@strapi/plugin-users-permissions 4.3.0-beta.1 → 4.3.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.3.0-beta.1",
+  "version": "4.3.1",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -27,18 +27,18 @@
     "test:front:watch:ce": "cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll"
   },
   "dependencies": {
-    "@strapi/helper-plugin": "4.3.0-beta.1",
-    "@strapi/utils": "4.3.0-beta.1",
+    "@strapi/helper-plugin": "4.3.1",
+    "@strapi/utils": "4.3.1",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
     "jsonwebtoken": "^8.1.0",
-    "koa2-ratelimit": "^0.9.0",
+    "koa2-ratelimit": "^1.1.1",
     "lodash": "4.17.21",
     "purest": "4.0.2",
     "react": "^17.0.2",
     "react-dom": "^17.0.2",
     "react-intl": "5.20.2",
-    "react-redux": "7.2.3",
+    "react-redux": "7.2.8",
     "react-router": "^5.2.0",
     "react-router-dom": "5.2.0",
     "redux-saga": "^0.16.0",
@@ -46,7 +46,7 @@
     "url-join": "4.0.1"
   },
   "devDependencies": {
-    "koa": "^2.13.1"
+    "koa": "^2.13.4"
   },
   "engines": {
     "node": ">=14.19.1 <=16.x.x",
@@ -59,5 +59,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "9d6555398960c39159d66bb4eea3bcb0362e37e3"
+  "gitHead": "1eab2fb08c7a4d3d40a5a7ff3b2f137ce0afcf8a"
 }

package/server/controllers/auth.js

@@ -15,13 +15,14 @@ const {
   validateCallbackBody,
   validateRegisterBody,
   validateSendEmailConfirmationBody,
+  validateForgotPasswordBody,
+  validateResetPasswordBody,
+  validateEmailConfirmationBody,
 } = require('./validation/auth');
 
 const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
 const { ApplicationError, ValidationError } = utils.errors;
 
-const emailRegExp = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
-
 const sanitizeUser = (user, ctx) => {
   const { auth } = ctx.state;
   const userSchema = strapi.getModel('plugin::users-permissions.user');
@@ -35,49 +36,33 @@ module.exports = {
     const params = ctx.request.body;
 
     const store = strapi.store({ type: 'plugin', name: 'users-permissions' });
+    const grantSettings = await store.get({ key: 'grant' });
 
-    if (provider === 'local') {
-      if (!_.get(await store.get({ key: 'grant' }), 'email.enabled')) {
-        throw new ApplicationError('This provider is disabled');
-      }
-
-      await validateCallbackBody(params);
+    const grantProvider = provider === 'local' ? 'email' : provider;
 
-      const query = { provider };
+    if (!_.get(grantSettings, [grantProvider, 'enabled'])) {
+      throw new ApplicationError('This provider is disabled');
+    }
 
-      // Check if the provided identifier is an email or not.
-      const isEmail = emailRegExp.test(params.identifier);
+    if (provider === 'local') {
+      await validateCallbackBody(params);
 
-      // Set the identifier to the appropriate query field.
-      if (isEmail) {
-        query.email = params.identifier.toLowerCase();
-      } else {
-        query.username = params.identifier;
-      }
+      const { identifier } = params;
 
       // Check if the user exists.
-      const user = await strapi.query('plugin::users-permissions.user').findOne({ where: query });
+      const user = await strapi.query('plugin::users-permissions.user').findOne({
+        where: {
+          provider,
+          $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
+        },
+      });
 
       if (!user) {
         throw new ValidationError('Invalid identifier or password');
       }
 
