@strapi/strapi 4.4.0-beta.3 → 4.4.0-beta.4

package/lib/Strapi.js

@@ -22,6 +22,7 @@ const createCronService = require('./services/cron');
 const entityValidator = require('./services/entity-validator');
 const createTelemetry = require('./services/metrics');
 const createAuth = require('./services/auth');
+const createContentAPI = require('./services/content-api');
 const createCustomFields = require('./services/custom-fields');
 const createUpdateNotifier = require('./utils/update-notifier');
 const createStartupLogger = require('./utils/startup-logger');
@@ -77,7 +78,7 @@ class Strapi {
     // Load the app configuration from the dist directory
     const appConfig = loadConfiguration({ appDir: rootDirs.app, distDir: rootDirs.dist }, opts);
 
-    // Instanciate the Strapi container
+    // Instantiate the Strapi container
     this.container = createContainer(this);
 
     // Register every Strapi registry in the container
@@ -93,6 +94,7 @@ class Strapi {
     this.container.register('custom-fields', customFieldsRegistry(this));
     this.container.register('apis', apisRegistry(this));
     this.container.register('auth', createAuth(this));
+    this.container.register('content-api', createContentAPI(this));
     this.container.register('sanitizers', sanitizersRegistry(this));
 
     // Create a mapping of every useful directory (for the app, dist and static directories)
@@ -102,7 +104,7 @@ class Strapi {
     this.isLoaded = false;
     this.reload = this.reload();
 
-    // Instanciate the Koa app & the HTTP server
+    // Instantiate the Koa app & the HTTP server
     this.server = createServer(this);
 
     // Strapi utils instanciation
@@ -194,6 +196,10 @@ class Strapi {
     return this.container.get('auth');
   }
 
+  get contentAPI() {
+    return this.container.get('content-api');
+  }
+
   get sanitizers() {
     return this.container.get('sanitizers');
   }
@@ -453,6 +459,8 @@ class Strapi {
     await this.server.initMiddlewares();
     await this.server.initRouting();
 
+    await this.contentAPI.permissions.registerActions();
+
     await this.runLifecyclesFunctions(LIFECYCLES.BOOTSTRAP);
 
     this.cron.start();

package/lib/services/auth/index.js

@@ -32,6 +32,7 @@ const createAuthentication = () => {
 
       return this;
     },
+
     async authenticate(ctx, next) {
       const { route } = ctx.state;
 
@@ -47,7 +48,7 @@ const createAuthentication = () => {
       for (const strategy of strategiesToUse) {
         const result = await strategy.authenticate(ctx);
 
-        const { authenticated = false, error = null, credentials } = result || {};
+        const { authenticated = false, credentials, ability = null, error = null } = result || {};
 
         if (error !== null) {
           return ctx.unauthorized(error);
@@ -58,6 +59,7 @@ const createAuthentication = () => {
           ctx.state.auth = {
             strategy,
             credentials,
+            ability,
           };
 
           return next();
@@ -66,6 +68,7 @@ const createAuthentication = () => {
 
       return ctx.unauthorized('Missing or invalid credentials');
     },
+
     async verify(auth, config = {}) {
       if (config === false) {
         return;

package/lib/services/content-api/index.js

@@ -0,0 +1,74 @@
+'use strict';
+
+const _ = require('lodash');
+const instantiatePermissionsUtilities = require('./permissions');
+
+const transformRoutePrefixFor = (pluginName) => (route) => {
+  const prefix = route.config && route.config.prefix;
+  const path = prefix !== undefined ? `${prefix}${route.path}` : `/${pluginName}${route.path}`;
+
+  return {
+    ...route,
+    path,
+  };
+};
+
+/**
+ * Create a content API container that holds logic, tools and utils. (eg: permissions, ...)
+ */
+const createContentAPI = (strapi) => {
+  const getRoutesMap = async () => {
+    const routesMap = {};
+
+    _.forEach(strapi.api, (api, apiName) => {
+      const routes = _.flatMap(api.routes, (route) => {
+        if (_.has(route, 'routes')) {
+          return route.routes;
+        }
+
+        return route;
+      }).filter((route) => route.info.type === 'content-api');
+
+      if (routes.length === 0) {
+        return;
+      }
+
+      const apiPrefix = strapi.config.get('api.rest.prefix');
+      routesMap[`api::${apiName}`] = routes.map((route) => ({
+        ...route,
+        path: `${apiPrefix}${route.path}`,
+      }));
+    });
+
+    _.forEach(strapi.plugins, (plugin, pluginName) => {
+      const transformPrefix = transformRoutePrefixFor(pluginName);
+
+      const routes = _.flatMap(plugin.routes, (route) => {
+        if (_.has(route, 'routes')) {
+          return route.routes.map(transformPrefix);
+        }
+
+        return transformPrefix(route);
+      }).filter((route) => route.info.type === 'content-api');
+
+      if (routes.length === 0) {
+        return;
+      }
+
+      const apiPrefix = strapi.config.get('api.rest.prefix');
+      routesMap[`plugin::${pluginName}`] = routes.map((route) => ({
+        ...route,
+        path: `${apiPrefix}${route.path}`,
+      }));
+    });
+
+    return routesMap;
+  };
+
+  return {
+    permissions: instantiatePermissionsUtilities(strapi),
+    getRoutesMap,
+  };
+};
+
+module.exports = createContentAPI;

