Use array checks in api-token aut strategy

Alexandre Bodin 2021-10-11 09:49:35 +02:00
parent 0ac9d88f28
commit cc52a93a47
4 changed files with 21 additions and 6 deletions


@ -112,7 +112,7 @@ describe('API Token Auth Strategy', () => {
expect(
apiTokenStrategy.verify(
{ credentials: readOnlyApiToken },
{ scope: 'api::model.model.find' }
{ scope: ['api::model.model.find'] }
)
).toBeUndefined();
});
@ -125,7 +125,7 @@ describe('API Token Auth Strategy', () => {
expect(
apiTokenStrategy.verify(
{ credentials: fullAccessApiToken },
{ scope: 'api::model.model.create' }
{ scope: ['api::model.model.create'] }
)
).toBeUndefined();
});
@ -140,7 +140,7 @@ describe('API Token Auth Strategy', () => {
try {
apiTokenStrategy.verify(
{ credentials: { readOnlyApiToken } },
{ scope: 'api::model.model.create' }
{ scope: ['api::model.model.create'] }
);
} catch (err) {
expect(err).toBeInstanceOf(Error);
@ -155,7 +155,7 @@ describe('API Token Auth Strategy', () => {
expect.assertions(1);
try {
apiTokenStrategy.verify({}, { scope: 'api::model.model.create' });
apiTokenStrategy.verify({}, { scope: ['api::model.model.create'] });
} catch (err) {
expect(err).toBeInstanceOf(Error);
}
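Review bot: The updated cases exercise only single-element scope arrays, so the all-or-nothing semantics that the new `every()` check in `verify` introduces are not pinned by these tests: there is no case for a read-only token against a mixed array such as `{ scope: ['api::model.model.find', 'api::model.model.create'] }` (which must throw), nor for an empty `{ scope: [] }` on a route. Adding those two cases next to the existing read-only/full-access ones would catch regressions in the array check, which is the behaviour this commit changes. The `describe` block continues outside the hunk.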


@ -3,6 +3,8 @@
const constants = require('../services/constants');
const { getService } = require('../utils');
const isReadScope = scope => scope.endsWith('find') || scope.endsWith('findOne');
/** @type {import('.').AuthenticateFunction} */
const authenticate = async ctx => {
const apiTokenService = getService('api-token');
@ -47,7 +49,8 @@ const verify = (auth, config) => {
* If you don't have `full-access` you can only access `find` and `findOne`
* scopes. If the route has no scope, then you can't get access to it.
*/
if (config.scope && (config.scope.endsWith('find') || config.scope.endsWith('findOne'))) {
if (config.scope && config.scope.every(isReadScope)) {
return;
}
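Review bot: An empty `scope` array now passes the read-only branch at `if (config.scope && config.scope.every(isReadScope))`, because `[]` is truthy and `Array.prototype.every` returns true for an empty array, whereas the string version fell through on `''`; the comment directly above still promises that a route with no scope is not accessible. Guarding the length explicitly keeps that promise, e.g. `if (Array.isArray(config.scope) && config.scope.length > 0 && config.scope.every(isReadScope))`. Separately, `isReadScope`'s `endsWith('find')` matches any action whose name merely ends in `find`, as the old string check also did; comparing the action segment after the last `.` against the two allowed names would be tighter if custom actions are permitted. `verify` begins before the hunk, so the remaining branches are not visible here.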


@ -11,7 +11,7 @@ const createRouteScopeGenerator = namespace => route => {
_.defaultsDeep(route, {
config: {
auth: {
scope: `${prefix}${controller}.${action}`,
scope: [`${prefix}${controller}.${action}`],
},
},
});
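Review bot: Wrapping the generated scope in an array changes how `_.defaultsDeep` fills it in — assuming `_` is lodash, arrays are merged index-wise, so a route that explicitly declares `scope: []` will have the generated scope inserted at index 0, while a route carrying its own one-element scope keeps it. If an empty list is meant as an explicit opt-out, check for an existing `config.auth.scope` before applying the default instead of relying on `defaultsDeep` to leave it alone. `createRouteScopeGenerator` starts before the hunk, where `prefix`, `controller` and `action` are derived.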


@ -44,6 +44,18 @@ const routeSchema = yup.object({
}),
config: yup
.object({
auth: yup.lazy(value => {
if (value === false) {
return yup.boolean().required();
}
return yup.object({
scope: yup
.array()
.of(yup.string())
.required(),
});
}),
policies: yup
.array()
.of(policyOrMiddlewareSchema)