permissions.js

@@ -1,6 +1,6 @@
 'use strict';
 
-const { castArray, map, every, pipe, isEmpty } = require('lodash/fp');
+const { castArray, map, every, pipe } = require('lodash/fp');
 const { ForbiddenError, UnauthorizedError } = require('@strapi/utils').errors;
 
 const { getService } = require('../utils');
@@ -80,13 +80,6 @@ const authenticate = async (ctx) => {
 const verify = async (auth, config) => {
   const { credentials: user, ability } = auth;
 
-  strapi.telemetry.send('didReceiveAPIRequest', {
-    eventProperties: {
-      authenticationMethod: auth?.strategy?.name,
-      isAuthenticated: !isEmpty(user),
-    },
-  });
-
   if (!config.scope) {
     if (!user) {
       // A non authenticated user cannot access routes that do not have a scope

package/.eslintrc.js

@@ -1,14 +0,0 @@
-module.exports = {
-  root: true,
-  overrides: [
-    {
-      files: ['admin/**/*'],
-      extends: ['custom/front'],
-    },
-    {
-      files: ['**/*'],
-      excludedFiles: ['admin/**/*'],
-      extends: ['custom/back'],
-    },
-  ],
-};

package/admin/src/hooks/index.js

@@ -1,5 +0,0 @@
-// eslint-disable-next-line import/prefer-default-export
-export { default as useForm } from './useForm';
-export { default as useRolesList } from './useRolesList';
-export { default as usePlugins } from './usePlugins';
-export { default as useFetchRole } from './useFetchRole';

package/admin/src/hooks/useFetchRole/index.js

@@ -1,64 +0,0 @@
-import { useCallback, useReducer, useEffect, useRef } from 'react';
-import { useNotification, useFetchClient } from '@strapi/helper-plugin';
-import reducer, { initialState } from './reducer';
-import pluginId from '../../pluginId';
-
-const useFetchRole = (id) => {
-  const [state, dispatch] = useReducer(reducer, initialState);
-  const toggleNotification = useNotification();
-  const isMounted = useRef(null);
-  const { get } = useFetchClient();
-
-  useEffect(() => {
-    isMounted.current = true;
-
-    if (id) {
-      fetchRole(id);
-    } else {
-      dispatch({
-        type: 'GET_DATA_SUCCEEDED',
-        role: {},
-      });
-    }
-
-    return () => (isMounted.current = false);
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [id]);
-
-  const fetchRole = async (roleId) => {
-    try {
-      const {
-        data: { role },
-      } = await get(`/${pluginId}/roles/${roleId}`);
-
-      // Prevent updating state on an unmounted component
-      if (isMounted.current) {
-        dispatch({
-          type: 'GET_DATA_SUCCEEDED',
-          role,
-        });
-      }
-    } catch (err) {
-      console.error(err);
-
-      dispatch({
-        type: 'GET_DATA_ERROR',
-      });
-      toggleNotification({
-        type: 'warning',
-        message: { id: 'notification.error' },
-      });
-    }
-  };
-
-  const handleSubmitSucceeded = useCallback((data) => {
-    dispatch({
-      type: 'ON_SUBMIT_SUCCEEDED',
-      ...data,
-    });
-  }, []);
-
-  return { ...state, onSubmitSucceeded: handleSubmitSucceeded };
-};
-
-export default useFetchRole;