apostrophe 3.13.0 → 3.14.2-alpha.20220401

package/modules/@apostrophecms/util/ui/src/http.js

@@ -65,7 +65,6 @@ export default () => {
   // parsed as JSON only if the content-type is application/json)
   // `headers` (an object containing header names and values)
   // `draft` (if true, always add aposMode=draft to the query string, creating one if needed)
-  // `csrf` (unless explicitly set to `false`, send the X-XSRF-TOKEN header when talking to the same site)
   // `fullResponse` (if true, return an object with `status`, `headers` and `body`
   // properties, rather than returning the body directly; the individual `headers` are canonicalized
   // to lowercase names. If there are duplicate headers after canonicalization only the
@@ -140,10 +139,10 @@ export default () => {
 
     const busyName = options.busy === true ? 'busy' : options.busy;
     const xmlhttp = new XMLHttpRequest();
-    const csrfToken = apos.csrfCookieName ? apos.util.getCookie(apos.csrfCookieName) : 'csrf-fallback';
     let data = options.body;
     let keys;
     let i;
+
     if (options.qs) {
       url = apos.http.addQueryToUrl(url, options.qs);
     }
@@ -166,11 +165,6 @@ export default () => {
     if (sendJson) {
       xmlhttp.setRequestHeader('Content-Type', 'application/json');
     }
-    if (csrfToken && (options.csrf !== false)) {
-      if (apos.util.sameSite(url)) {
-        xmlhttp.setRequestHeader('X-XSRF-TOKEN', csrfToken);
-      }
-    }
     if (options.headers) {
       keys = Object.keys(options.headers);
       for (i = 0; (i < keys.length); i++) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "3.13.0",
+  "version": "3.14.2-alpha.20220401",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
@@ -61,6 +61,7 @@
     "eslint-plugin-promise": "^5.1.0",
     "express": "^4.16.4",
     "express-bearer-token": "^2.4.0",
+    "express-cache-on-demand": "^1.0.3",
     "express-session": "^1.17.1",
     "form-data": "^4.0.0",
     "fs-extra": "^7.0.1",
@@ -136,4 +137,4 @@
   "browserslist": [
     "ie >= 10"
   ]
-}
+}

package/test/express.js

@@ -39,37 +39,13 @@ describe('Express', function() {
     assert(body.toString() === 'ok');
   });
 
-  it('should flunk a POST request with no X-XSRF-TOKEN header', async function() {
+  it('should flunk a POST request without the CSRF cookie', async function() {
     try {
       await apos.http.post('/tests/body', {
         body: {
           person: {
             age: '30'
           }
-        },
-        jar,
-        csrf: false
-      });
-      assert(false);
-    } catch (e) {
-      assert(e);
-    }
-  });
-
-  it('should flunk a POST request with the wrong CSRF token', async function() {
-    const csrfToken = 'BOGOSITY';
-
-    try {
-      await apos.http.post('/tests/body', {
-        body: {
-          person: {
-            age: '30'
-          }
-        },
-        jar,
-        csrf: false,
-        headers: {
-          'X-XSRF-TOKEN': csrfToken
         }
       });
       assert(false);
@@ -78,7 +54,7 @@ describe('Express', function() {
     }
   });
 
-  it('should use the extended bodyParser for submitted forms', async function() {
+  it('should use the extended bodyParser for submitted forms, and pass CSRF with the cookie', async function() {
 
     const response = await apos.http.post('/tests/body', {
       send: 'form',

package/test/http.js

@@ -40,30 +40,6 @@ describe('Http', function() {
     assert(result.match(/logged out/));
   });
 
-  it('should not be able to make an http POST request without csrf header', async () => {
-    try {
-      await apos.http.post('/csrf-test', {
-        jar,
-        csrf: false
-      });
-      assert(false);
-    } catch (e) {
-      assert(e.status === 403);
-    }
-  });
-
-  it('should be able to make an http POST request with manually built csrf header', async () => {
-    const response = await apos.http.post('/csrf-test?manual=1', {
-      jar,
-      headers: {
-        'X-XSRF-TOKEN': apos.http.getCookie(jar, '/', `${apos.options.shortName}.csrf`)
-      },
-      body: {},
-      csrf: false
-    });
-    assert(response.ok === true);
-  });
-
   it('should be able to make an http POST request with csrf header via default csrf convenience of http.post', async () => {
     const response = await apos.http.post('/csrf-test', {
       jar,

package/test/login-requirements.js

@@ -4,6 +4,8 @@ const assert = require('assert');
 let apos;
 
 describe('Login', function() {
+  const extraSecretErr = 'extra secret incorrect';
+  const captchaErr = 'captcha code incorrect';
 
   this.timeout(20000);
 
