strapi/packages/plugins/users-permissions/server/services/user.js

'use strict';

/**
 * User.js service
 *
 * @description: A set of functions similar to controller's actions to avoid code duplication.
 */

const crypto = require('crypto');
const bcrypt = require('bcryptjs');
const urlJoin = require('url-join');

const { sanitize } = require('@strapi/utils');
const { toNumber, getOr } = require('lodash/fp');
const { getService } = require('../utils');

const USER_MODEL_UID = 'plugin::users-permissions.user';

module.exports = ({ strapi }) => ({
  /**
   * Promise to count users
   *
   * @return {Promise}
   */

  count(params) {
    return strapi.db.query(USER_MODEL_UID).count({ where: params });
  },

  /**
   * Hashes password fields in the provided values object if they are present.
   * It checks each key in the values object against the model's attributes and
   * hashes it if the attribute type is 'password',
   *
   * @param {object} values - The object containing the fields to be hashed.
   * @return {object} The values object with hashed password fields if they were present.
   */
  async ensureHashedPasswords(values) {
    const attributes = strapi.getModel(USER_MODEL_UID).attributes;

    for (const key in values) {
      if (attributes[key] && attributes[key].type === 'password') {
        // Check if a custom encryption.rounds has been set on the password attribute
        const rounds = toNumber(getOr(10, 'encryption.rounds', attributes[key]));
        values[key] = await bcrypt.hash(values[key], rounds);
      }
    }

    return values;
  },

  /**
   * Promise to add a/an user.
   * @return {Promise}
   */
  async add(values) {
    return strapi.db.query(USER_MODEL_UID).create({
      data: await this.ensureHashedPasswords(values),
      populate: ['role'],
    });
  },

  /**
   * Promise to edit a/an user.
   * @param {string} userId
   * @param {object} params
   * @return {Promise}
   */
  async edit(userId, params = {}) {
    return strapi.db.query(USER_MODEL_UID).update({
      where: { id: userId },
      data: await this.ensureHashedPasswords(params),
      populate: ['role'],
    });
  },

  /**
   * Promise to fetch a/an user.
   * @return {Promise}
   */
  fetch(id, params) {
    const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});

    return strapi.db.query(USER_MODEL_UID).findOne({
      ...query,
      where: {
        $and: [{ id }, query.where || {}],
      },
    });
  },

  /**
   * Promise to fetch authenticated user.
   * @return {Promise}
   */
  fetchAuthenticatedUser(id) {
    return strapi.db.query(USER_MODEL_UID).findOne({ where: { id }, populate: ['role'] });
  },

  /**
   * Promise to fetch all users.
   * @return {Promise}
   */
  fetchAll(params) {
    const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});

    return strapi.db.query(USER_MODEL_UID).findMany(query);
  },

  /**
   * Promise to remove a/an user.
   * @return {Promise}
   */
  async remove(params) {
    return strapi.db.query(USER_MODEL_UID).delete({ where: params });
  },

  validatePassword(password, hash) {
    return bcrypt.compare(password, hash);
  },

  async sendConfirmationEmail(user) {
    const userPermissionService = getService('users-permissions');
    const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
    const userSchema = strapi.getModel(USER_MODEL_UID);

    const settings = await pluginStore
      .get({ key: 'email' })
      .then((storeEmail) => storeEmail.email_confirmation.options);

    // Sanitize the template's user information
    const sanitizedUserInfo = await sanitize.sanitizers.defaultSanitizeOutput(
      {
        schema: userSchema,
        getModel: strapi.getModel.bind(strapi),
      },
      user
    );

    const confirmationToken = crypto.randomBytes(20).toString('hex');

    await this.edit(user.id, { confirmationToken });

    const apiPrefix = strapi.config.get('api.rest.prefix');

    try {
      settings.message = await userPermissionService.template(settings.message, {
        URL: urlJoin(
          strapi.config.get('server.absoluteUrl'),
          apiPrefix,
          '/auth/email-confirmation'
        ),
        SERVER_URL: strapi.config.get('server.absoluteUrl'),
        ADMIN_URL: strapi.config.get('admin.absoluteUrl'),
        USER: sanitizedUserInfo,
        CODE: confirmationToken,
      });

      settings.object = await userPermissionService.template(settings.object, {
        USER: sanitizedUserInfo,
      });
    } catch {
      strapi.log.error(
        '[plugin::users-permissions.sendConfirmationEmail]: Failed to generate a template for "user confirmation email". Please make sure your email template is valid and does not contain invalid characters or patterns'
      );
      return;
    }

