apostrophe 3.63.2 → 3.64.0

package/CHANGELOG.md

@@ -1,5 +1,51 @@
 # Changelog
 
+## 3.64.0 (2024-04-18)
+
+### Adds
+
+### Fixes
+
+* Add the missing `metaType` property to newly inserted widgets.
+
+### Security
+
+* New passwords are now hashed with `scrypt`, the best password hash available in the Node.js core `crypto` module, following guidance from [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).
+This reduces login time while improving overall security.
+* Old passwords are automatically re-hashed with `scrypt` on the next successful login attempt, which
+adds some delay to that next attempt, but speeds them up forever after compared to the old implementation.
+* Custom `scrypt` parameters for password hashing can be passed to the `@apostrophecms/user` module via the `scrypt` option. See the [Node.js documentation for `scrypt`]. Note that the `maxmem` parameter is computed automatically based on the other parameters.
+
+### Changes
+
+* `APOS_MONGODB_LOG_LEVEL` has been removed. According to [mongodb documentation](https://github.com/mongodb/node-mongodb-native/blob/main/etc/notes/CHANGES_5.0.0.md#mongoclientoptionslogger-and-mongoclientoptionsloglevel-removed) "Both the logger and the logLevel options had no effect and have been removed."
+* Update `connect-mongo` to `5.x`. Add `@apostrophecms/emulate-mongo-3-driver` dependency to keep supporting `mongodb@3.x` queries while using `mongodb@6.x`.
+
+## 3.63.3 (2024-03-14)
+
+### Adds
+
+* Add translation keys used by the multisite assembly module. This was released ahead of
+our regular schedule because the multisite module was released early with the expectation
+that these keys would be present.
+
+### Fixes
+
+* `field.help` and `field.htmlHelp` are now correctly translated when displayed in a tooltip.
+This was also an expectation for the multisite module.
+
+## UNRELEASED
+
+### Adds
+
+* Add side by side comparison support in AposSchema component.
+* Add the possibility to make widget modals wider, which can be useful for widgets that contain areas taking significant space. See [documentation](https://v3.docs.apostrophecms.org/reference/modules/widget-type.html#options).
+
+### Fixes
+
+* Adds `textStyle` to Tiptap types so that spans are rendered on RT initialization
+* Notification REST APIs should not directly return the result of MongoDB operations.
+
 ## 3.63.2 (2024-03-01)
 
 ### Security

package/defaults.js

@@ -4,6 +4,7 @@ module.exports = {
     '@apostrophecms/error': {},
     '@apostrophecms/util': {},
     '@apostrophecms/i18n': {},
+    '@apostrophecms/multisite-i18n': {},
     '@apostrophecms/task': {},
     '@apostrophecms/schema': {},
     '@apostrophecms/uploadfs': {},

package/lib/mongodb-connect.js

@@ -1,4 +1,4 @@
-const mongo = require('mongodb');
+const mongo = require('@apostrophecms/emulate-mongo-3-driver');
 const dns = require('dns');
 
 // Connect to MongoDB, using the modern topology and parser, and

package/modules/@apostrophecms/area/index.js

@@ -622,7 +622,7 @@ module.exports = {
           widgetIsContextual[name] = manager.options.contextual;
           widgetHasPlaceholder[name] = manager.options.placeholder;
           widgetHasInitialModal[name] = !manager.options.placeholder && manager.options.initialModal !== false;
-          contextualWidgetDefaultData[name] = manager.options.defaultData;
+          contextualWidgetDefaultData[name] = manager.options.defaultData || {};
         });
 
         return {

package/modules/@apostrophecms/area/ui/apos/components/AposAreaEditor.vue

@@ -431,7 +431,9 @@ export default {
     },
     async update(widget) {
       widget.aposPlaceholder = false;
-
+      if (!widget.metaType) {
+        widget.metaType = 'widget';
+      }
       if (this.docId === window.apos.adminBar.contextId) {
         apos.bus.$emit('context-edited', {
           [`@${widget._id}`]: widget
@@ -515,6 +517,9 @@ export default {
       if (!widget._id) {
         widget._id = cuid();
       }
+      if (!widget.metaType) {
+        widget.metaType = 'widget';
+      }
       const push = {
         $each: [ widget ]
       };