-      if (
-        _.get(await store.get({ key: 'advanced' }), 'email_confirmation') &&
-        user.confirmed !== true
-      ) {
-        throw new ApplicationError('Your account email is not confirmed');
-      }
-
-      if (user.blocked === true) {
-        throw new ApplicationError('Your account has been blocked by an administrator');
-      }
-
-      // The user never authenticated with the `local` provider.
       if (!user.password) {
-        throw new ApplicationError(
-          'This user never set a local password, please login with the provider used during account creation'
-        );
+        throw new ValidationError('Invalid identifier or password');
       }
 
       const validPassword = await getService('user').validatePassword(
@@ -87,67 +72,65 @@ module.exports = {
 
       if (!validPassword) {
         throw new ValidationError('Invalid identifier or password');
-      } else {
-        ctx.send({
-          jwt: getService('jwt').issue({
-            id: user.id,
-          }),
-          user: await sanitizeUser(user, ctx),
-        });
-      }
-    } else {
-      if (!_.get(await store.get({ key: 'grant' }), [provider, 'enabled'])) {
-        throw new ApplicationError('This provider is disabled');
       }
 
-      // Connect the user with the third-party provider.
-      try {
-        const user = await getService('providers').connect(provider, ctx.query);
-        ctx.send({
-          jwt: getService('jwt').issue({ id: user.id }),
-          user: await sanitizeUser(user, ctx),
-        });
-      } catch (error) {
-        throw new ApplicationError(error.message);
-      }
-    }
-  },
+      const advancedSettings = await store.get({ key: 'advanced' });
+      const requiresConfirmation = _.get(advancedSettings, 'email_confirmation');
 
-  async resetPassword(ctx) {
-    const params = _.assign({}, ctx.request.body, ctx.params);
-
-    if (
-      params.password &&
-      params.passwordConfirmation &&
-      params.password === params.passwordConfirmation &&
-      params.code
-    ) {
-      const user = await strapi
-        .query('plugin::users-permissions.user')
-        .findOne({ where: { resetPasswordToken: `${params.code}` } });
+      if (requiresConfirmation && user.confirmed !== true) {
+        throw new ApplicationError('Your account email is not confirmed');
+      }
 
-      if (!user) {
-        throw new ValidationError('Incorrect code provided');
+      if (user.blocked === true) {
+        throw new ApplicationError('Your account has been blocked by an administrator');
       }
 
-      await getService('user').edit(user.id, {
-        resetPasswordToken: null,
-        password: params.password,
+      return ctx.send({
+        jwt: getService('jwt').issue({ id: user.id }),
+        user: await sanitizeUser(user, ctx),
       });
-      // Update the user.
-      ctx.send({
+    }
+
+    // Connect the user with the third-party provider.
+    try {
+      const user = await getService('providers').connect(provider, ctx.query);
+
+      return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
       });
-    } else if (
-      params.password &&
-      params.passwordConfirmation &&
-      params.password !== params.passwordConfirmation
-    ) {
+    } catch (error) {
+      throw new ApplicationError(error.message);
+    }
+  },
+
+  async resetPassword(ctx) {
+    const { password, passwordConfirmation, code } = await validateResetPasswordBody(
+      ctx.request.body
+    );
+
+    if (password !== passwordConfirmation) {
       throw new ValidationError('Passwords do not match');
-    } else {
-      throw new ValidationError('Incorrect params provided');
     }
+
+    const user = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { resetPasswordToken: code } });
+
+    if (!user) {
+      throw new ValidationError('Incorrect code provided');
+    }
+
+    await getService('user').edit(user.id, {
+      resetPasswordToken: null,
+      password,
+    });
+
+    // Update the user.
+    ctx.send({
+      jwt: getService('jwt').issue({ id: user.id }),
+      user: await sanitizeUser(user, ctx),
+    });
   },
 
   async connect(ctx, next) {
@@ -189,87 +172,66 @@ module.exports = {
   },
 
   async forgotPassword(ctx) {
-    let { email } = ctx.request.body;
-
-    // Check if the provided email is valid or not.
-    const isEmail = emailRegExp.test(email);
-
-    if (isEmail) {
-      email = email.toLowerCase();
-    } else {
-      throw new ValidationError('Please provide a valid email address');
-    }
+    const { email } = await validateForgotPasswordBody(ctx.request.body);
 
     const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
 
+    const emailSettings = await pluginStore.get({ key: 'email' });
+    const advancedSettings = await pluginStore.get({ key: 'advanced' });
+
     // Find the user by email.
     const user = await strapi
       .query('plugin::users-permissions.user')
       .findOne({ where: { email: email.toLowerCase() } });
 
