Fix conflicts and build script

Signed-off-by: soupette <cyril@strapi.io>

.github/actions/run-e2e-tests/script.sh

@@ -4,6 +4,7 @@ if [[ -z "$RUN_EE" ]]; then
 fi
 
 export ENV_PATH="$(pwd)/testApp/.env"
+export JWT_SECRET="aSecret"
 
 opts=($DB_OPTIONS)
 

examples/getstarted/config/admin.js

@@ -3,4 +3,7 @@ module.exports = ({ env }) => ({
   auth: {
     secret: env('ADMIN_JWT_SECRET', 'example-token'),
   },
+  apiToken: {
+    salt: env('API_TOKEN_SALT', 'example-salt'),
+  },
 });

examples/kitchensink/config/admin.js

@@ -3,4 +3,7 @@ module.exports = ({ env }) => ({
   auth: {
     secret: env('ADMIN_JWT_SECRET', 'example-token'),
   },
+  apiToken: {
+    salt: env('API_TOKEN_SALT', 'example-salt'),
+  },
 });

examples/kitchensink/config/server.js

@@ -1,11 +1,6 @@
 module.exports = ({ env }) => ({
   host: env('HOST', '0.0.0.0'),
   port: env.int('PORT', 1337),
-  admin: {
-    auth: {
-      secret: env('ADMIN_JWT_SECRET', '6f75e424d1a0307077c294fcc3c7d78d'),
-    },
-  },
   app: {
     keys: env.array('APP_KEYS', ['toBeModified1', 'toBeModified2']),
   },

packages/core/admin/package.json

@@ -125,8 +125,7 @@
     "semver": "7.3.5",
     "sift": "13.5.0",
     "style-loader": "3.3.1",
-    "styled-components": "^5.2.3",
-    "terser-webpack-plugin": "5.3.0",
+    "styled-components": "5.3.3",
     "webpack": "5.65.0",
     "webpack-cli": "4.9.1",
     "webpack-dev-server": "4.7.3",

packages/core/admin/scripts/build.js

@@ -24,7 +24,7 @@ const buildAdmin = async () => {
   const args = {
     entry,
     dest,
-    cacheDir: __dirname,
+    cacheDir: path.resolve(__dirname, '..'),
     pluginsPath: [path.resolve(__dirname, '../../../../packages')],
     env: 'production',
     optimize: true,

packages/core/admin/server/bootstrap.js

@@ -61,6 +61,7 @@ module.exports = async () => {
   const userService = getService('user');
   const roleService = getService('role');
   const apiTokenService = getService('api-token');
+  const tokenService = getService('token');
 
   await roleService.createRolesIfNoneExist();
   await roleService.resetSuperAdminPermissions();
@@ -73,5 +74,6 @@ module.exports = async () => {
 
   await syncAuthSettings();
 
-  apiTokenService.createSaltIfNotDefined();
+  apiTokenService.checkSaltIsDefined();
+  tokenService.checkSecretIsDefined();
 };

packages/core/admin/server/config/api-token.js

@@ -1,7 +0,0 @@
-'use strict';
-
-const { env } = require('@strapi/utils');
-
-module.exports = {
-  salt: env('API_TOKEN_SALT'),
-};

packages/core/admin/server/config/index.js

@@ -6,5 +6,4 @@ module.exports = {
   forgotPassword: {
     emailTemplate: forgotPasswordTemplate,
   },
-  apiToken: require('./api-token'),
 };

packages/core/admin/server/services/__tests__/api-token.test.js

@@ -54,8 +54,8 @@ describe('API Token', () => {
     });
   });
 
-  describe('createSaltIfNotDefined', () => {
-    test('It does nothing if the salt is alread defined', () => {
+  describe('checkSaltIsDefined', () => {
+    test('It does nothing if the salt is already defined', () => {
       const mockedAppendFile = jest.fn();
       const mockedConfigSet = jest.fn();
 
@@ -66,37 +66,28 @@ describe('API Token', () => {
           })),
           set: mockedConfigSet,
         },
-        fs: { appendFile: mockedAppendFile },
       };
 
-      apiTokenService.createSaltIfNotDefined();
+      apiTokenService.checkSaltIsDefined();
 
       expect(mockedAppendFile).not.toHaveBeenCalled();
       expect(mockedConfigSet).not.toHaveBeenCalled();
     });
 
