apostrophe 3.11.0 → 3.14.0

package/modules/@apostrophecms/i18n/index.js

@@ -10,6 +10,7 @@ const fs = require('fs');
 const _ = require('lodash');
 const { stripIndent } = require('common-tags');
 const ExpressSessionCookie = require('express-session/session/cookie');
+const path = require('path');
 
 const apostropheI18nDebugPlugin = {
   type: 'postProcessor',
@@ -46,6 +47,7 @@ module.exports = {
     }
   },
   async init(self) {
+    self.defaultNamespace = 'default';
     self.namespaces = {};
     self.debug = process.env.APOS_DEBUG_I18N ? true : self.options.debug;
     self.show = process.env.APOS_SHOW_I18N ? true : self.options.show;
@@ -83,7 +85,7 @@ module.exports = {
         // Nunjucks and Vue will already do this
         escapeValue: false
       },
-      defaultNS: 'default',
+      defaultNS: self.defaultNamespace,
       debug: self.debug
     });
     if (self.show) {
@@ -380,21 +382,65 @@ module.exports = {
       // Add the i18next resources provided by the specified module,
       // merging with any existing phrases for the same locales and namespaces
       addResourcesForModule(module) {
-        if (!module.options.i18n) {
-          return;
-        }
-        const ns = module.options.i18n.ns || 'default';
+        self.addDefaultResourcesForModule(module);
+        self.addNamespacedResourcesForModule(module);
+      },
+      // Automatically adds any localizations found in .json files in the main `i18n` subdirectory
+      // of a module.
+      //
+      // These are added to the `default` namespace, unless the legacy `i18n.ns` option is set
+      // for the module (not the preferred way, use namespace subdirectories in new projects).
+      addDefaultResourcesForModule(module) {
+        const ns = (module.options.i18n && module.options.i18n.ns) || 'default';
         self.namespaces[ns] = self.namespaces[ns] || {};
-        self.namespaces[ns].browser = self.namespaces[ns].browser || !!module.options.i18n.browser;
+        self.namespaces[ns].browser = self.namespaces[ns].browser || (module.options.i18n && module.options.i18n.browser);
         for (const entry of module.__meta.chain) {
-          const localizationsDir = `${entry.dirname}/i18n`;
-          if (!fs.existsSync(localizationsDir)) {
-            continue;
+          const localizationsDir = path.join(entry.dirname, 'i18n');
+          if (!self.defaultLocalizationsDirsAdded.has(localizationsDir)) {
+            self.defaultLocalizationsDirsAdded.add(localizationsDir);
+            if (!fs.existsSync(localizationsDir)) {
+              continue;
+            }
+            for (const localizationFile of fs.readdirSync(localizationsDir)) {
+              if (!localizationFile.endsWith('.json')) {
+                // Likely a namespace subdirectory
+                continue;
+              }
+              const data = JSON.parse(fs.readFileSync(path.join(localizationsDir, localizationFile)));
+              const locale = localizationFile.replace('.json', '');
+              self.i18next.addResourceBundle(locale, ns, data, true, true);
+            }
           }
-          for (const localizationFile of fs.readdirSync(localizationsDir)) {
-            const data = JSON.parse(fs.readFileSync(`${localizationsDir}/${localizationFile}`));
-            const locale = localizationFile.replace('.json', '');
-            self.i18next.addResourceBundle(locale, ns, data, true, true);
+        }
+      },
+      // Automatically adds any localizations found in subdirectories of the main `i18n`
+      // subdirectory of a module. The subdirectory's name is treated as an i18n namespace
+      // name.
+      addNamespacedResourcesForModule(module) {
+        for (const entry of module.__meta.chain) {
+          const metadata = module.__meta.i18n[entry.name] || {};
+          const localizationsDir = `${entry.dirname}/i18n`;
+          if (!self.namespacedLocalizationsDirsAdded.has(localizationsDir)) {
+            self.namespacedLocalizationsDirsAdded.add(localizationsDir);
+            if (!fs.existsSync(localizationsDir)) {
+              continue;
+            }
+            for (const ns of fs.readdirSync(localizationsDir)) {
+              if (ns.endsWith('.json')) {
+                // A JSON file for the default namespace, already handled
+                continue;
+              }
+              self.namespaces[ns] = self.namespaces[ns] || {};
+              self.namespaces[ns].browser = self.namespaces[ns].browser ||
+                (metadata[ns] && metadata[ns].browser);
+              const namespaceDir = path.join(localizationsDir, ns);
+              for (const localizationFile of fs.readdirSync(namespaceDir)) {
+                const fullLocalizationFile = path.join(namespaceDir, localizationFile);
+                const data = JSON.parse(fs.readFileSync(fullLocalizationFile));
+                const locale = localizationFile.replace('.json', '');
+                self.i18next.addResourceBundle(locale, ns, data, true, true);
+              }
+            }
           }
         }
       },
@@ -402,6 +448,8 @@ module.exports = {
       // itself, called by init. Later modules call addResourcesForModule(self),
       // making phrases available gradually as Apostrophe starts up
       addInitialResources() {
+        self.defaultLocalizationsDirsAdded = new Set();
+        self.namespacedLocalizationsDirsAdded = new Set();
         for (const module of Object.values(self.apos.modules)) {
           self.addResourcesForModule(module);
         }
@@ -493,6 +541,7 @@ module.exports = {
           i18n,
           locale: req.locale,
           defaultLocale: self.defaultLocale,
+          defaultNamespace: self.defaultNamespace,
           locales: self.locales,
           debug: self.debug,
           show: self.show,

