budibase/packages/server/src/middleware/authenticated.js

const jwt = require("jsonwebtoken")
const STATUS_CODES = require("../utilities/statusCodes")
const accessLevelController = require("../api/controllers/accesslevel")
const {
  ADMIN_LEVEL_ID,
  POWERUSER_LEVEL_ID,
  BUILDER_LEVEL_ID,
  ANON_LEVEL_ID,
} = require("../utilities/accessLevels")

module.exports = async (ctx, next) => {
  if (ctx.path === "/_builder") {
    await next()
    return
  }

  const appToken = ctx.cookies.get("budibase:token")
  const builderToken = ctx.cookies.get("builder:token")

  if (builderToken) {
    try {
      const jwtPayload = jwt.verify(builderToken, ctx.config.jwtSecret)
      ctx.auth = {
        apiKey: jwtPayload.apiKey,
        authenticated: jwtPayload.accessLevelId === BUILDER_LEVEL_ID,
      }
      ctx.user = {
        ...jwtPayload,
        accessLevel: await getAccessLevel(
          jwtPayload.instanceId,
          jwtPayload.accessLevelId
        ),
      }
    } catch (_) {
      // empty: do nothing
    }

    await next()
    return
  }

  if (!appToken) {
    ctx.auth.authenticated = false
    await next()
    return
  }

  try {
    const jwtPayload = jwt.verify(appToken, ctx.config.jwtSecret)
    ctx.user = {
      ...jwtPayload,
      accessLevel: await getAccessLevel(
        jwtPayload.instanceId,
        jwtPayload.accessLevelId
      ),
    }
    ctx.auth = {
      authenticated: ctx.user.accessLevelId !== ANON_LEVEL_ID,
      apiKey: jwtPayload.apiKey,
    }
  } catch (err) {
    ctx.throw(err.status || STATUS_CODES.FORBIDDEN, err.text)
  }

  await next()
}

/**
 * Return the full access level object either from constants
 * or the database based on the access level ID passed.
 *
 * @param {*} instanceId - instanceId of the user
 * @param {*} accessLevelId - the id of the users access level
 */
const getAccessLevel = async (instanceId, accessLevelId) => {
  if (
    accessLevelId === POWERUSER_LEVEL_ID ||
    accessLevelId === ADMIN_LEVEL_ID ||
    accessLevelId === BUILDER_LEVEL_ID ||
    accessLevelId === ANON_LEVEL_ID
  ) {
    return {
      _id: accessLevelId,
      name: accessLevelId,
      permissions: [],
    }
  }

  const findAccessContext = {
    params: {
      levelId: accessLevelId,
    },
    user: {
      instanceId,
    },
  }
  await accessLevelController.find(findAccessContext)
  return findAccessContext.body
}
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`const jwt = require("jsonwebtoken")`
server tests in-memory and passing 2020-05-14 16:12:30 +02:00			`const STATUS_CODES = require("../utilities/statusCodes")`
access levels 2020-05-27 18:23:01 +02:00			`const accessLevelController = require("../api/controllers/accesslevel")`
			`const {`
			`ADMIN_LEVEL_ID,`
			`POWERUSER_LEVEL_ID,`
instanceid removal 2020-06-18 17:59:31 +02:00			`BUILDER_LEVEL_ID,`
			`ANON_LEVEL_ID,`
access levels 2020-05-27 18:23:01 +02:00			`} = require("../utilities/accessLevels")`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00
			`module.exports = async (ctx, next) => {`
removing Authorization header 2020-05-18 12:53:04 +02:00			`if (ctx.path === "/_builder") {`
server tests in-memory and passing 2020-05-14 16:12:30 +02:00			`await next()`
further simplification of server code 2020-05-07 15:04:32 +02:00			`return`
			`}`

logic to not use builder:token for apps running in dev 2020-06-03 18:05:36 +02:00			`const appToken = ctx.cookies.get("budibase:token")`
			`const builderToken = ctx.cookies.get("builder:token")`