-    test('It creates a new salt, appends it to the .env file and sets it in the configuration', () => {
-      const mockedAppendFile = jest.fn();
-      const mockedConfigSet = jest.fn();
-
+    test('It throws if the salt if the salt is not defined', () => {
       global.strapi = {
         config: {
           get: jest.fn(() => null),
-          set: mockedConfigSet,
         },
-        fs: { appendFile: mockedAppendFile },
       };
 
-      apiTokenService.createSaltIfNotDefined();
+      try {
+        apiTokenService.checkSaltIsDefined();
+      } catch (e) {
+        expect(e.message.includes('Missing apiToken.salt.')).toBe(true);
+      }
 
-      expect(mockedAppendFile).toHaveBeenCalledWith(
-        '.env',
-        `API_TOKEN_SALT=${mockedApiToken.hexedString}\n`
-      );
-      expect(mockedConfigSet).toHaveBeenCalledWith(
-        'admin.apiToken.salt',
-        mockedApiToken.hexedString
-      );
+      expect.assertions(1);
     });
 
     test('It throws an error if the env variable used in the config file has been changed and is empty', () => {

packages/core/admin/server/services/api-token.js

@@ -74,20 +74,21 @@ const create = async attributes => {
 /**
  * @returns {void}
  */
-const createSaltIfNotDefined = () => {
-  if (strapi.config.get('admin.apiToken.salt')) {
-    return;
-  }
+const checkSaltIsDefined = () => {
+  if (!strapi.config.get('admin.apiToken.salt')) {
+    // TODO V5: stop reading API_TOKEN_SALT
+    if (process.env.API_TOKEN_SALT) {
+      process.emitWarning(`[deprecated] In future versions, Strapi will stop reading directly from the environment variable API_TOKEN_SALT. Please set apiToken.salt in config/admin.js instead.
+For security reasons, keep storing the secret in an environment variable and use env() to read it in config/admin.js (ex: \`apiToken: { salt: env('API_TOKEN_SALT') }\`). See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`);
 
-  if (process.env.API_TOKEN_SALT) {
-    throw new Error(
-      `There's something wrong with the configuration of your api-token salt. If you have changed the env variable used in the configuration file, please verify that you have created and set the variable in your .env file.`
-    );
+      strapi.config.set('admin.apiToken.salt', process.env.API_TOKEN_SALT);
+    } else {
+      throw new Error(
+        `Missing apiToken.salt. Please set apiToken.salt in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
+For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
+      );
+    }
   }
-
-  const salt = crypto.randomBytes(16).toString('hex');
-  strapi.fs.appendFile(process.env.ENV_PATH || '.env', `API_TOKEN_SALT=${salt}\n`);
-  strapi.config.set('admin.apiToken.salt', salt);
 };
 
 /**
@@ -162,7 +163,7 @@ const getBy = async (whereParams = {}) => {
 module.exports = {
   create,
   exists,
-  createSaltIfNotDefined,
+  checkSaltIsDefined,
   hash,
   list,
   revoke,

packages/core/admin/server/services/token.js

@@ -49,9 +49,22 @@ const decodeJwtToken = token => {
   }
 };
 
+/**
+ * @returns {void}
+ */
+const checkSecretIsDefined = () => {
+  if (strapi.config.serveAdminPanel && !strapi.config.get('admin.auth.secret')) {
+    throw new Error(
+      `Missing auth.secret. Please set auth.secret in config/admin.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
+For security reasons, prefer storing the secret in an environment variable and read it in config/admin.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
+    );
+  }
+};
+
 module.exports = {
   createToken,
   createJwtToken,
   getTokenOptions,
   decodeJwtToken,
+  checkSecretIsDefined,
 };

packages/core/helper-plugin/package.json

@@ -58,7 +58,7 @@
     "react-intl": "5.20.2",
     "react-router": "^5.2.0",
     "react-router-dom": "5.2.0",
-    "styled-components": "^5.2.3",
+    "styled-components": "5.3.3",
     "whatwg-fetch": "^3.6.2"
   },
   "devDependencies": {

packages/generators/app/lib/create-project.js

@@ -16,7 +16,6 @@ const mergeTemplate = require('./utils/merge-template.js');
 
 const packageJSON = require('./resources/json/package.json');
 const createDatabaseConfig = require('./resources/templates/database.js');
-const createAdminConfig = require('./resources/templates/admin-config.js');
 const createEnvFile = require('./resources/templates/env.js');
 
 module.exports = async function createProject(scope, { client, connection, dependencies }) {
@@ -72,7 +71,6 @@ module.exports = async function createProject(scope, { client, connection, depen
     );
 
