2023-05-08 13:26:00 +02:00
|
|
|
import { getAllApps } from "../db"
|
2023-05-08 13:42:26 +02:00
|
|
|
import { Header, MAX_VALID_DATE, DocumentType, SEPARATOR } from "../constants"
|
2022-11-24 19:48:51 +01:00
|
|
|
import env from "../environment"
|
2022-11-28 18:54:04 +01:00
|
|
|
import * as tenancy from "../tenancy"
|
2023-02-21 09:23:53 +01:00
|
|
|
import * as context from "../context"
|
2023-02-27 12:42:52 +01:00
|
|
|
import {
|
|
|
|
App,
|
|
|
|
AuditedEventFriendlyName,
|
|
|
|
Ctx,
|
|
|
|
Event,
|
|
|
|
TenantResolutionStrategy,
|
|
|
|
} from "@budibase/types"
|
2022-11-09 17:35:16 +01:00
|
|
|
import { SetOption } from "cookies"
|
2021-04-11 12:35:55 +02:00
|
|
|
const jwt = require("jsonwebtoken")
|
2021-04-08 12:20:37 +02:00
|
|
|
|
2022-08-11 14:50:05 +02:00
|
|
|
const APP_PREFIX = DocumentType.APP + SEPARATOR
|
2022-03-23 17:45:06 +01:00
|
|
|
const PROD_APP_PREFIX = "/app/"
|
2021-04-08 12:20:37 +02:00
|
|
|
|
2023-01-11 11:24:57 +01:00
|
|
|
const BUILDER_PREVIEW_PATH = "/app/preview"
|
2023-05-08 13:26:00 +02:00
|
|
|
const BUILDER_PREFIX = "/builder"
|
|
|
|
const BUILDER_REFERER_PREFIX = `${BUILDER_PREFIX}/app/`
|
|
|
|
const PUBLIC_API_PREFIX = "/api/public/v1"
|
2023-01-11 11:24:57 +01:00
|
|
|
|
2022-11-09 17:35:16 +01:00
|
|
|
function confirmAppId(possibleAppId: string | undefined) {
|
2021-04-08 12:20:37 +02:00
|
|
|
return possibleAppId && possibleAppId.startsWith(APP_PREFIX)
|
|
|
|
? possibleAppId
|
|
|
|
: undefined
|
|
|
|
}
|
|
|
|
|
2023-01-11 11:24:57 +01:00
|
|
|
export async function resolveAppUrl(ctx: Ctx) {
|
2022-03-23 17:45:06 +01:00
|
|
|
const appUrl = ctx.path.split("/")[2]
|
|
|
|
let possibleAppUrl = `/${appUrl.toLowerCase()}`
|
|
|
|
|
2023-02-21 09:23:53 +01:00
|
|
|
let tenantId: string | null = context.getTenantId()
|
2022-11-16 12:34:16 +01:00
|
|
|
if (env.MULTI_TENANCY) {
|
|
|
|
// always use the tenant id from the subdomain in multi tenancy
|
2022-11-09 17:35:16 +01:00
|
|
|
// this ensures the logged-in user tenant id doesn't overwrite
|
|
|
|
// e.g. in the case of viewing a public app while already logged-in to another tenant
|
|
|
|
tenantId = tenancy.getTenantIDFromCtx(ctx, {
|
|
|
|
includeStrategies: [TenantResolutionStrategy.SUBDOMAIN],
|
|
|
|
})
|
2022-03-23 17:45:06 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// search prod apps for a url that matches
|
2023-04-24 10:31:48 +02:00
|
|
|
const apps: App[] = await context.doInTenant(
|
|
|
|
tenantId,
|
|
|
|
() => getAllApps({ dev: false }) as Promise<App[]>
|
2022-03-23 17:45:06 +01:00
|
|
|
)
|
|
|
|
const app = apps.filter(
|
|
|
|
a => a.url && a.url.toLowerCase() === possibleAppUrl
|
|
|
|
)[0]
|
|
|
|
|
|
|
|
return app && app.appId ? app.appId : undefined
|
|
|
|
}
|
2022-09-06 13:25:57 +02:00
|
|
|
|
2022-12-15 12:35:22 +01:00
|
|
|
export function isServingApp(ctx: Ctx) {
|
2022-09-06 13:25:57 +02:00
|
|
|
// dev app
|
|
|
|
if (ctx.path.startsWith(`/${APP_PREFIX}`)) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
// prod app
|
|
|
|
if (ctx.path.startsWith(PROD_APP_PREFIX)) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
2022-03-23 17:45:06 +01:00
|
|
|
|
2023-05-08 13:26:00 +02:00
|
|
|
export function isServingBuilder(ctx: Ctx): boolean {
|
|
|
|
return ctx.path.startsWith(BUILDER_REFERER_PREFIX)
|
|
|
|
}
|
|
|
|
|
|
|
|
export function isServingBuilderPreview(ctx: Ctx): boolean {
|
|
|
|
return ctx.path.startsWith(BUILDER_PREVIEW_PATH)
|
|
|
|
}
|
|
|
|
|
|
|
|
export function isPublicApiRequest(ctx: Ctx): boolean {
|
|
|
|
return ctx.path.startsWith(PUBLIC_API_PREFIX)
|
|
|
|
}
|
|
|
|
|
2021-04-08 12:20:37 +02:00
|
|
|
/**
|
|
|
|
* Given a request tries to find the appId, which can be located in various places
|
|
|
|
* @param {object} ctx The main request body to look through.
