strapi/packages/core/admin/server/services/api-token.js

'use strict';

const crypto = require('crypto');
const { omit, difference, isEmpty, map } = require('lodash/fp');
const { ValidationError, NotFoundError } = require('@strapi/utils').errors;
const constants = require('../services/constants');

/**
 * @typedef {'read-only'|'full-access'|'custom'} TokenType
 */

/**
 * @typedef ApiToken
 *
 * @property {number|string} id
 * @property {string} name
 * @property {string} [description]
 * @property {string} accessKey
 * @property {TokenType} type
 * @property {(number|ApiTokenPermission)[]} [permissions]
 */

/**
 * @typedef ApiTokenPermission
 *
 * @property {number|string} id
 * @property {string} action
 * @property {ApiToken|number} [token]
 */

/** @constant {Array<string>} */
const SELECT_FIELDS = ['id', 'name', 'description', 'type', 'createdAt'];

/** @constant {Array<string>} */
const POPULATE_FIELDS = ['permissions'];

const assertCustomTokenPermissionsValidity = attributes => {
  // Ensure non-custom tokens doesn't have permissions
  if (attributes.type !== constants.API_TOKEN_TYPE.CUSTOM && !isEmpty(attributes.permissions)) {
    throw new ValidationError('Non-custom tokens should not references permissions');
  }

  // Custom type tokens should always have permissions attached to them
  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM && isEmpty(attributes.permissions)) {
    throw new ValidationError('Missing permissions attributes for custom token');
  }
};

/**
 * @param {Object} whereParams
 * @param {string|number} [whereParams.id]
 * @param {string} [whereParams.name]
 * @param {string} [whereParams.description]
 * @param {string} [whereParams.accessKey]
 *
 * @returns {Promise<boolean>}
 */
const exists = async (whereParams = {}) => {
  const apiToken = await getBy(whereParams);

  return !!apiToken;
};

/**
 * @param {string} accessKey
 *
 * @returns {string}
 */
const hash = accessKey => {
  return crypto
    .createHmac('sha512', strapi.config.get('admin.apiToken.salt'))
    .update(accessKey)
    .digest('hex');
};

/**
 * @param {Object} attributes
 * @param {TokenType} attributes.type
 * @param {string} attributes.name
 * @param {string[]} [attributes.permissions]
 * @param {string} [attributes.description]
 *
 * @returns {Promise<ApiToken>}
 */
const create = async attributes => {
  const accessKey = crypto.randomBytes(128).toString('hex');

  assertCustomTokenPermissionsValidity(attributes);

  // Create the token
  const apiToken = await strapi.query('admin::api-token').create({
    select: SELECT_FIELDS,
    populate: POPULATE_FIELDS,
    data: {
      ...omit('permissions', attributes),
      accessKey: hash(accessKey),
    },
  });

  const result = { ...apiToken, accessKey };

  // If this is a custom type token, create and the related permissions
  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {
    // TODO: createMany doesn't seem to create relation properly, figure this out?
    // const permissionsCount = await strapi.query('admin::token-permission').createMany({
    //   populate: POPULATE_FIELDS,
    //   data: attributes.permissions.map(action => ({ action, token: apiToken })),
    // });

    let promises = [];
    attributes.permissions.forEach(action => {
      promises.push(
        strapi.query('admin::token-permission').create({
          data: { action, token: apiToken },
        })
      );
    });
    await Promise.all(promises);

    const currentPermissions = await strapi.entityService.load(
      'admin::api-token',
      apiToken,
      'permissions'
    );

    if (currentPermissions) {
      Object.assign(result, { permissions: map('action', currentPermissions) });
    }
  }

  return result;
};

/**
 * @returns {void}
 */
const checkSaltIsDefined = () => {
  if (!strapi.config.get('admin.apiToken.salt')) {
    // TODO V5: stop reading API_TOKEN_SALT
    if (process.env.API_TOKEN_SALT) {
      process.emitWarning(`[deprecated] In future versions, Strapi will stop reading directly from the environment variable API_TOKEN_SALT. Please set apiToken.salt in config/admin.js instead.
For security reasons, keep storing the secret in an environment variable and use env() to read it in config/admin.js (ex: \`apiToken: { salt: env('API_TOKEN_SALT') }\`). See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`);

      strapi.config.set('admin.apiToken.salt', process.env.API_TOKEN_SALT);
    } else {
      throw new Error(
        `Missing apiToken.salt. Please set apiToken.salt in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
      );
    }
  }
};

