strapi/packages/core/admin/server/services/api-token.js

'use strict';

const crypto = require('crypto');
const { map, omit, differenceBy } = require('lodash/fp');
const { ValidationError } = require('@strapi/utils').errors;
const constants = require('../services/constants');

/**
 * @typedef {'read-only'|'full-access'|'custom'} TokenType
 */

/**
 * @typedef ApiToken
 *
 * @property {number|string} id
 * @property {string} name
 * @property {string} [description]
 * @property {string} accessKey
 * @property {TokenType} type
 * @property {(number|ApiTokenPermission)[]} [permissions]
 */

/**
 * @typedef ApiTokenPermission
 *
 * @property {number|string} id
 * @property {string} action
 * @property {ApiToken|number} [token]
 */

/** @constant {Array<string>} */
const SELECT_FIELDS = ['id', 'name', 'description', 'type', 'createdAt'];

/** @constant {Array<string>} */
const POPULATE_FIELDS = ['permissions'];

const assertCustomTokenPermissionsValidity = attributes => {
  // Ensure non-custom tokens doesn't have permissions
  if (attributes.type !== constants.API_TOKEN_TYPE.CUSTOM && attributes.permissions) {
    throw new ValidationError('Non-custom tokens should not references permissions');
  }

  // Custom type tokens should always have permissions attached to them
  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM && !attributes.permissions) {
    throw new ValidationError('Missing permissions attributes for custom token');
  }
};

/**
 * @param {Object} whereParams
 * @param {string|number} [whereParams.id]
 * @param {string} [whereParams.name]
 * @param {string} [whereParams.description]
 * @param {string} [whereParams.accessKey]
 *
 * @returns {Promise<boolean>}
 */
const exists = async (whereParams = {}) => {
  const apiToken = await getBy(whereParams);

  return !!apiToken;
};

/**
 * @param {string} accessKey
 *
 * @returns {string}
 */
const hash = accessKey => {
  return crypto
    .createHmac('sha512', strapi.config.get('admin.apiToken.salt'))
    .update(accessKey)
    .digest('hex');
};

/**
 * @param {Object} attributes
 * @param {TokenType} attributes.type
 * @param {string} attributes.name
 * @param {string[]} [attributes.permissions]
 * @param {string} [attributes.description]
 *
 * @returns {Promise<ApiToken>}
 */
const create = async attributes => {
  const accessKey = crypto.randomBytes(128).toString('hex');

  assertCustomTokenPermissionsValidity(attributes);

  // Create the token
  const apiToken = await strapi.query('admin::api-token').create({
    select: SELECT_FIELDS,
    populate: POPULATE_FIELDS,
    data: {
      ...omit('permissions', attributes),
      accessKey: hash(accessKey),
    },
  });

  const result = { ...apiToken, accessKey };

  // If this is a custom type token, create and link the associated permissions
  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {
    const permissionsCount = await strapi
      .query('admin::token-permission')
      .createMany({ data: attributes.permissions.map(action => ({ action, token: apiToken.id })) });

    // TODO: should we select the permissions again to ensure it worked?
    if (permissionsCount) {
      Object.assign(result, { permissions: attributes.permissions });
    }
  }

  return result;
};

/**
 * @returns {void}
 */
const checkSaltIsDefined = () => {
  if (!strapi.config.get('admin.apiToken.salt')) {
    // TODO V5: stop reading API_TOKEN_SALT
    if (process.env.API_TOKEN_SALT) {
      process.emitWarning(`[deprecated] In future versions, Strapi will stop reading directly from the environment variable API_TOKEN_SALT. Please set apiToken.salt in config/admin.js instead.
For security reasons, keep storing the secret in an environment variable and use env() to read it in config/admin.js (ex: \`apiToken: { salt: env('API_TOKEN_SALT') }\`). See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`);

      strapi.config.set('admin.apiToken.salt', process.env.API_TOKEN_SALT);
    } else {
      throw new Error(
        `Missing apiToken.salt. Please set apiToken.salt in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
      );
    }
  }
};

/**
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const list = async () => {
  return strapi.query('admin::api-token').findMany({
    select: SELECT_FIELDS,
    populate: POPULATE_FIELDS,
    orderBy: { name: 'ASC' },
  });
};

/**
 * @param {string|number} id
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const revoke = async id => {
  return strapi
    .query('admin::api-token')
    .delete({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: { id } });
};

/**
 * @param {string|number} id
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const getById = async id => {
  return getBy({ id });
};

