budibase/packages/server/src/middleware/builder.ts

import { APP_DEV_PREFIX, getGlobalIDFromUserMetadataID } from "../db/utils"
import {
  doesUserHaveLock,
  updateLock,
  checkDebounce,
  setDebounce,
} from "../utilities/redis"
import { db as dbCore, cache } from "@budibase/backend-core"
import { DocumentType, UserCtx, Database } from "@budibase/types"

const DEBOUNCE_TIME_SEC = 30

/************************************************** *
 * This middleware has been broken out of the       *
 * "authorized" middleware as it had nothing to do  *
 * with authorization, but requires the perms       *
 * imparted by it. This middleware shouldn't        *
 * be called directly, it should always be called   *
 * through the authorized middleware                *
 ****************************************************/

async function checkDevAppLocks(ctx: UserCtx) {
  const appId = ctx.appId

  // if any public usage, don't proceed
  if (!ctx.user?._id && !ctx.user?.userId) {
    return
  }

  // not a development app, don't need to do anything
  if (!appId || !appId.startsWith(APP_DEV_PREFIX)) {
    return
  }

  // If this user already owns the lock, then update it
  if (await doesUserHaveLock(appId, ctx.user)) {
    await updateLock(appId, ctx.user)
  }
}

async function updateAppUpdatedAt(ctx: UserCtx) {
  const appId = ctx.appId
  // if debouncing skip this update
  // get methods also aren't updating
  if (ctx.method === "GET" || (await checkDebounce(appId))) {
    return
  }
  await dbCore.doWithDB(appId, async (db: Database) => {
    try {
      const metadata = await db.get<any>(DocumentType.APP_METADATA)
      metadata.updatedAt = new Date().toISOString()

      metadata.updatedBy = getGlobalIDFromUserMetadataID(ctx.user?.userId!)

      const response = await db.put(metadata)
      metadata._rev = response.rev
      await cache.app.invalidateAppMetadata(appId, metadata)
      // set a new debounce record with a short TTL
      await setDebounce(appId, DEBOUNCE_TIME_SEC)
    } catch (err: any) {
      // if a 409 occurs, then multiple clients connected at the same time - ignore
      if (err?.status === 409) {
        return
      } else {
        throw err
      }
    }
  })
}

export default async function builder(ctx: UserCtx) {
  const appId = ctx.appId
  // this only functions within an app context
  if (!appId) {
    return
  }

  // check authenticated
  if (!ctx.isAuthenticated) {
    return ctx.throw(403, "Session not authenticated")
  }

  const referer = ctx.headers["referer"]

  const hasAppId = !referer ? false : referer.includes(appId)
  const editingApp = referer ? hasAppId : false
  // check this is a builder call and editing
  if (!editingApp) {
    return
  }
  // check locks
  await checkDevAppLocks(ctx)
  // set updated at time on app
  await updateAppUpdatedAt(ctx)
}
Merge branch 'develop' of github.com:Budibase/budibase into labday/sqs 2023-10-02 17:32:10 +02:00			`import { APP_DEV_PREFIX, getGlobalIDFromUserMetadataID } from "../db/utils"`
Updating middlewares to Typescript, as well as some fixes based on running tests. 2022-11-16 18:24:13 +01:00			`import {`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`doesUserHaveLock,`
			`updateLock,`
			`checkDebounce,`
			`setDebounce,`
Updating middlewares to Typescript, as well as some fixes based on running tests. 2022-11-16 18:24:13 +01:00			`} from "../utilities/redis"`
Fix for debugging with webstorm the old way (if desired), updating the builder middleware to be more multi-dev capable, ignoring 409s when attempting to update the last updated at for apps (if multiple devs hit at same time, only use one) also updating writethrough cache to retry once, with the extended TTL on locks, plus the multi-dev collab it can take a minute to update usage quota doc when a lot of updates occur at once. 2023-05-30 18:41:20 +02:00			`import { db as dbCore, cache } from "@budibase/backend-core"`
Merge branch 'develop' of github.com:Budibase/budibase into labday/sqs 2023-10-02 17:32:10 +02:00			`import { DocumentType, UserCtx, Database } from "@budibase/types"`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00
Upping debounce to 30 seconds as it has no real negative. 2021-05-21 16:14:35 +02:00			`const DEBOUNCE_TIME_SEC = 30`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00
			`/************************************************** *`
			`* This middleware has been broken out of the *`
			`* "authorized" middleware as it had nothing to do *`
			`* with authorization, but requires the perms *`
			`* imparted by it. This middleware shouldn't *`
			`* be called directly, it should always be called *`
			`* through the authorized middleware *`
			`****************************************************/`

Fix for debugging with webstorm the old way (if desired), updating the builder middleware to be more multi-dev capable, ignoring 409s when attempting to update the last updated at for apps (if multiple devs hit at same time, only use one) also updating writethrough cache to retry once, with the extended TTL on locks, plus the multi-dev collab it can take a minute to update usage quota doc when a lot of updates occur at once. 2023-05-30 18:41:20 +02:00			`async function checkDevAppLocks(ctx: UserCtx) {`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`const appId = ctx.appId`

			`// if any public usage, don't proceed`
Updating middlewares to Typescript, as well as some fixes based on running tests. 2022-11-16 18:24:13 +01:00			`if (!ctx.user?._id && !ctx.user?.userId) {`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`return`
			`}`

			`// not a development app, don't need to do anything`
			`if (!appId \|\| !appId.startsWith(APP_DEV_PREFIX)) {`
			`return`
			`}`

Remove single user restriction and notify users if they are the primary builder or not 2023-05-12 14:55:08 +02:00			`// If this user already owns the lock, then update it`
			`if (await doesUserHaveLock(appId, ctx.user)) {`
			`await updateLock(appId, ctx.user)`
			`}`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`}`