package/modules/@apostrophecms/login/index.js

@@ -42,8 +42,10 @@ const Passport = require('passport').Passport;
 const LocalStrategy = require('passport-local');
 const Promise = require('bluebird');
 const cuid = require('cuid');
+const expressSession = require('express-session');
 
 module.exports = {
+  cascades: [ 'requirements' ],
   options: {
     alias: 'login',
     localLogin: true,
@@ -106,34 +108,13 @@ module.exports = {
     return {
       post: {
         async login(req) {
-          const username = self.apos.launder.string(req.body.username);
-          const password = self.apos.launder.string(req.body.password);
-          const session = self.apos.launder.boolean(req.body.session);
-          if (!(username && password)) {
-            throw self.apos.error('invalid', req.t('apostrophe:loginPageBothRequired'));
-          }
-          const user = await self.apos.login.verifyLogin(username, password);
-          if (!user) {
-            // For security reasons we may not tell the user which case applies
-            throw self.apos.error('invalid', req.t('apostrophe:loginPageBadCredentials'));
-          }
-          if (session) {
-            const passportLogin = (user) => {
-              return require('util').promisify(function(user, callback) {
-                return req.login(user, callback);
-              })(user);
-            };
-            await passportLogin(user);
+          // Don't make verify functions worry about whether this object
+          // is present, just the value of their own sub-property
+          req.body.requirements = req.body.requirements || {};
+          if (req.body.incompleteToken) {
+            return self.finalizeIncompleteLogin(req);
           } else {
-            const token = cuid();
-            await self.bearerTokens.insert({
-              _id: token,
-              userId: user._id,
-              expires: new Date(new Date().getTime() + (self.options.bearerTokens.lifetime || (86400 * 7 * 2)) * 1000)
-            });
-            return {
-              token
-            };
+            return self.initialLogin(req);
           }
         },
         async logout(req) {
@@ -141,7 +122,7 @@ module.exports = {
             throw self.apos.error('forbidden', req.t('apostrophe:logOutNotLoggedIn'));
           }
           if (req.token) {
-            await self.bearerTokens.remove({
+            await self.bearerTokens.removeOne({
               userId: req.user._id,
               _id: req.token
             });
@@ -153,8 +134,79 @@ module.exports = {
                 return req.session.destroy(callback);
               })();
             };
+            const cookie = req.session.cookie;
             await destroySession();
+            // Session cookie expiration isn't automatic with `req.session.destroy`.
+            // Fix that to reduce challenges for those attempting to implement custom
+            // caching strategies at the edge
+            // https://github.com/expressjs/session/issues/241
+            const expireCookie = new expressSession.Cookie(cookie);
+            expireCookie.expires = new Date(0);
+            const name = self.apos.modules['@apostrophecms/express'].sessionOptions.name;
+            req.res.header('set-cookie', expireCookie.serialize(name, 'deleted'));
+          }
+        },
+        // invokes the `props(req, user)` function for the requirement specified by
+        // `body.name`. Invoked before displaying each `afterPasswordVerified`
+        // requirement. The return value of the function, which should
+        // be an object, is delivered as the API response
+        async requirementProps(req) {
+          const { user } = await self.findIncompleteTokenAndUser(req, req.body.incompleteToken);
+
+          const name = self.apos.launder.string(req.body.name);
+
+          const requirement = self.requirements[name];
+          if (!requirement) {
+            throw self.apos.error('notfound');
+          }
+          if (!requirement.props) {
+            return {};
           }
+          return requirement.props(req, user);
+        },
+        async requirementVerify(req) {
+          const name = self.apos.launder.string(req.body.name);
+
+          const { user } = await self.findIncompleteTokenAndUser(req, req.body.incompleteToken);
+
+          const requirement = self.requirements[name];
+
+          if (!requirement) {
+            throw self.apos.error('notfound');
+          }
+
+          if (!requirement.verify) {
+            throw self.apos.error('invalid', 'You must provide a verify method in your requirement');
+          }
+
+          try {
+            await requirement.verify(req, req.body.value, user);
+
+            const token = await self.bearerTokens.findOne({
+              _id: self.apos.launder.string(req.body.incompleteToken),
+              requirementsToVerify: { $exists: true },
+              expires: {
+                $gte: new Date()
+              }
+            });
+
+            if (!token) {
+              throw self.apos.error('notfound');
+            }
+
+            await self.bearerTokens.updateOne(token, {
+              $pull: { requirementsToVerify: name }
+            });
+
+            return {};
+          } catch (err) {
+            err.data = err.data || {};
+            err.data.requirement = name;
+            throw err;
+          }
+        },
+        async context(req) {
+          return self.getContext(req);
         },
         ...(self.options.passwordReset ? {
           async resetRequest(req) {
@@ -217,19 +269,12 @@ module.exports = {
         } : {})
       },
       get: {
-        context () {
-          let aposPackage = {};
-          try {
-            aposPackage = require('../../../package.json');
-          } catch (err) {
-            self.apos.util.error(err);
-          }
-
-          return {
-            env: process.env.NODE_ENV || 'development',
-            name: (process.env.npm_package_name && process.env.npm_package_name.replace(/-/g, ' ')) || 'Apostrophe',
-            version: aposPackage.version || '3'
-          };
+        // For bc this route is still available via GET, however
+        // it should be accessed via POST because the result
+        // may differ by individual user session and should not
+        // be cached
+        async context(req) {
+          return self.getContext(req);
         }
       }
     };
@@ -237,6 +282,33 @@ module.exports = {
   methods(self) {
     return {
 
