strapi/packages/plugins/users-permissions/server/strategies/users-permissions.js

'use strict';

const { castArray, map, every, pipe } = require('lodash/fp');
const { ForbiddenError, UnauthorizedError } = require('@strapi/utils').errors;

const { getService } = require('../utils');

const getAdvancedSettings = () => {
  return strapi.store({ type: 'plugin', name: 'users-permissions' }).get({ key: 'advanced' });
};

const authenticate = async (ctx) => {
  try {
    const token = await getService('jwt').getToken(ctx);

    if (token) {
      const { id } = token;

      // Invalid token
      if (id === undefined) {
        return { authenticated: false };
      }

      const user = await getService('user').fetchAuthenticatedUser(id);

      // No user associated to the token
      if (!user) {
        return { error: 'Invalid credentials' };
      }

      const advancedSettings = await getAdvancedSettings();

      // User not confirmed
      if (advancedSettings.email_confirmation && !user.confirmed) {
        return { error: 'Invalid credentials' };
      }

      // User blocked
      if (user.blocked) {
        return { error: 'Invalid credentials' };
      }

      // Fetch user's permissions
      const permissions = await Promise.resolve(user.role.id)
        .then(getService('permission').findRolePermissions)
        .then(map(getService('permission').toContentAPIPermission));

      // Generate an ability (content API engine) based on the given permissions
      const ability = await strapi.contentAPI.permissions.engine.generateAbility(permissions);

      ctx.state.user = user;

      return {
        authenticated: true,
        credentials: user,
        ability,
      };
    }

    const publicPermissions = await getService('permission')
      .findPublicPermissions()
      .then(map(getService('permission').toContentAPIPermission));

    if (publicPermissions.length === 0) {
      return { authenticated: false };
    }

    const ability = await strapi.contentAPI.permissions.engine.generateAbility(publicPermissions);

    return {
      authenticated: true,
      credentials: null,
      ability,
    };
  } catch (err) {
    return { authenticated: false };
  }
};

const verify = async (auth, config) => {
  const { credentials: user, ability } = auth;

  if (!config.scope) {
    if (!user) {
      // A non authenticated user cannot access routes that do not have a scope
      throw new UnauthorizedError();
    } else {
      // An authenticated user can access non scoped routes
      return;
    }
  }

  // If no ability have been generated, then consider auth is missing
  if (!ability) {
    throw new UnauthorizedError();
  }

  const isAllowed = pipe(
    // Make sure we're dealing with an array
    castArray,
    // Transform the scope array into an action array
    every((scope) => ability.can(scope))
  )(config.scope);

  if (!isAllowed) {
    throw new ForbiddenError();
  }
};

module.exports = {
  name: 'users-permissions',
  authenticate,
  verify,
};
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`'use strict';`

Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`const { castArray, map, every, pipe } = require('lodash/fp');`
returned an important check condition 2022-01-08 15:46:36 +00:00			`const { ForbiddenError, UnauthorizedError } = require('@strapi/utils').errors;`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
			`const { getService } = require('../utils');`

			`const getAdvancedSettings = () => {`
Init migration v4 - Hooks registry - D&P CT migrations - i18N CT migrations - Umzug with js / sql migrations - Eslint updates 2021-09-13 12:03:12 +02:00			`return strapi.store({ type: 'plugin', name: 'users-permissions' }).get({ key: 'advanced' });`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`};`

Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const authenticate = async (ctx) => {`
Support query access_token 2021-11-15 17:54:17 +01:00			`try {`
			`const token = await getService('jwt').getToken(ctx);`

			`if (token) {`
			`const { id } = token;`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`// Invalid token`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`if (id === undefined) {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return { authenticated: false };`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`}`

			`const user = await getService('user').fetchAuthenticatedUser(id);`

Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`// No user associated to the token`
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`if (!user) {`
improve scope matching and verification failures 2021-09-17 14:07:39 +02:00			`return { error: 'Invalid credentials' };`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`}`

Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`const advancedSettings = await getAdvancedSettings();`

Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`// User not confirmed`
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`if (advancedSettings.email_confirmation && !user.confirmed) {`
improve scope matching and verification failures 2021-09-17 14:07:39 +02:00			`return { error: 'Invalid credentials' };`
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`}`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`// User blocked`
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`if (user.blocked) {`
improve scope matching and verification failures 2021-09-17 14:07:39 +02:00			`return { error: 'Invalid credentials' };`
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`}`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`// Fetch user's permissions`
			`const permissions = await Promise.resolve(user.role.id)`
			`.then(getService('permission').findRolePermissions)`
			`.then(map(getService('permission').toContentAPIPermission));`

			`// Generate an ability (content API engine) based on the given permissions`
			`const ability = await strapi.contentAPI.permissions.engine.generateAbility(permissions);`

Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`ctx.state.user = user;`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`return {`
			`authenticated: true,`
			`credentials: user,`
Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`ability,`
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`};`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`}`

Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`const publicPermissions = await getService('permission')`
			`.findPublicPermissions()`
			`.then(map(getService('permission').toContentAPIPermission));`
Support query access_token 2021-11-15 17:54:17 +01:00
			`if (publicPermissions.length === 0) {`
			`return { authenticated: false };`
			`}`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`const ability = await strapi.contentAPI.permissions.engine.generateAbility(publicPermissions);`

Support query access_token 2021-11-15 17:54:17 +01:00			`return {`
			`authenticated: true,`
			`credentials: null,`
Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`ability,`
Support query access_token 2021-11-15 17:54:17 +01:00			`};`
			`} catch (err) {`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`return { authenticated: false };`
			`}`
			`};`

			`const verify = async (auth, config) => {`
Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`const { credentials: user, ability } = auth;`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
returned another important condition 2022-01-21 04:42:07 +00:00			`if (!config.scope) {`
			`if (!user) {`
			`// A non authenticated user cannot access routes that do not have a scope`
			`throw new UnauthorizedError();`
			`} else {`
			`// An authenticated user can access non scoped routes`
			`return;`
			`}`
returned an important check condition 2022-01-08 15:46:36 +00:00			`}`

Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`// If no ability have been generated, then consider auth is missing`
			`if (!ability) {`
			`throw new UnauthorizedError();`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`}`

Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`const isAllowed = pipe(`
			`// Make sure we're dealing with an array`
			`castArray,`
			`// Transform the scope array into an action array`
Merge branch 'main' into features/api-token-v2 2022-08-18 12:18:09 +03:00			`every((scope) => ability.can(scope))`
Make users-permissions auth strategy use the content API permission engine 2022-07-29 10:17:06 +02:00			`)(config.scope);`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
			`if (!isAllowed) {`
refacto graphql errors 2021-10-27 18:54:58 +02:00			`throw new ForbiddenError();`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`}`
			`};`

			`module.exports = {`
			`name: 'users-permissions',`
			`authenticate,`
			`verify,`
			`};`