@@ -30,7 +32,7 @@ describe('Login', function() {
                   },
                   async verify(req, data) {
                     if (data !== 'xyz') {
-                      throw self.apos.error('invalid', 'captcha code incorrect');
+                      throw self.apos.error('invalid', captchaErr);
                     }
                   }
                 },
@@ -45,7 +47,7 @@ describe('Login', function() {
                   },
                   async verify(req, data, user) {
                     if (data !== user.extraSecret) {
-                      throw self.apos.error('invalid', 'extra secret incorrect');
+                      throw self.apos.error('invalid', extraSecretErr);
                     }
                   }
                 }
@@ -119,7 +121,7 @@ describe('Login', function() {
       assert(false);
     } catch (e) {
       assert(e.status === 400);
-      assert.strictEqual(e.body.message, 'captcha code incorrect');
+      assert.strictEqual(e.body.message, captchaErr);
       assert.strictEqual(e.body.data.requirement, 'WeakCaptcha');
     }
 
@@ -167,7 +169,7 @@ describe('Login', function() {
       assert(false);
     } catch (e) {
       assert(e.status === 400);
-      assert.strictEqual(e.body.message, 'captcha code incorrect');
+      assert.strictEqual(e.body.message, captchaErr);
       assert.strictEqual(e.body.data.requirement, 'WeakCaptcha');
     }
 
@@ -182,7 +184,10 @@ describe('Login', function() {
     assert(page.match(/logged out/));
   });
 
-  it('initial login should produce an incompleteToken, convertible with the afterPasswordVerified requirements', async function() {
+  it('should throttle requirements verify attemps and show a proper error when the limit is reached', async function () {
+    const loginModule = apos.modules['@apostrophecms/login'];
+    const { allowedAttempts } = loginModule.options.throttle;
+    const namespace = '@apostrophecms/loginAttempt/ExtraSecret';
 
     const jar = apos.http.jar();
 
@@ -224,6 +229,71 @@ describe('Login', function() {
 
     assert(page.match(/logged out/));
 
+    const token = result.incompleteToken;
+
+    for (let index = 0; index <= allowedAttempts; index++) {
+      try {
+        await apos.http.post('/api/v1/@apostrophecms/login/requirement-verify', {
+          body: {
+            incompleteToken: token,
+            session: true,
+            name: 'ExtraSecret',
+            value: 'roll-off'
+          },
+          jar
+        });
+      } catch ({ status, body }) {
+        if (index < allowedAttempts) {
+          assert(body.message === extraSecretErr);
+        } else {
+          assert(body.message === 'Too many attempts. You may try again in a minute.');
+        }
+      }
+    }
+
+    await loginModule.clearLoginAttempts('HarryPutter', namespace);
+  });
+
+  it('initial login should produce an incompleteToken, convertible with the afterPasswordVerified requirements', async function() {
+
+    const jar = apos.http.jar();
+
+    // establish session
+    let page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    const result = await apos.http.post(
+      '/api/v1/@apostrophecms/login/login',
+      {
+        method: 'POST',
+        body: {
+          username: 'HarryPutter',
+          password: 'crookshanks',
+          session: true,
+          requirements: {
+            WeakCaptcha: 'xyz'
+          }
+        },
+        jar
+      }
+    );
+
+    assert(result.incompleteToken);
+
+    // Make sure it did not create a login session prematurely
+    page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+
     // Make sure it won't convert with an incorrect ExtraSecret
 
     const token = result.incompleteToken;
@@ -240,7 +310,7 @@ describe('Login', function() {
       });
     } catch ({ status, body }) {
       assert(status === 400);
-      assert.strictEqual(body.message, 'extra secret incorrect');
+      assert.strictEqual(body.message, extraSecretErr);
       assert.strictEqual(body.data.requirement, 'ExtraSecret');
     }
 

package/test/login.js

@@ -41,6 +41,48 @@ describe('Login', function() {
     assert(doc._id);
   });
 
+  it('should throttle login attempts and show a proper error when the limit is reached', async function () {
+    const loginModule = apos.modules['@apostrophecms/login'];
+    const { allowedAttempts } = loginModule.options.throttle;
+    const jar = apos.http.jar();
+    const username = 'HarryPutter';
+    // establish session
+    const page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+
+    for (let index = 0; index <= allowedAttempts; index++) {
+      try {
+        await apos.http.post(
+          '/api/v1/@apostrophecms/login/login',
+          {
+            method: 'POST',
+            body: {
+              username,
+              password: 'badpassword',
+              session: true
+            },
+            jar
+          }
+        );
+
+      } catch ({ body }) {
+        if (index < allowedAttempts) {
+          assert(body.message === 'Your credentials are incorrect, or there is no such user');
+        } else {
+          assert(body.message === 'Too many attempts. You may try again in a minute.');
+        }
+      }
+    }
+
+    await loginModule.clearLoginAttempts(username);
+  });
+
   it('should be able to login a user with their username', async function() {
 
     const jar = apos.http.jar();

package/test/parked-pages.js

@@ -1,7 +1,36 @@
 const t = require('../test-lib/test.js');
 const assert = require('assert');
 