/**
 * @param {string} name
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const getByName = async name => {
  return getBy({ name });
};

/**
 * @param {string|number} id
 * @param {Object} attributes
 * @param {TokenType} attributes.type
 * @param {string} attributes.name
 * @param {string} [attributes.description]
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const update = async (id, attributes) => {
  const oldToken = await strapi.query('admin::api-token').findOne({ where: { id } });

  if (!oldToken) {
    throw new Error('Token not found');
  }

  assertCustomTokenPermissionsValidity({ ...attributes, type: attributes.type || oldToken.type });

  const token = await strapi.query('admin::api-token').update({
    select: SELECT_FIELDS,
    populate: POPULATE_FIELDS,
    where: { id },
    data: omit('permissions', attributes),
  });

  if (token.type === 'custom') {
    const permissionsToDelete = differenceBy('action', token.permissions, attributes.permissions);
    const permissionsToCreate = differenceBy('action', attributes.permissions, token.permissions);

    await strapi
      .query('admin::token-permission')
      .deleteMany({ where: { action: map('action', permissionsToDelete) } });

    await strapi
      .query('admin::token-permission')
      .createMany({ data: permissionsToCreate.map(({ action }) => ({ action, token: id })) });
  }

  const permissions = await strapi.entityService.load('admin::api-token', token, 'permissions');

  return { ...token, permissions };
};

/**
 * @param {Object} whereParams
 * @param {string|number} [whereParams.id]
 * @param {string} [whereParams.name]
 * @param {string} [whereParams.description]
 * @param {string} [whereParams.accessKey]
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'> | null>}
 */
const getBy = async (whereParams = {}) => {
  if (Object.keys(whereParams).length === 0) {
    return null;
  }

  return strapi
    .query('admin::api-token')
    .findOne({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: whereParams });
};

module.exports = {
  create,
  exists,
  checkSaltIsDefined,
  hash,
  list,
  revoke,
  getById,
  update,
  getByName,
  getBy,
};
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`'use strict';`

			`const crypto = require('crypto');`
Fix update & create 2022-08-05 12:31:16 +02:00			`const { map, omit, differenceBy } = require('lodash/fp');`
use ValidationError 2022-08-09 10:28:42 +02:00			`const { ValidationError } = require('@strapi/utils').errors;`
use constant 2022-08-08 17:06:38 +02:00			`const constants = require('../services/constants');`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00
adds tests 2021-08-30 14:00:53 +02:00			`/**`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`* @typedef {'read-only'\|'full-access'\|'custom'} TokenType`
adds tests 2021-08-30 14:00:53 +02:00			`*/`

improve jsdoc comments 2021-08-27 09:44:29 +02:00			`/**`
			`* @typedef ApiToken`
			`*`
adds tests 2021-08-30 14:00:53 +02:00			`* @property {number\|string} id`
improve jsdoc comments 2021-08-27 09:44:29 +02:00			`* @property {string} name`
			`* @property {string} [description]`
			`* @property {string} accessKey`
adds tests 2021-08-30 14:00:53 +02:00			`* @property {TokenType} type`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`* @property {(number\|ApiTokenPermission)[]} [permissions]`
			`*/`

			`/**`
			`* @typedef ApiTokenPermission`
			`*`
			`* @property {number\|string} id`
			`* @property {string} action`
			`* @property {ApiToken\|number} [token]`
improve jsdoc comments 2021-08-27 09:44:29 +02:00			`*/`

return deleted token 2021-09-02 10:47:06 +02:00			`/** @constant {Array<string>} */`
implement the ListView for the API Tokens 2021-10-05 13:13:45 +02:00			`const SELECT_FIELDS = ['id', 'name', 'description', 'type', 'createdAt'];`
return deleted token 2021-09-02 10:47:06 +02:00
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`/** @constant {Array<string>} */`
			`const POPULATE_FIELDS = ['permissions'];`

			`const assertCustomTokenPermissionsValidity = attributes => {`
			`// Ensure non-custom tokens doesn't have permissions`
use constants 2022-08-08 22:50:36 +02:00			`if (attributes.type !== constants.API_TOKEN_TYPE.CUSTOM && attributes.permissions) {`
use ValidationError 2022-08-09 10:28:42 +02:00			`throw new ValidationError('Non-custom tokens should not references permissions');`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`}`

