@strapi/plugin-users-permissions 4.2.0-beta.0 → 4.2.0-beta.3

package/admin/src/translations/zh.json

@@ -13,7 +13,6 @@
   "HeaderNav.link.advancedSettings": "進階設定",
   "HeaderNav.link.emailTemplates": "郵件範本",
   "HeaderNav.link.providers": "驗證方式",
-  "HeaderNav.link.roles": "身份",
   "Plugin.permissions.plugins.description": "為 {name} 擴充功能定義所有可用的操作",
   "Plugins.header.description": "只有綁定路徑的操作會顯示在下方",
   "Plugins.header.title": "權限",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.2.0-beta.0",
+  "version": "4.2.0-beta.3",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -27,15 +27,14 @@
     "test:front:watch:ce": "cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll"
   },
   "dependencies": {
-    "@purest/providers": "^1.0.2",
-    "@strapi/helper-plugin": "4.2.0-beta.0",
-    "@strapi/utils": "4.2.0-beta.0",
+    "@strapi/helper-plugin": "4.2.0-beta.3",
+    "@strapi/utils": "4.2.0-beta.3",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
     "jsonwebtoken": "^8.1.0",
     "koa2-ratelimit": "^0.9.0",
     "lodash": "4.17.21",
-    "purest": "3.1.0",
+    "purest": "4.0.2",
     "react": "^17.0.2",
     "react-dom": "^17.0.2",
     "react-intl": "5.20.2",
@@ -44,8 +43,7 @@
     "react-router-dom": "5.2.0",
     "redux-saga": "^0.16.0",
     "request": "^2.83.0",
-    "url-join": "4.0.1",
-    "uuid": "^3.1.0"
+    "url-join": "4.0.1"
   },
   "devDependencies": {
     "koa": "^2.13.1"
@@ -61,5 +59,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "db70f0de7cc73fb469c8a076b89530729cf14142"
+  "gitHead": "c4addbad6ecbc8ef7633bbba3806f3b0a2ae5f49"
 }

package/server/bootstrap/index.js

@@ -7,9 +7,9 @@
  * This gives you an opportunity to set up your data model,
  * run jobs, or perform some special logic.
  */
+const crypto = require('crypto');
 const _ = require('lodash');
 const urljoin = require('url-join');
-const uuid = require('uuid/v4');
 const { getService } = require('../utils');
 const getGrantConfig = require('./grant-config');
 
@@ -29,13 +29,22 @@ module.exports = async ({ strapi }) => {
   await getService('users-permissions').initialize();
 
   if (!strapi.config.get('plugin.users-permissions.jwtSecret')) {
-    const jwtSecret = uuid();
+    if (process.env.NODE_ENV !== 'development') {
+      throw new Error(
+        `Missing jwtSecret. Please, set configuration variable "jwtSecret" for the users-permissions plugin in config/plugins.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
+For security reasons, prefer storing the secret in an environment variable and read it in config/plugins.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
+      );
+    }
+
+    const jwtSecret = crypto.randomBytes(16).toString('base64');
+
     strapi.config.set('plugin.users-permissions.jwtSecret', jwtSecret);
 
     if (!process.env.JWT_SECRET) {
-      strapi.fs.appendFile(process.env.ENV_PATH || '.env', `JWT_SECRET=${jwtSecret}\n`);
+      const envPath = process.env.ENV_PATH || '.env';
+      strapi.fs.appendFile(envPath, `JWT_SECRET=${jwtSecret}\n`);
       strapi.log.info(
-        'The Users & Permissions plugin automatically generated a jwt secret and stored it in your .env file under the name JWT_SECRET.'
+        `The Users & Permissions plugin automatically generated a jwt secret and stored it in ${envPath} under the name JWT_SECRET.`
       );
     }
   }

package/server/controllers/auth.js

@@ -17,7 +17,7 @@ const {
   validateSendEmailConfirmationBody,
 } = require('./validation/auth');
 
-const { sanitize } = utils;
+const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
 const { ApplicationError, ValidationError } = utils.errors;
 
 const emailRegExp = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
@@ -34,7 +34,7 @@ module.exports = {
     const provider = ctx.params.provider || 'local';
     const params = ctx.request.body;
 