-let apos, apos2;
+let apos, apos2, apos3, apos4, apos5, apos6;
+
+const park2 = [
+  {
+    slug: '/',
+    parkedId: 'home',
+    _defaults: {
+      title: 'Home',
+      type: 'default-page'
+    },
+    _children: [
+      {
+        slug: '/default1',
+        parkedId: 'default1',
+        _defaults: {
+          type: 'default-page',
+          title: 'Default 1'
+        }
+      },
+      {
+        slug: '/default2',
+        parkedId: 'default2',
+        _defaults: {
+          type: 'default-page',
+          title: 'Default 2'
+        }
+      }
+    ]
+  }
+];
 
 describe('Parked Pages', function() {
 
@@ -10,12 +39,21 @@ describe('Parked Pages', function() {
   after(async function() {
     await t.destroy(apos);
     await t.destroy(apos2);
+    await t.destroy(apos3);
+    await t.destroy(apos4);
+    await t.destroy(apos5);
+    await t.destroy(apos6);
   });
 
-  it('standard parked pages should be as expected', async function() {
+  it('standard and custom parked pages should be as expected', async function() {
+    this.timeout(20000);
     apos = await t.create({
       root: module,
-      modules: {}
+      modules: {
+        'default-page': {
+          extend: '@apostrophecms/page-type'
+        }
+      }
     });
     const req = apos.task.getReq();
     const home = await apos.page.find(req, { slug: '/' }).toObject();
@@ -29,21 +67,13 @@ describe('Parked Pages', function() {
   });
 