package/modules/@apostrophecms/db/index.js

@@ -96,12 +96,6 @@ module.exports = {
           self.connectionReused = true;
           return;
         }
-        let Logger;
-        if (process.env.APOS_MONGODB_LOG_LEVEL) {
-          Logger = require('mongodb').Logger;
-          // Set debug level
-          Logger.setLevel(process.env.APOS_MONGODB_LOG_LEVEL);
-        }
         let uri = 'mongodb://';
         if (process.env.APOS_MONGODB_URI) {
           uri = process.env.APOS_MONGODB_URI;

package/modules/@apostrophecms/doc-type/index.js

@@ -2682,8 +2682,14 @@ module.exports = {
               subquery.limit(undefined);
               subquery.page(undefined);
               subquery.perPage(undefined);
-              const mongo = await subquery.toMongo();
-              const count = await mongo.count();
+              const cursor = await subquery.toMongo();
+              const count = await cursor.count();
+              // TODO: replace count with the code below
+              // await subquery.finalize();
+              // const count = await self.apos.doc.db.countDocuments({
+              //   ...subquery.get('criteria'),
+              //   ...(subquery.get('lateCriteria') || {})
+              // });
               if (query.get('perPage')) {
                 const perPage = query.get('perPage');
                 const totalPages = Math.ceil(count / perPage);

package/modules/@apostrophecms/express/index.js

@@ -554,12 +554,13 @@ module.exports = {
           }
           if (!sessionOptions.store.name) {
             // require from this module's dependencies
-            Store = require('connect-mongo')(expressSession);
+            const MongoStore = require('connect-mongo');
+            sessionOptions.store = MongoStore.create(sessionOptions.store.options);
           } else {
             // require from project's dependencies
             Store = self.apos.root.require(sessionOptions.store.name)(expressSession);
+            sessionOptions.store = new Store(sessionOptions.store.options);
           }
-          sessionOptions.store = new Store(sessionOptions.store.options);
         }
         // Exported for the benefit of code that needs to
         // interoperate in a compatible way with express-sessions

package/modules/@apostrophecms/migration/index.js

@@ -115,6 +115,11 @@ module.exports = {
         // https://groups.google.com/forum/#!topic/mongodb-user/AFC1ia7MHzk
         const cursor = collection.find(criteria);
         cursor.sort({ _id: 1 });
+        // TODO use a variant of the code below instead
+        // cursor.batchSize(limit);
+        // for await (const docs of cursor) {
+        //   // await iterator(docs);
+        // }
         return require('util').promisify(broadband)(cursor, limit, async function (doc, cb) {
           try {
             await iterator(doc);

package/modules/@apostrophecms/modal/ui/apos/components/AposModal.vue

@@ -308,7 +308,7 @@ export default {
       top: 0;
       bottom: 0;
       transform: translateX(0);
-      width: 90%;
+      width: 100%;
       border-radius: 0;
       height: 100vh;
 
@@ -339,6 +339,12 @@ export default {
       }
     }
 
+    &.apos-modal__inner--full {
+      @media screen and (min-width: 800px) {
+        max-width: 100%;
+      }
+    }
+
     &.slide-left-enter,
     &.slide-left-leave-to {
       transform: translateX(100%);

