strapi/packages/core/admin/server/services/api-token.js

'use strict';

const crypto = require('crypto');

/**
 * @typedef {'read-only'|'full-access'} TokenType
 */

/**
 * @typedef ApiToken
 *
 * @property {number|string} id
 * @property {string} name
 * @property {string} [description]
 * @property {string} accessKey
 * @property {TokenType} type
 */

/**
 * @param {Object} whereParams
 * @param {string} whereParams.name
 * @param {string} [whereParams.description]
 *
 * @returns {Promise<boolean>}
 */
const exists = async (whereParams = {}) => {
  const apiToken = await strapi.query('admin::api-token').findOne({ where: whereParams });

  return !!apiToken;
};

/**
 * @param {string} accessKey
 *
 * @returns {string}
 */
const hash = accessKey => {
  return crypto
    .createHmac('sha512', strapi.config.get('server.admin.api-token.salt'))
    .update(accessKey)
    .digest('hex');
};

/**
 * @param {Object} attributes
 * @param {TokenType} attributes.type
 * @param {string} attributes.name
 * @param {string} [attributes.description]
 *
 * @returns {Promise<ApiToken>}
 */
const create = async attributes => {
  const accessKey = crypto.randomBytes(128).toString('hex');

  const apiToken = await strapi.query('admin::api-token').create({
    select: ['id', 'name', 'description', 'type'],
    data: {
      ...attributes,
      accessKey: hash(accessKey),
    },
  });

  return {
    ...apiToken,
    accessKey,
  };
};

/**
 * @returns {void}
 */
const createSaltIfNotDefined = () => {
  if (strapi.config.get('server.admin.api-token.salt')) {
    return;
  }

  if (process.env.API_TOKEN_SALT) {
    throw new Error(
      `There's something wrong with the configuration of your api-token salt. If you have changed the env variable used in the configuration file, please verify that you have created and set the variable in your .env file.`
    );
  }

  const salt = crypto.randomBytes(16).toString('hex');
  strapi.fs.appendFile('.env', `API_TOKEN_SALT=${salt}\n`);
  strapi.config.set('server.admin.api-token.salt', salt);
};

/**
 * @returns {Promise<{id: number|string, name: string, description: string, type: TokenType}>}
 */
const list = async () => {
  return strapi.query('admin::api-token').findMany({
    select: ['id', 'name', 'description', 'type'],
    orderBy: { name: 'ASC' },
  });
};

/**
 * @param {string|number} id
 *
 * @returns {Promise<void>}
 */
const revoke = async id => {
  return strapi.query('admin::api-token').delete({ where: { id } });
};

module.exports = {
  create,
  exists,
  createSaltIfNotDefined,
  hash,
  list,
  revoke,
};
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`'use strict';`

			`const crypto = require('crypto');`

adds tests 2021-08-30 14:00:53 +02:00			`/**`
			`* @typedef {'read-only'\|'full-access'} TokenType`
			`*/`

improve jsdoc comments 2021-08-27 09:44:29 +02:00			`/**`
			`* @typedef ApiToken`
			`*`
adds tests 2021-08-30 14:00:53 +02:00			`* @property {number\|string} id`
improve jsdoc comments 2021-08-27 09:44:29 +02:00			`* @property {string} name`
			`* @property {string} [description]`
			`* @property {string} accessKey`
adds tests 2021-08-30 14:00:53 +02:00			`* @property {TokenType} type`
improve jsdoc comments 2021-08-27 09:44:29 +02:00			`*/`

implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`/**`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`* @param {Object} whereParams`
			`* @param {string} whereParams.name`
			`* @param {string} [whereParams.description]`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`*`
fix issues after rebasing on release/v4 2021-08-27 10:30:18 +02:00			`* @returns {Promise<boolean>}`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`*/`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`const exists = async (whereParams = {}) => {`
			`const apiToken = await strapi.query('admin::api-token').findOne({ where: whereParams });`

			`return !!apiToken;`
			`};`

			`/**`
			`* @param {string} accessKey`
			`*`
			`* @returns {string}`
			`*/`
			`const hash = accessKey => {`
			`return crypto`
use createHmac in favour of createHash for added security 2021-08-27 17:06:05 +02:00			`.createHmac('sha512', strapi.config.get('server.admin.api-token.salt'))`
			`.update(accessKey)`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`.digest('hex');`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`};`

			`/**`
			`* @param {Object} attributes`
adds tests 2021-08-30 14:00:53 +02:00			`* @param {TokenType} attributes.type`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`* @param {string} attributes.name`
			`* @param {string} [attributes.description]`
			`*`
improve jsdoc comments 2021-08-27 09:44:29 +02:00			`* @returns {Promise<ApiToken>}`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`*/`
			`const create = async attributes => {`
			`const accessKey = crypto.randomBytes(128).toString('hex');`

store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`const apiToken = await strapi.query('admin::api-token').create({`
			`select: ['id', 'name', 'description', 'type'],`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`data: {`
			`...attributes,`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`accessKey: hash(accessKey),`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`},`
			`});`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00
			`return {`
			`...apiToken,`
			`accessKey,`
			`};`
			`};`

			`/**`
			`* @returns {void}`
			`*/`
			`const createSaltIfNotDefined = () => {`
			`if (strapi.config.get('server.admin.api-token.salt')) {`
			`return;`
			`}`

throw an error if there is an issue with the salt configuration 2021-08-27 16:47:02 +02:00			`if (process.env.API_TOKEN_SALT) {`
			`throw new Error(`
			`There's something wrong with the configuration of your api-token salt. If you have changed the env variable used in the configuration file, please verify that you have created and set the variable in your .env file.`
			`);`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`}`
throw an error if there is an issue with the salt configuration 2021-08-27 16:47:02 +02:00
			`const salt = crypto.randomBytes(16).toString('hex');`
			strapi.fs.appendFile('.env', `API_TOKEN_SALT=${salt}\n`);
			`strapi.config.set('server.admin.api-token.salt', salt);`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`};`

implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`/**`
adds tests 2021-08-30 14:00:53 +02:00			`* @returns {Promise<{id: number\|string, name: string, description: string, type: TokenType}>}`
implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`*/`
			`const list = async () => {`
adds tests 2021-08-30 14:00:53 +02:00			`return strapi.query('admin::api-token').findMany({`
			`select: ['id', 'name', 'description', 'type'],`
add e2e tests 2021-08-27 08:39:08 +02:00			`orderBy: { name: 'ASC' },`
			`});`
implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`};`

add DELETE route and logic 2021-08-31 15:31:54 +02:00			`/**`
			`* @param {string\|number} id`
			`*`
			`* @returns {Promise<void>}`
			`*/`
			`const revoke = async id => {`
			`return strapi.query('admin::api-token').delete({ where: { id } });`
			`};`

implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`module.exports = {`
			`create,`
			`exists,`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`createSaltIfNotDefined,`
			`hash,`
implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`list,`
add DELETE route and logic 2021-08-31 15:31:54 +02:00			`revoke,`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`};`