/**
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const list = async () => {
  return strapi.query('admin::api-token').findMany({
    select: SELECT_FIELDS,
    populate: POPULATE_FIELDS,
    orderBy: { name: 'ASC' },
  });
};

/**
 * @param {string|number} id
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const revoke = async id => {
  return strapi
    .query('admin::api-token')
    .delete({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: { id } });
};

/**
 * @param {string|number} id
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const getById = async id => {
  return getBy({ id });
};

/**
 * @param {string} name
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const getByName = async name => {
  return getBy({ name });
};

/**
 * @param {string|number} id
 * @param {Object} attributes
 * @param {TokenType} attributes.type
 * @param {string} attributes.name
 * @param {string} [attributes.description]
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
 */
const update = async (id, attributes) => {
  // retrieve token without permissions
  const oldToken = await strapi.query('admin::api-token').findOne({ where: { id } });

  if (!oldToken) {
    throw new NotFoundError('Token not found');
  }

  assertCustomTokenPermissionsValidity({
    ...oldToken,
    ...attributes,
    type: attributes.type || oldToken.type,
  });

  const token = await strapi.query('admin::api-token').update({
    select: SELECT_FIELDS,
    populate: POPULATE_FIELDS,
    where: { id },
    data: omit('permissions', attributes),
  });

  const currentPermissions = await strapi.entityService.load(
    'admin::api-token',
    token,
    'permissions'
  );

  let permissions = {};
  if (token.type === constants.API_TOKEN_TYPE.CUSTOM) {
    const permissionsToDelete = difference(
      map('action', currentPermissions),
      attributes.permissions
    );
    const permissionsToCreate = difference(attributes.permissions, oldToken.permissions);

    // TODO: make deleteMany work with relations
    // await strapi
    //   .query('admin::token-permission')
    //   .deleteMany({ where: { action: map('action', permissionsToDelete), token: id } });
    let promises = [];
    permissionsToDelete.forEach(action => {
      promises.push(
        strapi.query('admin::token-permission').delete({
          where: { action, token: id },
        })
      );
    });
    await Promise.all(promises);

    // TODO: make createMany work with relations
    // await strapi
    //   .query('admin::token-permission')
    //   .createMany({ data: permissionsToCreate.map(action => ({ action, token: id })) });
    promises = [];
    permissionsToCreate.forEach(action => {
      promises.push(
        strapi.query('admin::token-permission').create({
          data: { action, token: id },
        })
      );
    });
    await Promise.all(promises);

    // retrieve permissions
    permissions = {
      permissions: await strapi.entityService.load('admin::api-token', token, 'permissions'),
    };
  }
  // TODO: if type is changing from custom, make sure old permissions get removed
  else {
    //TODO
  }

  return { ...token, ...permissions };
};

/**
 * @param {Object} whereParams
 * @param {string|number} [whereParams.id]
 * @param {string} [whereParams.name]
 * @param {string} [whereParams.description]
 * @param {string} [whereParams.accessKey]
 *
 * @returns {Promise<Omit<ApiToken, 'accessKey'> | null>}
 */
const getBy = async (whereParams = {}) => {
  if (Object.keys(whereParams).length === 0) {
    return null;
  }

  return strapi
    .query('admin::api-token')
    .findOne({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: whereParams });
};

module.exports = {
  create,
  exists,
  checkSaltIsDefined,
  hash,
  list,
  revoke,
  getById,
  update,
  getByName,
  getBy,
};
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`'use strict';`

			`const crypto = require('crypto');`
fix updates 2022-08-10 17:35:15 +02:00			`const { omit, difference, isEmpty, map } = require('lodash/fp');`
allow empty permissions array on non-custom tokens 2022-08-10 10:55:49 +02:00			`const { ValidationError, NotFoundError } = require('@strapi/utils').errors;`
use constant 2022-08-08 17:06:38 +02:00			`const constants = require('../services/constants');`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00
adds tests 2021-08-30 14:00:53 +02:00			`/**`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`* @typedef {'read-only'\|'full-access'\|'custom'} TokenType`
adds tests 2021-08-30 14:00:53 +02:00			`*/`

improve jsdoc comments 2021-08-27 09:44:29 +02:00			`/**`
			`* @typedef ApiToken`
			`*`
adds tests 2021-08-30 14:00:53 +02:00			`* @property {number\|string} id`
improve jsdoc comments 2021-08-27 09:44:29 +02:00			`* @property {string} name`
			`* @property {string} [description]`
			`* @property {string} accessKey`
adds tests 2021-08-30 14:00:53 +02:00			`* @property {TokenType} type`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`* @property {(number\|ApiTokenPermission)[]} [permissions]`
			`*/`

