strapi/packages/plugins/users-permissions/server/strategies/users-permissions.js

'use strict';

const { castArray, map } = require('lodash/fp');

const { getService } = require('../utils');

const getAdvancedSettings = () => {
  return strapi.store({ type: 'plugin', name: 'users-permissions' }).get({ key: 'advanced' });
};

const authenticate = async ctx => {
  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
    try {
      const { id } = await getService('jwt').getToken(ctx);

      if (id === undefined) {
        return { authenticated: false };
      }

      // fetch authenticated user
      const user = await getService('user').fetchAuthenticatedUser(id);

      if (!user) {
        return { error: 'Invalid credentials' };
      }

      const advancedSettings = await getAdvancedSettings();

      if (advancedSettings.email_confirmation && !user.confirmed) {
        return { error: 'Invalid credentials' };
      }

      if (user.blocked) {
        return { error: 'Invalid credentials' };
      }

      ctx.state.user = user;

      return {
        authenticated: true,
        credentials: user,
      };
    } catch (err) {
      return { authenticated: false };
    }
  }

  const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
    where: {
      role: { type: 'public' },
    },
  });

  if (publicPermissions.length === 0) {
    return { authenticated: false };
  }

  return {
    authenticated: true,
    credentials: null,
  };
};

const verify = async (auth, config) => {
  const { errors } = strapi.container.get('auth');

  const { credentials: user } = auth;

  // public accesss
  if (!user) {
    // test against public role
    const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
      where: {
        role: { type: 'public' },
      },
    });

    const allowedActions = map('action', publicPermissions);

    // A non authenticated user cannot access routes that do not have a scope
    if (!config.scope) {
      throw new errors.UnauthorizedError();
    }

    const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));

    if (!isAllowed) {
      throw new errors.ForbiddenError();
    }

    return;
  }

  const permissions = await strapi.query('plugin::users-permissions.permission').findMany({
    where: { role: user.role.id },
  });

  const allowedActions = map('action', permissions);

  // An authenticated user can access non scoped routes
  if (!config.scope) {
    return;
  }

  const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));

  if (!isAllowed) {
    throw new errors.ForbiddenError();
  }

  // TODO: if we need to keep policies for u&p execution
  // Execute the policies.
  // if (permission.policy) {
  //   return await strapi.plugin('users-permissions').policy(permission.policy)(ctx, next);
  // }
};

module.exports = {
  name: 'users-permissions',
  authenticate,
  verify,
};
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`'use strict';`

			`const { castArray, map } = require('lodash/fp');`

			`const { getService } = require('../utils');`

			`const getAdvancedSettings = () => {`
Init migration v4 - Hooks registry - D&P CT migrations - i18N CT migrations - Umzug with js / sql migrations - Eslint updates 2021-09-13 12:03:12 +02:00			`return strapi.store({ type: 'plugin', name: 'users-permissions' }).get({ key: 'advanced' });`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`};`

			`const authenticate = async ctx => {`
			`if (ctx.request && ctx.request.header && ctx.request.header.authorization) {`
			`try {`
			`const { id } = await getService('jwt').getToken(ctx);`

			`if (id === undefined) {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return { authenticated: false };`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`}`

			`// fetch authenticated user`
			`const user = await getService('user').fetchAuthenticatedUser(id);`

Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`if (!user) {`
improve scope matching and verification failures 2021-09-17 14:07:39 +02:00			`return { error: 'Invalid credentials' };`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`}`

Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`const advancedSettings = await getAdvancedSettings();`

			`if (advancedSettings.email_confirmation && !user.confirmed) {`
improve scope matching and verification failures 2021-09-17 14:07:39 +02:00			`return { error: 'Invalid credentials' };`
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`}`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`if (user.blocked) {`
improve scope matching and verification failures 2021-09-17 14:07:39 +02:00			`return { error: 'Invalid credentials' };`
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`}`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`ctx.state.user = user;`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`return {`
			`authenticated: true,`
			`credentials: user,`
			`};`
			`} catch (err) {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return { authenticated: false };`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00			`}`
			`}`

			`const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({`
			`where: {`
			`role: { type: 'public' },`
			`},`
			`});`

			`if (publicPermissions.length === 0) {`
			`return { authenticated: false };`
			`}`

			`return {`
			`authenticated: true,`
			`credentials: null,`
			`};`
			`};`

			`const verify = async (auth, config) => {`
Move admin auth to global auth system 2021-09-08 16:16:16 +02:00			`const { errors } = strapi.container.get('auth');`
Move U&P permissions to new auth system 2021-09-07 14:51:48 +02:00
			`const { credentials: user } = auth;`

			`// public accesss`
			`if (!user) {`
			`// test against public role`
			`const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({`
			`where: {`
			`role: { type: 'public' },`
			`},`
			`});`

			`const allowedActions = map('action', publicPermissions);`

			`// A non authenticated user cannot access routes that do not have a scope`
			`if (!config.scope) {`
			`throw new errors.UnauthorizedError();`
			`}`

			`const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));`

			`if (!isAllowed) {`
			`throw new errors.ForbiddenError();`
			`}`

			`return;`
			`}`

			`const permissions = await strapi.query('plugin::users-permissions.permission').findMany({`
			`where: { role: user.role.id },`
			`});`

			`const allowedActions = map('action', permissions);`

			`// An authenticated user can access non scoped routes`
			`if (!config.scope) {`
			`return;`
			`}`

			`const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));`

			`if (!isAllowed) {`
			`throw new errors.ForbiddenError();`
			`}`

			`// TODO: if we need to keep policies for u&p execution`
			`// Execute the policies.`
			`// if (permission.policy) {`
			`// return await strapi.plugin('users-permissions').policy(permission.policy)(ctx, next);`
			`// }`
			`};`

			`module.exports = {`
			`name: 'users-permissions',`
			`authenticate,`
			`verify,`
			`};`