Fix for debugging with webstorm the old way (if desired), updating the builder middleware to be more multi-dev capable, ignoring 409s when attempting to update the last updated at for apps (if multiple devs hit at same time, only use one) also updating writethrough cache to retry once, with the extended TTL on locks, plus the multi-dev collab it can take a minute to update usage quota doc when a lot of updates occur at once. 2023-05-30 18:41:20 +02:00			`async function updateAppUpdatedAt(ctx: UserCtx) {`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`const appId = ctx.appId`
			`// if debouncing skip this update`
			`// get methods also aren't updating`
Switching logic for lazy evaluation. 2021-05-21 16:03:28 +02:00			`if (ctx.method === "GET" \|\| (await checkDebounce(appId))) {`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`return`
			`}`
Updating PouchLike to be an interface in types, with its impl stored in backend-core, now called Database. 2022-11-17 15:35:03 +01:00			`await dbCore.doWithDB(appId, async (db: Database) => {`
Fix for debugging with webstorm the old way (if desired), updating the builder middleware to be more multi-dev capable, ignoring 409s when attempting to update the last updated at for apps (if multiple devs hit at same time, only use one) also updating writethrough cache to retry once, with the extended TTL on locks, plus the multi-dev collab it can take a minute to update usage quota doc when a lot of updates occur at once. 2023-05-30 18:41:20 +02:00			`try {`
Type internal db.get 2023-07-18 11:41:51 +02:00			`const metadata = await db.get<any>(DocumentType.APP_METADATA)`
Fix for debugging with webstorm the old way (if desired), updating the builder middleware to be more multi-dev capable, ignoring 409s when attempting to update the last updated at for apps (if multiple devs hit at same time, only use one) also updating writethrough cache to retry once, with the extended TTL on locks, plus the multi-dev collab it can take a minute to update usage quota doc when a lot of updates occur at once. 2023-05-30 18:41:20 +02:00			`metadata.updatedAt = new Date().toISOString()`
Initial Commit for app overview 2022-05-05 13:52:17 +02:00
Fix for debugging with webstorm the old way (if desired), updating the builder middleware to be more multi-dev capable, ignoring 409s when attempting to update the last updated at for apps (if multiple devs hit at same time, only use one) also updating writethrough cache to retry once, with the extended TTL on locks, plus the multi-dev collab it can take a minute to update usage quota doc when a lot of updates occur at once. 2023-05-30 18:41:20 +02:00			`metadata.updatedBy = getGlobalIDFromUserMetadataID(ctx.user?.userId!)`
Initial Commit for app overview 2022-05-05 13:52:17 +02:00
Fix for debugging with webstorm the old way (if desired), updating the builder middleware to be more multi-dev capable, ignoring 409s when attempting to update the last updated at for apps (if multiple devs hit at same time, only use one) also updating writethrough cache to retry once, with the extended TTL on locks, plus the multi-dev collab it can take a minute to update usage quota doc when a lot of updates occur at once. 2023-05-30 18:41:20 +02:00			`const response = await db.put(metadata)`
			`metadata._rev = response.rev`
			`await cache.app.invalidateAppMetadata(appId, metadata)`
			`// set a new debounce record with a short TTL`
			`await setDebounce(appId, DEBOUNCE_TIME_SEC)`
			`} catch (err: any) {`
			`// if a 409 occurs, then multiple clients connected at the same time - ignore`
			`if (err?.status === 409) {`
			`return`
			`} else {`
			`throw err`
			`}`
			`}`
Initial version of memory leak protection, making sure that PouchDB databases are closed correctly after use, using a combination of closures wrapping DB gets (this replaces the getDB, leaving only a dangerousGetDB function which can be used in very very specific scenarios) and then closing the DB as part of CLS hooked functions finishing. Also moving the GlobalDB init to the tenancy middleware as this is used everywhere in the worker/app services - means that not all getGlobalDB calls require an async closure around them. 2022-04-19 20:42:52 +02:00			`})`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`}`

Fix for debugging with webstorm the old way (if desired), updating the builder middleware to be more multi-dev capable, ignoring 409s when attempting to update the last updated at for apps (if multiple devs hit at same time, only use one) also updating writethrough cache to retry once, with the extended TTL on locks, plus the multi-dev collab it can take a minute to update usage quota doc when a lot of updates occur at once. 2023-05-30 18:41:20 +02:00			`export default async function builder(ctx: UserCtx) {`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`const appId = ctx.appId`
			`// this only functions within an app context`
			`if (!appId) {`
			`return`
			`}`
Update builder and authorized middleware to be more strict towards unauthenticated (#9774) * Update builder and authorized middleware to be more strict towards unauthenticated * Remove unnecessary variable 2023-02-22 14:39:31 +01:00
			`// check authenticated`
			`if (!ctx.isAuthenticated) {`
			`return ctx.throw(403, "Session not authenticated")`
			`}`

Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`const referer = ctx.headers["referer"]`
Initial Commit for app overview 2022-05-05 13:52:17 +02:00
			`const hasAppId = !referer ? false : referer.includes(appId)`
			`const editingApp = referer ? hasAppId : false`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`// check this is a builder call and editing`
Update builder and authorized middleware to be more strict towards unauthenticated (#9774) * Update builder and authorized middleware to be more strict towards unauthenticated * Remove unnecessary variable 2023-02-22 14:39:31 +01:00			`if (!editingApp) {`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`return`
			`}`
			`// check locks`
			`await checkDevAppLocks(ctx)`
			`// set updated at time on app`
			`await updateAppUpdatedAt(ctx)`
Formatting 2021-05-21 15:49:59 +02:00			`}`