Merge pull request #11579 from strapi/v4/allow-access-token-param

Allow access_token query param for auth

packages/core/admin/server/strategies/api-token.js

@@ -6,22 +6,32 @@ const { getService } = require('../utils');
 
 const isReadScope = scope => scope.endsWith('find') || scope.endsWith('findOne');
 
+const extractToken = ctx => {
+  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
+    const parts = ctx.request.header.authorization.split(/\s+/);
+
+    if (parts[0].toLowerCase() !== 'bearer' || parts.length !== 2) {
+      return null;
+    }
+
+    return parts[1];
+  }
+  if (ctx.query.access_token) {
+    return ctx.query.access_token;
+  }
+
+  return null;
+};
+
 /** @type {import('.').AuthenticateFunction} */
 const authenticate = async ctx => {
   const apiTokenService = getService('api-token');
-  const { authorization } = ctx.request.header;
+  const token = extractToken(ctx);
 
-  if (!authorization) {
+  if (!token) {
     return { authenticated: false };
   }
 
-  const parts = authorization.split(/\s+/);
-
-  if (parts[0].toLowerCase() !== 'bearer' || parts.length !== 2) {
-    return { authenticated: false };
-  }
-
-  const token = parts[1];
   const apiToken = await apiTokenService.getBy({
     accessKey: apiTokenService.hash(token),
   });

packages/plugins/users-permissions/server/services/jwt.js

@@ -8,32 +8,23 @@
 
 const _ = require('lodash');
 const jwt = require('jsonwebtoken');
-const { ValidationError } = require('@strapi/utils').errors;
 
 module.exports = ({ strapi }) => ({
   getToken(ctx) {
-    const params = _.assign({}, ctx.request.body, ctx.request.query);
-
-    let token = '';
+    let token;
 
     if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
-      const parts = ctx.request.header.authorization.split(' ');
+      const parts = ctx.request.header.authorization.split(/\s+/);
 
-      if (parts.length === 2) {
-        const scheme = parts[0];
-        const credentials = parts[1];
-        if (/^Bearer$/i.test(scheme)) {
-          token = credentials;
-        }
-      } else {
-        throw new ValidationError(
-          'Invalid authorization header format. Format is Authorization: Bearer [token]'
-        );
+      if (parts[0].toLowerCase() !== 'bearer' || parts.length !== 2) {
+        return null;
       }
-    } else if (params.token) {
-      token = params.token;
+
+      token = parts[1];
+    } else if (ctx.query.access_token) {
+      token = ctx.query.access_token;
     } else {
-      throw new ValidationError('No authorization header was found');
+      return null;
     }
 
     return this.verify(token);

packages/plugins/users-permissions/server/strategies/users-permissions.js

@@ -10,9 +10,11 @@ const getAdvancedSettings = () => {
 };
 
 const authenticate = async ctx => {
-  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
-    try {
-      const { id } = await getService('jwt').getToken(ctx);
+  try {
+    const token = await getService('jwt').getToken(ctx);
+
+    if (token) {
+      const { id } = token;
 
       if (id === undefined) {
         return { authenticated: false };
@@ -41,25 +43,25 @@ const authenticate = async ctx => {
         authenticated: true,
         credentials: user,
       };
-    } catch (err) {
+    }
+
+    const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
+      where: {
+        role: { type: 'public' },
+      },
+    });
+
+    if (publicPermissions.length === 0) {
       return { authenticated: false };
     }
-  }
 
-  const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
-    where: {
-      role: { type: 'public' },
-    },
-  });
-
-  if (publicPermissions.length === 0) {
+    return {
+      authenticated: true,
+      credentials: null,
+    };
+  } catch (err) {
     return { authenticated: false };
   }
-
-  return {
-    authenticated: true,
-    credentials: null,
-  };
 };
 
 const verify = async (auth, config) => {