			`/**`
			`* @typedef ApiTokenPermission`
			`*`
			`* @property {number\|string} id`
			`* @property {string} action`
			`* @property {ApiToken\|number} [token]`
improve jsdoc comments 2021-08-27 09:44:29 +02:00			`*/`

return deleted token 2021-09-02 10:47:06 +02:00			`/** @constant {Array<string>} */`
implement the ListView for the API Tokens 2021-10-05 13:13:45 +02:00			`const SELECT_FIELDS = ['id', 'name', 'description', 'type', 'createdAt'];`
return deleted token 2021-09-02 10:47:06 +02:00
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`/** @constant {Array<string>} */`
			`const POPULATE_FIELDS = ['permissions'];`

			`const assertCustomTokenPermissionsValidity = attributes => {`
			`// Ensure non-custom tokens doesn't have permissions`
allow empty permissions array on non-custom tokens 2022-08-10 10:55:49 +02:00			`if (attributes.type !== constants.API_TOKEN_TYPE.CUSTOM && !isEmpty(attributes.permissions)) {`
use ValidationError 2022-08-09 10:28:42 +02:00			`throw new ValidationError('Non-custom tokens should not references permissions');`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`}`

			`// Custom type tokens should always have permissions attached to them`
fix failure tests 2022-08-09 10:49:44 +02:00			`if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM && isEmpty(attributes.permissions)) {`
use ValidationError 2022-08-09 10:28:42 +02:00			`throw new ValidationError('Missing permissions attributes for custom token');`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`}`
			`};`

implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`/**`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`* @param {Object} whereParams`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`* @param {string\|number} [whereParams.id]`
			`* @param {string} [whereParams.name]`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`* @param {string} [whereParams.description]`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`* @param {string} [whereParams.accessKey]`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`*`
fix issues after rebasing on release/v4 2021-08-27 10:30:18 +02:00			`* @returns {Promise<boolean>}`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`*/`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`const exists = async (whereParams = {}) => {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`const apiToken = await getBy(whereParams);`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00
			`return !!apiToken;`
			`};`

			`/**`
			`* @param {string} accessKey`
			`*`
			`* @returns {string}`
			`*/`
			`const hash = accessKey => {`
			`return crypto`
Fix tests and move api token config to use camelcase naming 2021-10-26 12:18:53 +02:00			`.createHmac('sha512', strapi.config.get('admin.apiToken.salt'))`
use createHmac in favour of createHash for added security 2021-08-27 17:06:05 +02:00			`.update(accessKey)`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`.digest('hex');`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`};`

			`/**`
			`* @param {Object} attributes`
adds tests 2021-08-30 14:00:53 +02:00			`* @param {TokenType} attributes.type`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`* @param {string} attributes.name`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`* @param {string[]} [attributes.permissions]`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`* @param {string} [attributes.description]`
			`*`
improve jsdoc comments 2021-08-27 09:44:29 +02:00			`* @returns {Promise<ApiToken>}`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`*/`
			`const create = async attributes => {`
			`const accessKey = crypto.randomBytes(128).toString('hex');`

Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`assertCustomTokenPermissionsValidity(attributes);`

			`// Create the token`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`const apiToken = await strapi.query('admin::api-token').create({`
return deleted token 2021-09-02 10:47:06 +02:00			`select: SELECT_FIELDS,`
Fix update & create 2022-08-05 12:31:16 +02:00			`populate: POPULATE_FIELDS,`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`data: {`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`...omit('permissions', attributes),`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`accessKey: hash(accessKey),`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`},`
			`});`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`const result = { ...apiToken, accessKey };`

fix updates 2022-08-10 17:35:15 +02:00			`// If this is a custom type token, create and the related permissions`
use constant 2022-08-08 17:06:38 +02:00			`if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {`
fix updates 2022-08-10 17:35:15 +02:00			`// TODO: createMany doesn't seem to create relation properly, figure this out?`
			`// const permissionsCount = await strapi.query('admin::token-permission').createMany({`
			`// populate: POPULATE_FIELDS,`
			`// data: attributes.permissions.map(action => ({ action, token: apiToken })),`
			`// });`

			`let promises = [];`
			`attributes.permissions.forEach(action => {`
			`promises.push(`
			`strapi.query('admin::token-permission').create({`
			`data: { action, token: apiToken },`
			`})`
			`);`
			`});`
			`await Promise.all(promises);`

			`const currentPermissions = await strapi.entityService.load(`
			`'admin::api-token',`
			`apiToken,`
			`'permissions'`
			`);`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00
fix updates 2022-08-10 17:35:15 +02:00			`if (currentPermissions) {`
			`Object.assign(result, { permissions: map('action', currentPermissions) });`
return permissions with custom token create 2022-08-09 10:27:34 +02:00			`}`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`}`

			`return result;`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`};`

			`/**`
			`* @returns {void}`
			`*/`
harmonize secret generation + don't generate in production mode 2022-01-24 18:13:27 +01:00			`const checkSaltIsDefined = () => {`
			`if (!strapi.config.get('admin.apiToken.salt')) {`
continue reading API_TOKEN_SALT + add warning deprecated message 2022-02-14 14:57:15 +01:00			`// TODO V5: stop reading API_TOKEN_SALT`
			`if (process.env.API_TOKEN_SALT) {`
fix wording mistakes 2022-03-04 15:48:49 +01:00			process.emitWarning(`[deprecated] In future versions, Strapi will stop reading directly from the environment variable API_TOKEN_SALT. Please set apiToken.salt in config/admin.js instead.
			For security reasons, keep storing the secret in an environment variable and use env() to read it in config/admin.js (ex: \`apiToken: { salt: env('API_TOKEN_SALT') }\`). See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`);

continue reading API_TOKEN_SALT + add warning deprecated message 2022-02-14 14:57:15 +01:00			`strapi.config.set('admin.apiToken.salt', process.env.API_TOKEN_SALT);`
			`} else {`
			`throw new Error(`
change error messages 2022-03-18 17:55:22 +01:00			`Missing apiToken.salt. Please set apiToken.salt in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
			For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
continue reading API_TOKEN_SALT + add warning deprecated message 2022-02-14 14:57:15 +01:00			`);`
			`}`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`}`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`};`

implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`/**`
return deleted token 2021-09-02 10:47:06 +02:00			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`*/`
			`const list = async () => {`
adds tests 2021-08-30 14:00:53 +02:00			`return strapi.query('admin::api-token').findMany({`
return deleted token 2021-09-02 10:47:06 +02:00			`select: SELECT_FIELDS,`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`populate: POPULATE_FIELDS,`
add e2e tests 2021-08-27 08:39:08 +02:00			`orderBy: { name: 'ASC' },`
			`});`
implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`};`

add DELETE route and logic 2021-08-31 15:31:54 +02:00			`/**`
			`* @param {string\|number} id`
			`*`
return deleted token 2021-09-02 10:47:06 +02:00			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
add DELETE route and logic 2021-08-31 15:31:54 +02:00			`*/`
			`const revoke = async id => {`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`return strapi`
			`.query('admin::api-token')`
			`.delete({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: { id } });`
add DELETE route and logic 2021-08-31 15:31:54 +02:00			`};`

implement GET endpoint to get a single token 2021-09-02 11:56:14 +02:00			`/**`
			`* @param {string\|number} id`
			`*`
			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
			`*/`
update tests and rename get method 2021-09-06 15:14:45 +02:00			`const getById = async id => {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return getBy({ id });`
implement GET endpoint to get a single token 2021-09-02 11:56:14 +02:00			`};`

allow for partial payload to update a token 2021-09-08 14:38:43 +02:00			`/**`
			`* @param {string} name`
			`*`
			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
			`*/`
			`const getByName = async name => {`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`return getBy({ name });`
allow for partial payload to update a token 2021-09-08 14:38:43 +02:00			`};`

implement PUT endpoint to update a token 2021-09-06 13:30:52 +02:00			`/**`
			`* @param {string\|number} id`
			`* @param {Object} attributes`
			`* @param {TokenType} attributes.type`
			`* @param {string} attributes.name`
			`* @param {string} [attributes.description]`
			`*`
			`* @returns {Promise<Omit<ApiToken, 'accessKey'>>}`
			`*/`
			`const update = async (id, attributes) => {`
allow empty permissions array on non-custom tokens 2022-08-10 10:55:49 +02:00			`// retrieve token without permissions`
Fix update & create 2022-08-05 12:31:16 +02:00			`const oldToken = await strapi.query('admin::api-token').findOne({ where: { id } });`

