@strapi/strapi 4.0.0-next.9 → 4.0.3

package/lib/middlewares/responses.js

@@ -0,0 +1,19 @@
+'use strict';
+
+const { prop, isFunction } = require('lodash/fp');
+
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = (config = {}) => {
+  return async (ctx, next) => {
+    await next();
+
+    const status = ctx.status;
+    const handler = prop(`handlers.${status}`, config);
+
+    if (isFunction(handler)) {
+      await handler(ctx);
+    }
+  };
+};

package/lib/middlewares/security.js

@@ -0,0 +1,51 @@
+'use strict';
+
+const { defaultsDeep, merge } = require('lodash/fp');
+const helmet = require('koa-helmet');
+
+const defaults = {
+  crossOriginEmbedderPolicy: false,
+  crossOriginOpenerPolicy: false,
+  crossOriginResourcePolicy: false,
+  originAgentCluster: false,
+  contentSecurityPolicy: {
+    useDefaults: true,
+    directives: {
+      'connect-src': ["'self'", 'https:'],
+      'img-src': ["'self'", 'data:', 'blob:'],
+      'media-src': ["'self'", 'data:', 'blob:'],
+      upgradeInsecureRequests: null,
+    },
+  },
+  xssFilter: false,
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+  },
+  frameguard: {
+    action: 'sameorigin',
+  },
+};
+
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = config => (ctx, next) => {
+  let helmetConfig = defaultsDeep(defaults, config);
+
+  if (
+    ctx.method === 'GET' &&
+    ['/graphql', '/documentation'].some(str => ctx.path.startsWith(str))
+  ) {
+    helmetConfig = merge(helmetConfig, {
+      contentSecurityPolicy: {
+        directives: {
+          'script-src': ["'self'", "'unsafe-inline'", 'cdn.jsdelivr.net'],
+          'img-src': ["'self'", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],
+        },
+      },
+    });
+  }
+
+  return helmet(helmetConfig)(ctx, next);
+};

package/lib/middlewares/session/index.js

@@ -9,7 +9,7 @@ const session = require('koa-session');
  */
 module.exports = strapi => {
   const requireStore = store => {
-    return require(path.resolve(strapi.config.appPath, 'node_modules', 'koa-' + store));
+    return require(path.resolve(strapi.dirs.root, 'node_modules', 'koa-' + store));
   };
 
   const defineStore = session => {
@@ -93,7 +93,7 @@ module.exports = strapi => {
 
   return {
     initialize() {
-      strapi.app.keys = strapi.config.get('middleware.settings.session.secretKeys');
+      strapi.server.app.keys = strapi.config.get('middleware.settings.session.secretKeys');
 
       if (
         _.has(strapi.config.middleware.settings.session, 'client') &&
@@ -112,8 +112,8 @@ module.exports = strapi => {
             strapi.config.middleware.settings.session
           );
 
-          strapi.app.use(session(options, strapi.app));
-          strapi.app.use((ctx, next) => {
+          strapi.server.use(session(options, strapi.server.app));
+          strapi.server.use((ctx, next) => {
             ctx.state = ctx.state || {};
             ctx.state.session = ctx.session || {};
 
@@ -127,8 +127,8 @@ module.exports = strapi => {
       ) {
         const options = _.assign(strapi.config.middleware.settings.session);
 
-        strapi.app.use(session(options, strapi.app));
-        strapi.app.use((ctx, next) => {
+        strapi.server.use(session(options, strapi.server.app));
+        strapi.server.use((ctx, next) => {
           ctx.state = ctx.state || {};
           ctx.state.session = ctx.session || {};
 

package/lib/migrations/draft-publish.js

@@ -0,0 +1,57 @@
+'use strict';
+
+const { hasDraftAndPublish } = require('@strapi/utils').contentTypes;
+
+const enableDraftAndPublish = async ({ oldContentTypes, contentTypes }) => {
+  if (!oldContentTypes) {
+    return;
+  }
+  // run the after content types migrations
+
+  for (const uid in contentTypes) {
+    if (!oldContentTypes[uid]) {
+      continue;
+    }
+
+    const oldContentType = oldContentTypes[uid];
+    const contentType = contentTypes[uid];
+
+    // if d&p was enabled set publishedAt to eq createdAt
+    if (!hasDraftAndPublish(oldContentType) && hasDraftAndPublish(contentType)) {
+      const qb = strapi.db.queryBuilder(uid);
+      await qb
+        .update({ published_at: qb.ref('created_at') })
+        .where({ published_at: null })
+        .execute();
+    }
+  }
+};
+
+const disableDraftAndPublish = async ({ oldContentTypes, contentTypes }) => {
+  if (!oldContentTypes) {
+    return;
+  }
+
+  for (const uid in contentTypes) {
+    if (!oldContentTypes[uid]) {
+      continue;
+    }
+
+    const oldContentType = oldContentTypes[uid];
+    const contentType = contentTypes[uid];
+
+    // if d&p was disabled remove unpublish content before sync
+    if (hasDraftAndPublish(oldContentType) && !hasDraftAndPublish(contentType)) {
+      await strapi.db
+        .queryBuilder(uid)
+        .delete()
+        .where({ published_at: null })
+        .execute();
+    }
+  }
+};
+
+module.exports = {
+  enable: enableDraftAndPublish,
+  disable: disableDraftAndPublish,
+};

