apostrophe 3.14.2 → 3.16.0

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## 3.16.0 (2022-03-18)
+
+### Adds
+
+* Offers a simple way to set a Cache-Control max-age for Apostrophe page and GET REST API responses for pieces and pages.
+* API keys and bearer tokens "win" over session cookies when both are present. Since API keys and bearer tokens are explicitly added to the request at hand, it never makes sense to ignore them in favor of a cookie, which is implicit. This also simplifies automated testing.
+* `data-apos-test=""` selectors for certain elements frequently selected in QA tests, such as `data-apos-test="adminBar"`.
+* To speed up functional tests, an `insecurePasswords` option has been added to the login module. This option is deliberately named to discourage use for any purpose other than functional tests in which repeated password hashing would unduly limit performance. Normally password hashing is intentionally difficult to slow down brute force attacks, especially if a database is compromised.
+
+### Fixes
+
+* `POST`ing a new child page with `_targetId: '_home'` now works properly in combination with `_position: 'lastChild'`.
+
+## 3.15.0 (2022-03-02)
+
+### Adds
+
+* Adds throttle system based on username (even when not existing), on initial login route. Also added for each late login requirement, e.g. for 2FA attempts.
+
 ## 3.14.2 (2022-02-27)
 
 * Hotfix: fixed a bug introduced by 3.14.1 in which non-parked pages could throw an error during the migration to fix replication issues.

package/modules/@apostrophecms/admin-bar/ui/apos/components/TheAposAdminBar.vue

@@ -1,12 +1,12 @@
 <template>
-  <div class="apos-admin-bar-wrapper" :class="themeClass">
+  <div data-apos-test="adminBar" class="apos-admin-bar-wrapper" :class="themeClass">
     <div class="apos-admin-bar-spacer" ref="spacer" />
     <nav class="apos-admin-bar" ref="adminBar">
       <div class="apos-admin-bar__row">
         <AposLogoPadless class="apos-admin-bar__logo" />
         <TheAposAdminBarMenu :items="items" />
         <TheAposAdminBarLocale v-if="hasLocales()" />
-        <TheAposAdminBarUser class="apos-admin-bar__user" />
+        <TheAposAdminBarUser data-apos-test="authenticatedUserMenuTrigger" class="apos-admin-bar__user" />
       </div>
       <TheAposContextBar @mounted="setSpacer" />
     </nav>

package/modules/@apostrophecms/admin-bar/ui/src/index.js

@@ -0,0 +1,26 @@
+/**
+ * If the page delivers a logged-out content but we know from session storage that a user is logged-in,
+ * we force-refresh the page to bypass the cache, in order to get the logged-in content (with admin UI).
+ */
+export default function() {
+  const isLoggedOutPageContent = !(apos.login && apos.login.user);
+  const isLoggedInCookie = apos.util.getCookie(`${self.apos.shortName}.loggedIn`) === 'true';
+
+  if (!isLoggedOutPageContent || !isLoggedInCookie) {
+    sessionStorage.setItem('aposRefreshedPages', '{}');
+
+    return;
+  }
+
+  const refreshedPages = JSON.parse(sessionStorage.aposRefreshedPages || '{}');
+
+  // Avoid potential refresh loops
+  if (!refreshedPages[location.href]) {
+    refreshedPages[location.href] = true;
+    sessionStorage.setItem('aposRefreshedPages', JSON.stringify(refreshedPages));
+
+    console.info('Received logged-out content from cache while logged-in, refreshing the page');
+
+    location.reload();
+  }
+};

package/modules/@apostrophecms/i18n/i18n/en.json

@@ -178,6 +178,8 @@
   "manageDocType": "Manage {{ type }}",
   "manageDraftSubmissions": "Manage Draft Submissions",
   "managePages": "Manage Pages",
+  "loginMaxAttemptsReached": "Too many attempts. You may try again in a minute.",
+  "loginMaxAttemptsReached_plural": "Too many attempts. You may try again in {{ count }} minutes.",
   "maxLabel": "Max:",
   "maxUi": "Max: {{ number }}",
   "mediaCreatedDate": "Uploaded: {{ createdDate }}",

package/modules/@apostrophecms/login/index.js

@@ -44,6 +44,9 @@ const Promise = require('bluebird');
 const cuid = require('cuid');
 const expressSession = require('express-session');
 