-    // User not found.
-    if (!user) {
-      throw new ApplicationError('This email does not exist');
-    }
-
-    // User blocked
-    if (user.blocked) {
-      throw new ApplicationError('This user is disabled');
+    if (!user || user.blocked) {
+      return ctx.send({ ok: true });
     }
 
     // Generate random token.
+    const userInfo = await sanitizeUser(user, ctx);
+
     const resetPasswordToken = crypto.randomBytes(64).toString('hex');
 
-    const settings = await pluginStore.get({ key: 'email' }).then(storeEmail => {
-      try {
-        return storeEmail['reset_password'].options;
-      } catch (error) {
-        return {};
+    const resetPasswordSettings = _.get(emailSettings, 'reset_password.options', {});
+    const emailBody = await getService('users-permissions').template(
+      resetPasswordSettings.message,
+      {
+        URL: advancedSettings.email_reset_password,
+        SERVER_URL: getAbsoluteServerUrl(strapi.config),
+        ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
+        USER: userInfo,
+        TOKEN: resetPasswordToken,
       }
-    });
-
-    const advanced = await pluginStore.get({
-      key: 'advanced',
-    });
-
-    const userInfo = await sanitizeUser(user, ctx);
-
-    settings.message = await getService('users-permissions').template(settings.message, {
-      URL: advanced.email_reset_password,
-      SERVER_URL: getAbsoluteServerUrl(strapi.config),
-      ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
-      USER: userInfo,
-      TOKEN: resetPasswordToken,
-    });
+    );
 
-    settings.object = await getService('users-permissions').template(settings.object, {
-      USER: userInfo,
-    });
+    const emailObject = await getService('users-permissions').template(
+      resetPasswordSettings.object,
+      {
+        USER: userInfo,
+      }
+    );
+
+    const emailToSend = {
+      to: user.email,
+      from:
+        resetPasswordSettings.from.email || resetPasswordSettings.from.name
+          ? `${resetPasswordSettings.from.name} <${resetPasswordSettings.from.email}>`
+          : undefined,
+      replyTo: resetPasswordSettings.response_email,
+      subject: emailObject,
+      text: emailBody,
+      html: emailBody,
+    };
 
-    try {
-      // Send an email to the user.
-      await strapi
-        .plugin('email')
-        .service('email')
-        .send({
-          to: user.email,
-          from:
-            settings.from.email || settings.from.name
-              ? `${settings.from.name} <${settings.from.email}>`
-              : undefined,
-          replyTo: settings.response_email,
-          subject: settings.object,
-          text: settings.message,
-          html: settings.message,
-        });
-    } catch (err) {
-      throw new ApplicationError(err.message);
-    }
+    // NOTE: Update the user before sending the email so an Admin can generate the link if the email fails
+    await getService('user').edit(user.id, { resetPasswordToken });
 
-    // Update the user.
+    // Send an email to the user.
     await strapi
-      .query('plugin::users-permissions.user')
-      .update({ where: { id: user.id }, data: { resetPasswordToken } });
+      .plugin('email')
+      .service('email')
+      .send(emailToSend);
 
     ctx.send({ ok: true });
   },
@@ -277,29 +239,25 @@ module.exports = {
   async register(ctx) {
     const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
 
-    const settings = await pluginStore.get({
-      key: 'advanced',
-    });
+    const settings = await pluginStore.get({ key: 'advanced' });
 
     if (!settings.allow_register) {
       throw new ApplicationError('Register action is currently disabled');
     }
 
     const params = {
-      ..._.omit(ctx.request.body, ['confirmed', 'confirmationToken', 'resetPasswordToken']),
+      ..._.omit(ctx.request.body, [
+        'confirmed',
+        'blocked',
+        'confirmationToken',
+        'resetPasswordToken',
+        'provider',
+      ]),
       provider: 'local',
     };
 
     await validateRegisterBody(params);
 