|
|
|
|
* @returns {string|undefined} If an appId was found it will be returned.
|
|
|
|
*/
|
2022-12-15 12:35:22 +01:00
|
|
|
export async function getAppIdFromCtx(ctx: Ctx) {
|
2022-03-23 17:45:06 +01:00
|
|
|
// look in headers
|
2023-01-11 11:24:57 +01:00
|
|
|
const options = [ctx.request.headers[Header.APP_ID]]
|
2021-04-08 12:20:37 +02:00
|
|
|
let appId
|
|
|
|
for (let option of options) {
|
2022-11-09 17:35:16 +01:00
|
|
|
appId = confirmAppId(option as string)
|
2021-04-08 12:20:37 +02:00
|
|
|
if (appId) {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-03-23 17:45:06 +01:00
|
|
|
// look in body
|
2021-04-08 12:20:37 +02:00
|
|
|
if (!appId && ctx.request.body && ctx.request.body.appId) {
|
|
|
|
appId = confirmAppId(ctx.request.body.appId)
|
|
|
|
}
|
2022-03-23 17:45:06 +01:00
|
|
|
|
2022-12-15 12:35:22 +01:00
|
|
|
// look in the path
|
|
|
|
const pathId = parseAppIdFromUrl(ctx.path)
|
|
|
|
if (!appId && pathId) {
|
|
|
|
appId = confirmAppId(pathId)
|
|
|
|
}
|
|
|
|
|
2023-01-11 11:24:57 +01:00
|
|
|
// lookup using custom url - prod apps only
|
|
|
|
// filter out the builder preview path which collides with the prod app path
|
|
|
|
// to ensure we don't load all apps excessively
|
|
|
|
const isBuilderPreview = ctx.path.startsWith(BUILDER_PREVIEW_PATH)
|
|
|
|
const isViewingProdApp =
|
|
|
|
ctx.path.startsWith(PROD_APP_PREFIX) && !isBuilderPreview
|
|
|
|
if (!appId && isViewingProdApp) {
|
|
|
|
appId = confirmAppId(await resolveAppUrl(ctx))
|
2021-04-08 12:20:37 +02:00
|
|
|
}
|
2022-03-23 17:45:06 +01:00
|
|
|
|
2023-01-11 11:24:57 +01:00
|
|
|
// look in the referer - builder only
|
|
|
|
// make sure this is performed after prod app url resolution, in case the
|
|
|
|
// referer header is present from a builder redirect
|
|
|
|
const referer = ctx.request.headers.referer
|
|
|
|
if (!appId && referer?.includes(BUILDER_REFERER_PREFIX)) {
|
|
|
|
const refererId = parseAppIdFromUrl(ctx.request.headers.referer)
|
|
|
|
appId = confirmAppId(refererId)
|
2022-03-23 17:45:06 +01:00
|
|
|
}
|
|
|
|
|
2021-04-08 12:20:37 +02:00
|
|
|
return appId
|
|
|
|
}
|
|
|
|
|
2022-12-15 12:35:22 +01:00
|
|
|
function parseAppIdFromUrl(url?: string) {
|
|
|
|
if (!url) {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
return url.split("/").find(subPath => subPath.startsWith(APP_PREFIX))
|
|
|
|
}
|
|
|
|
|
2021-12-17 15:08:48 +01:00
|
|
|
/**
|
|
|
|
* opens the contents of the specified encrypted JWT.
|
|
|
|
* @return {object} the contents of the token.
|
|
|
|
*/
|
2022-11-16 19:12:31 +01:00
|
|
|
export function openJwt(token: string) {
|
2021-12-17 15:08:48 +01:00
|
|
|
if (!token) {
|
|
|
|
return token
|
|
|
|
}
|
2023-03-13 16:02:59 +01:00
|
|
|
try {
|
|
|
|
return jwt.verify(token, env.JWT_SECRET)
|
|
|
|
} catch (e) {
|
|
|
|
if (env.JWT_SECRET_FALLBACK) {
|
|
|
|
// fallback to enable rotation
|
|
|
|
return jwt.verify(token, env.JWT_SECRET_FALLBACK)
|
|
|
|
} else {
|
|
|
|
throw e
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
export function isValidInternalAPIKey(apiKey: string) {
|
|
|
|
if (env.INTERNAL_API_KEY && env.INTERNAL_API_KEY === apiKey) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
// fallback to enable rotation
|
|
|
|
if (
|
|
|
|
env.INTERNAL_API_KEY_FALLBACK &&
|
|
|
|
env.INTERNAL_API_KEY_FALLBACK === apiKey
|
|
|
|
) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
return false
|
2021-12-17 15:08:48 +01:00
|
|
|
}
|
|
|
|
|
2021-04-11 12:35:55 +02:00
|
|
|
/**
|
|
|
|
* Get a cookie from context, and decrypt if necessary.
