budibase/packages/server/src/api/controllers/user.js

const CouchDB = require("../../db")
const bcrypt = require("../../utilities/bcrypt")
const { generateUserID, getUserParams, ViewNames } = require("../../db/utils")
const { getRole } = require("../../utilities/security/roles")
const { UserStatus } = require("../../constants")

exports.fetch = async function(ctx) {
  const database = new CouchDB(ctx.user.appId)
  const users = (
    await database.allDocs(
      getUserParams(null, {
        include_docs: true,
      })
    )
  ).rows.map(row => row.doc)
  // user hashed password shouldn't ever be returned
  for (let user of users) {
    delete user.password
  }
  ctx.body = users
}

exports.create = async function(ctx) {
  const db = new CouchDB(ctx.user.appId)
  const { email, password, roleId } = ctx.request.body

  if (!email || !password) {
    ctx.throw(400, "email and Password Required.")
  }

  const role = await getRole(ctx.user.appId, roleId)

  if (!role) ctx.throw(400, "Invalid Role")

  const hashedPassword = await bcrypt.hash(password)
  const user = {
    ...ctx.request.body,
    // these must all be after the object spread, make sure
    // any values are overwritten, generateUserID will always
    // generate the same ID for the user as it is not UUID based
    _id: generateUserID(email),
    type: "user",
    password: hashedPassword,
    tableId: ViewNames.USERS,
  }
  // add the active status to a user if its not provided
  if (user.status == null) {
    user.status = UserStatus.ACTIVE
  }

  try {
    const response = await db.post(user)
    ctx.status = 200
    ctx.message = "User created successfully."
    ctx.userId = response._id
    ctx.body = {
      _rev: response.rev,
      email,
    }
  } catch (err) {
    if (err.status === 409) {
      ctx.throw(400, "User exists already")
    } else {
      ctx.throw(err.status, err)
    }
  }
}

exports.update = async function(ctx) {
  const db = new CouchDB(ctx.user.appId)
  const user = ctx.request.body
  let dbUser
  // get user incase password removed
  if (user._id) {
    dbUser = await db.get(user._id)
  }
  if (user.password) {
    user.password = await bcrypt.hash(user.password)
  } else {
    delete user.password
  }

  const response = await db.put({
    password: dbUser.password,
    ...user,
  })
  user._rev = response.rev

  ctx.status = 200
  ctx.message = `User ${ctx.request.body.email} updated successfully.`
  ctx.body = response
}

exports.destroy = async function(ctx) {
  const database = new CouchDB(ctx.user.appId)
  await database.destroy(generateUserID(ctx.params.email))
  ctx.message = `User ${ctx.params.email} deleted.`
  ctx.status = 200
}