     // create config/server.js
-    await fse.writeFile(join(rootPath, `config/admin.js`), createAdminConfig());
     await trackUsage({ event: 'didCopyConfigurationFiles', scope });
 
     // merge template files if a template is specified

packages/generators/app/lib/resources/files/config/admin.js

@@ -0,0 +1,8 @@
+module.exports = ({ env }) => ({
+  auth: {
+    secret: env('ADMIN_JWT_SECRET'),
+  },
+  apiToken: {
+    salt: env('API_TOKEN_SALT'),
+  },
+});

packages/generators/app/lib/resources/templates/admin-config.js

@@ -1,16 +0,0 @@
-'use strict';
-
-const crypto = require('crypto');
-
-const fs = require('fs');
-const path = require('path');
-const _ = require('lodash');
-
-module.exports = () => {
-  const tmpl = fs.readFileSync(path.join(__dirname, `admin-config.template`));
-  const compile = _.template(tmpl);
-
-  return compile({
-    adminJwtToken: crypto.randomBytes(16).toString('hex'),
-  });
-};

packages/generators/app/lib/resources/templates/admin-config.template

@@ -1,5 +0,0 @@
-module.exports = ({ env }) => ({
-  auth: {
-    secret: env('ADMIN_JWT_SECRET', '<%= adminJwtToken %>'),
-  },
-});

packages/generators/app/lib/resources/templates/env.template

@@ -1,3 +1,5 @@
 HOST=0.0.0.0
 PORT=1337
 APP_KEYS=<%= appKeys %>
+API_TOKEN_SALT=<%= apiTokenSalt %>
+ADMIN_JWT_SECRET= <%= adminJwtToken %>

packages/plugins/users-permissions/package.json

@@ -43,8 +43,7 @@
     "react-router-dom": "5.2.0",
     "redux-saga": "^0.16.0",
     "request": "^2.83.0",
-    "url-join": "4.0.1",
-    "uuid": "^3.1.0"
+    "url-join": "4.0.1"
   },
   "devDependencies": {
     "koa": "^2.13.1"

packages/plugins/users-permissions/server/bootstrap/index.js

@@ -7,9 +7,9 @@
  * This gives you an opportunity to set up your data model,
  * run jobs, or perform some special logic.
  */
+const crypto = require('crypto');
 const _ = require('lodash');
 const urljoin = require('url-join');
-const uuid = require('uuid/v4');
 const { getService } = require('../utils');
 const getGrantConfig = require('./grant-config');
 
@@ -29,13 +29,22 @@ module.exports = async ({ strapi }) => {
   await getService('users-permissions').initialize();
 
   if (!strapi.config.get('plugin.users-permissions.jwtSecret')) {
-    const jwtSecret = uuid();
+    if (process.env.NODE_ENV !== 'development') {
+      throw new Error(
+        `Missing jwtSecret. Please, set configuration variable "jwtSecret" for the users-permissions plugin in config/plugins.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
+For security reasons, prefer storing the secret in an environment variable and read it in config/plugins.js. See https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#configuration-using-environment-variables.`
+      );
+    }
+
+    const jwtSecret = crypto.randomBytes(16).toString('base64');
+
     strapi.config.set('plugin.users-permissions.jwtSecret', jwtSecret);
 
     if (!process.env.JWT_SECRET) {
-      strapi.fs.appendFile(process.env.ENV_PATH || '.env', `JWT_SECRET=${jwtSecret}\n`);
+      const envPath = process.env.ENV_PATH || '.env';
+      strapi.fs.appendFile(envPath, `JWT_SECRET=${jwtSecret}\n`);
       strapi.log.info(
-        'The Users & Permissions plugin automatically generated a jwt secret and stored it in your .env file under the name JWT_SECRET.'
+        `The Users & Permissions plugin automatically generated a jwt secret and stored it in ${envPath} under the name JWT_SECRET.`
       );
     }
   }

test/e2e.js

@@ -48,6 +48,7 @@ const runAllTests = async args => {
     env: {
       FORCE_COLOR: 1,
       ENV_PATH: process.env.ENV_PATH,
+      JWT_SECRET: 'aSecret',
     },
   });
 };