    // Send an email to the user.
    await strapi
      .plugin('email')
      .service('email')
      .send({
        to: user.email,
        from:
          settings.from.email && settings.from.name
            ? `${settings.from.name} <${settings.from.email}>`
            : undefined,
        replyTo: settings.response_email,
        subject: settings.object,
        text: settings.message,
        html: settings.message,
      });
  },
});
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`'use strict';`

			`/**`
			`* User.js service`
			`*`
			`* @description: A set of functions similar to controller's actions to avoid code duplication.`
			`*/`

Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00			`const crypto = require('crypto');`
Make lint stricter and fix the errors Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 11:27:17 +01:00			`const bcrypt = require('bcryptjs');`
fix confirmation url missing the api prefix 2022-01-10 18:11:32 +01:00			`const urlJoin = require('url-join');`
Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00
chore: introduce query-params service to remove strapi.global dep in utils 2024-03-25 12:32:56 +01:00			`const { sanitize } = require('@strapi/utils');`
fix: u&p service hashes password attributes 2024-04-18 15:58:46 +02:00			`const { toNumber, getOr } = require('lodash/fp');`
Refactor all query() calls 2021-07-08 18:15:32 +02:00			`const { getService } = require('../utils');`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00
chore: deprecate entity-service and delegate to document service 2024-03-11 11:35:58 +01:00			`const USER_MODEL_UID = 'plugin::users-permissions.user';`

WIP 2021-07-08 11:20:13 +02:00			`module.exports = ({ strapi }) => ({`
added user count Signed-off-by: Walter Cossu <walter.cossu@realt.it> 2020-04-17 17:33:21 +02:00			`/**`
			`* Promise to count users`
			`*`
			`* @return {Promise}`
			`*/`

			`count(params) {`
chore: deprecate entity-service and delegate to document service 2024-03-11 11:35:58 +01:00			`return strapi.db.query(USER_MODEL_UID).count({ where: params });`
added user count Signed-off-by: Walter Cossu <walter.cossu@realt.it> 2020-04-17 17:33:21 +02:00			`},`

added countSearch method to user service 2020-04-24 10:30:37 +02:00			`/**`
fix: u&p service hashes password attributes 2024-04-18 15:58:46 +02:00			`* Hashes password fields in the provided values object if they are present.`
			`* It checks each key in the values object against the model's attributes and`
			`* hashes it if the attribute type is 'password',`
added countSearch method to user service 2020-04-24 10:30:37 +02:00			`*`
fix: u&p service hashes password attributes 2024-04-18 15:58:46 +02:00			`* @param {object} values - The object containing the fields to be hashed.`
			`* @return {object} The values object with hashed password fields if they were present.`
added countSearch method to user service 2020-04-24 10:30:37 +02:00			`*/`
fix: u&p service hashes password attributes 2024-04-18 15:58:46 +02:00			`async ensureHashedPasswords(values) {`
			`const attributes = strapi.getModel(USER_MODEL_UID).attributes;`

			`for (const key in values) {`
			`if (attributes[key] && attributes[key].type === 'password') {`
			`// Check if a custom encryption.rounds has been set on the password attribute`
			`const rounds = toNumber(getOr(10, 'encryption.rounds', attributes[key]));`
			`values[key] = await bcrypt.hash(values[key], rounds);`
			`}`
			`}`

			`return values;`
			`},`
added countSearch method to user service 2020-04-24 10:30:37 +02:00
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`/**`
			`* Promise to add a/an user.`
			`* @return {Promise}`
			`*/`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`async add(values) {`
chore: deprecate entity-service and delegate to document service 2024-03-11 11:35:58 +01:00			`return strapi.db.query(USER_MODEL_UID).create({`
fix: u&p service hashes password attributes 2024-04-18 15:58:46 +02:00			`data: await this.ensureHashedPasswords(values),`
correcting entity create 2022-01-27 10:15:04 +01:00			`populate: ['role'],`
			`});`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`},`