-    const store = await strapi.store({ type: 'plugin', name: 'users-permissions' });
+    const store = strapi.store({ type: 'plugin', name: 'users-permissions' });
 
     if (provider === 'local') {
       if (!_.get(await store.get({ key: 'grant' }), 'email.enabled')) {
@@ -101,22 +101,15 @@ module.exports = {
       }
 
       // Connect the user with the third-party provider.
-      let user;
-      let error;
       try {
-        [user, error] = await getService('providers').connect(provider, ctx.query);
-      } catch ([user, error]) {
-        throw new ApplicationError(error.message);
-      }
-
-      if (!user) {
+        const user = await getService('providers').connect(provider, ctx.query);
+        ctx.send({
+          jwt: getService('jwt').issue({ id: user.id }),
+          user: await sanitizeUser(user, ctx),
+        });
+      } catch (error) {
         throw new ApplicationError(error.message);
       }
-
-      ctx.send({
-        jwt: getService('jwt').issue({ id: user.id }),
-        user: await sanitizeUser(user, ctx),
-      });
     }
   },
 
@@ -243,6 +236,8 @@ module.exports = {
 
     settings.message = await getService('users-permissions').template(settings.message, {
       URL: advanced.email_reset_password,
+      SERVER_URL: getAbsoluteServerUrl(strapi.config),
+      ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
       USER: userInfo,
       TOKEN: resetPasswordToken,
     });
@@ -383,7 +378,7 @@ module.exports = {
       throw new ValidationError('token.invalid');
     }
 
-    const user = await userService.fetch({ confirmationToken }, []);
+    const [user] = await userService.fetchAll({ filters: { confirmationToken } });
 
     if (!user) {
       throw new ValidationError('token.invalid');

package/server/controllers/role.js

@@ -21,10 +21,10 @@ module.exports = {
     ctx.send({ ok: true });
   },
 
-  async getRole(ctx) {
+  async findOne(ctx) {
     const { id } = ctx.params;
 
-    const role = await getService('role').getRole(id);
+    const role = await getService('role').findOne(id);
 
     if (!role) {
       return ctx.notFound();
@@ -33,8 +33,8 @@ module.exports = {
     ctx.send({ role });
   },
 
-  async getRoles(ctx) {
-    const roles = await getService('role').getRoles();
+  async find(ctx) {
+    const roles = await getService('role').find();
 
     ctx.send({ roles });
   },

package/server/controllers/settings.js

@@ -37,7 +37,7 @@ module.exports = {
       .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
       .get();
 
-    const roles = await getService('role').getRoles();
+    const roles = await getService('role').find();
 
     ctx.send({ settings, roles });
   },

package/server/controllers/user.js

@@ -12,7 +12,7 @@ const { getService } = require('../utils');
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
 const { sanitize } = utils;
-const { ApplicationError, ValidationError } = utils.errors;
+const { ApplicationError, ValidationError, NotFoundError } = utils.errors;
 
 const sanitizeOutput = (user, ctx) => {
   const schema = strapi.getModel('plugin::users-permissions.user');
@@ -90,7 +90,10 @@ module.exports = {
     const { id } = ctx.params;
     const { email, username, password } = ctx.request.body;
 
-    const user = await getService('user').fetch({ id });
+    const user = await getService('user').fetch(id);
+    if (!user) {
+      throw new NotFoundError(`User not found`);
+    }
 
     await validateUpdateUserBody(ctx.request.body);
 
@@ -133,8 +136,8 @@ module.exports = {
    * Retrieve user records.
    * @return {Object|Array}
    */
-  async find(ctx, next, { populate } = {}) {
-    const users = await getService('user').fetchAll(ctx.query.filters, populate);
+  async find(ctx) {
+    const users = await getService('user').fetchAll(ctx.query);
 
     ctx.body = await Promise.all(users.map(user => sanitizeOutput(user, ctx)));
   },
@@ -145,7 +148,9 @@ module.exports = {
    */
   async findOne(ctx) {
     const { id } = ctx.params;
-    let data = await getService('user').fetch({ id });
+    const { query } = ctx;
+
+    let data = await getService('user').fetch(id, query);
 