package/lib/services/auth/index.js

@@ -0,0 +1,87 @@
+'use strict';
+
+const { strict: assert } = require('assert');
+const { has, prop } = require('lodash/fp');
+
+const { UnauthorizedError } = require('@strapi/utils').errors;
+
+const INVALID_STRATEGY_MSG =
+  'Invalid auth strategy. Expecting an object with properties {name: string, authenticate: function, verify: function}';
+
+const validStrategy = strategy => {
+  assert(has('authenticate', strategy), INVALID_STRATEGY_MSG);
+  assert(typeof strategy.authenticate === 'function', INVALID_STRATEGY_MSG);
+
+  if (has('verify', strategy)) {
+    assert(typeof strategy.verify === 'function', INVALID_STRATEGY_MSG);
+  }
+};
+
+const createAuthentication = () => {
+  const strategies = {};
+
+  return {
+    register(type, strategy) {
+      validStrategy(strategy);
+
+      if (!strategies[type]) {
+        strategies[type] = [];
+      }
+
+      strategies[type].push(strategy);
+
+      return this;
+    },
+    async authenticate(ctx, next) {
+      const { route } = ctx.state;
+
+      // use route strategy
+      const config = prop('config.auth', route);
+
+      if (config === false) {
+        return next();
+      }
+
+      const strategiesToUse = strategies[route.info.type];
+
+      for (const strategy of strategiesToUse) {
+        const result = await strategy.authenticate(ctx);
+
+        const { authenticated = false, error = null, credentials } = result || {};
+
+        if (error !== null) {
+          return ctx.unauthorized(error);
+        }
+
+        if (authenticated) {
+          ctx.state.isAuthenticated = true;
+          ctx.state.auth = {
+            strategy,
+            credentials,
+          };
+
+          return next();
+        }
+      }
+
+      return ctx.unauthorized('Missing or invalid credentials');
+    },
+    async verify(auth, config = {}) {
+      if (config === false) {
+        return;
+      }
+
+      if (!auth) {
+        throw new UnauthorizedError();
+      }
+
+      if (typeof auth.strategy.verify === 'function') {
+        return auth.strategy.verify(auth, config);
+      }
+
+      return;
+    },
+  };
+};
+
+module.exports = createAuthentication;

package/lib/services/core-store.js

@@ -22,21 +22,37 @@ const coreStoreModel = {
   },
 };
 
-const createCoreStore = ({ environment: defaultEnv, db }) => {
-  return (source = {}) => {
-    async function get(params = {}) {
-      const { key, environment = defaultEnv, type = 'core', name = '', tag = '' } = Object.assign(
-        {},
-        source,
-        params
-      );
+const createCoreStore = ({ db }) => {
+  const mergeParams = (defaultParams, params) => {
+    return {
+      ...defaultParams,
+      ...params,
+    };
+  };
+
+  const store = function(defaultParams = {}) {
+    return {
+      get: params => store.get(mergeParams(defaultParams, params)),
+      set: params => store.set(mergeParams(defaultParams, params)),
+      delete: params => store.delete(mergeParams(defaultParams, params)),
+    };
+  };
+
+  Object.assign(store, {
+    /**
+     * Get value from the core store
+     * @param {Object} params
+     * @returns {*}
+     */
+    async get(params = {}) {
+      const { key, type = 'core', environment, name, tag } = params;
 
       const prefix = `${type}${name ? `_${name}` : ''}`;
 
       const where = {
         key: `${prefix}_${key}`,
-        environment,
-        tag,
+        environment: environment || null,
+        tag: tag || null,
       };
 
       const data = await db.query('strapi::core-store').findOne({ where });
@@ -57,71 +73,70 @@ const createCoreStore = ({ environment: defaultEnv, db }) => {
           return new Date(data.value);
         }
       } else if (data.type === 'number') {
-        return parseFloat(data.value);
+        return Number(data.value);
       } else {
         return null;
       }
-    }
+    },
 
