@strapi/plugin-users-permissions 0.0.0-next.f6dca5adf05ef6bed9605a1535999ab0bbbf063e → 0.0.0-next.f86041c89a8c1545c6437a881dc613e98bc52bd7

package/rollup.config.mjs

@@ -0,0 +1,19 @@
+import { defineConfig } from 'rollup';
+import {  baseConfig } from '../../../rollup.utils.mjs';
+
+export default defineConfig([
+  baseConfig({
+    input: {
+      index: './admin/src/index.js',
+    },
+    rootDir: './admin/src',
+    outDir: './dist/admin',
+  }),
+  baseConfig({
+    input: {
+      index: './server/index.js'
+    },
+    rootDir: './server',
+    outDir: './dist/server',
+  })
+]);

package/server/bootstrap/index.js

@@ -11,6 +11,18 @@ const crypto = require('crypto');
 const _ = require('lodash');
 const { getService } = require('../utils');
 const usersPermissionsActions = require('./users-permissions-actions');
+const {
+  DEFAULT_ACCESS_TOKEN_LIFESPAN,
+  DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_MAX_SESSION_LIFESPAN,
+  DEFAULT_IDLE_SESSION_LIFESPAN,
+} = require('../services/constants');
+
+const getSessionManager = () => {
+  const manager = strapi.sessionManager;
+  return manager ?? null;
+};
 
 const initGrant = async (pluginStore) => {
   const allProviders = getService('providers-registry').getAll();
@@ -113,6 +125,25 @@ module.exports = async ({ strapi }) => {
 
   await getService('users-permissions').initialize();
 
+  // Define users-permissions origin configuration for sessionManager
+  const upConfig = strapi.config.get('plugin::users-permissions');
+  const sessionManager = getSessionManager();
+
+  if (sessionManager) {
+    sessionManager.defineOrigin('users-permissions', {
+      jwtSecret: upConfig.jwtSecret || strapi.config.get('admin.auth.secret'),
+      accessTokenLifespan: upConfig.sessions?.accessTokenLifespan || DEFAULT_ACCESS_TOKEN_LIFESPAN,
+      maxRefreshTokenLifespan:
+        upConfig.sessions?.maxRefreshTokenLifespan || DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+      idleRefreshTokenLifespan:
+        upConfig.sessions?.idleRefreshTokenLifespan || DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+      maxSessionLifespan: upConfig.sessions?.maxSessionLifespan || DEFAULT_MAX_SESSION_LIFESPAN,
+      idleSessionLifespan: upConfig.sessions?.idleSessionLifespan || DEFAULT_IDLE_SESSION_LIFESPAN,
+      algorithm: upConfig.jwt?.algorithm,
+      jwtOptions: upConfig.jwt || {},
+    });
+  }
+
   if (!strapi.config.get('plugin::users-permissions.jwtSecret')) {
     if (process.env.NODE_ENV !== 'development') {
       throw new Error(

package/server/config.js

@@ -1,11 +1,33 @@
 'use strict';
 
+const {
+  DEFAULT_ACCESS_TOKEN_LIFESPAN,
+  DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+  DEFAULT_MAX_SESSION_LIFESPAN,
+  DEFAULT_IDLE_SESSION_LIFESPAN,
+} = require('./services/constants');
+
 module.exports = {
   default: ({ env }) => ({
     jwtSecret: env('JWT_SECRET'),
     jwt: {
       expiresIn: '30d',
     },
+    /**
+     * JWT management mode for the Content API authentication
+     * - "legacy-support": use plugin JWTs (backward compatible)
+     * - "refresh": use SessionManager (access/refresh tokens)
+     */
+    jwtManagement: 'legacy-support',
+    sessions: {
+      accessTokenLifespan: DEFAULT_ACCESS_TOKEN_LIFESPAN,
+      maxRefreshTokenLifespan: DEFAULT_MAX_REFRESH_TOKEN_LIFESPAN,
+      idleRefreshTokenLifespan: DEFAULT_IDLE_REFRESH_TOKEN_LIFESPAN,
+      maxSessionLifespan: DEFAULT_MAX_SESSION_LIFESPAN,
+      idleSessionLifespan: DEFAULT_IDLE_SESSION_LIFESPAN,
+      httpOnly: false,
+    },
     ratelimit: {
       interval: 60000,
       max: 10,

package/server/controllers/auth.js

@@ -31,6 +31,12 @@ const sanitizeUser = (user, ctx) => {
   return strapi.contentAPI.sanitize.output(user, userSchema, { auth });
 };
 
