budibase/packages/server/src/middleware/authenticated.js

const jwt = require("jsonwebtoken")
const STATUS_CODES = require("../utilities/statusCodes")
const accessLevelController = require("../api/controllers/accesslevel")
const { BUILTIN_LEVEL_ID_ARRAY } = require("../utilities/security/accessLevels")
const env = require("../environment")
const { AuthTypes } = require("../constants")
const { getAppId, getCookieName, setCookie } = require("../utilities")

module.exports = async (ctx, next) => {
  if (ctx.path === "/_builder") {
    await next()
    return
  }

  // do everything we can to make sure the appId is held correctly
  // we hold it in state as a
  let appId = getAppId(ctx)
  const cookieAppId = ctx.cookies.get(getCookieName("currentapp"))
  if (appId && cookieAppId !== appId) {
    setCookie(ctx, "currentapp", appId)
  } else if (cookieAppId) {
    appId = cookieAppId
  }

  const appToken = ctx.cookies.get(getCookieName(appId))
  const builderToken = ctx.cookies.get(getCookieName())

  let token
  // if running locally in the builder itself
  if (!env.CLOUD && !appToken) {
    token = builderToken
    ctx.auth.authenticated = AuthTypes.BUILDER
  } else {
    token = appToken
    ctx.auth.authenticated = AuthTypes.APP
  }

  if (!token) {
    ctx.auth.authenticated = false
    ctx.appId = appId
    ctx.user = {
      appId,
    }
    await next()
    return
  }

  try {
    const jwtPayload = jwt.verify(token, ctx.config.jwtSecret)
    ctx.appId = appId
    ctx.auth.apiKey = jwtPayload.apiKey
    ctx.user = {
      ...jwtPayload,
      appId: appId,
      accessLevel: await getAccessLevel(appId, jwtPayload.accessLevelId),
    }
  } catch (err) {
    ctx.throw(err.status || STATUS_CODES.FORBIDDEN, err.text)
  }

  await next()
}

/**
 * Return the full access level object either from constants
 * or the database based on the access level ID passed.
 *
 * @param {*} appId - appId of the user
 * @param {*} accessLevelId - the id of the users access level
 */
const getAccessLevel = async (appId, accessLevelId) => {
  if (BUILTIN_LEVEL_ID_ARRAY.indexOf(accessLevelId) !== -1) {
    return {
      _id: accessLevelId,
      name: accessLevelId,
      permissions: [],
    }
  }

  const findAccessContext = {
    params: {
      levelId: accessLevelId,
    },
    user: {
      appId,
    },
  }
  await accessLevelController.find(findAccessContext)
  return findAccessContext.body
}
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`const jwt = require("jsonwebtoken")`
server tests in-memory and passing 2020-05-14 16:12:30 +02:00			`const STATUS_CODES = require("../utilities/statusCodes")`
access levels 2020-05-27 18:23:01 +02:00			`const accessLevelController = require("../api/controllers/accesslevel")`
Large update, tests passing, have simplifed access level API, access levels and permissions are now totally separate. 2020-11-13 16:35:20 +01:00			`const { BUILTIN_LEVEL_ID_ARRAY } = require("../utilities/security/accessLevels")`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-28 21:35:06 +01:00			`const env = require("../environment")`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`const { AuthTypes } = require("../constants")`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`const { getAppId, getCookieName, setCookie } = require("../utilities")`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00
			`module.exports = async (ctx, next) => {`
removing Authorization header 2020-05-18 12:53:04 +02:00			`if (ctx.path === "/_builder") {`
server tests in-memory and passing 2020-05-14 16:12:30 +02:00			`await next()`
further simplification of server code 2020-05-07 15:04:32 +02:00			`return`
			`}`

Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`// do everything we can to make sure the appId is held correctly`
			`// we hold it in state as a`
			`let appId = getAppId(ctx)`
Updating server test cases with the header for appId. 2020-11-03 16:00:39 +01:00			`const cookieAppId = ctx.cookies.get(getCookieName("currentapp"))`
			`if (appId && cookieAppId !== appId) {`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`setCookie(ctx, "currentapp", appId)`
Updating server test cases with the header for appId. 2020-11-03 16:00:39 +01:00			`} else if (cookieAppId) {`
			`appId = cookieAppId`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`}`
Some more re-work, more testing needed to auth stuff. 2020-11-02 21:14:10 +01:00
			`const appToken = ctx.cookies.get(getCookieName(appId))`
			`const builderToken = ctx.cookies.get(getCookieName())`
logic to not use builder:token for apps running in dev 2020-06-03 18:05:36 +02:00
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`let token`
			`// if running locally in the builder itself`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-28 21:35:06 +01:00			`if (!env.CLOUD && !appToken) {`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`token = builderToken`
			`ctx.auth.authenticated = AuthTypes.BUILDER`
			`} else {`
			`token = appToken`
			`ctx.auth.authenticated = AuthTypes.APP`
removing clientId from frontend, fixing invalid database name 2020-05-18 07:40:29 +02:00			`}`

simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`if (!token) {`
adding auth object to context rather than separate booleans 2020-10-12 14:32:52 +02:00			`ctx.auth.authenticated = false`
The API that the components library would use was not always consistent with the API client library would use and this would sometimes break things. 2020-11-09 10:42:35 +01:00			`ctx.appId = appId`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`ctx.user = {`
frontend bug fixes, remove bindable prop, add not equals filter 2020-10-14 22:43:36 +02:00			`appId,`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`}`
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`await next()`
			`return`
			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00
			`try {`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`const jwtPayload = jwt.verify(token, ctx.config.jwtSecret)`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`ctx.appId = appId`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`ctx.auth.apiKey = jwtPayload.apiKey`
access levels 2020-05-27 18:23:01 +02:00			`ctx.user = {`
			`...jwtPayload,`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`appId: appId,`
			`accessLevel: await getAccessLevel(appId, jwtPayload.accessLevelId),`
access levels 2020-05-27 18:23:01 +02:00			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00			`} catch (err) {`
further simplification of server code 2020-05-07 15:04:32 +02:00			`ctx.throw(err.status \|\| STATUS_CODES.FORBIDDEN, err.text)`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00			`}`

formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`await next()`
			`}`
access levels 2020-05-27 18:23:01 +02:00
upload assets to s3 2020-06-29 19:57:17 +02:00			`/**`
lint :sparkles: 2020-07-07 22:29:20 +02:00			`* Return the full access level object either from constants`
upload assets to s3 2020-06-29 19:57:17 +02:00			`* or the database based on the access level ID passed.`
lint :sparkles: 2020-07-07 22:29:20 +02:00			`*`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 11:28:27 +01:00			`* @param {*} appId - appId of the user`
lint :sparkles: 2020-07-07 22:29:20 +02:00			`* @param {*} accessLevelId - the id of the users access level`
upload assets to s3 2020-06-29 19:57:17 +02:00			`*/`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 11:28:27 +01:00			`const getAccessLevel = async (appId, accessLevelId) => {`
Large update, tests passing, have simplifed access level API, access levels and permissions are now totally separate. 2020-11-13 16:35:20 +01:00			`if (BUILTIN_LEVEL_ID_ARRAY.indexOf(accessLevelId) !== -1) {`
access levels 2020-05-27 18:23:01 +02:00			`return {`
			`_id: accessLevelId,`
			`name: accessLevelId,`
			`permissions: [],`
			`}`
			`}`

			`const findAccessContext = {`
			`params: {`
			`levelId: accessLevelId,`
fixing broken tests 2020-06-18 21:41:37 +02:00			`},`
			`user: {`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 11:28:27 +01:00			`appId,`
access levels 2020-05-27 18:23:01 +02:00			`},`
			`}`
			`await accessLevelController.find(findAccessContext)`
			`return findAccessContext.body`
			`}`