+const loginAttemptsNamespace = '@apostrophecms/loginAttempt';
+const loggedInCookieName = 'loggedIn';
+
 module.exports = {
   cascades: [ 'requirements' ],
   options: {
@@ -53,7 +56,12 @@ module.exports = {
     csrfExceptions: [
       'login'
     ],
-    bearerTokens: true
+    bearerTokens: true,
+    throttle: {
+      allowedAttempts: 3,
+      perMinutes: 1,
+      lockoutMinutes: 1
+    }
   },
   async init(self) {
     self.passport = new Passport();
@@ -144,6 +152,9 @@ module.exports = {
             expireCookie.expires = new Date(0);
             const name = self.apos.modules['@apostrophecms/express'].sessionOptions.name;
             req.res.header('set-cookie', expireCookie.serialize(name, 'deleted'));
+
+            // TODO: get cookie name from config
+            req.res.cookie(`${self.apos.shortName}.${loggedInCookieName}`, 'false');
           }
         },
         // invokes the `props(req, user)` function for the requirement specified by
@@ -166,8 +177,16 @@ module.exports = {
         },
         async requirementVerify(req) {
           const name = self.apos.launder.string(req.body.name);
+          const loginNamespace = `${loginAttemptsNamespace}/${name}`;
 
-          const { user } = await self.findIncompleteTokenAndUser(req, req.body.incompleteToken);
+          const { user } = await self.findIncompleteTokenAndUser(
+            req,
+            req.body.incompleteToken
+          );
+
+          if (!user) {
+            throw self.apos.error('invalid');
+          }
 
           const requirement = self.requirements[name];
 
@@ -179,7 +198,15 @@ module.exports = {
             throw self.apos.error('invalid', 'You must provide a verify method in your requirement');
           }
 
+          const { cachedAttempts, reached } = await self
+            .checkLoginAttempts(user.username, loginNamespace);
+
+          if (reached) {
+            throw self.apos.error('invalid', req.t('apostrophe:loginMaxAttemptsReached'));
+          }
+
           try {
+
             await requirement.verify(req, req.body.value, user);
 
             const token = await self.bearerTokens.findOne({
@@ -198,8 +225,16 @@ module.exports = {
               $pull: { requirementsToVerify: name }
             });
 
+            await self.clearLoginAttempts(user.username, loginNamespace);
+
             return {};
           } catch (err) {
+            await self.addLoginAttempt(
+              user.username,
+              cachedAttempts,
+              loginNamespace
+            );
+
             err.data = err.data || {};
             err.data.requirement = name;
             throw err;
@@ -553,48 +588,64 @@ module.exports = {
       // Implementation detail of the login route. Log in the user, or if there are
       // `requirements` that require password verification occur first, return an incomplete token.
       async initialLogin(req) {
-        // Initial login step
         const username = self.apos.launder.string(req.body.username);
         const password = self.apos.launder.string(req.body.password);
+
         if (!(username && password)) {
           throw self.apos.error('invalid', req.t('apostrophe:loginPageBothRequired'));
         }
-        const { earlyRequirements, lateRequirements } = self.filterRequirements();
-        for (const [ name, requirement ] of Object.entries(earlyRequirements)) {
-          try {
-            await requirement.verify(req, req.body.requirements && req.body.requirements[name]);
-          } catch (e) {
-            e.data = e.data || {};
-            e.data.requirement = name;
-            throw e;
-          }
+
+        const { cachedAttempts, reached } = await self.checkLoginAttempts(username);
+
+        if (reached) {
+          throw self.apos.error('invalid', req.t('apostrophe:loginMaxAttemptsReached', {
+            count: self.options.throttle.lockoutMinutes
+          }));
         }
-        const user = await self.apos.login.verifyLogin(username, password);
-        if (!user) {
+
+        try {
+          // Initial login step
+          const { earlyRequirements, lateRequirements } = self.filterRequirements();
+          for (const [ name, requirement ] of Object.entries(earlyRequirements)) {
+            try {
+              await requirement.verify(req, req.body.requirements && req.body.requirements[name]);
+            } catch (e) {
+              e.data = e.data || {};
+              e.data.requirement = name;
+              throw e;
+            }
+          }
+          const user = await self.apos.login.verifyLogin(username, password);
+          if (!user) {
           // For security reasons we may not tell the user which case applies
-          throw self.apos.error('invalid', req.t('apostrophe:loginPageBadCredentials'));
-        }
+            throw self.apos.error('invalid', req.t('apostrophe:loginPageBadCredentials'));
+          }
 
-        const requirementsToVerify = Object.keys(lateRequirements);
+          const requirementsToVerify = Object.keys(lateRequirements);
 