   it('overridden home page should work without disturbing archive', async function() {
+    this.timeout(20000);
     apos2 = await t.create({
       root: module,
       modules: {
         '@apostrophecms/page': {
           options: {
-            park: [
-              {
-                slug: '/',
-                parkedId: 'home',
-                _defaults: {
-                  title: 'Home',
-                  type: 'default-page'
-                }
-              }
-            ]
+            park: park2
           }
         },
         'default-page': {}
@@ -58,5 +88,246 @@ describe('Parked Pages', function() {
     assert(archive);
     assert(archive.parkedId === 'archive');
     assert(archive.type === '@apostrophecms/archive-page');
+    await apos2.db.collection('verify').insertOne({
+      checkSameDb: true
+    });
+  });
+
+  it('all pages should have consistent aposDocId across draft and published', async function() {
+    this.timeout(20000);
+    await validate(apos2, [ '/', '/archive', '/default1', '/default2' ]);
+  });
+
+  it('third apos object should park a third child correctly when spinning up later on existing db', async function() {
+    this.timeout(20000);
+    apos3 = await t.create({
+      root: module,
+      modules: {
+        '@apostrophecms/page': {
+          options: {
+            park: [
+              ...park2,
+              {
+                slug: '/default3',
+                parkedId: 'default3',
+                _defaults: {
+                  type: 'default-page',
+                  title: 'Default 3'
+                }
+              }
+            ]
+          }
+        },
+        'default-page': {}
+      },
+      shortName: apos2.options.shortName
+    });
+    // prove apos2 and apos3 are talking to the same db and it hasn't been erased
+    assert(await apos3.db.collection('verify').findOne({
+      checkSameDb: true
+    }));
   });
+
+  it('all pages should have consistent aposDocId across draft and published', async function() {
+    await validate(apos3, [ '/', '/archive', '/default1', '/default2', '/default3' ]);
+    // Should be same db, make sure of that
+    await validate(apos2, [ '/', '/archive', '/default1', '/default2', '/default3' ]);
+  });
+
+  it('nested parked children work', async function() {
+    this.timeout(20000);
+    apos4 = await t.create({
+      root: module,
+      modules: {
+        '@apostrophecms/page': {
+          options: {
+            park: [
+              ...park2,
+              {
+                slug: '/default3',
+                parkedId: 'default3',
+                _defaults: {
+                  type: 'default-page',
+                  title: 'Default 3'
+                },
+                _children: [
+                  {
+                    slug: '/default3/child1',
+                    parkedId: 'default3child1',
+                    _defaults: {
+                      type: 'default-page',
+                      title: 'Default 3 Child 1'
+                    }
+                  }
+                ]
+              }
+            ]
+          }
+        },
+        'default-page': {}
+      },
+      shortName: apos2.options.shortName
+    });
+    await validate(apos4, [ '/', '/archive', '/default1', '/default2', '/default3', '/default3/child1' ]);
+  });
+
+  it('nested parked children work across locales if locales are added later', async function() {
+    this.timeout(20000);
+    apos5 = await t.create({
+      root: module,
+      modules: {
+        '@apostrophecms/i18n': {
+          options: {
+            locales: {
+              en: {
+                label: 'English',
+                hostname: 'en'
+              },
+              fr: {
+                label: 'French',
+                hostname: 'fr'
+              }
+            }
+          }
+        },
+        '@apostrophecms/page': {
+          options: {
+            park: [
+              ...park2,
+              {
+                slug: '/default3',
+                parkedId: 'default3',
+                _defaults: {
+                  type: 'default-page',
+                  title: 'Default 3'
+                },
+                _children: [
+                  {
+                    slug: '/default3/child1',
+                    parkedId: 'default3child1',
+                    _defaults: {
+                      type: 'default-page',
+                      title: 'Default 3 Child 1'
+                    }
+                  }
+                ]
+              }
+            ]
+          }
+        },
+        'default-page': {}
+      },
+      shortName: apos4.options.shortName
+    });
+    await validate(apos5, [ '/', '/archive', '/default1', '/default2', '/default3', '/default3/child1' ]);
+  });
+});
+
+it('nested parked children work across locales if locales are present from the start', async function() {
+  this.timeout(20000);
+  apos6 = await t.create({
+    root: module,
+    modules: {
+      '@apostrophecms/i18n': {
+        options: {
+          locales: {
+            en: {
+              label: 'English',
+              hostname: 'en'
+            },
+            fr: {
+              label: 'French',
+              hostname: 'fr'
+            }
+          }
+        }
+      },
+      '@apostrophecms/page': {
+        options: {
+          park: [
+            ...park2,
+            {
+              slug: '/default3',
+              parkedId: 'default3',
+              _defaults: {
+                type: 'default-page',
+                title: 'Default 3'
+              },
+              _children: [
+                {
+                  slug: '/default3/child1',
+                  parkedId: 'default3child1',
+                  _defaults: {
+                    type: 'default-page',
+                    title: 'Default 3 Child 1'
+                  }
+                }
+              ]
+            }
+          ]
+        }
+      },
+      'default-page': {}
+    }
+  });
+  await validate(apos6, [ '/', '/archive', '/default1', '/default2', '/default3', '/default3/child1' ]);
 });
+
+async function validate(apos, expected) {
+  const locales = Object.keys(apos.i18n.locales);
+  const slugs = await apos.doc.db.distinct('slug', {
+    slug: /^\//
+  });
+  slugs.sort();
+  assert.deepStrictEqual(slugs, expected);
+  const pages = await apos.doc.db.find({
+    slug: /^\//
+  }).toArray();
+  assert(pages.length === slugs.length * 2 * locales.length);
+  for (const slug of slugs) {
+    const matches = pages.filter(page => page.slug === slug);
+    matches.sort((p1, p2) => {
+      if (p1.aposLocale < p2.aposLocale) {
+        return -1;
+      } else if (p1.aposLocale > p2.aposLocale) {
+        return 1;
+      } else {
+        return 0;
+      }
+    });
+    assert.strictEqual(matches.length, 2 * locales.length);
+    let i = 0;
+    let aposDocId;
+    for (const locale of locales) {
+      const draft = i;
+      const published = i + 1;
+      assert.strictEqual(matches[draft].aposLocale, `${locale}:draft`);
+      assert.strictEqual(matches[published].aposLocale, `${locale}:published`);
+      assert(matches[draft].aposDocId);
+      assert.strictEqual(matches[draft].aposDocId, matches[published].aposDocId);
+      if (!aposDocId) {
+        aposDocId = matches[draft].aposDocId;
+      } else {
+        assert.strictEqual(matches[draft].aposDocId, aposDocId);
+      }
+      assert.strictEqual(matches[draft]._id, `${aposDocId}:${locale}:draft`);
+      assert.strictEqual(matches[published]._id, `${aposDocId}:${locale}:published`);
+      i += 2;
+    }
+  }
+  const home = await apos.page.find(apos.task.getReq(), {
+    slug: '/'
+  }).children({
+    depth: 2
+  }).toObject();
+  const children = expected.filter(slug => slug.startsWith('/default') && !slug.match(/\/.*\//));
+  assert.deepStrictEqual(home._children.map(child => child.slug), children);
+  const grandkids = expected.filter(slug => slug.match(/\/.*\//));
+  for (const grandkid of grandkids) {
+    const parentSlug = grandkid.replace(/\/[^/]+$/, '');
+    const parent = home._children.find(child => child.slug === parentSlug);
+    assert(parent);
+    assert(parent._children);
+    assert(parent._children.find(child => child.slug === grandkid));
+  }
+}