budibase/packages/auth/src/middleware/authenticated.js

const { Cookies } = require("../constants")
const database = require("../db")
const { getCookie, clearCookie } = require("../utils")
const { StaticDatabases } = require("../db/utils")
const env = require("../environment")

const PARAM_REGEX = /\/:(.*?)\//g

function buildNoAuthRegex(patterns) {
  return patterns.map(pattern => {
    const isObj = typeof pattern === "object" && pattern.route
    const method = isObj ? pattern.method : "GET"
    let route = isObj ? pattern.route : pattern

    const matches = route.match(PARAM_REGEX)
    if (matches) {
      for (let match of matches) {
        route = route.replace(match, "/.*/")
      }
    }
    return { regex: new RegExp(route), method }
  })
}

module.exports = (noAuthPatterns = [], opts) => {
  const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
  return async (ctx, next) => {
    // the path is not authenticated
    const found = noAuthOptions.find(({ regex, method }) => {
      return (
        regex.test(ctx.request.url) &&
        ctx.request.method.toLowerCase() === method.toLowerCase()
      )
    })
    if (found != null) {
      return next()
    }
    try {
      const apiKey = ctx.request.headers["x-budibase-api-key"]
      // check the actual user is authenticated first
      const authCookie = getCookie(ctx, Cookies.Auth)

      // this is an internal request, no user made it
      if (apiKey && apiKey === env.INTERNAL_API_KEY) {
        ctx.isAuthenticated = true
        ctx.internal = true
      } else if (authCookie) {
        try {
          const db = database.getDB(StaticDatabases.GLOBAL.name)
          const user = await db.get(authCookie.userId)
          delete user.password
          ctx.isAuthenticated = true
          ctx.user = user
        } catch (err) {
          // remove the cookie as the use does not exist anymore
          clearCookie(ctx, Cookies.Auth)
        }
      }
      // be explicit
      if (ctx.isAuthenticated !== true) {
        ctx.isAuthenticated = false
      }
      return next()
    } catch (err) {
      // allow configuring for public access
      if (opts && opts.publicAllowed) {
        ctx.isAuthenticated = false
      } else {
        ctx.throw(err.status || 403, err)
      }
    }
  }
}
login page 2021-04-11 12:35:55 +02:00			`const { Cookies } = require("../constants")`
config specificity 2021-04-22 12:45:22 +02:00			`const database = require("../db")`
Updating test cases and some re-work of the email system. 2021-04-23 19:07:39 +02:00			`const { getCookie, clearCookie } = require("../utils")`
config specificity 2021-04-22 12:45:22 +02:00			`const { StaticDatabases } = require("../db/utils")`
Some updates, working towards supporting automation send smtp email also removing the styling template, adding to base. 2021-05-11 13:02:29 +02:00			`const env = require("../environment")`
login page 2021-04-11 12:35:55 +02:00
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`const PARAM_REGEX = /\/:(.*?)\//g`
Fixing login issue. 2021-04-28 15:28:25 +02:00
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`function buildNoAuthRegex(patterns) {`
			`return patterns.map(pattern => {`
			`const isObj = typeof pattern === "object" && pattern.route`
			`const method = isObj ? pattern.method : "GET"`
			`let route = isObj ? pattern.route : pattern`

			`const matches = route.match(PARAM_REGEX)`
			`if (matches) {`
			`for (let match of matches) {`
			`route = route.replace(match, "/.*/")`
			`}`
			`}`
			`return { regex: new RegExp(route), method }`
			`})`
Fixing login issue. 2021-04-28 15:28:25 +02:00			`}`

Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`module.exports = (noAuthPatterns = [], opts) => {`
			`const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`return async (ctx, next) => {`
			`// the path is not authenticated`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`const found = noAuthOptions.find(({ regex, method }) => {`
			`return (`
			`regex.test(ctx.request.url) &&`
			`ctx.request.method.toLowerCase() === method.toLowerCase()`
			`)`
			`})`
			`if (found != null) {`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`return next()`
login page 2021-04-11 12:35:55 +02:00			`}`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`try {`
Some updates, working towards supporting automation send smtp email also removing the styling template, adding to base. 2021-05-11 13:02:29 +02:00			`const apiKey = ctx.request.headers["x-budibase-api-key"]`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`// check the actual user is authenticated first`
			`const authCookie = getCookie(ctx, Cookies.Auth)`

Some updates, working towards supporting automation send smtp email also removing the styling template, adding to base. 2021-05-11 13:02:29 +02:00			`// this is an internal request, no user made it`
Changing INTERNAL_KEY to INTERNAL_API_KEY. 2021-05-11 16:23:03 +02:00			`if (apiKey && apiKey === env.INTERNAL_API_KEY) {`
Some updates, working towards supporting automation send smtp email also removing the styling template, adding to base. 2021-05-11 13:02:29 +02:00			`ctx.isAuthenticated = true`
Updating administration middleware so that internal requests allowed through automatically. 2021-05-21 17:43:01 +02:00			`ctx.internal = true`
Some updates, working towards supporting automation send smtp email also removing the styling template, adding to base. 2021-05-11 13:02:29 +02:00			`} else if (authCookie) {`
Updating test cases and some re-work of the email system. 2021-04-23 19:07:39 +02:00			`try {`
			`const db = database.getDB(StaticDatabases.GLOBAL.name)`
			`const user = await db.get(authCookie.userId)`
			`delete user.password`
			`ctx.isAuthenticated = true`
			`ctx.user = user`
			`} catch (err) {`
			`// remove the cookie as the use does not exist anymore`
			`clearCookie(ctx, Cookies.Auth)`
			`}`
			`}`
			`// be explicit`
			`if (ctx.isAuthenticated !== true) {`
			`ctx.isAuthenticated = false`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`}`
			`return next()`
			`} catch (err) {`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`// allow configuring for public access`
			`if (opts && opts.publicAllowed) {`
			`ctx.isAuthenticated = false`
			`} else {`
			`ctx.throw(err.status \|\| 403, err)`
			`}`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`}`
login page 2021-04-11 12:35:55 +02:00			`}`
			`}`