|
|
|
|
* @param {object} ctx The request which is to be manipulated.
|
|
|
|
* @param {string} name The name of the cookie to get.
|
|
|
|
*/
|
2022-12-15 12:35:22 +01:00
|
|
|
export function getCookie(ctx: Ctx, name: string) {
|
2021-04-12 19:31:58 +02:00
|
|
|
const cookie = ctx.cookies.get(name)
|
2021-04-11 12:35:55 +02:00
|
|
|
|
2021-04-12 19:31:58 +02:00
|
|
|
if (!cookie) {
|
|
|
|
return cookie
|
|
|
|
}
|
2021-04-11 12:35:55 +02:00
|
|
|
|
2022-11-09 17:35:16 +01:00
|
|
|
return openJwt(cookie)
|
2021-04-11 12:35:55 +02:00
|
|
|
}
|
|
|
|
|
2021-04-08 12:20:37 +02:00
|
|
|
/**
|
2021-07-06 19:10:04 +02:00
|
|
|
* Store a cookie for the request - it will not expire.
|
2021-04-08 12:20:37 +02:00
|
|
|
* @param {object} ctx The request which is to be manipulated.
|
|
|
|
* @param {string} name The name of the cookie to set.
|
|
|
|
* @param {string|object} value The value of cookie which will be set.
|
2021-12-03 13:39:20 +01:00
|
|
|
* @param {object} opts options like whether to sign.
|
2021-04-08 12:20:37 +02:00
|
|
|
*/
|
2022-11-16 19:12:31 +01:00
|
|
|
export function setCookie(
|
2022-12-15 12:35:22 +01:00
|
|
|
ctx: Ctx,
|
2022-11-09 17:35:16 +01:00
|
|
|
value: any,
|
|
|
|
name = "builder",
|
|
|
|
opts = { sign: true }
|
2022-11-16 19:12:31 +01:00
|
|
|
) {
|
2021-12-03 13:39:20 +01:00
|
|
|
if (value && opts && opts.sign) {
|
2023-03-13 16:02:59 +01:00
|
|
|
value = jwt.sign(value, env.JWT_SECRET)
|
2021-09-29 14:51:33 +02:00
|
|
|
}
|
2021-09-28 17:35:31 +02:00
|
|
|
|
2022-11-09 17:35:16 +01:00
|
|
|
const config: SetOption = {
|
2021-12-03 13:39:20 +01:00
|
|
|
expires: MAX_VALID_DATE,
|
2021-09-29 14:51:33 +02:00
|
|
|
path: "/",
|
|
|
|
httpOnly: false,
|
|
|
|
overwrite: true,
|
|
|
|
}
|
2021-09-28 17:35:31 +02:00
|
|
|
|
2022-04-08 02:28:22 +02:00
|
|
|
if (env.COOKIE_DOMAIN) {
|
|
|
|
config.domain = env.COOKIE_DOMAIN
|
2021-04-08 12:20:37 +02:00
|
|
|
}
|
2021-09-29 14:51:33 +02:00
|
|
|
|
|
|
|
ctx.cookies.set(name, value, config)
|
2021-04-08 12:20:37 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Utility function, simply calls setCookie with an empty string for value
|
|
|
|
*/
|
2022-12-15 12:35:22 +01:00
|
|
|
export function clearCookie(ctx: Ctx, name: string) {
|
2022-11-09 17:35:16 +01:00
|
|
|
setCookie(ctx, null, name)
|
2021-04-08 12:20:37 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Checks if the API call being made (based on the provided ctx object) is from the client. If
|
|
|
|
* the call is not from a client app then it is from the builder.
|
|
|
|
* @param {object} ctx The koa context object to be tested.
|
|
|
|
* @return {boolean} returns true if the call is from the client lib (a built app rather than the builder).
|
|
|
|
*/
|
2022-12-15 12:35:22 +01:00
|
|
|
export function isClient(ctx: Ctx) {
|
2022-11-16 18:23:12 +01:00
|
|
|
return ctx.headers[Header.TYPE] === "client"
|
2021-04-08 12:20:37 +02:00
|
|
|
}
|
2021-04-19 18:31:47 +02:00
|
|
|
|
2022-11-16 19:12:31 +01:00
|
|
|
export function timeout(timeMs: number) {
|
2022-06-23 21:22:51 +02:00
|
|
|
return new Promise(resolve => setTimeout(resolve, timeMs))
|
|
|
|
}
|
2023-02-27 12:42:52 +01:00
|
|
|
|
|
|
|
export function isAudited(event: Event) {
|
|
|
|
return !!AuditedEventFriendlyName[event]
|
|
|
|
}
|