+const extractDeviceId = (requestBody) => {
+  const { deviceId } = requestBody || {};
+
+  return typeof deviceId === 'string' && deviceId.length > 0 ? deviceId : undefined;
+};
+
 module.exports = ({ strapi }) => ({
   async callback(ctx) {
     const provider = ctx.params.provider || 'local';
@@ -86,6 +92,51 @@ module.exports = ({ strapi }) => ({
         throw new ApplicationError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const isProduction = process.env.NODE_ENV === 'production';
+          const isSecure =
+            typeof upSessions.cookie?.secure === 'boolean'
+              ? upSessions.cookie?.secure
+              : isProduction;
+
+          const cookieOptions = {
+            httpOnly: true,
+            secure: isSecure,
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -100,6 +151,49 @@ module.exports = ({ strapi }) => ({
         throw new ForbiddenError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const isProduction = process.env.NODE_ENV === 'production';
+          const isSecure =
+            typeof upSessions.cookie?.secure === 'boolean'
+              ? upSessions.cookie?.secure
+              : isProduction;
+
+          const cookieOptions = {
+            httpOnly: true,
+            secure: isSecure,
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -137,7 +231,37 @@ module.exports = ({ strapi }) => ({
 
     await getService('user').edit(user.id, { password });
 
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
@@ -168,15 +292,117 @@ module.exports = ({ strapi }) => ({
       password,
     });
 
-    // Update the user.
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
   },
+  async refresh(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    const { refreshToken } = ctx.request.body || {};
+    if (!refreshToken || typeof refreshToken !== 'string') {
+      return ctx.badRequest('Missing refresh token');
+    }
+
+    const rotation = await strapi
+      .sessionManager('users-permissions')
+      .rotateRefreshToken(refreshToken);
+    if ('error' in rotation) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const result = await strapi
+      .sessionManager('users-permissions')
+      .generateAccessToken(rotation.token);
+    if ('error' in result) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      const isProduction = process.env.NODE_ENV === 'production';
+      const isSecure =
+        typeof upSessions.cookie?.secure === 'boolean' ? upSessions.cookie?.secure : isProduction;
+
+      const cookieOptions = {
+        httpOnly: true,
+        secure: isSecure,
+        sameSite: upSessions.cookie?.sameSite ?? 'lax',
+        path: upSessions.cookie?.path ?? '/',
+        domain: upSessions.cookie?.domain,
+        overwrite: true,
+      };
+      ctx.cookies.set(cookieName, rotation.token, cookieOptions);
+      return ctx.send({ jwt: result.token });
+    }
+    return ctx.send({ jwt: result.token, refreshToken: rotation.token });
+  },
+  async logout(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    // Invalidate all sessions for the authenticated user, or by deviceId if provided
+    if (!ctx.state.user) {
+      return ctx.unauthorized('Missing authentication');
+    }
+
+    const deviceId = extractDeviceId(ctx.request.body);
+    try {
+      await strapi
+        .sessionManager('users-permissions')
+        .invalidateRefreshToken(String(ctx.state.user.id), deviceId);
+    } catch (err) {
+      strapi.log.error('UP logout failed', err);
+    }
 
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      ctx.cookies.set(cookieName, '', { expires: new Date(0) });
+    }
+    return ctx.send({ ok: true });
+  },
   async connect(ctx, next) {
-    const grant = require('grant-koa');
+    const grant = require('grant').koa();
 
     const providers = await strapi
       .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
@@ -387,12 +613,26 @@ module.exports = ({ strapi }) => ({
       return ctx.send({ user: sanitizedUser });
     }
 
-    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body) || crypto.randomUUID();
 
-    return ctx.send({
-      jwt,
-      user: sanitizedUser,
-    });
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({ jwt: access.token, refreshToken: refresh.token, user: sanitizedUser });
+    }
+
+    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    return ctx.send({ jwt, user: sanitizedUser });
   },
 
   async emailConfirmation(ctx, next, returnUser) {

package/server/controllers/content-manager-user.js

@@ -2,8 +2,7 @@
 
 const _ = require('lodash');
 const { contentTypes: contentTypesUtils } = require('@strapi/utils');
-const { ApplicationError, ValidationError, NotFoundError, ForbiddenError } =
-  require('@strapi/utils').errors;
+const { ApplicationError, NotFoundError, ForbiddenError } = require('@strapi/utils').errors;
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
 const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
@@ -133,8 +132,8 @@ module.exports = {
 
     await validateUpdateUserBody(ctx.request.body);
 
