budibase/packages/auth/src/middleware/authenticated.js

const { Cookies } = require("../constants")
const { getCookie, clearCookie } = require("../utils")
const { getUser } = require("../cache/user")
const { getSession, updateSessionTTL } = require("../security/sessions")
const env = require("../environment")

const PARAM_REGEX = /\/:(.*?)\//g

function buildNoAuthRegex(patterns) {
  return patterns.map(pattern => {
    const isObj = typeof pattern === "object" && pattern.route
    const method = isObj ? pattern.method : "GET"
    let route = isObj ? pattern.route : pattern

    const matches = route.match(PARAM_REGEX)
    if (matches) {
      for (let match of matches) {
        route = route.replace(match, "/.*/")
      }
    }
    return { regex: new RegExp(route), method }
  })
}

function finalise(ctx, { authenticated, user, internal } = {}) {
  ctx.isAuthenticated = authenticated || false
  ctx.user = user
  ctx.internal = internal || false
}

module.exports = (noAuthPatterns = [], opts) => {
  const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
  return async (ctx, next) => {
    // the path is not authenticated
    const found = noAuthOptions.find(({ regex, method }) => {
      return (
        regex.test(ctx.request.url) &&
        ctx.request.method.toLowerCase() === method.toLowerCase()
      )
    })
    if (found != null) {
      return next()
    }
    try {
      // check the actual user is authenticated first
      const authCookie = getCookie(ctx, Cookies.Auth)
      let authenticated = false,
        user = null,
        internal = false
      if (authCookie) {
        let error = null
        const sessionId = authCookie.sessionId, userId = authCookie.userId
        const session = await getSession(userId, sessionId)
        if (!session) {
          error = "No session found"
        } else {
          try {
            const user = await getUser(userId)
            delete user.password
            authenticated = true
          } catch (err) {
            error = err
          }
        }
        if (error) {
          // remove the cookie as the user does not exist anymore
          clearCookie(ctx, Cookies.Auth)
        } else {
          // make sure we denote that the session is still in use
          await updateSessionTTL(userId, sessionId)
        }
      }
      const apiKey = ctx.request.headers["x-budibase-api-key"]
      // this is an internal request, no user made it
      if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
        authenticated = true
        internal = true
      }
      // be explicit
      if (authenticated !== true) {
        authenticated = false
      }
      // isAuthenticated is a function, so use a variable to be able to check authed state
      finalise(ctx, { authenticated, user, internal })
      return next()
    } catch (err) {
      // allow configuring for public access
      if (opts && opts.publicAllowed) {
        finalise(ctx, { authenticated: false })
      } else {
        ctx.throw(err.status || 403, err)
      }
    }
  }
}
login page 2021-04-11 12:35:55 +02:00			`const { Cookies } = require("../constants")`
Updating test cases and some re-work of the email system. 2021-04-23 19:07:39 +02:00			`const { getCookie, clearCookie } = require("../utils")`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`const { getUser } = require("../cache/user")`
			`const { getSession, updateSessionTTL } = require("../security/sessions")`
Some updates, working towards supporting automation send smtp email also removing the styling template, adding to base. 2021-05-11 13:02:29 +02:00			`const env = require("../environment")`
login page 2021-04-11 12:35:55 +02:00
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`const PARAM_REGEX = /\/:(.*?)\//g`
Fixing login issue. 2021-04-28 15:28:25 +02:00
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`function buildNoAuthRegex(patterns) {`
			`return patterns.map(pattern => {`
			`const isObj = typeof pattern === "object" && pattern.route`
			`const method = isObj ? pattern.method : "GET"`
			`let route = isObj ? pattern.route : pattern`

			`const matches = route.match(PARAM_REGEX)`
			`if (matches) {`
			`for (let match of matches) {`
			`route = route.replace(match, "/.*/")`
			`}`
			`}`
			`return { regex: new RegExp(route), method }`
			`})`
Fixing login issue. 2021-04-28 15:28:25 +02:00			`}`

Fixing authentication with API key issue. 2021-06-21 18:13:06 +02:00			`function finalise(ctx, { authenticated, user, internal } = {}) {`
			`ctx.isAuthenticated = authenticated \|\| false`
			`ctx.user = user`
			`ctx.internal = internal \|\| false`
			`}`

Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`module.exports = (noAuthPatterns = [], opts) => {`
			`const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`return async (ctx, next) => {`
			`// the path is not authenticated`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`const found = noAuthOptions.find(({ regex, method }) => {`
			`return (`
			`regex.test(ctx.request.url) &&`
			`ctx.request.method.toLowerCase() === method.toLowerCase()`
			`)`
			`})`
			`if (found != null) {`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`return next()`
login page 2021-04-11 12:35:55 +02:00			`}`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`try {`
			`// check the actual user is authenticated first`
			`const authCookie = getCookie(ctx, Cookies.Auth)`
Fixing authentication with API key issue. 2021-06-21 18:13:06 +02:00			`let authenticated = false,`
			`user = null,`
			`internal = false`
			`if (authCookie) {`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`let error = null`
			`const sessionId = authCookie.sessionId, userId = authCookie.userId`
			`const session = await getSession(userId, sessionId)`
			`if (!session) {`
			`error = "No session found"`
			`} else {`
			`try {`
			`const user = await getUser(userId)`
			`delete user.password`
			`authenticated = true`
			`} catch (err) {`
			`error = err`
			`}`
			`}`
			`if (error) {`
			`// remove the cookie as the user does not exist anymore`
Updating test cases and some re-work of the email system. 2021-04-23 19:07:39 +02:00			`clearCookie(ctx, Cookies.Auth)`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`} else {`
			`// make sure we denote that the session is still in use`
			`await updateSessionTTL(userId, sessionId)`
Updating test cases and some re-work of the email system. 2021-04-23 19:07:39 +02:00			`}`
			`}`
Fixing authentication with API key issue. 2021-06-21 18:13:06 +02:00			`const apiKey = ctx.request.headers["x-budibase-api-key"]`
			`// this is an internal request, no user made it`
			`if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {`
			`authenticated = true`
			`internal = true`
			`}`
Updating test cases and some re-work of the email system. 2021-04-23 19:07:39 +02:00			`// be explicit`
Fixing authentication with API key issue. 2021-06-21 18:13:06 +02:00			`if (authenticated !== true) {`
			`authenticated = false`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`}`
Fixing authentication with API key issue. 2021-06-21 18:13:06 +02:00			`// isAuthenticated is a function, so use a variable to be able to check authed state`
			`finalise(ctx, { authenticated, user, internal })`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`return next()`
			`} catch (err) {`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`// allow configuring for public access`
			`if (opts && opts.publicAllowed) {`
Fixing authentication with API key issue. 2021-06-21 18:13:06 +02:00			`finalise(ctx, { authenticated: false })`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-28 19:13:21 +02:00			`} else {`
			`ctx.throw(err.status \|\| 403, err)`
			`}`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-21 17:42:44 +02:00			`}`
login page 2021-04-11 12:35:55 +02:00			`}`
			`}`