Use array checks in api-token aut strategy

Alexandre Bodin 2021-10-11 09:49:35 +02:00
parent 0ac9d88f28
commit cc52a93a47
4 changed files with 21 additions and 6 deletions


@ -112,7 +112,7 @@ describe('API Token Auth Strategy', () => {
expect( expect(
apiTokenStrategy.verify( apiTokenStrategy.verify(
{ credentials: readOnlyApiToken }, { credentials: readOnlyApiToken },
{ scope: 'api::model.model.find' } { scope: ['api::model.model.find'] }
) )
).toBeUndefined(); ).toBeUndefined();
}); });
@ -125,7 +125,7 @@ describe('API Token Auth Strategy', () => {
expect( expect(
apiTokenStrategy.verify( apiTokenStrategy.verify(
{ credentials: fullAccessApiToken }, { credentials: fullAccessApiToken },
{ scope: 'api::model.model.create' } { scope: ['api::model.model.create'] }
) )
).toBeUndefined(); ).toBeUndefined();
}); });
@ -140,7 +140,7 @@ describe('API Token Auth Strategy', () => {
try { try {
apiTokenStrategy.verify( apiTokenStrategy.verify(
{ credentials: { readOnlyApiToken } }, { credentials: { readOnlyApiToken } },
{ scope: 'api::model.model.create' } { scope: ['api::model.model.create'] }
); );
} catch (err) { } catch (err) {
expect(err).toBeInstanceOf(Error); expect(err).toBeInstanceOf(Error);
@ -155,7 +155,7 @@ describe('API Token Auth Strategy', () => {
expect.assertions(1); expect.assertions(1);
try { try {
apiTokenStrategy.verify({}, { scope: 'api::model.model.create' }); apiTokenStrategy.verify({}, { scope: ['api::model.model.create'] });
} catch (err) { } catch (err) {
expect(err).toBeInstanceOf(Error); expect(err).toBeInstanceOf(Error);
} }
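Review bot: The hunk at -140 passes `{ credentials: { readOnlyApiToken } }`, which wraps the token in an extra object, so verify() most likely throws because the credentials shape is not recognised rather than because a read-only token lacks the create scope, and the `toBeInstanceOf(Error)` assertion cannot tell those two failures apart. The other three hunks pass `{ credentials: readOnlyApiToken }` and `{ credentials: fullAccessApiToken }` directly, which suggests the nesting is a slip. I would change that line to `{ credentials: readOnlyApiToken },` and also assert on the message verify() throws for a scope mismatch, so the test pins the rule this commit changes. Each test body begins and ends outside its hunk.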


@ -3,6 +3,8 @@
const constants = require('../services/constants'); const constants = require('../services/constants');
const { getService } = require('../utils'); const { getService } = require('../utils');
const isReadScope = scope => scope.endsWith('find') || scope.endsWith('findOne');
/** @type {import('.').AuthenticateFunction} */ /** @type {import('.').AuthenticateFunction} */
const authenticate = async ctx => { const authenticate = async ctx => {
const apiTokenService = getService('api-token'); const apiTokenService = getService('api-token');
@ -47,7 +49,8 @@ const verify = (auth, config) => {
* If you don't have `full-access` you can only access `find` and `findOne` * If you don't have `full-access` you can only access `find` and `findOne`
* scopes. If the route has no scope, then you can't get access to it. * scopes. If the route has no scope, then you can't get access to it.
*/ */
if (config.scope && (config.scope.endsWith('find') || config.scope.endsWith('findOne'))) {
if (config.scope && config.scope.every(isReadScope)) {
return; return;
} }
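Review bot: In the -47 hunk, `config.scope.every(isReadScope)` is vacuously true for an empty array, so a route whose scope is `[]` is granted to a read-only token, contradicting the docblock right above it ("If the route has no scope, then you can't get access to it"); the old string check failed on `''` because it is falsy, but `[]` is truthy. The guard should require a non-empty array: `if (Array.isArray(config.scope) && config.scope.length > 0 && config.scope.every(isReadScope)) {`. The `Array.isArray` test also avoids a TypeError if a route definition still carries `scope` as a string, the format before this commit. A one-line comment above `isReadScope` in the first hunk, e.g. `// Suffix match: any scope whose action name ends in "find" or "findOne" counts as read-only`, would make the matching rule explicit. `verify` begins before the hunk and its remaining branches run past it.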


@ -11,7 +11,7 @@ const createRouteScopeGenerator = namespace => route => {
_.defaultsDeep(route, { _.defaultsDeep(route, {
config: { config: {
auth: { auth: {
scope: `${prefix}${controller}.${action}`, scope: [`${prefix}${controller}.${action}`],
}, },
}, },
}); });
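Review bot: `_.defaultsDeep` only fills keys that are undefined, so a route that already declares `config.auth.scope` as a string (the format before this commit) keeps that string and reaches the auth strategy unconverted, where the new `scope.every(...)` check would throw; whether the route schema rejects it first depends on validation running before this generator, which the hunk does not show. A normalisation ahead of the defaults call keeps older definitions working, e.g. `const scope = _.get(route, 'config.auth.scope');` followed by `if (typeof scope === 'string') _.set(route, 'config.auth.scope', [scope]);`. `createRouteScopeGenerator` begins before the hunk, and `prefix`, `controller` and `action` are bound outside it.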


@ -44,6 +44,18 @@ const routeSchema = yup.object({
}), }),
config: yup config: yup
.object({ .object({
auth: yup.lazy(value => {
if (value === false) {
return yup.boolean().required();
}
return yup.object({
scope: yup
.array()
.of(yup.string())
.required(),
});
}),
policies: yup policies: yup
.array() .array()
.of(policyOrMiddlewareSchema) .of(policyOrMiddlewareSchema)
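Review bot: The new `scope` rule accepts an empty list: `yup.array().of(yup.string()).required()` guarantees the key is present but, depending on the yup version in use, may not reject `[]`, and an empty scope array is exactly the value the api-token strategy's `every` check lets through. Adding `.min(1)` states the intent regardless of version: `.of(yup.string()).min(1).required()`. The lazy branch also routes every `auth` value other than `false` through the object shape, so `auth: true` would fail validation; if that is intended, a short comment on the `if (value === false)` line saying so would save the next reader a check. `routeSchema` starts before the hunk and continues past it.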