package/modules/@apostrophecms/multisite-i18n/i18n/aposMultisite/en.json

@@ -0,0 +1,48 @@
+{
+  "shortName": "Short Name",
+  "shortNameHelp": "If the short name is \"niftypig\", then the temporary hostname of the site will be \"niftypig.{{ baseDomain }}\".",
+  "prodHostname": "Production Hostname",
+  "prodHostnameHelp": "We will also automatically add \"www.\" as an alternate. The final name of the site. Do not add unless the DNS is being changed or has been changed to point to this service",
+  "canonicalize": "Redirect to Production Hostname",
+  "canonicalizeHelp": "Do not activate this until you see that both DNS and HTTPS are working for the production hostname.",
+  "canonicalizeStatus": "Canonical Redirect Status Code",
+  "canonicalizeStatusHelp": "\"Moved Permanently\" is best for SEO, but you should make sure you are happy with the results using \"Moved Temporarily\" first to avoid caching of bad redirects.",
+  "hostnamesArray": "Hostnames",
+  "hostnamesArrayHelp": "All valid hostnames for the site must be on this list, for instance both example.com and www.example.com",
+  "devBaseUrl": "Development Base URL",
+  "devBaseUrlHelp": "like http://localhost:3000",
+  "stagingBaseUrl": "Staging Base URL",
+  "stagingBaseUrlHelp": "like http://project.staging.org",
+  "prodBaseUrl": "Production Base URL",
+  "prodBaseUrlHelp": "like https://myproject.com",
+  "localeName": "Name",
+  "localeNameHelp": "Like en or en-GB. NOTE: the name may be changed but renaming a locale can be a slow operation. Consider changing just the label, prefix and hostname.",
+  "localeLabel": "Label",
+  "localeLabelHelp": "Like British English",
+  "localePrefix": "Prefix",
+  "localePrefixHelp": "Like /en",
+  "localeSeparateHost": "Separate Host",
+  "localeSeparateHostHelp": "This locale requires a separate hostname, e.g. fr.example.com in staging or example.fr in production.",
+  "localeStagingSubdomain": "Staging Subdomain",
+  "localeStagingSubdomainHelp": "Custom subdomain used in staging. Multiple locales can be configured with the same subdomain in order to group them on it, for instance \"canada.example.com/en\" and \"canada.example.com/fr\". Note that all but one locale must have a prefix for distinction. If left blank, the locale name will be used as the subdomain, outside of production.",
+  "localeSeparateProductionHostname": "Separate Production Hostname",
+  "localeSeparateProductionHostnameHelp": "Like example.fr. If not set, defaults to LOCALE.SHORTNAME.{{ baseDomain }}, e.g. fr.somesite.{{ baseDomain }}.",
+  "localePrivate": "Private locale",
+  "localePrivateHelp": "This locale is private",
+  "adminPassword": "Admin Password",
+  "adminPasswordHelp": "Set password for the \"admin\" user of the new site. For pre-existing sites, leave blank for no change.",
+  "redirect": "Redirect Entire Site",
+  "redirectHelp": "Redirect all traffic for the site to another URL.",
+  "redirectUrl": "Redirect To...",
+  "redirectUrlHelp": "Redirect traffic to this URL.",
+  "redirectPreservePath": "Preserve the Path when Redirecting",
+  "redirectPreservePathHelp": "If the URL ends with /something, add /something to the redirect URL as well. Otherwise, all traffic is redirected to a single place.",
+  "redirectStatus": "Redirect Status Code",
+  "redirectStatusHelp": "\"Moved Permanently\" is best for SEO, but you should test thoroughly first with \"Moved Temporarily\" to avoid caching of bad redirects.",
+  "emptyAdminPasswordError": "You must fill out the admin password field.",
+  "shortnameError": "The short name of the site must not contain dots, a protocol or spaces. It is a short name like \"nifty\" (without quotes) and will be used as a \"working name\" for a temporary subdomain for your site until it is launched.",
+  "shortnameInUseError": "That short name is already in use by another site.",
+  "productionHostnameInUseError": "That Production Hostname is already in use by another site.",
+  "renamingLocale": "Renaming locale {{ oldName }} to {{ newName }} in site {{ siteName }}, access to the site is paused, this may take time",
+  "localeRenamed": "Locale renamed"
+}

package/modules/@apostrophecms/multisite-i18n/index.js

@@ -0,0 +1,7 @@
+module.exports = {
+  i18n: {
+    aposMultisite: {
+      browser: true
+    }
+  }
+};

package/modules/@apostrophecms/notification/index.js

@@ -154,7 +154,7 @@ module.exports = {
           dismissed
         });
 