+      // Implements the context route, which provides basic
+      // information about the site being logged into and also
+      // props for beforeSubmit requirements
+      async getContext(req) {
+        const aposPackage = require('../../../package.json');
+        // For performance beforeSubmit requirement props all happen together here
+        const requirementProps = {};
+        for (const [ name, requirement ] of Object.entries(self.requirements)) {
+          if ((requirement.phase !== 'afterPasswordVerified') && requirement.props) {
+            try {
+              requirementProps[name] = await requirement.props(req);
+            } catch (e) {
+              if (e.body && e.body.data) {
+                e.body.data.requirement = name;
+              }
+              throw e;
+            }
+          }
+        }
+        return {
+          env: process.env.NODE_ENV || 'development',
+          name: (process.env.npm_package_name && process.env.npm_package_name.replace(/-/g, ' ')) || 'Apostrophe',
+          version: aposPackage.version || '3',
+          requirementProps
+        };
+      },
+
       // return the loginUrl option
       login(url) {
         return self.options.loginUrl ? self.options.loginUrl : '/login';
@@ -368,7 +440,17 @@ module.exports = {
               username: req.user.username,
               email: req.user.email
             }
-          } : {})
+          } : {}),
+          requirements: Object.fromEntries(
+            Object.entries(self.requirements).map(([ name, requirement ]) => {
+              const browserRequirement = {
+                phase: requirement.phase,
+                propsRequired: !!requirement.props,
+                askForConfirmation: requirement.askForConfirmation || false
+              };
+              return [ name, browserRequirement ];
+            })
+          )
         };
       },
 