-        if (requirementsToVerify.length) {
-          const token = cuid();
+          if (requirementsToVerify.length) {
+            const token = cuid();
+
+            await self.bearerTokens.insert({
+              _id: token,
+              userId: user._id,
+              requirementsToVerify,
+              // Default lifetime of 1 hour is generous to permit situations like
+              // installing a TOTP app for the first time
+              expires: new Date(new Date().getTime() + (self.options.incompleteLifetime || 60 * 60 * 1000))
+            });
+
+            await self.clearLoginAttempts(user.username);
+
+            return {
+              incompleteToken: token
+            };
+          }
 
-          await self.bearerTokens.insert({
-            _id: token,
-            userId: user._id,
-            requirementsToVerify,
-            // Default lifetime of 1 hour is generous to permit situations like
-            // installing a TOTP app for the first time
-            expires: new Date(new Date().getTime() + (self.options.incompleteLifetime || 60 * 60 * 1000))
-          });
-          return {
-            incompleteToken: token
-          };
-        } else {
           const session = self.apos.launder.boolean(req.body.session);
           if (session) {
             await self.passportLogin(req, user);
+            await self.clearLoginAttempts(user.username);
           } else {
             const token = cuid();
             await self.bearerTokens.insert({
@@ -602,17 +653,30 @@ module.exports = {
               userId: user._id,
               expires: new Date(new Date().getTime() + (self.options.bearerTokens.lifetime || (86400 * 7 * 2)) * 1000)
             });
+
+            await self.clearLoginAttempts(user.username);
+
             return {
               token
             };
           }
+        } catch (err) {
+          await self.addLoginAttempt(username, cachedAttempts);
+
+          throw err;
         }
       },
 
       filterRequirements() {
         return {
-          earlyRequirements: Object.fromEntries(Object.entries(self.requirements).filter(([ name, requirement ]) => requirement.phase === 'beforeSubmit')),
-          lateRequirements: Object.fromEntries(Object.entries(self.requirements).filter(([ name, requirement ]) => requirement.phase === 'afterPasswordVerified'))
+          earlyRequirements: Object.fromEntries(
+            Object.entries(self.requirements)
+              .filter(([ _, requirement ]) => requirement.phase === 'beforeSubmit')
+          ),
+          lateRequirements: Object.fromEntries(
+            Object.entries(self.requirements)
+              .filter(([ _, requirement ]) => requirement.phase === 'afterPasswordVerified')
+          )
         };
       },
 
@@ -624,6 +688,63 @@ module.exports = {
           })(user);
         };
         await passportLogin(user);
+      },
+
+      async addLoginAttempt (
+        username,
+        attempts,
+        namespace = loginAttemptsNamespace
+      ) {
+        if (typeof attempts !== 'number') {
+          await self.apos.cache.set(namespace,
+            username,
+            1,
+            self.options.throttle.perMinutes * 60
+          );
+        } else {
+          await self.apos.cache.cacheCollection.updateOne(
+            {
+              namespace,
+              key: username
+            },
+            {
+              $inc: {
+                value: 1
+              }
+            }
+          );
+        }
+      },
+
+      async checkLoginAttempts (username, namespace = loginAttemptsNamespace) {
+        const cachedAttempts = await self.apos.cache.get(namespace, username);
+        const { allowedAttempts } = self.options.throttle;
+
+        if (!cachedAttempts || cachedAttempts < allowedAttempts) {
+          return { cachedAttempts };
+        }
+
+        // When this is the first time we reach the limit
+        // we set the lifetime only once with lockoutMinutes
+        if (cachedAttempts === allowedAttempts) {
+          await self.apos.cache.set(namespace,
+            username,
+            cachedAttempts + 1,
+            self.options.throttle.lockoutMinutes * 60
+          );
+        }
+
+        return {
+          cachedAttempts,
+          reached: true
+        };
+      },
+
+      async clearLoginAttempts (username, namespace = loginAttemptsNamespace) {
+        await self.apos.cache.cacheCollection.deleteOne({
+          namespace,
+          key: username
+        });
       }
     };
   },
@@ -672,7 +793,12 @@ module.exports = {
       },
       passportSession: {
         before: '@apostrophecms/i18n',
-        middleware: self.passport.session()
+        middleware: (() => {
+          // Wrap the passport middleware so that if the apikey or bearer token
+          // middleware already supplied req.user, that wins (explicit wins over implicit)
+          const passportSession = self.passport.session();
+          return (req, res, next) => req.user ? next() : passportSession(req, res, next);
+        })()
       },
       honorLoginInvalidBefore: {
         before: '@apostrophecms/i18n',
@@ -695,6 +821,17 @@ module.exports = {
             return next();
           }
         }
+      },
+      addLoggedInCookie: {
+        before: '@apostrophecms/i18n',
+        middleware(req, res, next) {
+          // TODO: get cookie name from config
+          const cookieName = `${self.apos.shortName}.${loggedInCookieName}`;
+          if (req.user && req.cookies[cookieName] !== 'true') {
+            res.cookie(cookieName, 'true');
+          }
+          return next();
+        }
       }
     };
   }