-    // Throw an error if the password selected by the user
-    // contains more than three times the symbol '$'.
-    if (getService('user').isHashed(params.password)) {
-      throw new ValidationError(
-        'Your password cannot contain more than three times the symbol `$`'
-      );
-    }
-
     const role = await strapi
       .query('plugin::users-permissions.role')
       .findOne({ where: { type: settings.default_role } });
@@ -308,80 +266,75 @@ module.exports = {
       throw new ApplicationError('Impossible to find the default role');
     }
 
-    // Check if the provided email is valid or not.
-    const isEmail = emailRegExp.test(params.email);
-
-    if (isEmail) {
-      params.email = params.email.toLowerCase();
-    } else {
-      throw new ValidationError('Please provide a valid email address');
-    }
+    const { email, username, provider } = params;
 
-    params.role = role.id;
+    const identifierFilter = {
+      $or: [
+        { email: email.toLowerCase() },
+        { username: email.toLowerCase() },
+        { username },
+        { email: username },
+      ],
+    };
 
-    const user = await strapi.query('plugin::users-permissions.user').findOne({
-      where: { email: params.email },
+    const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+      where: { ...identifierFilter, provider },
     });
 
-    if (user && user.provider === params.provider) {
-      throw new ApplicationError('Email is already taken');
+    if (conflictingUserCount > 0) {
+      throw new ApplicationError('Email or Username are already taken');
     }
 
-    if (user && user.provider !== params.provider && settings.unique_email) {
-      throw new ApplicationError('Email is already taken');
-    }
+    if (settings.unique_email) {
+      const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+        where: { ...identifierFilter },
+      });
 
-    try {
-      if (!settings.email_confirmation) {
-        params.confirmed = true;
+      if (conflictingUserCount > 0) {
+        throw new ApplicationError('Email or Username are already taken');
       }
+    }
 
-      const user = await getService('user').add(params);
+    let newUser = {
+      ...params,
+      role: role.id,
+      email: email.toLowerCase(),
+      username,
+      confirmed: !settings.email_confirmation,
+    };
 
-      const sanitizedUser = await sanitizeUser(user, ctx);
+    const user = await getService('user').add(newUser);
 
-      if (settings.email_confirmation) {
-        try {
-          await getService('user').sendConfirmationEmail(sanitizedUser);
-        } catch (err) {
-          throw new ApplicationError(err.message);
-        }
+    const sanitizedUser = await sanitizeUser(user, ctx);
 
-        return ctx.send({ user: sanitizedUser });
+    if (settings.email_confirmation) {
+      try {
+        await getService('user').sendConfirmationEmail(sanitizedUser);
+      } catch (err) {
+        throw new ApplicationError(err.message);
       }
 
-      const jwt = getService('jwt').issue(_.pick(user, ['id']));
-
-      return ctx.send({
-        jwt,
-        user: sanitizedUser,
-      });
-    } catch (err) {
-      if (_.includes(err.message, 'username')) {
-        throw new ApplicationError('Username already taken');
-      } else if (_.includes(err.message, 'email')) {
-        throw new ApplicationError('Email already taken');
-      } else {
-        strapi.log.error(err);
-        throw new ApplicationError('An error occurred during account creation');
-      }
+      return ctx.send({ user: sanitizedUser });
     }
+
+    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+
+    return ctx.send({
+      jwt,
+      user: sanitizedUser,
+    });
   },
 
   async emailConfirmation(ctx, next, returnUser) {
-    const { confirmation: confirmationToken } = ctx.query;
+    const { confirmation: confirmationToken } = await validateEmailConfirmationBody(ctx.query);
 
     const userService = getService('user');
     const jwtService = getService('jwt');
 