-        return self.db.updateOne({ _id }, {
+        await self.db.updateOne({ _id }, {
           $set: {
             dismissed
           },
@@ -164,8 +164,8 @@ module.exports = {
         });
       }
     },
-    delete(req, _id) {
-      return self.db.deleteMany({ _id });
+    async delete(req, _id) {
+      await self.db.deleteMany({ _id });
     }
   }),
   apiRoutes(self) {
@@ -414,7 +414,7 @@ module.exports = {
 
       async ensureCollection() {
         self.db = self.apos.db.collection('aposNotifications');
-        return self.db.createIndex({
+        await self.db.createIndex({
           userId: 1,
           createdAt: 1
         });

package/modules/@apostrophecms/rich-text-widget/index.js

@@ -331,6 +331,7 @@ module.exports = {
       blockquote: [ 'blockquote' ],
       superscript: [ 'sup' ],
       subscript: [ 'sub' ],
+      textStyle: [ 'span' ],
       // Generic div type, usually used with classes,
       // and for A2 content migration. Intentionally not
       // given a nicer-sounding name

package/modules/@apostrophecms/schema/ui/apos/components/AposInputWrapper.vue

@@ -38,7 +38,7 @@
               <AposIndicator
                 icon="help-circle-icon"
                 class="apos-field__help-tooltip__icon"
-                :tooltip="field.help || field.htmlHelp"
+                :tooltip="$t(field.help || field.htmlHelp)"
                 :icon-size="11"
                 icon-color="var(--a-base-4)"
               />

package/modules/@apostrophecms/schema/ui/apos/components/AposSchema.vue

@@ -25,11 +25,13 @@
 <template>
   <component
     class="apos-schema"
+    :class="classes"
     :is="fieldStyle === 'table' ? 'tr' : 'div'"
   >
     <slot name="before" />
     <component
-      v-for="field in schema" :key="field.name.concat(field._id ?? '')"
+      v-for="field in schema"
+      :key="field.name.concat(field._id ?? '')"
       :data-apos-field="field.name"
       :is="fieldStyle === 'table' ? 'td' : 'div'"
       :style="(fieldStyle === 'table' && field.columnStyle) || {}"
@@ -53,6 +55,25 @@
         @update-doc-data="onUpdateDocData"
         @validate="emitValidate()"
       />
+      <component
+        v-if="hasCompareMeta"
+        v-show="displayComponent(field)"
+        v-model="compareMetaState[field.name]"
+        :is="fieldComponentMap[field.type]"
+        :following-values="followingValues[field.name]"
+        :condition-met="conditionalFields?.if[field.name]"
+        :field="fields[field.name].field"
+        :meta="meta"
+        :modifiers="fields[field.name].modifiers"
+        :display-options="getDisplayOptions(field.name)"
+        :trigger-validation="triggerValidation"
+        :server-error="fields[field.name].serverError"
+        :doc-id="docId"
+        :ref="field.name"
+        :generation="generation"
+        @update-doc-data="onUpdateDocData"
+        @validate="emitValidate()"
+      />
     </component>
     <slot name="after" />
   </component>
@@ -96,4 +117,26 @@ export default {
       margin-bottom: 0;
     }
   }
+
+  .apos-schema.apos-schema--compare {
+    & > ::v-deep [data-apos-field] {
+      display: flex;
+
+      & > .apos-field__wrapper {
+        flex-grow: 1;
+        flex-basis: 50%;
+        border-right: 1px solid var(--a-base-9);
+        padding-right: 20px;
+      }
+      & > .apos-field__wrapper + .apos-field__wrapper {
+        border-right: none;
+        padding-right: 0;
+        padding-left: 20px;
+      }
+
+      & .apos-field__label {
+        word-break: break-all;
+      }
+    }
+  }
 </style>

