budibase/packages/worker/src/api/index.js

129 lines
2.8 KiB
JavaScript
Raw Normal View History

const Router = require("@koa/router")
const compress = require("koa-compress")
const zlib = require("zlib")
const { routes } = require("./routes")
const {
buildAuthMiddleware,
auditLog,
buildTenancyMiddleware,
2022-01-25 23:54:50 +01:00
buildCsrfMiddleware,
} = require("@budibase/backend-core/auth")
const PUBLIC_ENDPOINTS = [
// old deprecated endpoints kept for backwards compat
{
route: "/api/admin/auth/google/callback",
method: "GET",
},
{
route: "/api/admin/auth/oidc/callback",
method: "GET",
},
{
// this covers all of the POST auth routes
route: "/api/global/auth/:tenantId",
method: "POST",
},
{
// this covers all of the GET auth routes
route: "/api/global/auth/:tenantId",
2021-06-27 16:46:04 +02:00
method: "GET",
},
{
// this covers all of the public config routes
route: "/api/global/configs/public",
method: "GET",
},
{
route: "/api/global/configs/checklist",
2021-08-04 11:02:24 +02:00
method: "GET",
},
2021-05-06 12:56:53 +02:00
{
2021-09-07 12:22:11 +02:00
// TODO: Add an provisioning API key to this endpoint in the cloud
route: "/api/global/users/init",
method: "POST",
2021-05-06 12:56:53 +02:00
},
{
route: "/api/global/users/invite/accept",
method: "POST",
},
{
route: "api/system/environment",
2021-08-04 11:02:24 +02:00
method: "GET",
},
2021-09-07 12:22:11 +02:00
{
route: "/api/global/users/tenant/:id",
method: "GET",
},
]
const NO_TENANCY_ENDPOINTS = [
...PUBLIC_ENDPOINTS,
2021-08-04 11:02:24 +02:00
{
route: "/api/system",
method: "ALL",
},
{
route: "/api/global/users/self",
method: "GET",
},
2021-04-26 16:44:28 +02:00
]
2022-01-25 23:54:50 +01:00
// most public endpoints are gets, but some are posts
// add them all to be safe
const NO_CSRF_ENDPOINTS = [...PUBLIC_ENDPOINTS]
const router = new Router()
router
.use(
compress({
threshold: 2048,
gzip: {
2021-03-29 16:06:00 +02:00
flush: zlib.constants.Z_SYNC_FLUSH,
},
deflate: {
2021-03-29 16:06:00 +02:00
flush: zlib.constants.Z_SYNC_FLUSH,
},
br: false,
})
)
2021-05-04 12:32:22 +02:00
.use("/health", ctx => (ctx.status = 200))
.use(buildAuthMiddleware(PUBLIC_ENDPOINTS))
.use(buildTenancyMiddleware(PUBLIC_ENDPOINTS, NO_TENANCY_ENDPOINTS))
2022-01-25 23:54:50 +01:00
.use(buildCsrfMiddleware({ noCsrfPatterns: NO_CSRF_ENDPOINTS }))
// for now no public access is allowed to worker (bar health check)
.use((ctx, next) => {
if (ctx.publicEndpoint) {
return next()
}
if ((!ctx.isAuthenticated || !ctx.user.budibaseAccess) && !ctx.internal) {
2021-05-12 13:38:49 +02:00
ctx.throw(403, "Unauthorized - no public worker access")
}
return next()
})
2021-05-28 11:09:32 +02:00
.use(auditLog)
// error handling middleware
router.use(async (ctx, next) => {
try {
await next()
} catch (err) {
ctx.log.error(err)
ctx.status = err.status || err.statusCode || 500
ctx.body = {
message: err.message,
status: ctx.status,
}
}
})
2021-05-04 12:32:22 +02:00
router.get("/health", ctx => (ctx.status = 200))
// authenticated routes
for (let route of routes) {
router.use(route.routes())
router.use(route.allowedMethods())
}
module.exports = router