Merge branch 'dev' of https://github.com/umami-software/umami into dev

2026-02-06 13:47:15 +01:00 · 2026-01-22 19:17:22 -08:00 · 2026-01-22 19:17:22 -08:00 · 4c9b2f10da
commit 4c9b2f10da
parent adea3e9b1c c88425332b
20 changed files with 349 additions and 168 deletions
--- a/src/app/(main)/admin/users/UserAddForm.tsx
+++ b/src/app/(main)/admin/users/UserAddForm.tsx
@ -10,6 +10,7 @@ import {
  TextField,
 } from '@umami/react-zen';
 import { useMessages, useUpdateQuery } from '@/components/hooks';
+import { messages } from '@/components/messages';
 import { ROLES } from '@/lib/constants';

 export function UserAddForm({ onSave, onClose }) {
@ -37,7 +38,10 @@ export function UserAddForm({ onSave, onClose }) {
      <FormField
        label={formatMessage(labels.password)}
        name="password"
-        rules={{ required: formatMessage(labels.required) }}
+        rules={{
+          required: formatMessage(labels.required),
+          minLength: { value: 8, message: formatMessage(messages.minPasswordLength, { n: '8' }) },
+        }}
      >
        <PasswordField autoComplete="new-password" data-test="input-password" />
      </FormField>
--- a/src/app/api/auth/logout/route.ts
+++ b/src/app/api/auth/logout/route.ts
@ -1,7 +1,14 @@
 import redis from '@/lib/redis';
+import { parseRequest } from '@/lib/request';
 import { ok } from '@/lib/response';

 export async function POST(request: Request) {
+  const { error } = await parseRequest(request);
+
+  if (error) {
+    return error();
+  }
+
  if (redis.enabled) {
    const token = request.headers.get('authorization')?.split(' ')?.[1];

--- a/src/app/api/auth/sso/route.ts
+++ b/src/app/api/auth/sso/route.ts
@ -1,7 +1,7 @@
 import { saveAuth } from '@/lib/auth';
 import redis from '@/lib/redis';
 import { parseRequest } from '@/lib/request';
-import { json } from '@/lib/response';
+import { json, serverError } from '@/lib/response';

 export async function POST(request: Request) {
  const { auth, error } = await parseRequest(request);
@ -10,9 +10,13 @@ export async function POST(request: Request) {
    return error();
  }

-  if (redis.enabled) {
-    const token = await saveAuth({ userId: auth.user.id }, 86400);
-
-    return json({ user: auth.user, token });
+  if (!redis.enabled) {
+    return serverError({
+      message: 'Redis is disabled',
+    });
  }
+
+  const token = await saveAuth({ userId: auth.user.id }, 86400);
+
+  return json({ user: auth.user, token });
 }
--- a/src/app/api/users/[userId]/route.ts
+++ b/src/app/api/users/[userId]/route.ts
@ -1,7 +1,7 @@
 import { z } from 'zod';
 import { hashPassword } from '@/lib/password';
 import { parseRequest } from '@/lib/request';
-import { badRequest, json, ok, unauthorized } from '@/lib/response';
+import { badRequest, json, notFound, ok, unauthorized } from '@/lib/response';
 import { userRoleParam } from '@/lib/schema';
 import { canDeleteUser, canUpdateUser, canViewUser } from '@/permissions';
 import { deleteUser, getUser, getUserByUsername, updateUser } from '@/queries/prisma';
@ -27,7 +27,7 @@ export async function GET(request: Request, { params }: { params: Promise<{ user
 export async function POST(request: Request, { params }: { params: Promise<{ userId: string }> }) {
  const schema = z.object({
    username: z.string().max(255).optional(),
-    password: z.string().max(255).optional(),
+    password: z.string().min(8).max(255).optional(),
    role: userRoleParam.optional(),
  });

@ -47,6 +47,10 @@ export async function POST(request: Request, { params }: { params: Promise<{ use

  const user = await getUser(userId);

+  if (!user) {
+    return notFound();
+  }
+
  const data: any = {};

  if (password) {
--- a/src/app/api/users/route.ts
+++ b/src/app/api/users/route.ts
@ -4,6 +4,7 @@ import { uuid } from '@/lib/crypto';
 import { hashPassword } from '@/lib/password';
 import { parseRequest } from '@/lib/request';
 import { badRequest, json, unauthorized } from '@/lib/response';
+import { userRoleParam } from '@/lib/schema';
 import { canCreateUser } from '@/permissions';
 import { createUser, getUserByUsername } from '@/queries/prisma';

@ -11,8 +12,8 @@ export async function POST(request: Request) {
  const schema = z.object({
    id: z.uuid().optional(),
    username: z.string().max(255),
-    password: z.string(),
-    role: z.string().regex(/admin|user|view-only/i),
+    password: z.string().min(8).max(255),
+    role: userRoleParam,
  });

  const { auth, body, error } = await parseRequest(request, schema);
--- a/src/app/api/websites/[websiteId]/segments/route.ts
+++ b/src/app/api/websites/[websiteId]/segments/route.ts
@ -2,7 +2,7 @@ import { z } from 'zod';
 import { uuid } from '@/lib/crypto';
 import { getQueryFilters, parseRequest } from '@/lib/request';
 import { json, unauthorized } from '@/lib/response';
-import { anyObjectParam, searchParams, segmentTypeParam } from '@/lib/schema';
+import { searchParams, segmentParamSchema, segmentTypeParam } from '@/lib/schema';
 import { canUpdateWebsite, canViewWebsite } from '@/permissions';
 import { createSegment, getWebsiteSegments } from '@/queries/prisma';