package/modules/@apostrophecms/schema/ui/apos/logic/AposSchema.js

@@ -130,6 +130,32 @@ export default {
           }
         };
       }, {});
+    },
+    hasCompareMeta() {
+      return this.schema.some(field => this.meta[field.name]?.['@apostrophecms/schema:compare']);
+    },
+    classes() {
+      const classes = [];
+      if (this.hasCompareMeta) {
+        classes.push('apos-schema--compare');
+      }
+
+      return classes;
+    },
+    compareMetaState() {
+      if (!this.hasCompareMeta) {
+        return {};
+      }
+
+      const compareMetaState = {};
+      this.schema.forEach(field => {
+        compareMetaState[field.name] = {
+          error: false,
+          data: this.meta[field.name]['@apostrophecms/schema:compare']
+        };
+      });
+
+      return compareMetaState;
     }
   },
   watch: {

package/modules/@apostrophecms/user/index.js

@@ -34,7 +34,7 @@
 // their preferred language for the admin UI. It will be added only if
 // @apostrophecms/i18n is configured with `adminLocales`.
 
-const credentials = require('credentials');
+const passwordHash = require('./lib/password-hash.js');
 const prompts = require('prompts');
 
 module.exports = {
@@ -52,7 +52,20 @@ module.exports = {
     publishRole: 'admin',
     viewRole: 'admin',
     showPermissions: true,
-    relationshipSuggestionIcon: 'account-box-icon'
+    relationshipSuggestionIcon: 'account-box-icon',
+    scrypt: {
+      // These are the defaults. If you choose to pass
+      // this option, you can pass one or more new values.
+      // "cost" must be a power of 2. See:
+      //
+      // https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback
+      //
+      // Do not pass maxmem, it is calculated automatically.
+      //
+      // cost: 131072,
+      // parallelization: 1,
+      // blockSize: 8
+    }
   },
   fields(self, options) {
     const fields = {};
@@ -426,11 +439,11 @@ module.exports = {
       // in `options.secrets` when configuring this module or via
       // `addSecrets` are not stored as plaintext and are not kept in the
       // aposDocs collection. Instead, they are hashed and salted using the
-      // `credential` module and the resulting hash is stored
+      // the same algorithm applied to passwords and the resulting hash is stored
       // in a separate `aposUsersSafe` collection. This method
       // can be used to verify that `attempt` matches the
       // previously hashed value for the property named `secret`,
-      // without ever storing the actual value of the secret
+      // without ever storing the actual value of the secret.
       //
       // If the secret does not match, an `invalid` error is thrown.
       // Otherwise the method returns normally.
@@ -440,10 +453,20 @@ module.exports = {
         if (!safeUser) {
           throw new Error('No such user in the safe.');
         }
-
-        const isVerified = await self.pw.verify(migrate(safeUser[secret + 'Hash']), attempt);
+        const key = secret + 'Hash';
+        const isVerified = await self.pw.verify(migrate(safeUser[key]), attempt);
 
         if (isVerified) {
+          if ((typeof isVerified) === 'string') {
+            // "verify" updated the hash, store the new one
+            const $set = {};
+            $set[key] = isVerified;
+            await self.safe.updateOne({
+              _id: user._id
+            }, {
+              $set
+            });
+          }
           return null;
         } else {
           throw self.apos.error('invalid', `Incorrect ${secret}`);
@@ -452,8 +475,9 @@ module.exports = {
         function migrate(json) {
           const data = JSON.parse(json);
 
-          // Do not re-encode salt generated by credentials@3
-          if (data.credentials3) {
+          // * Do not re-encode legacy salt generated by credentials@3
+          // * Do not alter salts not generated by the credentials module
+          if (data.credentials3 || (data.hashMethod !== 'pbkdf2')) {
             return json;
           }
 
@@ -477,13 +501,15 @@ module.exports = {
         await self.safe.updateOne({ _id: user._id }, changes);
       },
 