			`/**`
			`* Promise to edit a/an user.`
Fix Update user does not update component attribute (#11871) * use entityService to update user instead of old query, add update test Signed-off-by: harimkims <harimkims@gmail.com> * fix e2e test * Add component update test * Remove console.log Co-authored-by: Jean-Sébastien Herbaux <jean-sebastien.herbaux@epitech.eu> 2022-01-05 23:54:58 +09:00			`* @param {string} userId`
			`* @param {object} params`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`* @return {Promise}`
			`*/`
Fix Update user does not update component attribute (#11871) * use entityService to update user instead of old query, add update test Signed-off-by: harimkims <harimkims@gmail.com> * fix e2e test * Add component update test * Remove console.log Co-authored-by: Jean-Sébastien Herbaux <jean-sebastien.herbaux@epitech.eu> 2022-01-05 23:54:58 +09:00			`async edit(userId, params = {}) {`
chore: deprecate entity-service and delegate to document service 2024-03-11 11:35:58 +01:00			`return strapi.db.query(USER_MODEL_UID).update({`
			`where: { id: userId },`
fix: u&p service hashes password attributes 2024-04-18 15:58:46 +02:00			`data: await this.ensureHashedPasswords(params),`
fix confirmation url missing the api prefix 2022-01-10 18:11:32 +01:00			`populate: ['role'],`
			`});`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`},`

			`/**`
Sort functions by name 2017-12-07 15:27:11 +01:00			`* Promise to fetch a/an user.`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`* @return {Promise}`
			`*/`
Replace fetch, fetchAll query with entityService 2022-03-03 22:56:58 +09:00			`fetch(id, params) {`
chore: introduce query-params service to remove strapi.global dep in utils 2024-03-25 12:32:56 +01:00			`const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});`
chore: deprecate entity-service and delegate to document service 2024-03-11 11:35:58 +01:00
			`return strapi.db.query(USER_MODEL_UID).findOne({`
			`...query,`
			`where: {`
			`$and: [{ id }, query.where \|\| {}],`
			`},`
			`});`
Sort functions by name 2017-12-07 15:27:11 +01:00			`},`

Fix/#7197/Change custom populate state to own service (#7204) * Fix/#7197/Change custom populate state to own service To avoid issue with population we change the service of state user to there own service call "fetchState", also to keep a separate customization Signed-off-by: Juan David <juand.business@gmail.com> * specific service for fetch authenticated user Signed-off-by: Juan David <juand.business@gmail.com> * Update comment Signed-off-by: Juan David <juand.business@gmail.com> * Add some comments Signed-off-by: Juan David <juand.business@gmail.com> 2020-07-28 10:18:18 +03:00			`/**`
			`* Promise to fetch authenticated user.`
			`* @return {Promise}`
			`*/`
			`fetchAuthenticatedUser(id) {`
chore: deprecate entity-service and delegate to document service 2024-03-11 11:35:58 +01:00			`return strapi.db.query(USER_MODEL_UID).findOne({ where: { id }, populate: ['role'] });`
Fix/#7197/Change custom populate state to own service (#7204) * Fix/#7197/Change custom populate state to own service To avoid issue with population we change the service of state user to there own service call "fetchState", also to keep a separate customization Signed-off-by: Juan David <juand.business@gmail.com> * specific service for fetch authenticated user Signed-off-by: Juan David <juand.business@gmail.com> * Update comment Signed-off-by: Juan David <juand.business@gmail.com> * Add some comments Signed-off-by: Juan David <juand.business@gmail.com> 2020-07-28 10:18:18 +03:00			`},`

Sort functions by name 2017-12-07 15:27:11 +01:00			`/**`
			`* Promise to fetch all users.`
			`* @return {Promise}`
			`*/`
Replace fetch, fetchAll query with entityService 2022-03-03 22:56:58 +09:00			`fetchAll(params) {`
chore: introduce query-params service to remove strapi.global dep in utils 2024-03-25 12:32:56 +01:00			`const query = strapi.get('query-params').transform(USER_MODEL_UID, params ?? {});`
chore: deprecate entity-service and delegate to document service 2024-03-11 11:35:58 +01:00
			`return strapi.db.query(USER_MODEL_UID).findMany(query);`
Register new user with hashed password 2017-11-16 14:12:03 +01:00			`},`