-    async function set(params = {}) {
-      const { key, value, environment = defaultEnv, type, name, tag = '' } = Object.assign(
-        {},
-        source,
-        params
-      );
+    /**
+     * Set value in the core store
+     * @param {Object} params
+     * @returns {*}
+     */
+    async set(params = {}) {
+      const { key, value, type, environment, name, tag } = params;
 
       const prefix = `${type}${name ? `_${name}` : ''}`;
 
       const where = {
         key: `${prefix}_${key}`,
-        environment,
-        tag,
+        environment: environment || null,
+        tag: tag || null,
       };
 
       const data = await db.query('strapi::core-store').findOne({ where });
 
       if (data) {
-        Object.assign(data, {
-          value: JSON.stringify(value) || value.toString(),
-          type: (typeof value).toString(),
+        return db.query('strapi::core-store').update({
+          where: { id: data.id },
+          data: {
+            value: JSON.stringify(value) || value.toString(),
+            type: typeof value,
+          },
         });
+      }
 
-        await db.query('strapi::core-store').update({ where: { id: data.id }, data });
-      } else {
-        const data = Object.assign({}, where, {
+      return db.query('strapi::core-store').create({
+        data: {
+          ...where,
           value: JSON.stringify(value) || value.toString(),
-          type: (typeof value).toString(),
-          tag,
-        });
-
-        await db.query('strapi::core-store').create({ data });
-      }
-    }
+          type: typeof value,
+        },
+      });
+    },
 
-    async function deleteFn(params = {}) {
-      const { key, environment = defaultEnv, type, name, tag = '' } = Object.assign(
-        {},
-        source,
-        params
-      );
+    /**
+     * Deletes a value from the core store
+     * @param {Object} params
+     * @returns {*}
+     */
+    async delete(params = {}) {
+      const { key, environment, type, name, tag } = params;
 
       const prefix = `${type}${name ? `_${name}` : ''}`;
 
       const where = {
         key: `${prefix}_${key}`,
-        environment,
-        tag,
+        environment: environment || null,
+        tag: tag || null,
       };
 
-      await db.query('strapi::core-store').delete({ where });
-    }
+      return db.query('strapi::core-store').delete({ where });
+    },
+  });
 
-    return {
-      get,
-      set,
-      delete: deleteFn,
-    };
-  };
+  return store;
 };
 
 module.exports = {

package/lib/services/cron.js

@@ -0,0 +1,54 @@
+'use strict';
+
+const { Job } = require('node-schedule');
+const { isFunction } = require('lodash/fp');
+
+const createCronService = () => {
+  let jobsSpecs = [];
+
+  return {
+    add(tasks = {}) {
+      for (const taskExpression in tasks) {
+        const taskValue = tasks[taskExpression];
+
+        let fn;
+        let options;
+        if (isFunction(taskValue)) {
+          fn = taskValue.bind(tasks);
+          options = taskExpression;
+        } else if (isFunction(taskValue.task)) {
+          fn = taskValue.task.bind(taskValue);
+          options = taskValue.options;
+        } else {
+          throw new Error(
+            `Could not schedule a cron job for "${taskExpression}": no function found.`
+          );
+        }
+
+        const fnWithStrapi = (...args) => fn({ strapi }, ...args);
+
+        const job = new Job(null, fnWithStrapi);
+        jobsSpecs.push({ job, options });
+      }
+      return this;
+    },
+    start() {
+      if (!strapi.config.get('server.cron.enabled')) {
+        return;
+      }
+      jobsSpecs.forEach(({ job, options }) => job.schedule(options));
+      return this;
+    },
+    stop() {
+      jobsSpecs.forEach(({ job }) => job.cancel());
+      return this;
+    },
+    destroy() {
+      this.stop();
+      jobsSpecs = [];
+      return this;
+    },
+  };
+};
+
+module.exports = createCronService;

package/lib/services/entity-service/attributes/index.js

@@ -0,0 +1,31 @@
+'use strict';
+
+const transforms = require('./transforms');
+
+const applyTransforms = (data, context) => {
+  const { contentType } = context;
+
+  const entries = Object.entries(data);
+
+  for (const [attributeName, value] of entries) {
+    const attribute = contentType.attributes[attributeName];
+
+    if (!attribute) {
+      continue;
+    }
+
+    const transform = transforms[attribute.type];
+
+    if (transform) {
+      const attributeContext = { ...context, attributeName, attribute };
+
+      data[attributeName] = transform(value, attributeContext);
+    }
+  }
+
+  return data;
+};
+
+module.exports = {
+  applyTransforms,
+};