-    if (_.isEmpty(confirmationToken)) {
-      throw new ValidationError('token.invalid');
-    }
-
     const [user] = await userService.fetchAll({ filters: { confirmationToken } });
 
     if (!user) {
-      throw new ValidationError('token.invalid');
+      throw new ValidationError('Invalid token');
     }
 
     await userService.edit(user.id, { confirmed: true, confirmationToken: null });
@@ -401,45 +354,29 @@ module.exports = {
   },
 
   async sendEmailConfirmation(ctx) {
-    const params = _.assign(ctx.request.body);
-
-    await validateSendEmailConfirmationBody(params);
-
-    const isEmail = emailRegExp.test(params.email);
-
-    if (isEmail) {
-      params.email = params.email.toLowerCase();
-    } else {
-      throw new ValidationError('wrong.email');
-    }
+    const { email } = await validateSendEmailConfirmationBody(ctx.request.body);
 
     const user = await strapi.query('plugin::users-permissions.user').findOne({
-      where: { email: params.email },
+      where: { email: email.toLowerCase() },
     });
 
     if (!user) {
-      return ctx.send({
-        email: params.email,
-        sent: true,
-      });
+      return ctx.send({ email, sent: true });
     }
 
     if (user.confirmed) {
-      throw new ApplicationError('already.confirmed');
+      throw new ApplicationError('Already confirmed');
     }
 
     if (user.blocked) {
-      throw new ApplicationError('blocked.user');
+      throw new ApplicationError('User blocked');
     }
 
-    try {
-      await getService('user').sendConfirmationEmail(user);
-      ctx.send({
-        email: user.email,
-        sent: true,
-      });
-    } catch (err) {
-      throw new ApplicationError(err.message);
-    }
+    await getService('user').sendConfirmationEmail(user);
+
+    ctx.send({
+      email: user.email,
+      sent: true,
+    });
   },
 };

package/server/controllers/user.js

@@ -55,11 +55,10 @@ module.exports = {
 
     const user = {
       ...ctx.request.body,
+      email: email.toLowerCase(),
       provider: 'local',
     };
 
-    user.email = _.toLower(user.email);
-
     if (!role) {
       const defaultRole = await strapi
         .query('plugin::users-permissions.role')
@@ -185,12 +184,15 @@ module.exports = {
    * @return {Object|Array}
    */
   async me(ctx) {
-    const user = ctx.state.user;
+    const authUser = ctx.state.user;
+    const { query } = ctx;
 
-    if (!user) {
+    if (!authUser) {
       return ctx.unauthorized();
     }
 
+    const user = await getService('user').fetch(authUser.id, query);
+
     ctx.body = await sanitizeOutput(user, ctx);
   },
 };

package/server/controllers/validation/auth.js

@@ -2,28 +2,53 @@
 
 const { yup, validateYupSchema } = require('@strapi/utils');
 
-const callbackBodySchema = yup.object().shape({
+const callbackSchema = yup.object({
   identifier: yup.string().required(),
   password: yup.string().required(),
 });
 
-const registerBodySchema = yup.object().shape({
+const registerSchema = yup.object({
   email: yup
     .string()
     .email()
     .required(),
+  username: yup.string().required(),
   password: yup.string().required(),
 });
 
-const sendEmailConfirmationBodySchema = yup.object().shape({
+const sendEmailConfirmationSchema = yup.object({
   email: yup
     .string()
     .email()
     .required(),
 });
 
+const validateEmailConfirmationSchema = yup.object({
+  confirmation: yup.string().required(),
+});
+
+const forgotPasswordSchema = yup
+  .object({
+    email: yup
+      .string()
+      .email()
+      .required(),
+  })
+  .noUnknown();
+
+const resetPasswordSchema = yup
+  .object({
+    password: yup.string().required(),
+    passwordConfirmation: yup.string().required(),
+    code: yup.string().required(),
+  })
+  .noUnknown();
+
 module.exports = {
-  validateCallbackBody: validateYupSchema(callbackBodySchema),
-  validateRegisterBody: validateYupSchema(registerBodySchema),
-  validateSendEmailConfirmationBody: validateYupSchema(sendEmailConfirmationBodySchema),
+  validateCallbackBody: validateYupSchema(callbackSchema),
+  validateRegisterBody: validateYupSchema(registerSchema),
+  validateSendEmailConfirmationBody: validateYupSchema(sendEmailConfirmationSchema),
+  validateEmailConfirmationBody: validateYupSchema(validateEmailConfirmationSchema),
+  validateForgotPasswordBody: validateYupSchema(forgotPasswordSchema),
+  validateResetPasswordBody: validateYupSchema(resetPasswordSchema),
 };