Sort functions by name 2017-12-07 15:27:11 +01:00			`/**`
			`* Promise to remove a/an user.`
			`* @return {Promise}`
			`*/`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`async remove(params) {`
chore: deprecate entity-service and delegate to document service 2024-03-11 11:35:58 +01:00			`return strapi.db.query(USER_MODEL_UID).delete({ where: params });`
Sort functions by name 2017-12-07 15:27:11 +01:00			`},`

Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`validatePassword(password, hash) {`
Use brcrypt.compare for password validation instead of compareSync (#7612) Signed-off-by: Vinit Sarvade <vinit.sarvade.08@gmail.com> 2020-09-01 20:33:37 +05:30			`return bcrypt.compare(password, hash);`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`},`
Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00
			`async sendConfirmationEmail(user) {`
Fix default permissions in UP plugin 2021-08-02 08:28:10 +02:00			`const userPermissionService = getService('users-permissions');`
Init migration v4 - Hooks registry - D&P CT migrations - i18N CT migrations - Umzug with js / sql migrations - Eslint updates 2021-09-13 12:03:12 +02:00			`const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });`
chore: deprecate entity-service and delegate to document service 2024-03-11 11:35:58 +01:00			`const userSchema = strapi.getModel(USER_MODEL_UID);`
Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00
			`const settings = await pluginStore`
			`.get({ key: 'email' })`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`.then((storeEmail) => storeEmail.email_confirmation.options);`
Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00
Sanitize user information for email templates 2021-11-05 10:45:25 +01:00			`// Sanitize the template's user information`
fix: emailConfirmation broken 2024-09-16 10:26:16 +02:00			`const sanitizedUserInfo = await sanitize.sanitizers.defaultSanitizeOutput(`
			`{`
			`schema: userSchema,`
			`getModel: strapi.getModel.bind(strapi),`
			`},`
			`user`
			`);`
Sanitize user information for email templates 2021-11-05 10:45:25 +01:00
Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00			`const confirmationToken = crypto.randomBytes(20).toString('hex');`

Fix Update user does not update component attribute (#11871) * use entityService to update user instead of old query, add update test Signed-off-by: harimkims <harimkims@gmail.com> * fix e2e test * Add component update test * Remove console.log Co-authored-by: Jean-Sébastien Herbaux <jean-sebastien.herbaux@epitech.eu> 2022-01-05 23:54:58 +09:00			`await this.edit(user.id, { confirmationToken });`
Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00
fix confirmation url missing the api prefix 2022-01-10 18:11:32 +01:00			`const apiPrefix = strapi.config.get('api.rest.prefix');`
Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00
Update users-permissions service to prevent usage of invalid email templates 2022-12-30 19:01:04 +01:00			`try {`
			`settings.message = await userPermissionService.template(settings.message, {`
chore: setup configuration in one place only 2024-01-19 10:09:53 +01:00			`URL: urlJoin(`
			`strapi.config.get('server.absoluteUrl'),`
			`apiPrefix,`
			`'/auth/email-confirmation'`
			`),`
			`SERVER_URL: strapi.config.get('server.absoluteUrl'),`
			`ADMIN_URL: strapi.config.get('admin.absoluteUrl'),`
Update users-permissions service to prevent usage of invalid email templates 2022-12-30 19:01:04 +01:00			`USER: sanitizedUserInfo,`
			`CODE: confirmationToken,`
			`});`

			`settings.object = await userPermissionService.template(settings.object, {`
			`USER: sanitizedUserInfo,`
			`});`
			`} catch {`
			`strapi.log.error(`
			`'[plugin::users-permissions.sendConfirmationEmail]: Failed to generate a template for "user confirmation email". Please make sure your email template is valid and does not contain invalid characters or patterns'`
			`);`
			`return;`
			`}`
Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00
			`// Send an email to the user.`
Migrate plugin getters 2021-08-19 22:27:00 +02:00			`await strapi`
			`.plugin('email')`
			`.service('email')`
			`.send({`
			`to: user.email,`
			`from:`
			`settings.from.email && settings.from.name`
			? `${settings.from.name} <${settings.from.email}>`
			`: undefined,`
			`replyTo: settings.response_email,`
			`subject: settings.object,`
			`text: settings.message,`
			`html: settings.message,`
			`});`
Add confirmationToken to user for email confirmation Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-16 16:53:40 +02:00			`},`
WIP 2021-07-08 11:20:13 +02:00			`});`