package/lib/services/entity-service/attributes/transforms.js

@@ -0,0 +1,20 @@
+'use strict';
+
+const { getOr, toNumber, isString, isBuffer } = require('lodash/fp');
+const bcrypt = require('bcryptjs');
+
+const transforms = {
+  password(value, context) {
+    const { attribute } = context;
+
+    if (!isString(value) && !isBuffer(value)) {
+      return value;
+    }
+
+    const rounds = toNumber(getOr(10, 'encryption.rounds', attribute));
+
+    return bcrypt.hashSync(value, rounds);
+  },
+};
+
+module.exports = transforms;

package/lib/services/entity-service/components.js

@@ -1,9 +1,10 @@
 'use strict';
 
 const _ = require('lodash');
-const { has, prop, omit } = require('lodash/fp');
+const { has, prop, omit, toString } = require('lodash/fp');
 
 const { contentTypes: contentTypesUtils } = require('@strapi/utils');
+const { ApplicationError } = require('@strapi/utils').errors;
 
 const omitComponentData = (contentType, data) => {
   const { attributes } = contentType;
@@ -131,11 +132,26 @@ const updateComponents = async (uid, entityToUpdate, data) => {
           componentValue.map(value => updateOrCreateComponent(componentUID, value))
         );
 
-        // TODO: add order
-        componentBody[attributeName] = components.filter(_.negate(_.isNil)).map(({ id }) => id);
+        componentBody[attributeName] = components.filter(_.negate(_.isNil)).map(({ id }, idx) => {
+          return {
+            id,
+            __pivot: {
+              order: idx + 1,
+              field: attributeName,
+              component_type: componentUID,
+            },
+          };
+        });
       } else {
         const component = await updateOrCreateComponent(componentUID, componentValue);
-        componentBody[attributeName] = component && component.id;
+        componentBody[attributeName] = component && {
+          id: component.id,
+          __pivot: {
+            order: 1,
+            field: attributeName,
+            component_type: componentUID,
+          },
+        };
       }
 
       continue;
@@ -151,9 +167,17 @@ const updateComponents = async (uid, entityToUpdate, data) => {
       }
 
       componentBody[attributeName] = await Promise.all(
-        dynamiczoneValues.map(async value => {
+        dynamiczoneValues.map(async (value, idx) => {
           const { id } = await updateOrCreateComponent(value.__component, value);
-          return { id, __component: value.__component };
+
+          return {
+            id,
+            __component: value.__component,
+            __pivot: {
+              order: idx + 1,
+              field: attributeName,
+            },
+          };
         })
       );
 
@@ -175,19 +199,19 @@ const deleteOldComponents = async (
 
   const idsToKeep = _.castArray(componentValue)
     .filter(has('id'))
-    .map(prop('id'));
+    .map(prop('id'))
+    .map(toString);
 
   const allIds = _.castArray(previousValue)
     .filter(has('id'))
-    .map(prop('id'));
+    .map(prop('id'))
+    .map(toString);
 
   idsToKeep.forEach(id => {
     if (!allIds.includes(id)) {
-      const err = new Error(
+      throw new ApplicationError(
         `Some of the provided components in ${attributeName} are not related to the entity`
       );
-      err.status = 400;
-      throw err;
     }
   });
 
@@ -206,14 +230,14 @@ const deleteOldDZComponents = async (uid, entityToUpdate, attributeName, dynamic
   const idsToKeep = _.castArray(dynamiczoneValues)
     .filter(has('id'))
     .map(({ id, __component }) => ({
-      id,
+      id: toString(id),
       __component,
     }));
 
   const allIds = _.castArray(previousValue)
     .filter(has('id'))
     .map(({ id, __component }) => ({
-      id,
+      id: toString(id),
       __component,
     }));
 
@@ -293,7 +317,7 @@ const createComponent = async (uid, data) => {
 
   const componentData = await createComponents(uid, data);
 
-  return await strapi.query(uid).create({
+  return strapi.query(uid).create({
     data: Object.assign(omitComponentData(model, data), componentData),
   });
 };
@@ -304,7 +328,7 @@ const updateComponent = async (uid, componentToUpdate, data) => {
 
   const componentData = await updateComponents(uid, componentToUpdate, data);
 
-  return await strapi.query(uid).update({
+  return strapi.query(uid).update({
     where: {
       id: componentToUpdate.id,
     },