strapi/packages/core/admin/server/services/token.js

'use strict';

const crypto = require('crypto');
const _ = require('lodash');
const jwt = require('jsonwebtoken');

const defaultJwtOptions = { expiresIn: '30d' };

const getTokenOptions = () => {
  const { options, secret } = strapi.config.get('admin.auth', {});

  return {
    secret,
    options: _.merge(defaultJwtOptions, options),
  };
};

/**
 * Create a random token
 * @returns {string}
 */
const createToken = () => {
  return crypto.randomBytes(20).toString('hex');
};

/**
 * Creates a JWT token for an administration user
 * @param {object} user - admin user
 */
const createJwtToken = (user) => {
  const { options, secret } = getTokenOptions();

  return jwt.sign({ id: user.id }, secret, options);
};

/**
 * Tries to decode a token an return its payload and if it is valid
 * @param {string} token - a token to decode
 * @return {Object} decodeInfo - the decoded info
 */
const decodeJwtToken = (token) => {
  const { secret } = getTokenOptions();

  try {
    const payload = jwt.verify(token, secret);
    return { payload, isValid: true };
  } catch (err) {
    return { payload: null, isValid: false };
  }
};

/**
 * @returns {void}
 */
const checkSecretIsDefined = () => {
  if (strapi.config.serveAdminPanel && !strapi.config.get('admin.auth.secret')) {
    throw new Error(
      `Missing auth.secret. Please set auth.secret in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
    );
  }
};

module.exports = {
  createToken,
  createJwtToken,
  getTokenOptions,
  decodeJwtToken,
  checkSecretIsDefined,
};
Add tests Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-13 11:46:52 +02:00			`'use strict';`

Add new POST /admin/users route (controller + related services). Update User model: remove required constraint on password field. Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-13 12:27:46 +02:00			`const crypto = require('crypto');`
Make lint stricter and fix the errors Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 11:27:17 +01:00			`const _ = require('lodash');`
Uniformize code with rbac/login Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 11:06:16 +02:00			`const jwt = require('jsonwebtoken');`
Make lint stricter and fix the errors Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 11:27:17 +01:00
Uniformize code with rbac/login Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 11:06:16 +02:00			`const defaultJwtOptions = { expiresIn: '30d' };`

			`const getTokenOptions = () => {`
Move admin config to config/admin.js 2021-10-26 12:07:57 +02:00			`const { options, secret } = strapi.config.get('admin.auth', {});`
Uniformize code with rbac/login Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 11:06:16 +02:00
			`return {`
			`secret,`
			`options: _.merge(defaultJwtOptions, options),`
			`};`
			`};`
Add tests Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-13 11:46:52 +02:00
Cleanup strapi-admin services & domain Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 10:37:32 +02:00			`/**`
Uniformize code with rbac/login Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 11:06:16 +02:00			`* Create a random token`
Cleanup strapi-admin services & domain Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 10:37:32 +02:00			`* @returns {string}`
			`*/`
Uniformize code with rbac/login Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 11:06:16 +02:00			`const createToken = () => {`
Add e2e tests, fix validation for mongoose, update services Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 18:54:52 +02:00			`return crypto.randomBytes(20).toString('hex');`
Uniformize code with rbac/login Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 11:06:16 +02:00			`};`

			`/**`
			`* Creates a JWT token for an administration user`
			`* @param {object} user - admin user`
			`*/`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const createJwtToken = (user) => {`
Uniformize code with rbac/login Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 11:06:16 +02:00			`const { options, secret } = getTokenOptions();`

			`return jwt.sign({ id: user.id }, secret, options);`
			`};`

			`/**`
			`* Tries to decode a token an return its payload and if it is valid`
			`* @param {string} token - a token to decode`
			`* @return {Object} decodeInfo - the decoded info`
			`*/`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const decodeJwtToken = (token) => {`
Uniformize code with rbac/login Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 11:06:16 +02:00			`const { secret } = getTokenOptions();`

			`try {`
			`const payload = jwt.verify(token, secret);`
			`return { payload, isValid: true };`
			`} catch (err) {`
			`return { payload: null, isValid: false };`
			`}`
			`};`
Cleanup strapi-admin services & domain Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 10:37:32 +02:00
harmonize secret generation + don't generate in production mode 2022-01-24 18:13:27 +01:00			`/**`
			`* @returns {void}`
			`*/`
			`const checkSecretIsDefined = () => {`
			`if (strapi.config.serveAdminPanel && !strapi.config.get('admin.auth.secret')) {`
			`throw new Error(`
change error messages 2022-03-18 17:55:22 +01:00			`Missing auth.secret. Please set auth.secret in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
			For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
harmonize secret generation + don't generate in production mode 2022-01-24 18:13:27 +01:00			`);`
			`}`
			`};`

Add tests Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-13 11:46:52 +02:00			`module.exports = {`
Uniformize code with rbac/login Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-05-14 11:06:16 +02:00			`createToken,`
			`createJwtToken,`
			`getTokenOptions,`
			`decodeJwtToken,`
harmonize secret generation + don't generate in production mode 2022-01-24 18:13:27 +01:00			`checkSecretIsDefined,`
Add tests Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-13 11:46:52 +02:00			`};`