package/modules/@apostrophecms/login/ui/apos/components/TheAposLogin.vue

@@ -2,6 +2,7 @@
   <transition name="fade-stage">
     <div
       class="apos-login apos-theme-dark"
+      data-apos-test="loginForm"
       v-show="loaded"
       :class="themeClass"
     >
@@ -35,6 +36,7 @@
                 <!-- TODO -->
                 <!-- <a href="#" class="apos-login__link">Forgot Password</a> -->
                 <AposButton
+                  data-apos-test="loginSubmit"
                   :busy="busy"
                   :disabled="disabled"
                   type="primary"
@@ -128,7 +130,8 @@ export default {
       return this.mounted && this.beforeCreateFinished;
     },
     disabled() {
-      return this.doc.hasErrors || !!this.beforeSubmitRequirements.find(requirement => !requirement.done);
+      return this.doc.hasErrors ||
+        !!this.beforeSubmitRequirements.find(requirement => !requirement.done);
     },
     beforeSubmitRequirements() {
       return this.requirements.filter(requirement => requirement.phase === 'beforeSubmit');
@@ -274,12 +277,14 @@ export default {
       location.assign(`${apos.prefix}/`);
     },
     async requirementBlock(requirementBlock) {
-      const requirement = this.requirements.find(requirement => requirement.name === requirementBlock.name);
+      const requirement = this.requirements
+        .find(requirement => requirement.name === requirementBlock.name);
       requirement.done = false;
       requirement.value = undefined;
     },
     async requirementDone(requirementDone, value) {
-      const requirement = this.requirements.find(requirement => requirement.name === requirementDone.name);
+      const requirement = this.requirements
+        .find(requirement => requirement.name === requirementDone.name);
 
       if (requirement.phase === 'beforeSubmit') {
         requirement.done = true;

package/modules/@apostrophecms/module/index.js

@@ -177,6 +177,11 @@ module.exports = {
           return async function(req, res) {
             try {
               const result = await fn(req);
+
+              if (req.method === 'GET' && req.user) {
+                res.header('Cache-Control', 'no-store');
+              }
+
               res.status(200);
               res.send(result);
             } catch (err) {
@@ -446,6 +451,27 @@ module.exports = {
         );
       },
 
+      setMaxAge(req, maxAge) {
+        if (typeof maxAge !== 'number') {
+          self.apos.util.warnDev(`"maxAge" property must be defined as a number in the "${self.__meta.name}" module's cache options"`);
+          return;
+        }
+
+        // A cookie in session doesn't mean we can't cache, nor an empty flash or passport object.
+        // Other session properties must be assumed to be specific to the user, with a possible
+        // impact on the response, and thus mean this request must not be cached.
+        // Same rule as in [express-cache-on-demand](https://github.com/apostrophecms/express-cache-on-demand/blob/master/index.js#L102)
+        const isSessionClearForCaching = Object.entries(req.session).every(([ key, val ]) =>
+          key === 'cookie' || (
+            (key === 'flash' || key === 'passport') && _.isEmpty(val)
+          )
+        );
+        const isSafeToCache = !req.user && isSessionClearForCaching;
+        const cacheControlValue = isSafeToCache ? `max-age=${maxAge}` : 'no-store';
+
+        req.res.header('Cache-Control', cacheControlValue);
+      },
+
       // Call from init once if this module implements the `getBrowserData` method.
       // The data returned by `getBrowserData(req)` will then be available on
       // `apos.modules['your-module-name']` in the browser.

package/modules/@apostrophecms/page/index.js

@@ -119,6 +119,10 @@ module.exports = {
               project: self.getAllProjection()
             }).toObject();
 