			`if (!oldToken) {`
allow empty permissions array on non-custom tokens 2022-08-10 10:55:49 +02:00			`throw new NotFoundError('Token not found');`
Fix update & create 2022-08-05 12:31:16 +02:00			`}`

allow empty permissions array on non-custom tokens 2022-08-10 10:55:49 +02:00			`assertCustomTokenPermissionsValidity({`
			`...oldToken,`
			`...attributes,`
			`type: attributes.type \|\| oldToken.type,`
			`});`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00
Fix update & create 2022-08-05 12:31:16 +02:00			`const token = await strapi.query('admin::api-token').update({`
Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`select: SELECT_FIELDS,`
			`populate: POPULATE_FIELDS,`
			`where: { id },`
			`data: omit('permissions', attributes),`
			`});`
Fix update & create 2022-08-05 12:31:16 +02:00
fix updates 2022-08-10 17:35:15 +02:00			`const currentPermissions = await strapi.entityService.load(`
			`'admin::api-token',`
			`token,`
			`'permissions'`
			`);`

only return permissions with custom tokens 2022-08-09 17:48:52 +02:00			`let permissions = {};`
fix failure tests 2022-08-09 10:49:44 +02:00			`if (token.type === constants.API_TOKEN_TYPE.CUSTOM) {`
fix updates 2022-08-10 17:35:15 +02:00			`const permissionsToDelete = difference(`
			`map('action', currentPermissions),`
			`attributes.permissions`
			`);`
			`const permissionsToCreate = difference(attributes.permissions, oldToken.permissions);`

			`// TODO: make deleteMany work with relations`
			`// await strapi`
			`// .query('admin::token-permission')`
			`// .deleteMany({ where: { action: map('action', permissionsToDelete), token: id } });`
			`let promises = [];`
			`permissionsToDelete.forEach(action => {`
			`promises.push(`
			`strapi.query('admin::token-permission').delete({`
			`where: { action, token: id },`
			`})`
			`);`
			`});`
			`await Promise.all(promises);`

			`// TODO: make createMany work with relations`
			`// await strapi`
			`// .query('admin::token-permission')`
			`// .createMany({ data: permissionsToCreate.map(action => ({ action, token: id })) });`
			`promises = [];`
			`permissionsToCreate.forEach(action => {`
			`promises.push(`
			`strapi.query('admin::token-permission').create({`
			`data: { action, token: id },`
			`})`
			`);`
			`});`
			`await Promise.all(promises);`
Fix update & create 2022-08-05 12:31:16 +02:00
fix updates 2022-08-10 17:35:15 +02:00			`// retrieve permissions`
only return permissions with custom tokens 2022-08-09 17:48:52 +02:00			`permissions = {`
			`permissions: await strapi.entityService.load('admin::api-token', token, 'permissions'),`
			`};`
fix updates 2022-08-10 17:35:15 +02:00			`}`
			`// TODO: if type is changing from custom, make sure old permissions get removed`
			`else {`
			`//TODO`
only return permissions with custom tokens 2022-08-09 17:48:52 +02:00			`}`
Fix update & create 2022-08-05 12:31:16 +02:00
only return permissions with custom tokens 2022-08-09 17:48:52 +02:00			`return { ...token, ...permissions };`
implement PUT endpoint to update a token 2021-09-06 13:30:52 +02:00			`};`

add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`/**`
			`* @param {Object} whereParams`
			`* @param {string\|number} [whereParams.id]`
			`* @param {string} [whereParams.name]`
			`* @param {string} [whereParams.description]`
			`* @param {string} [whereParams.accessKey]`
			`*`
			`* @returns {Promise<Omit<ApiToken, 'accessKey'> \| null>}`
			`*/`
			`const getBy = async (whereParams = {}) => {`
			`if (Object.keys(whereParams).length === 0) {`
			`return null;`
			`}`

Attach permission model to tokens, update api token' strategy & services 2022-08-05 12:01:36 +02:00			`return strapi`
			`.query('admin::api-token')`
			`.findOne({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: whereParams });`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`};`

implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`module.exports = {`
			`create,`
			`exists,`
harmonize secret generation + don't generate in production mode 2022-01-24 18:13:27 +01:00			`checkSaltIsDefined,`
store the hashed accessKey in the database 2021-08-27 16:23:19 +02:00			`hash,`
implement GET endpoint to list the api tokens 2021-08-27 08:14:36 +02:00			`list,`
add DELETE route and logic 2021-08-31 15:31:54 +02:00			`revoke,`
update tests and rename get method 2021-09-06 15:14:45 +02:00			`getById,`
implement PUT endpoint to update a token 2021-09-06 13:30:52 +02:00			`update,`
allow for partial payload to update a token 2021-09-08 14:38:43 +02:00			`getByName,`
add api-token auth strategy to the content-api 2021-09-16 14:36:54 +02:00			`getBy,`
implement POST endpoint to create api tokens 2021-08-26 14:37:55 +02:00			`};`