@ -42,7 +42,7 @@ export async function POST(
  const schema = z.object({
    type: segmentTypeParam,
    name: z.string().max(200),
-    parameters: anyObjectParam,
+    parameters: segmentParamSchema,
  });

  const { auth, body, error } = await parseRequest(request, schema);
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@ -1,7 +1,6 @@
 import debug from 'debug';
 import { ROLE_PERMISSIONS, ROLES, SHARE_TOKEN_HEADER } from '@/lib/constants';
-import { secret } from '@/lib/crypto';
-import { getRandomChars } from '@/lib/generate';
+import { createAuthKey, secret } from '@/lib/crypto';
 import { createSecureToken, parseSecureToken, parseToken } from '@/lib/jwt';
 import redis from '@/lib/redis';
 import { ensureArray } from '@/lib/utils';
@ -53,7 +52,7 @@ export async function checkAuth(request: Request) {
 }

 export async function saveAuth(data: any, expire = 0) {
-  const authKey = `auth:${getRandomChars(32)}`;
+  const authKey = `auth:${createAuthKey()}`;

  if (redis.enabled) {
    await redis.client.set(authKey, data);
--- a/src/lib/crypto.ts
+++ b/src/lib/crypto.ts
@ -63,3 +63,7 @@ export function uuid(...args: any) {

  return process.env.USE_UUIDV7 ? v7() : v4();
 }
+
+export function createAuthKey() {
+  return crypto.randomBytes(16).toString('hex');
+}
--- a/src/lib/entity.ts
+++ b/src/lib/entity.ts
@ -1,6 +1,7 @@
+import type { Link, Pixel, Website } from '@/generated/prisma/client';
 import { getLink, getPixel, getWebsite } from '@/queries/prisma';

-export async function getEntity(entityId: string) {
+export async function getEntity(entityId: string): Promise<Website | Link | Pixel | null> {
  const website = await getWebsite(entityId);
  const link = await getLink(entityId);
  const pixel = await getPixel(entityId);
--- a/src/lib/schema.ts
+++ b/src/lib/schema.ts
@ -104,6 +104,23 @@ export const reportTypeParam = z.enum([
  'utm',
 ]);

+export const operatorParam = z.enum([
+  'eq',
+  'neq',
+  's',
+  'ns',
+  'c',
+  'dnc',
+  't',
+  'f',
+  'gt',
+  'lt',
+  'gte',
+  'lte',
+  'bf',
+  'af',
+]);
+
 export const goalReportSchema = z.object({
  type: z.literal('goal'),
  parameters: z
@ -157,7 +174,7 @@ export const retentionReportSchema = z.object({
  parameters: z.object({
    startDate: z.coerce.date(),
    endDate: z.coerce.date(),
-    timezone: z.string().optional(),
+    timezone: timezoneParam.optional(),
  }),
 });

@ -175,7 +192,7 @@ export const revenueReportSchema = z.object({
    startDate: z.coerce.date(),
    endDate: z.coerce.date(),
    unit: unitParam.optional(),
-    timezone: z.string().optional(),
+    timezone: timezoneParam.optional(),
    currency: z.string(),
  }),
 });
@ -231,3 +248,22 @@ export const reportResultSchema = z.intersection(
 );

 export const segmentTypeParam = z.enum(['segment', 'cohort']);
+
+export const segmentParamSchema = z.object({
+  filters: z
+    .array(
+      z.object({
+        name: z.string(),
+        operator: operatorParam,
+        value: z.string(),
+      }),
+    )
+    .optional(),
+  dateRange: z.string().optional(),
+  action: z
+    .object({
+      type: z.string(),
+      value: z.string(),
+    })
+    .optional(),
+});
--- a/src/permissions/team.ts
+++ b/src/permissions/team.ts
@ -16,7 +16,7 @@ export async function canCreateTeam({ user }: Auth) {
    return true;
  }

-  return !!user;
+  return hasPermission(user.role, PERMISSIONS.teamCreate);
 }

 export async function canUpdateTeam({ user }: Auth, teamId: string) {
--- a/src/permissions/website.ts
+++ b/src/permissions/website.ts
@ -1,7 +1,8 @@
 import { hasPermission } from '@/lib/auth';
 import { PERMISSIONS } from '@/lib/constants';
+import { getEntity } from '@/lib/entity';
 import type { Auth } from '@/lib/types';
-import { getLink, getPixel, getTeamUser, getWebsite } from '@/queries/prisma';
+import { getTeamUser, getWebsite } from '@/queries/prisma';

 export async function canViewWebsite({ user, shareToken }: Auth, websiteId: string) {
  if (user?.isAdmin) {
@ -12,11 +13,7 @@ export async function canViewWebsite({ user, shareToken }: Auth, websiteId: stri
    return true;
  }

-  const website = await getWebsite(websiteId);
-  const link = await getLink(websiteId);
-  const pixel = await getPixel(websiteId);
-
-  const entity = website || link || pixel;
+  const entity = await getEntity(websiteId);

  if (!entity) {
    return false;
--- a/src/queries/prisma/user.ts
+++ b/src/queries/prisma/user.ts
@ -18,7 +18,7 @@ async function findUser(criteria: Prisma.UserFindUniqueArgs, options: GetUserOpt
    ...criteria,
    where: {
      ...criteria.where,
-      ...(showDeleted && { deletedAt: null }),
+      ...(showDeleted ? {} : { deletedAt: null }),
    },
    select: {
      id: true,