+            if (self.options.cache && self.options.cache.api) {
+              self.setMaxAge(req, self.options.cache.api.maxAge);
+            }
+
             if (!page) {
               throw self.apos.error('notfound');
             }
@@ -137,6 +141,11 @@ module.exports = {
             }
           } else {
             const result = await self.getRestQuery(req).and({ level: 0 }).toObject();
+
+            if (self.options.cache && self.options.cache.api) {
+              self.setMaxAge(req, self.options.cache.api.maxAge);
+            }
+
             if (!result) {
               throw self.apos.error('notfound');
             }
@@ -168,6 +177,11 @@ module.exports = {
           self.publicApiCheck(req);
           const criteria = self.getIdCriteria(_id);
           const result = await self.getRestQuery(req).and(criteria).toObject();
+
+          if (self.options.cache && self.options.cache.api) {
+            self.setMaxAge(req, self.options.cache.api.maxAge);
+          }
+
           if (!result) {
             throw self.apos.error('notfound');
           }
@@ -220,7 +234,7 @@ module.exports = {
         }
 
         return self.withLock(req, async () => {
-          const targetPage = await self.findForEditing(req, targetId ? { _id: targetId } : { level: 0 }).ancestors(true).permission('edit').toObject();
+          const targetPage = await self.findForEditing(req, targetId ? self.getIdCriteria(targetId) : { level: 0 }).ancestors(true).permission('edit').toObject();
           if (!targetPage) {
             throw self.apos.error('notfound');
           }
@@ -1415,6 +1429,10 @@ database.`);
         await self.emit('serveQuery', query);
         req.data.bestPage = await query.toObject();
         self.evaluatePageMatch(req);
+
+        if (self.options.cache && self.options.cache.page) {
+          self.setMaxAge(req, self.options.cache.page.maxAge);
+        }
       },
       // Normalize req.slug to account for unneeded trailing whitespace,
       // trailing slashes other than the root, and double slash based open

package/modules/@apostrophecms/piece-type/index.js

@@ -200,6 +200,11 @@ module.exports = {
           if (query.get('countsResults')) {
             result.counts = query.get('countsResults');
           }
+
+          if (self.options.cache && self.options.cache.api) {
+            self.setMaxAge(req, self.options.cache.api.maxAge);
+          }
+
           return result;
         }
       ],
@@ -209,6 +214,11 @@ module.exports = {
           _id = self.inferIdLocaleAndMode(req, _id);
           self.publicApiCheck(req);
           const doc = await self.getRestQuery(req).and({ _id }).toObject();
+
+          if (self.options.cache && self.options.cache.api) {
+            self.setMaxAge(req, self.options.cache.api.maxAge);
+          }
+
           if (!doc) {
             throw self.apos.error('notfound');
           }

package/modules/@apostrophecms/task/index.js

@@ -193,6 +193,12 @@ module.exports = {
           res: {
             redirect(url) {
               req.res.redirectedTo = url;
+            },
+            header(key, value) {
+              req.res.headers = {
+                ...(req.res.headers || {}),
+                [key]: value
+              };
             }
           },
           t(key, options = {}) {

package/modules/@apostrophecms/template/index.js

@@ -643,6 +643,7 @@ module.exports = {
           modules: {},
           prefix: req.prefix,
           sitePrefix: self.apos.prefix,
+          shortName: self.apos.shortName,
           locale: req.locale,
           csrfCookieName: self.apos.csrfCookieName,
           tabId: self.apos.util.generateId(),

package/modules/@apostrophecms/ui/ui/apos/components/AposContextMenu.vue

@@ -16,6 +16,7 @@
       <!-- TODO refactor buttons to take a single config obj -->
       <AposButton
         class="apos-context-menu__btn"
+        data-apos-test="contextMenuTrigger"
         @click.stop="buttonClicked($event)"
         v-bind="button"
         :state="buttonState"

package/modules/@apostrophecms/ui/ui/apos/components/AposContextMenuDialog.vue

@@ -19,6 +19,7 @@
           <AposContextMenuItem
             v-for="item in menu"
             :key="item.action"
+            :data-apos-test-context-menu-item="item.action"
             :menu-item="item"
             @clicked="menuItemClicked"
             :open="isOpen"

package/modules/@apostrophecms/user/index.js

@@ -432,7 +432,12 @@ module.exports = {
 
       // Initialize the [credential](https://npmjs.org/package/credential) module.
       initializeCredential() {
-        self.pw = credential();
+        self.pw = credential({
+          // For efficient unit tests only. Reducing the work factor
+          // for actual credentials increases the speed of brute force attacks
+          // if the database is ever compromised
+          work: self.options.insecurePasswords ? 0.01 : 1
+        });
       },
 
       // Implement the `@apostrophecms/user:add` command line task.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "3.14.2",
+  "version": "3.16.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {