validate lifespan

packages/core/admin/server/controllers/__tests__/api-token.test.js

@@ -3,6 +3,7 @@
 const { ApplicationError } = require('@strapi/utils').errors;
 const { omit } = require('lodash/fp');
 const createContext = require('../../../../../../test/helpers/create-context');
+const constants = require('../../services/constants');
 const apiTokenController = require('../api-token');
 
 describe('API Token Controller', () => {
@@ -65,8 +66,8 @@ describe('API Token Controller', () => {
       expect(created).toHaveBeenCalled();
     });
 
-    test('Create API Token with lifespan', async () => {
-      const lifespan = 90 * 24 * 60 * 60 * 1000; // 90 days
+    test('Create API Token with valid lifespan', async () => {
+      const lifespan = constants.API_TOKEN_LIFESPANS.DAYS_7;
       const createBody = {
         ...body,
         lifespan,
@@ -159,7 +160,8 @@ describe('API Token Controller', () => {
     });
 
     test('Ignores a received expiresAt', async () => {
-      const lifespan = 90 * 24 * 60 * 60 * 1000; // 90 days
+      const lifespan = constants.API_TOKEN_LIFESPANS.DAYS_7;
+
       const createBody = {
         ...body,
         expiresAt: 1234,

packages/core/admin/server/services/__tests__/api-token.test.js

@@ -4,6 +4,7 @@ const { NotFoundError } = require('@strapi/utils/lib/errors');
 const crypto = require('crypto');
 const { omit } = require('lodash/fp');
 const apiTokenService = require('../api-token');
+const constants = require('../constants');
 
 describe('API Token', () => {
   const mockedApiToken = {
@@ -70,7 +71,7 @@ describe('API Token', () => {
         name: 'api-token_tests-name',
         description: 'api-token_tests-description',
         type: 'read-only',
-        lifespan: 123456,
+        lifespan: constants.API_TOKEN_LIFESPANS.DAYS_90,
       };
 
       const expectedExpires = Date.now() + attributes.lifespan;
@@ -106,6 +107,31 @@ describe('API Token', () => {
       expect(res.expiresAt).toBe(expectedExpires);
     });
 
+    test('It throws when creating a token with invalid lifespan', async () => {
+      const attributes = {
+        name: 'api-token_tests-name',
+        description: 'api-token_tests-description',
+        type: 'read-only',
+        lifespan: 12345,
+      };
+
+      const create = jest.fn(({ data }) => Promise.resolve(data));
+      global.strapi = {
+        query() {
+          return { create };
+        },
+        config: {
+          get: jest.fn(() => ''),
+        },
+      };
+
+      expect(async () => {
+        await apiTokenService.create(attributes);
+      }).rejects.toThrow(/lifespan/);
+
+      expect(create).not.toHaveBeenCalled();
+    });
+
     test('Creates a custom token', async () => {
       const attributes = {
         name: 'api-token_tests-name',

packages/core/admin/server/services/api-token.js

@@ -67,6 +67,24 @@ const assertCustomTokenPermissionsValidity = (attributes) => {
   }
 };
 
+/**
+ * Assert that a token's permissions attribute is valid for its type
+ *
+ * @param {ApiToken} token
+ */
+const assertValidLifespan = ({ lifespan }) => {
+  if (isNil(lifespan)) {
+    return;
+  }
+
+  if (!Object.values(constants.API_TOKEN_LIFESPANS).includes(lifespan)) {
+    throw new ValidationError(
+      `lifespan must be one of the following values: 
+      ${Object.values(constants.API_TOKEN_LIFESPANS).join(', ')}`
+    );
+  }
+};
+
 /**
  * Flatten a token's database permissions objects to an array of strings
  *
@@ -173,6 +191,7 @@ const create = async (attributes) => {
   const accessKey = crypto.randomBytes(128).toString('hex');
 
   assertCustomTokenPermissionsValidity(attributes);
+  assertValidLifespan(attributes);
 
   // Create the token
   const apiToken = await strapi.query('admin::api-token').create({
@@ -348,6 +367,8 @@ const update = async (id, attributes) => {
     });
   }
 
+  assertValidLifespan(attributes);
+
   const updatedToken = await strapi.query('admin::api-token').update({
     select: SELECT_FIELDS,
     populate: POPULATE_FIELDS,