-    if (_.has(body, 'password') && !password && user.provider === 'local') {
-      throw new ValidationError('password.notNull');
+    if (_.has(body, 'password') && (password == null || password === '')) {
+      delete body.password;
     }
 
     if (_.has(body, 'username')) {

package/server/controllers/validation/auth.js

@@ -14,6 +14,14 @@ const createRegisterSchema = (config) =>
     password: yup
       .string()
       .required()
+      .test(function (value) {
+        if (!value) return true;
+        const isValid = new TextEncoder().encode(value).length <= 72;
+        if (!isValid) {
+          return this.createError({ message: 'Password must be less than 73 bytes' });
+        }
+        return true;
+      })
       .test(async function (value) {
         if (typeof config?.validatePassword === 'function') {
           try {
@@ -49,6 +57,14 @@ const createResetPasswordSchema = (config) =>
       password: yup
         .string()
         .required()
+        .test(function (value) {
+          if (!value) return true;
+          const isValid = new TextEncoder().encode(value).length <= 72;
+          if (!isValid) {
+            return this.createError({ message: 'Password must be less than 73 bytes' });
+          }
+          return true;
+        })
         .test(async function (value) {
           if (typeof config?.validatePassword === 'function') {
             try {
@@ -62,7 +78,6 @@ const createResetPasswordSchema = (config) =>
           }
           return true;
         }),
-
       passwordConfirmation: yup
         .string()
         .required()
@@ -78,6 +93,14 @@ const createChangePasswordSchema = (config) =>
       password: yup
         .string()
         .required()
+        .test(function (value) {
+          if (!value) return true;
+          const isValid = new TextEncoder().encode(value).length <= 72;
+          if (!isValid) {
+            return this.createError({ message: 'Password must be less than 73 bytes' });
+          }
+          return true;
+        })
         .test(async function (value) {
           if (typeof config?.validatePassword === 'function') {
             try {

package/server/controllers/validation/user.js

@@ -29,7 +29,18 @@ const createUserBodySchema = yup.object().shape({
 const updateUserBodySchema = yup.object().shape({
   email: yup.string().email().min(1),
   username: yup.string().min(1),
-  password: yup.string().min(1),
+  password: yup
+    .mixed()
+    .test(
+      'password-validation',
+      'Password must be at least 1 character',
+      function validatePassword(value) {
+        if (value == null || value === '') {
+          return true;
+        }
+        return typeof value === 'string' && value.length >= 1;
+      }
+    ),
   role: yup.lazy((value) =>
     typeof value === 'object'
       ? yup.object().shape({

package/server/graphql/types/index.js

@@ -10,6 +10,7 @@ const typesFactories = [
   require('./create-role-payload'),
   require('./update-role-payload'),
   require('./delete-role-payload'),
+  require('./user-input'),
 ];
 
 /**

package/server/graphql/types/me.js

@@ -6,6 +6,7 @@ module.exports = ({ nexus }) => {
 
     definition(t) {
       t.nonNull.id('id');
+      t.nonNull.id('documentId');
       t.nonNull.string('username');
       t.string('email');
       t.boolean('confirmed');

package/server/graphql/types/user-input.js

@@ -0,0 +1,20 @@
+'use strict';
+
+const usersPermissionsUserUID = 'plugin::users-permissions.user';
+
+module.exports = ({ nexus, strapi }) => {
+  const { getContentTypeInputName } = strapi.plugin('graphql').service('utils').naming;
+
+  const userContentType = strapi.getModel(usersPermissionsUserUID);
+  const userInputName = getContentTypeInputName(userContentType);
+
+  return nexus.extendInputType({
+    type: userInputName,
+
+    definition(t) {
+      // Manually add the private password field back to the data
+      // input type as it is used for CRUD operations on users
+      t.string('password');
+    },
+  });
+};

package/server/register.js

@@ -15,7 +15,7 @@ module.exports = ({ strapi }) => {
   }
 
   if (strapi.plugin('documentation')) {
-    const specPath = path.join(__dirname, '../documentation/content-api.yaml');
+    const specPath = path.join(__dirname, '../../documentation/content-api.yaml');
     const spec = fs.readFileSync(specPath, 'utf8');
 
     strapi