package/lib/services/content-api/permissions/engine.js

@@ -0,0 +1,5 @@
+'use strict';
+
+const permissions = require('@strapi/permissions');
+
+module.exports = ({ providers }) => permissions.engine.new({ providers });

package/lib/services/content-api/permissions/index.js

@@ -0,0 +1,148 @@
+'use strict';
+
+const _ = require('lodash');
+const { createActionProvider, createConditionProvider } = require('./providers');
+const createPermissionEngine = require('./engine');
+
+/**
+ * Creates an handler that checks if the permission's action exists in the action registry
+ */
+const createValidatePermissionHandler =
+  (actionProvider) =>
+  ({ permission }) => {
+    const action = actionProvider.get(permission.action);
+
+    // If the action isn't registered into the action provider, then ignore the permission and warn the user
+    if (!action) {
+      strapi.log.debug(
+        `Unknown action "${permission.action}" supplied when registering a new permission`
+      );
+      return false;
+    }
+  };
+
+/**
+ * Create instances of providers and permission engine for the core content-API service.
+ * Also, expose utilities to get informations about available actions and such.
+ *
+ * @param {Strapi.Strapi} strapi
+ */
+module.exports = (strapi) => {
+  // NOTE: Here we define both an action and condition provider,
+  // but at the moment, we're only using the action one.
+  const providers = {
+    action: createActionProvider(),
+    condition: createConditionProvider(),
+  };
+
+  /**
+   * Get a tree representation of the available Content API actions
+   * based on the methods of the Content API controllers.
+   *
+   * @note Only actions bound to a content-API route are returned.
+   *
+   * @return {{ [api: string]: { [controller: string]: string[] }}}
+   */
+  const getActionsMap = () => {
+    const actionMap = {};
+
+    /**
+     * Check if a controller's action is bound to the
+     * content-api by looking at a potential __type__ symbol
+     *
+     * @param {object} action
+     *
+     * @return {boolean}
+     */
+    const isContentApi = (action) => {
+      if (!_.has(action, Symbol.for('__type__'))) {
+        return false;
+      }
+
+      return action[Symbol.for('__type__')].includes('content-api');
+    };
+
+    /**
+     * Register actions from a specific API source into the result tree
+     *
+     * @param {{ [apiName]: { controllers: { [controller]: object } }}} apis The API container
+     * @param {string} source The prefix to use in front the API name
+     *
+     * @return {void}
+     */
+    const registerAPIsActions = (apis, source) => {
+      _.forEach(apis, (api, apiName) => {
+        const controllers = _.reduce(
+          api.controllers,
+          (acc, controller, controllerName) => {
+            const contentApiActions = _.pickBy(controller, isContentApi);
+
+            if (_.isEmpty(contentApiActions)) {
+              return acc;
+            }
+
+            acc[controllerName] = Object.keys(contentApiActions);
+
+            return acc;
+          },
+          {}
+        );
+
+        if (!_.isEmpty(controllers)) {
+          actionMap[`${source}::${apiName}`] = { controllers };
+        }
+      });
+    };
+
+    registerAPIsActions(strapi.api, 'api');
+    registerAPIsActions(strapi.plugins, 'plugin');
+
+    return actionMap;
+  };
+
+  /**
+   * Register all the content-API's controllers actions into the action provider.
+   * This method make use of the {@link getActionsMap} to generate the list of actions to register.
+   *
+   * @return {void}
+   */
+  const registerActions = async () => {
+    const actionsMap = getActionsMap();
+
+    // For each API
+    for (const [api, value] of Object.entries(actionsMap)) {
+      const { controllers } = value;
+
+      // Register controllers methods as actions
+      for (const [controller, actions] of Object.entries(controllers)) {
+        // Register each action individually
+        await Promise.all(
+          actions.map((action) => {
+            const actionUID = `${api}.${controller}.${action}`;
+
+            return providers.action.register(actionUID, {
+              api,
+              controller,
+              action,
+              uid: actionUID,
+            });
+          })
+        );
+      }
+    }
+  };
+
+  // Create an instance of a content-API permission engine
+  // and binds a custom validation handler to it
+  const engine = createPermissionEngine({ providers }).on(
+    'before-format::validate.permission',
+    createValidatePermissionHandler(providers.action)
+  );
+
+  return {
+    engine,
+    providers,
+    registerActions,
+    getActionsMap,
+  };
+};

