budibase/packages/server/api/controllers/auth.js

58 lines
1.6 KiB
JavaScript
Raw Normal View History

2020-05-07 11:53:34 +02:00
const jwt = require("jsonwebtoken")
const CouchDB = require("../../db")
const bcrypt = require("../../utilities/bcrypt")
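/**
 * Login handler: verifies a username/password against the user's instance
 * database and, on success, issues a JWT both as a cookie and in the body.
 *
 * Reads `ctx.request.body` ({ username, password }), the `Referer` header
 * (to derive the appId — see TODO below) and `ctx.config.jwtSecret`.
 *
 * @param {object} ctx - Koa context.
 * @throws 400 when username, password or a usable Referer is missing.
 * @throws 401 when the credentials cannot be verified. An unknown user, a user
 *   with no instance in this app and a wrong password all yield the same 401
 *   so the endpoint does not reveal which accounts exist.
 */
exports.authenticate = async ctx => {
  const { username, password } = ctx.request.body

  if (!username) ctx.throw(400, "Username Required.")
  if (!password) ctx.throw(400, "Password Required")

  // TODO: Don't use this. It can't be relied on — the Referer header is
  // client-controlled and may be absent entirely, so the appId should come
  // from the route or the request body instead. Until then, fail with a 400
  // rather than a TypeError when it is missing.
  const referer = ctx.request.headers.referer
  if (typeof referer !== "string") ctx.throw(400, "Referer header required.")
  const appId = referer.split("/")[3]
  if (!appId) ctx.throw(400, "Could not determine app from Referer.")

  // find the instance that the user is associated with
  const db = new CouchDB(`client-${process.env.CLIENT_ID}`)
  const app = await db.get(appId)
  // own-property lookup: username is attacker-supplied, so a bare
  // `map[username]` would resolve "constructor" / "__proto__" to inherited
  // values and treat them as an instance id
  const userInstanceMap = app.userInstanceMap || {}
  const instanceId = Object.prototype.hasOwnProperty.call(
    userInstanceMap,
    username
  )
    ? userInstanceMap[username]
    : undefined

  // same message as a wrong password, to avoid account enumeration
  if (!instanceId) ctx.throw(401, "Invalid credentials.")

  // Check the user exists in the instance DB by username
  const instanceDb = new CouchDB(instanceId)
  const { rows } = await instanceDb.query("database/by_username", {
    include_docs: true,
    username,
  })

  if (rows.length === 0) ctx.throw(401, "Invalid credentials.")

  // split the stored hash off so it is never echoed back to the client
  const { password: storedHash, ...safeUser } = rows[0].doc

  // authenticate
  if (!(await bcrypt.compare(password, storedHash))) {
    ctx.throw(401, "Invalid credentials.")
  }

  const payload = {
    userId: safeUser._id,
    accessLevel: "",
    instanceId,
  }

  const token = jwt.sign(payload, ctx.config.jwtSecret, {
    expiresIn: "1 day",
  })

  // Date.now() is in milliseconds; the previous `24 * 3600` expired the
  // cookie after ~86 seconds while the JWT itself lasted a day.
  const ONE_DAY_MS = 24 * 60 * 60 * 1000
  const ONE_DAY_FROM_NOW = new Date(Date.now() + ONE_DAY_MS)
  // httpOnly is Koa's default; stated explicitly so the token stays out of
  // reach of page scripts even if defaults change
  ctx.cookies.set("budibase:token", token, {
    expires: ONE_DAY_FROM_NOW,
    httpOnly: true,
  })

  ctx.body = {
    token,
    ...safeUser,
  }
}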