-      // Initialize the [credential](https://npmjs.org/package/credential) module.
+      // Initialize password hashing system. Name is for
+      // legacy reasons
+
       initializeCredential() {
-        self.pw = credentials({
-          // For efficient unit tests only. Reducing the work factor
-          // for actual credentials increases the speed of brute force attacks
-          // if the database is ever compromised
-          work: self.options.insecurePasswords ? 0.01 : 1
+        self.pw = passwordHash({
+          error(s) {
+            return self.apos.error('invalid', s);
+          },
+          scrypt: self.options.scrypt
         });
       },
 

package/modules/@apostrophecms/user/lib/password-hash.js

@@ -0,0 +1,122 @@
+// Password hashing based on scrypt, per:
+// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+//
+// Also includes legacy support for pbkdf2 passwords.
+//
+// Adapted from the "credential" and "credentials" modules,
+// which were also released under the MIT license.
+
+const util = require('util');
+const crypto = require('crypto');
+
+const scrypt = util.promisify(crypto.scrypt);
+const pbkdf2 = util.promisify(crypto.pbkdf2);
+const randomBytes = util.promisify(crypto.randomBytes);
+const timingSafeEqual = crypto.timingSafeEqual;
+
+function getScryptOptions(options) {
+  const result = {
+    cost: 131072,
+    parallelization: 1,
+    blockSize: 8,
+    ...options
+  };
+  // Per https://github.com/nodejs/node/issues/21524
+  // Without this the parameters are rejected as soon as we
+  // exceed the default cost of 16384
+  result.maxmem = 128 * result.parallelization * result.blockSize + 128 * (2 + result.cost) * result.blockSize;
+  return result;
+}
+
+configure.hash = hash;
+configure.verify = verify;
+
+module.exports = configure;
+
+function configure(opts) {
+  opts = {
+    keyLength: 64,
+    ...opts,
+    scrypt: getScryptOptions(opts.scrypt)
+  };
+  return {
+    hash: password => hash(password, opts),
+    verify: (stored, input) => verify(stored, input, opts)
+  };
+}
+
+async function hash(password, opts) {
+  const { keyLength } = opts;
+
+  if (typeof password !== 'string' || password.length === 0) {
+    throw opts.error('Password must be a non-empty string.');
+  }
+
+  const salt = await randomBytes(keyLength);
+  const hash = await scrypt(password, salt, keyLength, opts.scrypt);
+
+  return JSON.stringify({
+    hashMethod: 'scrypt',
+    salt: salt.toString('base64'),
+    hash: hash.toString('base64'),
+    keyLength,
+    scrypt: opts.scrypt
+  });
+}
+
+async function verify(stored, input, opts) {
+  const parsed = parse(stored);
+
+  const {
+    hashMethod, keyLength, salt, hash: hashA
+  } = parse(stored);
+
+  if (typeof input !== 'string' || input.length === 0) {
+    throw opts.error('Input password must be a non-empty string.');
+  }
+  if (!hashMethod) {
+    throw opts.error('Couldn\'t parse stored hash.');
+  }
+  let hashB;
+  if (hashMethod === 'scrypt') {
+    // Use scrypt as a more modern but also safely portable
+    // solution in Node.js
+    const { scrypt: scryptOptions } = parsed;
+    // Calculate maxmem to make sure we still have the resources
+    // if this password was hashed with a higher cost factor
+    // than the one we are using for new passwords
+    hashB = await scrypt(input, salt, keyLength, getScryptOptions(scryptOptions));
+  } else {
+    // Support existing pbkdf2 hashes from credentials module
+    const { iterations } = parsed;
+    const dfn = hashMethod.slice(0, 6);
+    const hfn = hashMethod.slice(7) || 'sha1';
+    if (dfn !== 'pbkdf2') {
+      throw opts.error('Unsupported key derivation function');
+    }
+    if (![ 'sha1', 'sha512' ].includes(hfn)) {
+      throw opts.error('Unsupported hash function');
+    }
+    hashB = await pbkdf2(input, salt, iterations, keyLength, hfn);
+  }
+  const equal = timingSafeEqual(hashA, hashB);
+  if (equal && (hashMethod !== 'scrypt')) {
+    // Modernize legacy hashes on next login
+    return hash(input, opts);
+  } else {
+    return equal;
+  }
+}
+
+function parse(stored) {
+  try {
+    const parsed = JSON.parse(stored);
+    return {
+      ...parsed,
+      salt: Buffer.from(parsed.salt, 'base64'),
+      hash: Buffer.from(parsed.hash, 'base64')
+    };
+  } catch (err) {
+    return {};
+  }
+}

