@strapi/plugin-users-permissions 4.2.0-beta.0 → 4.2.0-beta.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.2.0-beta.0",
+  "version": "4.2.0-beta.1",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -27,15 +27,14 @@
     "test:front:watch:ce": "cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll"
   },
   "dependencies": {
-    "@purest/providers": "^1.0.2",
-    "@strapi/helper-plugin": "4.2.0-beta.0",
-    "@strapi/utils": "4.2.0-beta.0",
+    "@strapi/helper-plugin": "4.2.0-beta.1",
+    "@strapi/utils": "4.2.0-beta.1",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
     "jsonwebtoken": "^8.1.0",
     "koa2-ratelimit": "^0.9.0",
     "lodash": "4.17.21",
-    "purest": "3.1.0",
+    "purest": "4.0.2",
     "react": "^17.0.2",
     "react-dom": "^17.0.2",
     "react-intl": "5.20.2",
@@ -44,8 +43,7 @@
     "react-router-dom": "5.2.0",
     "redux-saga": "^0.16.0",
     "request": "^2.83.0",
-    "url-join": "4.0.1",
-    "uuid": "^3.1.0"
+    "url-join": "4.0.1"
   },
   "devDependencies": {
     "koa": "^2.13.1"
@@ -61,5 +59,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "db70f0de7cc73fb469c8a076b89530729cf14142"
+  "gitHead": "4fa2804f35e15ed72dfd309fb5bb1c4dba18932f"
 }

package/server/bootstrap/index.js

@@ -7,9 +7,9 @@
  * This gives you an opportunity to set up your data model,
  * run jobs, or perform some special logic.
  */
+const crypto = require('crypto');
 const _ = require('lodash');
 const urljoin = require('url-join');
-const uuid = require('uuid/v4');
 const { getService } = require('../utils');
 const getGrantConfig = require('./grant-config');
 
@@ -29,13 +29,22 @@ module.exports = async ({ strapi }) => {
   await getService('users-permissions').initialize();
 
   if (!strapi.config.get('plugin.users-permissions.jwtSecret')) {
-    const jwtSecret = uuid();
+    if (process.env.NODE_ENV !== 'development') {
+      throw new Error(
+        `Missing jwtSecret. Please, set configuration variable "jwtSecret" for the users-permissions plugin in config/plugins.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
+For security reasons, prefer storing the secret in an environment variable and read it in config/plugins.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
+      );
+    }
+
+    const jwtSecret = crypto.randomBytes(16).toString('base64');
+
     strapi.config.set('plugin.users-permissions.jwtSecret', jwtSecret);
 
     if (!process.env.JWT_SECRET) {
-      strapi.fs.appendFile(process.env.ENV_PATH || '.env', `JWT_SECRET=${jwtSecret}\n`);
+      const envPath = process.env.ENV_PATH || '.env';
+      strapi.fs.appendFile(envPath, `JWT_SECRET=${jwtSecret}\n`);
       strapi.log.info(
-        'The Users & Permissions plugin automatically generated a jwt secret and stored it in your .env file under the name JWT_SECRET.'
+        `The Users & Permissions plugin automatically generated a jwt secret and stored it in ${envPath} under the name JWT_SECRET.`
       );
     }
   }

package/server/controllers/auth.js

@@ -17,7 +17,7 @@ const {
   validateSendEmailConfirmationBody,
 } = require('./validation/auth');
 
-const { sanitize } = utils;
+const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
 const { ApplicationError, ValidationError } = utils.errors;
 
 const emailRegExp = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
@@ -34,7 +34,7 @@ module.exports = {
     const provider = ctx.params.provider || 'local';
     const params = ctx.request.body;
 
-    const store = await strapi.store({ type: 'plugin', name: 'users-permissions' });
+    const store = strapi.store({ type: 'plugin', name: 'users-permissions' });
 
     if (provider === 'local') {
       if (!_.get(await store.get({ key: 'grant' }), 'email.enabled')) {
@@ -101,22 +101,15 @@ module.exports = {
       }
 
       // Connect the user with the third-party provider.
-      let user;
-      let error;
       try {
-        [user, error] = await getService('providers').connect(provider, ctx.query);
-      } catch ([user, error]) {
-        throw new ApplicationError(error.message);
-      }
-
-      if (!user) {
+        const user = await getService('providers').connect(provider, ctx.query);
+        ctx.send({
+          jwt: getService('jwt').issue({ id: user.id }),
+          user: await sanitizeUser(user, ctx),
+        });
+      } catch (error) {
         throw new ApplicationError(error.message);
       }
-
-      ctx.send({
-        jwt: getService('jwt').issue({ id: user.id }),
-        user: await sanitizeUser(user, ctx),
-      });
     }
   },
 
@@ -243,6 +236,8 @@ module.exports = {
 
     settings.message = await getService('users-permissions').template(settings.message, {
       URL: advanced.email_reset_password,
+      SERVER_URL: getAbsoluteServerUrl(strapi.config),
+      ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
       USER: userInfo,
       TOKEN: resetPasswordToken,
     });

package/server/controllers/validation/email-template.js

@@ -3,7 +3,16 @@
 const _ = require('lodash');
 
 const invalidPatternsRegexes = [/<%[^=]([^<>%]*)%>/m, /\${([^{}]*)}/m];
-const authorizedKeys = ['URL', 'CODE', 'USER', 'USER.email', 'USER.username', 'TOKEN'];
+const authorizedKeys = [
+  'URL',
+  'ADMIN_URL',
+  'SERVER_URL',
+  'CODE',
+  'USER',
+  'USER.email',
+  'USER.username',
+  'TOKEN',
+];
 
 const matchAll = (pattern, src) => {
   const matches = [];