strapi/packages/core/admin/server/strategies/api-token.js

'use strict';

const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;
const constants = require('../services/constants');
const { getService } = require('../utils');

const isReadScope = scope => scope.endsWith('find') || scope.endsWith('findOne');

const extractToken = ctx => {
  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
    const parts = ctx.request.header.authorization.split(/\s+/);

    if (parts[0].toLowerCase() !== 'bearer' || parts.length !== 2) {
      return null;
    }

    return parts[1];
  }

  return null;
};

/** @type {import('.').AuthenticateFunction} */
const authenticate = async ctx => {
  const apiTokenService = getService('api-token');
  const token = extractToken(ctx);

  if (!token) {
    return { authenticated: false };
  }

  const apiToken = await apiTokenService.getBy({
    accessKey: apiTokenService.hash(token),
  });

  if (!apiToken) {
    return { authenticated: false };
  }

  return { authenticated: true, credentials: apiToken };
};

/** @type {import('.').VerifyFunction} */
const verify = (auth, config) => {
  const { credentials: apiToken } = auth;

  if (!apiToken) {
    throw new UnauthorizedError();
  }

  if (apiToken.type === constants.API_TOKEN_TYPE.FULL_ACCESS) {
    return;
  }

  /**
   * If you don't have `full-access` you can only access `find` and `findOne`
   * scopes. If the route has no scope, then you can't get access to it.
   */

  const scopes = Array.isArray(config.scope) ? config.scope : [config.scope];
  if (config.scope && scopes.every(isReadScope)) {
    return;
  }

  throw new ForbiddenError();
};

/** @type {import('.').AuthStrategy} */
module.exports = {
  name: 'api-token',
  authenticate,
  verify,
};
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`'use strict';`

refacto graphql errors 2021-10-27 18:54:58 +02:00			`const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`const constants = require('../services/constants');`
			`const { getService } = require('../utils');`

Use array checks in api-token aut strategy 2021-10-11 09:49:35 +02:00			`const isReadScope = scope => scope.endsWith('find') \|\| scope.endsWith('findOne');`

Support query access_token 2021-11-15 17:54:17 +01:00			`const extractToken = ctx => {`
			`if (ctx.request && ctx.request.header && ctx.request.header.authorization) {`
			`const parts = ctx.request.header.authorization.split(/\s+/);`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00
Support query access_token 2021-11-15 17:54:17 +01:00			`if (parts[0].toLowerCase() !== 'bearer' \|\| parts.length !== 2) {`
			`return null;`
			`}`

			`return parts[1];`
			`}`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00
Support query access_token 2021-11-15 17:54:17 +01:00			`return null;`
			`};`

			`/** @type {import('.').AuthenticateFunction} */`
			`const authenticate = async ctx => {`
			`const apiTokenService = getService('api-token');`
			`const token = extractToken(ctx);`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00
Support query access_token 2021-11-15 17:54:17 +01:00			`if (!token) {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return { authenticated: false };`
			`}`

			`const apiToken = await apiTokenService.getBy({`
			`accessKey: apiTokenService.hash(token),`
			`});`

			`if (!apiToken) {`
			`return { authenticated: false };`
			`}`

			`return { authenticated: true, credentials: apiToken };`
			`};`

			`/** @type {import('.').VerifyFunction} */`
			`const verify = (auth, config) => {`
			`const { credentials: apiToken } = auth;`

			`if (!apiToken) {`
refacto graphql errors 2021-10-27 18:54:58 +02:00			`throw new UnauthorizedError();`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`}`

improve scope matching and verification failures 2021-09-17 14:07:39 +02:00			`if (apiToken.type === constants.API_TOKEN_TYPE.FULL_ACCESS) {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return;`
			`}`

improve scope matching and verification failures 2021-09-17 14:07:39 +02:00			`/**`
			* If you don't have `full-access` you can only access `find` and `findOne`
			`* scopes. If the route has no scope, then you can't get access to it.`
			`*/`
Use array checks in api-token aut strategy 2021-10-11 09:49:35 +02:00
Fix relations are not populated if API key is read-only Signed-off-by: harimkims <harimkims@gmail.com> 2021-12-21 22:37:43 +09:00			`const scopes = Array.isArray(config.scope) ? config.scope : [config.scope];`
			`if (config.scope && scopes.every(isReadScope)) {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return;`
			`}`

refacto graphql errors 2021-10-27 18:54:58 +02:00			`throw new ForbiddenError();`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`};`

			`/** @type {import('.').AuthStrategy} */`
			`module.exports = {`
			`name: 'api-token',`
			`authenticate,`
			`verify,`
			`};`