removed x-user-agent 2020-06-19 17:59:46 +02:00			`if (builderToken) {`
instanceid removal 2020-06-18 17:59:31 +02:00			`try {`
			`const jwtPayload = jwt.verify(builderToken, ctx.config.jwtSecret)`
adding auth object to context rather than separate booleans 2020-10-12 14:32:52 +02:00			`ctx.auth = {`
			`apiKey: jwtPayload.apiKey,`
			`authenticated: jwtPayload.accessLevelId === BUILDER_LEVEL_ID,`
			`}`
instanceid removal 2020-06-18 17:59:31 +02:00			`ctx.user = {`
			`...jwtPayload,`
			`accessLevel: await getAccessLevel(`
			`jwtPayload.instanceId,`
			`jwtPayload.accessLevelId`
			`),`
			`}`
			`} catch (_) {`
			`// empty: do nothing`
			`}`
logic to not use builder:token for apps running in dev 2020-06-03 18:05:36 +02:00
removing clientId from frontend, fixing invalid database name 2020-05-18 07:40:29 +02:00			`await next()`
			`return`
			`}`

logic to not use builder:token for apps running in dev 2020-06-03 18:05:36 +02:00			`if (!appToken) {`
adding auth object to context rather than separate booleans 2020-10-12 14:32:52 +02:00			`ctx.auth.authenticated = false`
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`await next()`
			`return`
			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00
			`try {`
logic to not use builder:token for apps running in dev 2020-06-03 18:05:36 +02:00			`const jwtPayload = jwt.verify(appToken, ctx.config.jwtSecret)`
access levels 2020-05-27 18:23:01 +02:00			`ctx.user = {`
			`...jwtPayload,`
			`accessLevel: await getAccessLevel(`
			`jwtPayload.instanceId,`
			`jwtPayload.accessLevelId`
			`),`
			`}`
adding auth object to context rather than separate booleans 2020-10-12 14:32:52 +02:00			`ctx.auth = {`
			`authenticated: ctx.user.accessLevelId !== ANON_LEVEL_ID,`
			`apiKey: jwtPayload.apiKey,`
			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00			`} catch (err) {`
further simplification of server code 2020-05-07 15:04:32 +02:00			`ctx.throw(err.status \|\| STATUS_CODES.FORBIDDEN, err.text)`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00			`}`

formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`await next()`
			`}`
access levels 2020-05-27 18:23:01 +02:00
upload assets to s3 2020-06-29 19:57:17 +02:00			`/**`
lint :sparkles: 2020-07-07 22:29:20 +02:00			`* Return the full access level object either from constants`
upload assets to s3 2020-06-29 19:57:17 +02:00			`* or the database based on the access level ID passed.`
lint :sparkles: 2020-07-07 22:29:20 +02:00			`*`
upload assets to s3 2020-06-29 19:57:17 +02:00			`* @param {*} instanceId - instanceId of the user`
lint :sparkles: 2020-07-07 22:29:20 +02:00			`* @param {*} accessLevelId - the id of the users access level`
upload assets to s3 2020-06-29 19:57:17 +02:00			`*/`
access levels 2020-05-27 18:23:01 +02:00			`const getAccessLevel = async (instanceId, accessLevelId) => {`
			`if (`
			`accessLevelId === POWERUSER_LEVEL_ID \|\|`
instanceid removal 2020-06-18 17:59:31 +02:00			`accessLevelId === ADMIN_LEVEL_ID \|\|`
			`accessLevelId === BUILDER_LEVEL_ID \|\|`
			`accessLevelId === ANON_LEVEL_ID`
access levels 2020-05-27 18:23:01 +02:00			`) {`
			`return {`
			`_id: accessLevelId,`
			`name: accessLevelId,`
			`permissions: [],`
			`}`
			`}`

			`const findAccessContext = {`
			`params: {`
			`levelId: accessLevelId,`
fixing broken tests 2020-06-18 21:41:37 +02:00			`},`
			`user: {`
access levels 2020-05-27 18:23:01 +02:00			`instanceId,`
			`},`
			`}`
			`await accessLevelController.find(findAccessContext)`
			`return findAccessContext.body`
			`}`