@@ -384,6 +466,164 @@ module.exports = {
       async enableBearerTokens() {
         self.bearerTokens = self.apos.db.collection('aposBearerTokens');
         await self.bearerTokens.createIndex({ expires: 1 }, { expireAfterSeconds: 0 });
+      },
+
+      // Finalize an incomplete login based on the provided incompleteToken
+      // and various `requirements` subproperties. Implementation detail of the login route
+      async finalizeIncompleteLogin(req) {
+        const session = self.apos.launder.boolean(req.body.session);
+        // Completing a previous incomplete login
+        // (password was verified but post-password-verification
+        // requirements were not supplied)
+        const token = await self.bearerTokens.findOne({
+          _id: self.apos.launder.string(req.body.incompleteToken),
+          requirementsToVerify: {
+            $exists: true
+          },
+          expires: {
+            $gte: new Date()
+          }
+        });
+
+        if (!token) {
+          throw self.apos.error('notfound');
+        }
+
+        if (token.requirementsToVerify.length) {
+          throw self.apos.error('forbidden', 'All requirements must be verified');
+        }
+
+        const user = await self.deserializeUser(token.userId);
+        if (!user) {
+          await self.bearerTokens.removeOne({
+            _id: token.userId
+          });
+          throw self.apos.error('notfound');
+        }
+
+        if (session) {
+          await self.bearerTokens.removeOne({
+            _id: token.userId
+          });
+          await self.passportLogin(req, user);
+        } else {
+          delete token.requirementsToVerify;
+          self.bearerTokens.updateOne(token, {
+            $unset: {
+              requirementsToVerify: 1
+            }
+          });
+          return {
+            token
+          };
+        }
+      },
+
+      // Implementation detail of the login route and the requirementProps mechanism for
+      // custom login requirements. Given the string `token`, returns
+      // `{ token, user }`. Throws an exception if the token is not found.
+      // `token` is sanitized before passing to mongodb.
+      async findIncompleteTokenAndUser(req, token) {
+        token = await self.bearerTokens.findOne({
+          _id: self.apos.launder.string(token),
+          requirementsToVerify: {
+            $exists: true,
+            $ne: []
+          },
+          expires: {
+            $gte: new Date()
+          }
+        });
+        if (!token) {
+          throw self.apos.error('notfound');
+        }
+        const user = await self.deserializeUser(token.userId);
+        if (!user) {
+          await self.bearerTokens.removeOne({
+            _id: token._id
+          });
+          throw self.apos.error('notfound');
+        }
+        return {
+          token,
+          user
+        };
+      },
+
+      // Implementation detail of the login route. Log in the user, or if there are
+      // `requirements` that require password verification occur first, return an incomplete token.
+      async initialLogin(req) {
+        // Initial login step
+        const username = self.apos.launder.string(req.body.username);
+        const password = self.apos.launder.string(req.body.password);
+        if (!(username && password)) {
+          throw self.apos.error('invalid', req.t('apostrophe:loginPageBothRequired'));
+        }
+        const { earlyRequirements, lateRequirements } = self.filterRequirements();
+        for (const [ name, requirement ] of Object.entries(earlyRequirements)) {
+          try {
+            await requirement.verify(req, req.body.requirements && req.body.requirements[name]);
+          } catch (e) {
+            e.data = e.data || {};
+            e.data.requirement = name;
+            throw e;
+          }
+        }
+        const user = await self.apos.login.verifyLogin(username, password);
+        if (!user) {
+          // For security reasons we may not tell the user which case applies
+          throw self.apos.error('invalid', req.t('apostrophe:loginPageBadCredentials'));
+        }
+
+        const requirementsToVerify = Object.keys(lateRequirements);
+
+        if (requirementsToVerify.length) {
+          const token = cuid();
+
+          await self.bearerTokens.insert({
+            _id: token,
+            userId: user._id,
+            requirementsToVerify,
+            // Default lifetime of 1 hour is generous to permit situations like
+            // installing a TOTP app for the first time
+            expires: new Date(new Date().getTime() + (self.options.incompleteLifetime || 60 * 60 * 1000))
+          });
+          return {
+            incompleteToken: token
+          };
+        } else {
+          const session = self.apos.launder.boolean(req.body.session);
+          if (session) {
+            await self.passportLogin(req, user);
+          } else {
+            const token = cuid();
+            await self.bearerTokens.insert({
+              _id: token,
+              userId: user._id,
+              expires: new Date(new Date().getTime() + (self.options.bearerTokens.lifetime || (86400 * 7 * 2)) * 1000)
+            });
+            return {
+              token
+            };
+          }
+        }
+      },
+
+      filterRequirements() {
+        return {
+          earlyRequirements: Object.fromEntries(Object.entries(self.requirements).filter(([ name, requirement ]) => requirement.phase === 'beforeSubmit')),
+          lateRequirements: Object.fromEntries(Object.entries(self.requirements).filter(([ name, requirement ]) => requirement.phase === 'afterPasswordVerified'))
+        };
+      },
+
+      // Awaitable wrapper for req.login. An implementation detail of the login route
+      async passportLogin(req, user) {
+        const passportLogin = (user) => {
+          return require('util').promisify(function(user, callback) {
+            return req.login(user, callback);
+          })(user);
+        };
+        await passportLogin(user);
       }
     };
   },