     if (data) {
       data = await sanitizeOutput(data, ctx);

package/server/controllers/validation/email-template.js

@@ -3,7 +3,16 @@
 const _ = require('lodash');
 
 const invalidPatternsRegexes = [/<%[^=]([^<>%]*)%>/m, /\${([^{}]*)}/m];
-const authorizedKeys = ['URL', 'CODE', 'USER', 'USER.email', 'USER.username', 'TOKEN'];
+const authorizedKeys = [
+  'URL',
+  'ADMIN_URL',
+  'SERVER_URL',
+  'CODE',
+  'USER',
+  'USER.email',
+  'USER.username',
+  'TOKEN',
+];
 
 const matchAll = (pattern, src) => {
   const matches = [];

package/server/graphql/mutations/auth/email-confirmation.js

@@ -19,7 +19,7 @@ module.exports = ({ nexus, strapi }) => {
     async resolve(parent, args, context) {
       const { koaContext } = context;
 
-      koaContext.request.body = toPlainObject(args);
+      koaContext.query = toPlainObject(args);
 
       await strapi
         .plugin('users-permissions')

package/server/graphql/mutations/crud/user/delete-user.js

@@ -19,7 +19,7 @@ module.exports = ({ nexus, strapi }) => {
       id: nonNull('ID'),
     },
 
-    description: 'Update an existing user',
+    description: 'Delete an existing user',
 
     async resolve(parent, args, context) {
       const { koaContext } = context;

package/server/graphql/resolvers-configs.js

@@ -26,12 +26,12 @@ module.exports = ({ strapi }) => {
 
     // Scoped auth for replaced CRUD operations
     // Role
-    [`Mutation.${createRole}`]: { auth: { scope: [`${roleUID}.create`] } },
-    [`Mutation.${updateRole}`]: { auth: { scope: [`${roleUID}.update`] } },
-    [`Mutation.${deleteRole}`]: { auth: { scope: [`${roleUID}.delete`] } },
+    [`Mutation.${createRole}`]: { auth: { scope: [`${roleUID}.createRole`] } },
+    [`Mutation.${updateRole}`]: { auth: { scope: [`${roleUID}.updateRole`] } },
+    [`Mutation.${deleteRole}`]: { auth: { scope: [`${roleUID}.deleteRole`] } },
     // User
     [`Mutation.${createUser}`]: { auth: { scope: [`${userUID}.create`] } },
     [`Mutation.${updateUser}`]: { auth: { scope: [`${userUID}.update`] } },
-    [`Mutation.${deleteUser}`]: { auth: { scope: [`${userUID}.delete`] } },
+    [`Mutation.${deleteUser}`]: { auth: { scope: [`${userUID}.destroy`] } },
   };
 };

package/server/register.js

@@ -1,9 +1,11 @@
 'use strict';
 
 const authStrategy = require('./strategies/users-permissions');
+const sanitizers = require('./utils/sanitize/sanitizers');
 
 module.exports = ({ strapi }) => {
   strapi.container.get('auth').register('content-api', authStrategy);
+  strapi.sanitizers.add('content-api.output', sanitizers.defaultSanitizeOutput);
 
   if (strapi.plugin('graphql')) {
     require('./graphql')({ strapi });

package/server/routes/admin/role.js

@@ -4,7 +4,7 @@ module.exports = [
   {
     method: 'GET',
     path: '/roles/:id',
-    handler: 'role.getRole',
+    handler: 'role.findOne',
     config: {
       policies: [
         {
@@ -19,7 +19,7 @@ module.exports = [
   {
     method: 'GET',
     path: '/roles',
-    handler: 'role.getRoles',
+    handler: 'role.find',
     config: {
       policies: [
         {

package/server/routes/content-api/role.js

@@ -4,12 +4,12 @@ module.exports = [
   {
     method: 'GET',
     path: '/roles/:id',
-    handler: 'role.getRole',
+    handler: 'role.findOne',
   },
   {
     method: 'GET',
     path: '/roles',
-    handler: 'role.getRoles',
+    handler: 'role.find',
   },
   {
     method: 'POST',