budibase/packages/server/src/middleware/authorized.js

const { getUserPermissions } = require("@budibase/auth/roles")
const {
  PermissionTypes,
  doesHaveResourcePermission,
  doesHaveBasePermission,
} = require("@budibase/auth/permissions")
const { APP_DEV_PREFIX } = require("../db/utils")
const { doesUserHaveLock, updateLock } = require("../utilities/redis")

function hasResource(ctx) {
  return ctx.resourceId != null
}

const WEBHOOK_ENDPOINTS = new RegExp(
  ["webhooks/trigger", "webhooks/schema"].join("|")
)

async function checkDevAppLocks(ctx) {
  const appId = ctx.appId

  // if any public usage, don't proceed
  if (!ctx.user._id && !ctx.user.userId) {
    return
  }

  // not a development app, don't need to do anything
  if (!appId || !appId.startsWith(APP_DEV_PREFIX)) {
    return
  }
  if (!(await doesUserHaveLock(appId, ctx.user))) {
    ctx.throw(403, "User does not hold app lock.")
  }

  // they do have lock, update it
  await updateLock(appId, ctx.user)
}

module.exports = (permType, permLevel = null) => async (ctx, next) => {
  // webhooks don't need authentication, each webhook unique
  if (WEBHOOK_ENDPOINTS.test(ctx.request.url)) {
    return next()
  }

  if (!ctx.user) {
    return ctx.throw(403, "No user info found")
  }

  const builderCall = permType === PermissionTypes.BUILDER
  const referer = ctx.headers["referer"]
  const editingApp = referer ? referer.includes(ctx.appId) : false
  // this makes sure that builder calls abide by dev locks
  if (builderCall && editingApp) {
    await checkDevAppLocks(ctx)
  }

  const isAuthed = ctx.isAuthenticated
  const { basePermissions, permissions } = await getUserPermissions(
    ctx.appId,
    ctx.roleId
  )

  // builders for now have permission to do anything
  // TODO: in future should consider separating permissions with an require("@budibase/auth").isClient check
  let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global
  if (isBuilder) {
    return next()
  } else if (builderCall && !isBuilder) {
    return ctx.throw(403, "Not Authorized")
  }

  if (
    hasResource(ctx) &&
    doesHaveResourcePermission(permissions, permLevel, ctx)
  ) {
    return next()
  }

  if (!isAuthed) {
    ctx.throw(403, "Session not authenticated")
  }

  if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {
    ctx.throw(403, "User does not have permission")
  }

  return next()
}
A general re-work of some parts of the auth lib, as well as moving roles/permissions around to make it possible to build an admin API which has role knowledge. 2021-05-14 16:43:41 +02:00			`const { getUserPermissions } = require("@budibase/auth/roles")`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`const {`
			`PermissionTypes,`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`doesHaveResourcePermission,`
			`doesHaveBasePermission,`
A general re-work of some parts of the auth lib, as well as moving roles/permissions around to make it possible to build an admin API which has role knowledge. 2021-05-14 16:43:41 +02:00			`} = require("@budibase/auth/permissions")`
Updating locks to store the whole global user as well as implementing the locks on dev apps fetch. 2021-05-13 13:16:09 +02:00			`const { APP_DEV_PREFIX } = require("../db/utils")`
Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`const { doesUserHaveLock, updateLock } = require("../utilities/redis")`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`function hasResource(ctx) {`
			`return ctx.resourceId != null`
			`}`

Some work towards implementing the current app cookie, removing some old dead code and re-working some of the different middlewares involved. 2021-04-12 19:31:58 +02:00			`const WEBHOOK_ENDPOINTS = new RegExp(`
			`["webhooks/trigger", "webhooks/schema"].join("\|")`
			`)`
support for external webhooks 2020-10-12 12:57:37 +02:00
Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`async function checkDevAppLocks(ctx) {`
			`const appId = ctx.appId`

Fixing some issues found when testing. 2021-05-20 21:48:24 +02:00			`// if any public usage, don't proceed`
			`if (!ctx.user._id && !ctx.user.userId) {`
			`return`
			`}`

Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`// not a development app, don't need to do anything`
Updating locks to store the whole global user as well as implementing the locks on dev apps fetch. 2021-05-13 13:16:09 +02:00			`if (!appId \|\| !appId.startsWith(APP_DEV_PREFIX)) {`
Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`return`
			`}`
Updating locks to store the whole global user as well as implementing the locks on dev apps fetch. 2021-05-13 13:16:09 +02:00			`if (!(await doesUserHaveLock(appId, ctx.user))) {`
Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`ctx.throw(403, "User does not hold app lock.")`
			`}`

			`// they do have lock, update it`
Updating locks to store the whole global user as well as implementing the locks on dev apps fetch. 2021-05-13 13:16:09 +02:00			`await updateLock(appId, ctx.user)`
Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`}`

Some work towards implementing the current app cookie, removing some old dead code and re-working some of the different middlewares involved. 2021-04-12 19:31:58 +02:00			`module.exports = (permType, permLevel = null) => async (ctx, next) => {`
			`// webhooks don't need authentication, each webhook unique`
			`if (WEBHOOK_ENDPOINTS.test(ctx.request.url)) {`
			`return next()`
support for external webhooks 2020-10-12 12:57:37 +02:00			`}`

instanceid removal 2020-06-18 17:59:31 +02:00			`if (!ctx.user) {`
tests for authorized middleware 2021-03-09 12:27:12 +01:00			`return ctx.throw(403, "No user info found")`
instanceid removal 2020-06-18 17:59:31 +02:00			`}`

Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`const builderCall = permType === PermissionTypes.BUILDER`
Fixing an issue with portal calls causing the app to be re-locked. 2021-05-13 16:32:03 +02:00			`const referer = ctx.headers["referer"]`
			`const editingApp = referer ? referer.includes(ctx.appId) : false`
Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`// this makes sure that builder calls abide by dev locks`
Fixing an issue with portal calls causing the app to be re-locked. 2021-05-13 16:32:03 +02:00			`if (builderCall && editingApp) {`
Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`await checkDevAppLocks(ctx)`
			`}`

			`const isAuthed = ctx.isAuthenticated`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`const { basePermissions, permissions } = await getUserPermissions(`
			`ctx.appId,`
Some work towards implementing the current app cookie, removing some old dead code and re-working some of the different middlewares involved. 2021-04-12 19:31:58 +02:00			`ctx.roleId`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`)`
access levels 2020-05-27 18:23:01 +02:00
Some more server-side fixes, updating it so that builders have permissions to do anything for now (means that a builder user doesn't have to be present in app database to work. 2021-04-14 17:00:58 +02:00			`// builders for now have permission to do anything`
			`// TODO: in future should consider separating permissions with an require("@budibase/auth").isClient check`
Getting most of the test auth working, adding in global builder configuration. 2021-04-13 19:12:35 +02:00			`let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global`
Some more server-side fixes, updating it so that builders have permissions to do anything for now (means that a builder user doesn't have to be present in app database to work. 2021-04-14 17:00:58 +02:00			`if (isBuilder) {`
self endpoint, simple auth 2021-04-12 12:20:01 +02:00			`return next()`
Putting together redis lock system. 2021-05-12 18:37:09 +02:00			`} else if (builderCall && !isBuilder) {`
self endpoint, simple auth 2021-04-12 12:20:01 +02:00			`return ctx.throw(403, "Not Authorized")`
			`}`
access levels 2020-05-27 18:23:01 +02:00
Some more fixes after testing permissions a bit further. 2021-02-09 17:01:02 +01:00			`if (`
			`hasResource(ctx) &&`
			`doesHaveResourcePermission(permissions, permLevel, ctx)`
			`) {`
			`return next()`
			`}`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00
Adding basic permissions test which proves a public user can read from a table, but cannot write. 2021-02-09 18:24:36 +01:00			`if (!isAuthed) {`
			`ctx.throw(403, "Session not authenticated")`
			`}`

Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`ctx.throw(403, "User does not have permission")`
			`}`
access levels 2020-05-27 18:23:01 +02:00
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`return next()`
access levels 2020-05-27 18:23:01 +02:00			`}`