package/lib/services/content-api/permissions/providers/action.js

@@ -0,0 +1,19 @@
+'use strict';
+
+const { providerFactory } = require('@strapi/utils');
+
+module.exports = (options = {}) => {
+  const provider = providerFactory(options);
+
+  return {
+    ...provider,
+
+    async register(action, payload) {
+      if (strapi.isLoaded) {
+        throw new Error(`You can't register new actions outside the bootstrap function.`);
+      }
+
+      return provider.register(action, payload);
+    },
+  };
+};

package/lib/services/content-api/permissions/providers/condition.js

@@ -0,0 +1,19 @@
+'use strict';
+
+const { providerFactory } = require('@strapi/utils');
+
+module.exports = (options = {}) => {
+  const provider = providerFactory(options);
+
+  return {
+    ...provider,
+
+    async register(condition) {
+      if (strapi.isLoaded) {
+        throw new Error(`You can't register new conditions outside the bootstrap function.`);
+      }
+
+      return provider.register(condition.name, condition);
+    },
+  };
+};

package/lib/services/content-api/permissions/providers/index.js

@@ -0,0 +1,9 @@
+'use strict';
+
+const createActionProvider = require('./action');
+const createConditionProvider = require('./condition');
+
+module.exports = {
+  createActionProvider,
+  createConditionProvider,
+};

package/lib/types/core/strapi/index.d.ts

@@ -46,6 +46,11 @@ export interface Strapi {
    */
   readonly auth: any;
 
+  /**
+   * Getter for the Strapi content API container
+   */
+  readonly contentAPI: any;
+
   /**
    * Getter for the Strapi sanitizers container
    */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/strapi",
-  "version": "4.4.0-beta.3",
+  "version": "4.4.0-beta.4",
   "description": "An open source headless CMS solution to create and manage your own API. It provides a powerful dashboard and features to make your life easier. Databases supported: MySQL, MariaDB, PostgreSQL, SQLite",
   "keywords": [
     "strapi",
@@ -80,17 +80,18 @@
   "dependencies": {
     "@koa/cors": "3.4.1",
     "@koa/router": "10.1.1",
-    "@strapi/admin": "4.4.0-beta.3",
-    "@strapi/database": "4.4.0-beta.3",
-    "@strapi/generate-new": "4.4.0-beta.3",
-    "@strapi/generators": "4.4.0-beta.3",
-    "@strapi/logger": "4.4.0-beta.3",
-    "@strapi/plugin-content-manager": "4.4.0-beta.3",
-    "@strapi/plugin-content-type-builder": "4.4.0-beta.3",
-    "@strapi/plugin-email": "4.4.0-beta.3",
-    "@strapi/plugin-upload": "4.4.0-beta.3",
-    "@strapi/typescript-utils": "4.4.0-beta.3",
-    "@strapi/utils": "4.4.0-beta.3",
+    "@strapi/admin": "4.4.0-beta.4",
+    "@strapi/database": "4.4.0-beta.4",
+    "@strapi/generate-new": "4.4.0-beta.4",
+    "@strapi/generators": "4.4.0-beta.4",
+    "@strapi/logger": "4.4.0-beta.4",
+    "@strapi/permissions": "4.4.0-beta.4",
+    "@strapi/plugin-content-manager": "4.4.0-beta.4",
+    "@strapi/plugin-content-type-builder": "4.4.0-beta.4",
+    "@strapi/plugin-email": "4.4.0-beta.4",
+    "@strapi/plugin-upload": "4.4.0-beta.4",
+    "@strapi/typescript-utils": "4.4.0-beta.4",
+    "@strapi/utils": "4.4.0-beta.4",
     "bcryptjs": "2.4.3",
     "boxen": "5.1.2",
     "chalk": "4.1.2",
@@ -139,5 +140,5 @@
     "node": ">=14.19.1 <=18.x.x",
     "npm": ">=6.0.0"
   },
-  "gitHead": "baad89e67844d972ef53a6f1b0839a361bf968c0"
+  "gitHead": "8ad31453be3eda4e01eae027995e7e584892e688"
 }