exports.find = async function(ctx) {
  const database = new CouchDB(ctx.user.appId)
  let lookup = ctx.params.email
    ? generateUserID(ctx.params.email)
    : ctx.params.userId
  const user = await database.get(lookup)
  if (user) {
    delete user.password
  }
  ctx.body = user
}
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`const CouchDB = require("../../db")`
			`const bcrypt = require("../../utilities/bcrypt")`
user table and relationships complete 2020-11-24 15:04:14 +01:00			`const { generateUserID, getUserParams, ViewNames } = require("../../db/utils")`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-02 18:08:25 +01:00			`const { getRole } = require("../../utilities/security/roles")`
Switching user activity state to an options field rather than boolean (more extensible). 2021-02-22 13:29:49 +01:00			`const { UserStatus } = require("../../constants")`
added more endpoints 2020-04-07 18:25:09 +02:00
lint fix 2020-06-29 15:56:41 +02:00			`exports.fetch = async function(ctx) {`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 11:28:27 +01:00			`const database = new CouchDB(ctx.user.appId)`
Updating builder/server in a few ways, to allow creating users with extra columns attached, allowing password to be updated in the builder and making sure that all row endpoints correctly pass through the user controller so that we can still have customised functionality for users (such as making sure password is never returned). 2020-12-08 18:33:08 +01:00			`const users = (`
			`await database.allDocs(`
			`getUserParams(null, {`
			`include_docs: true,`
			`})`
			`)`
			`).rows.map(row => row.doc)`
			`// user hashed password shouldn't ever be returned`
			`for (let user of users) {`
			`delete user.password`
			`}`
			`ctx.body = users`
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`}`
added more endpoints 2020-04-07 18:25:09 +02:00
lint fix 2020-06-29 15:56:41 +02:00			`exports.create = async function(ctx) {`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 11:28:27 +01:00			`const db = new CouchDB(ctx.user.appId)`
Merge branch 'master' of github.com:Budibase/budibase into feature/security-update 2020-12-08 12:42:29 +01:00			`const { email, password, roleId } = ctx.request.body`
auth, first version, needing tested 2020-05-21 15:31:23 +02:00
email as default user identifier 2020-12-04 13:22:45 +01:00			`if (!email \|\| !password) {`
			`ctx.throw(400, "email and Password Required.")`
auth, first version, needing tested 2020-05-21 15:31:23 +02:00			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-02 18:08:25 +01:00			`const role = await getRole(ctx.user.appId, roleId)`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00
Changing the naming of access levels to be roles. 2020-12-02 14:20:56 +01:00			`if (!role) ctx.throw(400, "Invalid Role")`
auth, first version, needing tested 2020-05-21 15:31:23 +02:00
Updating builder/server in a few ways, to allow creating users with extra columns attached, allowing password to be updated in the builder and making sure that all row endpoints correctly pass through the user controller so that we can still have customised functionality for users (such as making sure password is never returned). 2020-12-08 18:33:08 +01:00			`const hashedPassword = await bcrypt.hash(password)`
auth, first version, needing tested 2020-05-21 15:31:23 +02:00			`const user = {`
Updating builder/server in a few ways, to allow creating users with extra columns attached, allowing password to be updated in the builder and making sure that all row endpoints correctly pass through the user controller so that we can still have customised functionality for users (such as making sure password is never returned). 2020-12-08 18:33:08 +01:00			`...ctx.request.body,`
			`// these must all be after the object spread, make sure`
			`// any values are overwritten, generateUserID will always`
			`// generate the same ID for the user as it is not UUID based`
email as default user identifier 2020-12-04 13:22:45 +01:00			`_id: generateUserID(email),`
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`type: "user",`
Updating builder/server in a few ways, to allow creating users with extra columns attached, allowing password to be updated in the builder and making sure that all row endpoints correctly pass through the user controller so that we can still have customised functionality for users (such as making sure password is never returned). 2020-12-08 18:33:08 +01:00			`password: hashedPassword,`
user table and relationships complete 2020-11-24 15:04:14 +01:00			`tableId: ViewNames.USERS,`
auth, first version, needing tested 2020-05-21 15:31:23 +02:00			`}`
Adding the ability to set whether a user is active or not rather than deleting them, stops them from being able to log in to the system. 2021-02-22 12:39:58 +01:00			`// add the active status to a user if its not provided`
Switching user activity state to an options field rather than boolean (more extensible). 2021-02-22 13:29:49 +01:00			`if (user.status == null) {`
			`user.status = UserStatus.ACTIVE`
Adding the ability to set whether a user is active or not rather than deleting them, stops them from being able to log in to the system. 2021-02-22 12:39:58 +01:00			`}`
auth, first version, needing tested 2020-05-21 15:31:23 +02:00
Updating templates to be able to run locally with an environment variable LOCAL_TEMPLATES and making them work using the DB. Users are also no longer included in the db dump. 2020-11-06 13:30:30 +01:00			`try {`
			`const response = await db.post(user)`
			`ctx.status = 200`
			`ctx.message = "User created successfully."`
			`ctx.userId = response._id`
			`ctx.body = {`
			`_rev: response.rev,`
email as default user identifier 2020-12-04 13:22:45 +01:00			`email,`
Updating templates to be able to run locally with an environment variable LOCAL_TEMPLATES and making them work using the DB. Users are also no longer included in the db dump. 2020-11-06 13:30:30 +01:00			`}`
			`} catch (err) {`
			`if (err.status === 409) {`
			`ctx.throw(400, "User exists already")`
			`} else {`
			`ctx.throw(err.status, err)`
			`}`
test coverage for user creation 2020-04-10 17:37:59 +02:00			`}`
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`}`
api tests 2020-04-09 17:53:48 +02:00
lint fix 2020-06-29 15:56:41 +02:00			`exports.update = async function(ctx) {`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 11:28:27 +01:00			`const db = new CouchDB(ctx.user.appId)`
adds update functionality to users 2020-06-26 11:05:09 +02:00			`const user = ctx.request.body`
Adding the ability to set whether a user is active or not rather than deleting them, stops them from being able to log in to the system. 2021-02-22 12:39:58 +01:00			`let dbUser`
			`// get user incase password removed`
			`if (user._id) {`
			`dbUser = await db.get(user._id)`
			`}`
Updating builder/server in a few ways, to allow creating users with extra columns attached, allowing password to be updated in the builder and making sure that all row endpoints correctly pass through the user controller so that we can still have customised functionality for users (such as making sure password is never returned). 2020-12-08 18:33:08 +01:00			`if (user.password) {`
			`user.password = await bcrypt.hash(user.password)`
			`} else {`
			`delete user.password`
			`}`
auth, first version, needing tested 2020-05-21 15:31:23 +02:00
Adding the ability to set whether a user is active or not rather than deleting them, stops them from being able to log in to the system. 2021-02-22 12:39:58 +01:00			`const response = await db.put({`
			`password: dbUser.password,`
			`...user,`
			`})`
adds update functionality to users 2020-06-26 11:05:09 +02:00			`user._rev = response.rev`

			`ctx.status = 200`
email as default user identifier 2020-12-04 13:22:45 +01:00			ctx.message = `User ${ctx.request.body.email} updated successfully.`
fix wrong stuff coming back after updating user 2020-06-29 13:14:15 +02:00			`ctx.body = response`
adds update functionality to users 2020-06-26 11:05:09 +02:00			`}`

lint fix 2020-06-29 15:56:41 +02:00			`exports.destroy = async function(ctx) {`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 11:28:27 +01:00			`const database = new CouchDB(ctx.user.appId)`
email as default user identifier 2020-12-04 13:22:45 +01:00			`await database.destroy(generateUserID(ctx.params.email))`
			ctx.message = `User ${ctx.params.email} deleted.`
server tests in-memory and passing 2020-05-14 16:12:30 +02:00			`ctx.status = 200`
			`}`

lint fix 2020-06-29 15:56:41 +02:00			`exports.find = async function(ctx) {`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 11:28:27 +01:00			`const database = new CouchDB(ctx.user.appId)`
Updating row controller to make sure that all user requests (bar deletion) are passed through correctly to the user controller so that any logic such as removing user password can be correctly held in the user controller logic. 2020-12-09 11:52:18 +01:00			`let lookup = ctx.params.email`
			`? generateUserID(ctx.params.email)`
			`: ctx.params.userId`
			`const user = await database.get(lookup)`
			`if (user) {`
			`delete user.password`
test coverage for user creation 2020-04-10 17:37:59 +02:00			`}`
Updating row controller to make sure that all user requests (bar deletion) are passed through correctly to the user controller so that any logic such as removing user password can be correctly held in the user controller logic. 2020-12-09 11:52:18 +01:00			`ctx.body = user`
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`}`