			`// Custom type tokens should always have permissions attached to them`
use constants 2022-08-08 22:50:36 +02:00			`if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM && !attributes.permissions) {`
use ValidationError 2022-08-09 10:28:42 +02:00			`throw new ValidationError('Missing permissions attributes for custom token');`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`}`
			`};`

implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`/**`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`* @param {Object} whereParams`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`* @param {string\|number} [whereParams.id]`
			`* @param {string} [whereParams.name]`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`* @param {string} [whereParams.description]`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`* @param {string} [whereParams.accessKey]`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`*`
fix issues after rebasing on release/v4 2021-08-27 10:30:18 +02:00			`* @returns {Promise<boolean>}`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`*/`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`const exists = async (whereParams = {}) => {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`const apiToken = await getBy(whereParams);`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00
			`return !!apiToken;`
			`};`

			`/**`
			`* @param {string} accessKey`
			`*`
			`* @returns {string}`
			`*/`
			`const hash = accessKey => {`
			`return crypto`
Fix tests and move api token config to use camelcase naming 2021-10-26 12:18:53 +02:00			`.createHmac('sha512', strapi.config.get('admin.apiToken.salt'))`
use createHmac in favour of createHash for added security 2021-08-27 17:06:05 +02:00			`.update(accessKey)`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`.digest('hex');`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`};`

			`/**`
			`* @param {Object} attributes`
adds tests 2021-08-30 14:00:53 +02:00			`* @param {TokenType} attributes.type`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`* @param {string} attributes.name`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`* @param {string[]} [attributes.permissions]`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`* @param {string} [attributes.description]`
			`*`
improve jsdoc comments 2021-08-27 09:44:29 +02:00			`* @returns {Promise<ApiToken>}`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`*/`
			`const create = async attributes => {`
			`const accessKey = crypto.randomBytes(128).toString('hex');`

Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`assertCustomTokenPermissionsValidity(attributes);`

			`// Create the token`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`const apiToken = await strapi.query('admin::api-token').create({`
return deleted token 2021-09-02 10:47:06 +02:00			`select: SELECT_FIELDS,`
Fix update & create 2022-08-05 12:31:16 +02:00			`populate: POPULATE_FIELDS,`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`data: {`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`...omit('permissions', attributes),`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`accessKey: hash(accessKey),`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`},`
			`});`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`const result = { ...apiToken, accessKey };`

			`// If this is a custom type token, create and link the associated permissions`
use constant 2022-08-08 17:06:38 +02:00			`if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {`
return permissions with custom token create 2022-08-09 10:27:34 +02:00			`const permissionsCount = await strapi`
Fix update & create 2022-08-05 12:31:16 +02:00			`.query('admin::token-permission')`
			`.createMany({ data: attributes.permissions.map(action => ({ action, token: apiToken.id })) });`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00
return permissions with custom token create 2022-08-09 10:27:34 +02:00			`// TODO: should we select the permissions again to ensure it worked?`
			`if (permissionsCount) {`
			`Object.assign(result, { permissions: attributes.permissions });`
			`}`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`}`

			`return result;`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`};`

			`/**`
			`* @returns {void}`
			`*/`
harmonize secret generation + don't generate in production mode 2022-01-24 18:13:27 +01:00			`const checkSaltIsDefined = () => {`
			`if (!strapi.config.get('admin.apiToken.salt')) {`
continue reading API_TOKEN_SALT + add warning deprecated message 2022-02-14 14:57:15 +01:00			`// TODO V5: stop reading API_TOKEN_SALT`
			`if (process.env.API_TOKEN_SALT) {`
fix wording mistakes 2022-03-04 15:48:49 +01:00			process.emitWarning(`[deprecated] In future versions, Strapi will stop reading directly from the environment variable API_TOKEN_SALT. Please set apiToken.salt in config/admin.js instead.
			For security reasons, keep storing the secret in an environment variable and use env() to read it in config/admin.js (ex: \`apiToken: { salt: env('API_TOKEN_SALT') }\`). See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`);

continue reading API_TOKEN_SALT + add warning deprecated message 2022-02-14 14:57:15 +01:00			`strapi.config.set('admin.apiToken.salt', process.env.API_TOKEN_SALT);`
			`} else {`
			`throw new Error(`
change error messages 2022-03-18 17:55:22 +01:00			`Missing apiToken.salt. Please set apiToken.salt in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
			For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
continue reading API_TOKEN_SALT + add warning deprecated message 2022-02-14 14:57:15 +01:00			`);`
			`}`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`}`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`};`

implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`/**`
return deleted token 2021-09-02 10:47:06 +02:00			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`*/`
			`const list = async () => {`
adds tests 2021-08-30 14:00:53 +02:00			`return strapi.query('admin::api-token').findMany({`
return deleted token 2021-09-02 10:47:06 +02:00			`select: SELECT_FIELDS,`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`populate: POPULATE_FIELDS,`
add e2e tests 2021-08-27 08:39:08 +02:00			`orderBy: { name: 'ASC' },`
			`});`
implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`};`

add DELETE route and logic 2021-08-31 15:31:54 +02:00			`/**`
			`* @param {string\|number} id`
			`*`
return deleted token 2021-09-02 10:47:06 +02:00			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
add DELETE route and logic 2021-08-31 15:31:54 +02:00			`*/`
			`const revoke = async id => {`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`return strapi`
			`.query('admin::api-token')`
			`.delete({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: { id } });`
add DELETE route and logic 2021-08-31 15:31:54 +02:00			`};`

implement GET endpoint to get a single token 2021-09-02 11:56:14 +02:00			`/**`
			`* @param {string\|number} id`
			`*`
			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
			`*/`
update tests and rename get method 2021-09-06 15:14:45 +02:00			`const getById = async id => {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return getBy({ id });`
implement GET endpoint to get a single token 2021-09-02 11:56:14 +02:00			`};`

allow for partial payload to update a token 2021-09-08 14:38:43 +02:00			`/**`
			`* @param {string} name`
			`*`
			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
			`*/`
			`const getByName = async name => {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return getBy({ name });`
allow for partial payload to update a token 2021-09-08 14:38:43 +02:00			`};`

implement PUT endpoint to update a token 2021-09-06 13:30:52 +02:00			`/**`
			`* @param {string\|number} id`
			`* @param {Object} attributes`
			`* @param {TokenType} attributes.type`
			`* @param {string} attributes.name`
			`* @param {string} [attributes.description]`
			`*`
			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
			`*/`
			`const update = async (id, attributes) => {`
Fix update & create 2022-08-05 12:31:16 +02:00			`const oldToken = await strapi.query('admin::api-token').findOne({ where: { id } });`

			`if (!oldToken) {`
			`throw new Error('Token not found');`
			`}`

			`assertCustomTokenPermissionsValidity({ ...attributes, type: attributes.type \|\| oldToken.type });`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00
Fix update & create 2022-08-05 12:31:16 +02:00			`const token = await strapi.query('admin::api-token').update({`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`select: SELECT_FIELDS,`
			`populate: POPULATE_FIELDS,`
			`where: { id },`
			`data: omit('permissions', attributes),`
			`});`
Fix update & create 2022-08-05 12:31:16 +02:00
			`if (token.type === 'custom') {`
			`const permissionsToDelete = differenceBy('action', token.permissions, attributes.permissions);`
			`const permissionsToCreate = differenceBy('action', attributes.permissions, token.permissions);`

			`await strapi`
			`.query('admin::token-permission')`
			`.deleteMany({ where: { action: map('action', permissionsToDelete) } });`

			`await strapi`
			`.query('admin::token-permission')`
			`.createMany({ data: permissionsToCreate.map(({ action }) => ({ action, token: id })) });`
			`}`

			`const permissions = await strapi.entityService.load('admin::api-token', token, 'permissions');`

			`return { ...token, permissions };`
implement PUT endpoint to update a token 2021-09-06 13:30:52 +02:00			`};`

add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`/**`
			`* @param {Object} whereParams`
			`* @param {string\|number} [whereParams.id]`
			`* @param {string} [whereParams.name]`
			`* @param {string} [whereParams.description]`
			`* @param {string} [whereParams.accessKey]`
			`*`
			`* @returns {Promise<Omit<ApiToken, 'accessKey'> \| null>}`
			`*/`
			`const getBy = async (whereParams = {}) => {`
			`if (Object.keys(whereParams).length === 0) {`
			`return null;`
			`}`

Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`return strapi`
			`.query('admin::api-token')`
			`.findOne({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: whereParams });`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`};`

implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`module.exports = {`
			`create,`
			`exists,`
harmonize secret generation + don't generate in production mode 2022-01-24 18:13:27 +01:00			`checkSaltIsDefined,`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`hash,`
implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`list,`
add DELETE route and logic 2021-08-31 15:31:54 +02:00			`revoke,`
update tests and rename get method 2021-09-06 15:14:45 +02:00			`getById,`
implement PUT endpoint to update a token 2021-09-06 13:30:52 +02:00			`update,`
allow for partial payload to update a token 2021-09-08 14:38:43 +02:00			`getByName,`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`getBy,`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`};`