package/modules/@apostrophecms/widget-type/index.js

@@ -100,7 +100,11 @@ module.exports = {
     neverLoadSelf: true,
     initialModal: true,
     placeholder: false,
-    placeholderClass: 'apos-placeholder'
+    placeholderClass: 'apos-placeholder',
+    // two-thirds, half or full:
+    width: '',
+    // left or right:
+    origin: 'right'
   },
   init(self) {
     const badFieldName = Object.keys(self.fields).indexOf('type') !== -1;
@@ -400,7 +404,9 @@ module.exports = {
           contextual: self.options.contextual,
           placeholderClass: self.options.placeholderClass,
           className: self.options.className,
-          components: self.options.components
+          components: self.options.components,
+          width: self.options.width,
+          origin: self.options.origin
         });
         return result;
       }

package/modules/@apostrophecms/widget-type/ui/apos/components/AposWidgetEditor.vue

@@ -92,6 +92,8 @@ export default {
   },
   emits: [ 'safe-close', 'modal-result' ],
   data() {
+    const moduleOptions = window.apos.modules[apos.area.widgetManagers[this.type]];
+
     return {
       id: this.value && this.value._id,
       original: null,
@@ -103,6 +105,8 @@ export default {
         title: this.editLabel,
         active: false,
         type: 'slide',
+        width: moduleOptions.width,
+        origin: moduleOptions.origin,
         showModal: false
       },
       triggerValidation: false
@@ -218,9 +222,3 @@ export default {
   }
 };
 </script>
-
-<style lang="scss" scoped>
-  .apos-widget-editor ::v-deep .apos-modal__inner {
-    max-width: 458px;
-  }
-</style>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "3.63.2",
+  "version": "3.64.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
@@ -31,6 +31,7 @@
   "author": "Apostrophe Technologies, Inc.",
   "license": "MIT",
   "dependencies": {
+    "@apostrophecms/emulate-mongo-3-driver": "^1.0.2",
     "@apostrophecms/vue-color": "^2.8.2",
     "@opentelemetry/api": "^1.0.4",
     "@opentelemetry/semantic-conventions": "^1.0.1",
@@ -74,11 +75,10 @@
     "cheerio": "^1.0.0-rc.10",
     "chokidar": "^3.5.2",
     "common-tags": "^1.8.0",
-    "connect-mongo": "^3.0.0",
+    "connect-mongo": "^5.1.0",
     "connect-multiparty": "^2.1.1",
     "cookie-parser": "^1.4.5",
     "cors": "^2.8.5",
-    "credentials": "^3.0.2",
     "css-loader": "^5.2.4",
     "cuid": "^2.1.8",
     "dayjs": "^1.9.8",
@@ -104,7 +104,6 @@
     "mini-css-extract-plugin": "^1.6.0",
     "minimatch": "^3.0.4",
     "mkdirp": "^0.5.5",
-    "mongodb": "^3.6.6",
     "node-fetch": "^2.6.1",
     "nodemailer": "^6.6.1",
     "nunjucks": "^3.2.1",

