budibase/packages/server/src/middleware/authorized.js

const {
  BUILTIN_ROLE_IDS,
  getUserPermissionIds,
} = require("../utilities/security/roles")
const {
  PermissionTypes,
  doesHavePermission,
} = require("../utilities/security/permissions")
const env = require("../environment")
const { isAPIKeyValid } = require("../utilities/security/apikey")
const { AuthTypes } = require("../constants")

const ADMIN_ROLES = [BUILTIN_ROLE_IDS.ADMIN, BUILTIN_ROLE_IDS.BUILDER]

const LOCAL_PASS = new RegExp(["webhooks/trigger", "webhooks/schema"].join("|"))

module.exports = (permType, permLevel = null) => async (ctx, next) => {
  // webhooks can pass locally
  if (!env.CLOUD && LOCAL_PASS.test(ctx.request.url)) {
    return next()
  }
  if (env.CLOUD && ctx.headers["x-api-key"] && ctx.headers["x-instanceid"]) {
    // api key header passed by external webhook
    if (await isAPIKeyValid(ctx.headers["x-api-key"])) {
      ctx.auth = {
        authenticated: AuthTypes.EXTERNAL,
        apiKey: ctx.headers["x-api-key"],
      }
      ctx.user = {
        appId: ctx.headers["x-instanceid"],
      }
      return next()
    }

    ctx.throw(403, "API key invalid")
  }

  // don't expose builder endpoints in the cloud
  if (env.CLOUD && permType === PermissionTypes.BUILDER) return

  if (!ctx.auth.authenticated) {
    ctx.throw(403, "Session not authenticated")
  }

  if (!ctx.user) {
    ctx.throw(403, "User not found")
  }

  const role = ctx.user.role
  const permissions = await getUserPermissionIds(ctx.appId, role._id)
  if (ADMIN_ROLES.indexOf(role._id) !== -1) {
    return next()
  }

  if (permType === PermissionTypes.BUILDER) {
    ctx.throw(403, "Not Authorized")
  }

  if (!doesHavePermission(permType, permLevel, permissions)) {
    ctx.throw(403, "User does not have permission")
  }

  return next()
}
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-02 18:08:25 +01:00			`const {`
			`BUILTIN_ROLE_IDS,`
			`getUserPermissionIds,`
			`} = require("../utilities/security/roles")`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`const {`
			`PermissionTypes,`
			`doesHavePermission,`
			`} = require("../utilities/security/permissions")`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-28 21:35:06 +01:00			`const env = require("../environment")`
Updating API key controller in self-host mode to return self host API key. 2020-12-09 18:10:53 +01:00			`const { isAPIKeyValid } = require("../utilities/security/apikey")`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`const { AuthTypes } = require("../constants")`
access levels 2020-05-27 18:23:01 +02:00
Changing the naming of access levels to be roles. 2020-12-02 14:20:56 +01:00			`const ADMIN_ROLES = [BUILTIN_ROLE_IDS.ADMIN, BUILTIN_ROLE_IDS.BUILDER]`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00
Some initial work towards webhooks, that generates schema similar to integromat. 2020-10-22 18:48:32 +02:00			`const LOCAL_PASS = new RegExp(["webhooks/trigger", "webhooks/schema"].join("\|"))`

WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`module.exports = (permType, permLevel = null) => async (ctx, next) => {`
Some initial work towards webhooks, that generates schema similar to integromat. 2020-10-22 18:48:32 +02:00			`// webhooks can pass locally`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-28 21:35:06 +01:00			`if (!env.CLOUD && LOCAL_PASS.test(ctx.request.url)) {`
Some initial work towards webhooks, that generates schema similar to integromat. 2020-10-22 18:48:32 +02:00			`return next()`
			`}`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-28 21:35:06 +01:00			`if (env.CLOUD && ctx.headers["x-api-key"] && ctx.headers["x-instanceid"]) {`
support for external webhooks 2020-10-12 12:57:37 +02:00			`// api key header passed by external webhook`
Updating API key controller in self-host mode to return self host API key. 2020-12-09 18:10:53 +01:00			`if (await isAPIKeyValid(ctx.headers["x-api-key"])) {`
adding auth object to context rather than separate booleans 2020-10-12 14:32:52 +02:00			`ctx.auth = {`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`authenticated: AuthTypes.EXTERNAL,`
adding auth object to context rather than separate booleans 2020-10-12 14:32:52 +02:00			`apiKey: ctx.headers["x-api-key"],`
			`}`
support for external webhooks 2020-10-12 12:57:37 +02:00			`ctx.user = {`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 11:28:27 +01:00			`appId: ctx.headers["x-instanceid"],`
support for external webhooks 2020-10-12 12:57:37 +02:00			`}`
			`return next()`
			`}`

			`ctx.throw(403, "API key invalid")`
			`}`

don't show login component on logged in page, fix auth for app assets 2020-10-14 17:47:53 +02:00			`// don't expose builder endpoints in the cloud`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`if (env.CLOUD && permType === PermissionTypes.BUILDER) return`
don't show login component on logged in page, fix auth for app assets 2020-10-14 17:47:53 +02:00
adding auth object to context rather than separate booleans 2020-10-12 14:32:52 +02:00			`if (!ctx.auth.authenticated) {`
access levels 2020-05-27 18:23:01 +02:00			`ctx.throw(403, "Session not authenticated")`
			`}`

instanceid removal 2020-06-18 17:59:31 +02:00			`if (!ctx.user) {`
			`ctx.throw(403, "User not found")`
			`}`

Changing the naming of access levels to be roles. 2020-12-02 14:20:56 +01:00			`const role = ctx.user.role`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-02 18:08:25 +01:00			`const permissions = await getUserPermissionIds(ctx.appId, role._id)`
Changing the naming of access levels to be roles. 2020-12-02 14:20:56 +01:00			`if (ADMIN_ROLES.indexOf(role._id) !== -1) {`
Updates for API usage after testing against local Dynamo. 2020-10-08 18:34:41 +02:00			`return next()`
access levels 2020-05-27 18:23:01 +02:00			`}`

WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`if (permType === PermissionTypes.BUILDER) {`
access levels 2020-05-27 18:23:01 +02:00			`ctx.throw(403, "Not Authorized")`
			`}`

Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`if (!doesHavePermission(permType, permLevel, permissions)) {`
			`ctx.throw(403, "User does not have permission")`
			`}`
access levels 2020-05-27 18:23:01 +02:00
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`return next()`
access levels 2020-05-27 18:23:01 +02:00			`}`