package/test/password-hash.js

@@ -0,0 +1,56 @@
+const assert = require('assert');
+const passwordHash = require('../modules/@apostrophecms/user/lib/password-hash.js');
+
+const legacyHash = '{"hashMethod":"pbkdf2-sha512","salt":"JEB7TX4iOky4kWy+1xsGlN0u7GpEtEoUxmRzaf0Oi35A5j9ynYZfT1Lk4JofBz5nbAHD4HoMqQnevltTLd4Hbw==","hash":"aFM6axOnaPiwNGly7NsfYEvFHEv1ML4lNyi2nEz95tudK1/M1PUlMbtxujZ+W1Gv8Q2mHh7KnL6Ql94OOL8S0g==","keyLength":64,"iterations":4449149,"credentials3":true}';
+
+describe('password-hash', function() {
+  it('can hash a password', async function() {
+    const instance = getInstance();
+    const hash = await instance.hash('test one');
+    assert(hash);
+  });
+  it('can verify a correct password', async function() {
+    const instance = getInstance();
+    const hash = await instance.hash('test one');
+    assert(await instance.verify(hash, 'test one'));
+  });
+  it('cannot verify an incorrect password', async function() {
+    const instance = getInstance();
+    const hash = await instance.hash('test one');
+    assert(!await instance.verify(hash, 'test two'));
+  });
+  it('hash does not contain password and uses scrypt with parameters', async function() {
+    const instance = getInstance();
+    const hash = JSON.parse(await instance.hash('test one'));
+    assert(!JSON.stringify(hash).includes('test one'));
+    assert.strictEqual(hash.hashMethod, 'scrypt');
+    assert(hash.scrypt);
+    assert.strictEqual(hash.scrypt.cost, 131072);
+    assert.strictEqual(hash.scrypt.blockSize, 8);
+    assert.strictEqual(hash.scrypt.parallelization, 1);
+  });
+  it('can verify and modernize a legacy pbkdf2 password hash', async function() {
+    this.timeout(10000);
+    const instance = getInstance();
+    const hash = await instance.verify(legacyHash, 'test-password');
+    assert(hash);
+    assert.strictEqual(typeof hash, 'string');
+    const data = JSON.parse(hash);
+    assert.strictEqual(data.hashMethod, 'scrypt');
+    assert.strictEqual(await instance.verify(hash, 'test-password'), true);
+    assert.strictEqual(await instance.verify(hash, 'bogus-password'), false);
+  });
+  it('can reject a bad password for a legacy pbkdf2 hash', async function() {
+    this.timeout(10000);
+    const instance = getInstance();
+    assert(!await instance.verify(legacyHash, 'bad-password'));
+  });
+});
+
+function getInstance() {
+  return passwordHash({
+    error(s) {
+      return new Error(s);
+    }
+  });
+}

package/test/users.js

@@ -99,7 +99,7 @@ describe('Users', function() {
     }
   });
 
-  it('should verify a user password created with former credential package', async function() {
+  it('should verify a user password created with former credential package and also upgrade the hash', async function() {
     const req = apos.task.getReq();
     const user = apos.user.newInstance();
 
@@ -115,9 +115,25 @@ describe('Users', function() {
     const oldPasswordHashSimulated =
       '{"hash":"/1GntJjtkMY1iPmQY1gn9f3bOZ5tb2qFL+x4qsDerZq2JL8+12TERR4/xqh246wBb+QJwwIRsF/6E+eccshsLxT/","salt":"GJHukLNaG6xDgdIpxVOpqV7xQLQM7e5xnhDW7oaUOe7mTicr7Ca76M4uUJalN/cQ68CE9O7yXZ5WJOz4RN/udcX0","keyLength":66,"hashMethod":"pbkdf2","iterations":2853053}';
 
-    await apos.user.safe.update({ username: 'olduser' }, { $set: { passwordHash: oldPasswordHashSimulated } });
+    await apos.user.safe.updateOne({ username: 'olduser' }, { $set: { passwordHash: oldPasswordHashSimulated } });
     await apos.user.verifyPassword(user, 'passwordThatWentThroughOldCredentialPackageHashing');
-    await apos.user.safe.remove({ username: 'olduser' });
+
+    // verifyPassword now upgrades legacy hashes on next use, e.g.
+    // the next time it is possible because the password is known
+    const newHash = JSON.parse((await apos.user.safe.findOne({
+      username: 'olduser'
+    })).passwordHash);
+    assert.strictEqual(newHash.hashMethod, 'scrypt');
+    // Confirm the modernized end result is still verifiable with the old password
+    await apos.user.verifyPassword(user, 'passwordThatWentThroughOldCredentialPackageHashing');
+    try {
+      // ... And not with a bogus one
+      await apos.user.verifyPassword(user, 'bogus');
+      assert(false);
+    } catch (e) {
+      // Good
+    }
+    await apos.user.safe.removeOne({ username: 'olduser' });
   });
 
   it('should not be able to insert a new user if their email already exists', async function() {