budibase/packages/server/src/middleware/authenticated.js

const jwt = require("jsonwebtoken")
const STATUS_CODES = require("../utilities/statusCodes")
const { getRole, getBuiltinRoles } = require("../utilities/security/roles")
const { AuthTypes } = require("../constants")
const {
  getAppId,
  getCookieName,
  clearCookie,
  setCookie,
  isClient,
} = require("../utilities")

module.exports = async (ctx, next) => {
  if (ctx.path === "/_builder") {
    await next()
    return
  }

  // do everything we can to make sure the appId is held correctly
  // we hold it in state as a
  let appId = getAppId(ctx)
  const cookieAppId = ctx.cookies.get(getCookieName("currentapp"))
  const builtinRoles = getBuiltinRoles()
  if (appId && cookieAppId !== appId) {
    setCookie(ctx, appId, "currentapp")
  } else if (cookieAppId) {
    appId = cookieAppId
  }
  let token, authType
  if (!isClient(ctx)) {
    token = ctx.cookies.get(getCookieName())
    authType = AuthTypes.BUILDER
  }
  if (!token && appId) {
    token = ctx.cookies.get(getCookieName(appId))
    authType = AuthTypes.APP
  }

  if (!token) {
    ctx.auth.authenticated = false
    ctx.appId = appId
    ctx.user = {
      appId,
      role: builtinRoles.PUBLIC,
    }
    await next()
    return
  }

  try {
    ctx.auth.authenticated = authType
    const jwtPayload = jwt.verify(token, ctx.config.jwtSecret)
    ctx.appId = appId
    ctx.auth.apiKey = jwtPayload.apiKey
    ctx.user = {
      ...jwtPayload,
      appId: appId,
      role: await getRole(appId, jwtPayload.roleId),
    }
  } catch (err) {
    if (authType === AuthTypes.BUILDER) {
      clearCookie(ctx)
      ctx.status = 200
      return
    } else {
      ctx.throw(err.status || STATUS_CODES.FORBIDDEN, err.text)
    }
  }

  await next()
}
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`const jwt = require("jsonwebtoken")`
server tests in-memory and passing 2020-05-14 16:12:30 +02:00			`const STATUS_CODES = require("../utilities/statusCodes")`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-12 21:34:54 +01:00			`const { getRole, getBuiltinRoles } = require("../utilities/security/roles")`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`const { AuthTypes } = require("../constants")`
This commit includes some fixes for a few auth issues I found when I was working on this and a static page which shows the self hosting info to get the user going (if they end up there). 2021-01-28 19:30:59 +01:00			`const {`
			`getAppId,`
			`getCookieName,`
			`clearCookie,`
			`setCookie,`
			`isClient,`
			`} = require("../utilities")`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00
			`module.exports = async (ctx, next) => {`
removing Authorization header 2020-05-18 12:53:04 +02:00			`if (ctx.path === "/_builder") {`
server tests in-memory and passing 2020-05-14 16:12:30 +02:00			`await next()`
further simplification of server code 2020-05-07 15:04:32 +02:00			`return`
			`}`

Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`// do everything we can to make sure the appId is held correctly`
			`// we hold it in state as a`
			`let appId = getAppId(ctx)`
Updating server test cases with the header for appId. 2020-11-03 16:00:39 +01:00			`const cookieAppId = ctx.cookies.get(getCookieName("currentapp"))`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-12 21:34:54 +01:00			`const builtinRoles = getBuiltinRoles()`
Updating server test cases with the header for appId. 2020-11-03 16:00:39 +01:00			`if (appId && cookieAppId !== appId) {`
This commit includes some fixes for a few auth issues I found when I was working on this and a static page which shows the self hosting info to get the user going (if they end up there). 2021-01-28 19:30:59 +01:00			`setCookie(ctx, appId, "currentapp")`
Updating server test cases with the header for appId. 2020-11-03 16:00:39 +01:00			`} else if (cookieAppId) {`
			`appId = cookieAppId`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`}`
This commit includes some fixes for a few auth issues I found when I was working on this and a static page which shows the self hosting info to get the user going (if they end up there). 2021-01-28 19:30:59 +01:00			`let token, authType`
			`if (!isClient(ctx)) {`
Minor update to make use of new client header to state the request is from the client, not the builder. 2020-11-19 21:16:37 +01:00			`token = ctx.cookies.get(getCookieName())`
This commit includes some fixes for a few auth issues I found when I was working on this and a static page which shows the self hosting info to get the user going (if they end up there). 2021-01-28 19:30:59 +01:00			`authType = AuthTypes.BUILDER`
Fixing a bug found by tests in auth. 2021-01-29 14:14:36 +01:00			`}`
			`if (!token && appId) {`
This commit includes some fixes for a few auth issues I found when I was working on this and a static page which shows the self hosting info to get the user going (if they end up there). 2021-01-28 19:30:59 +01:00			`token = ctx.cookies.get(getCookieName(appId))`
			`authType = AuthTypes.APP`
removing clientId from frontend, fixing invalid database name 2020-05-18 07:40:29 +02:00			`}`

simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`if (!token) {`
adding auth object to context rather than separate booleans 2020-10-12 14:32:52 +02:00			`ctx.auth.authenticated = false`
The API that the components library would use was not always consistent with the API client library would use and this would sometimes break things. 2020-11-09 10:42:35 +01:00			`ctx.appId = appId`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`ctx.user = {`
frontend bug fixes, remove bindable prop, add not equals filter 2020-10-14 22:43:36 +02:00			`appId,`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-12 21:34:54 +01:00			`role: builtinRoles.PUBLIC,`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`}`
formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`await next()`
			`return`
			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00
			`try {`
Another quick fix for apps to work again. 2020-11-19 21:42:49 +01:00			`ctx.auth.authenticated = authType`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`const jwtPayload = jwt.verify(token, ctx.config.jwtSecret)`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`ctx.appId = appId`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-13 22:33:56 +02:00			`ctx.auth.apiKey = jwtPayload.apiKey`
access levels 2020-05-27 18:23:01 +02:00			`ctx.user = {`
			`...jwtPayload,`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-03 14:45:49 +01:00			`appId: appId,`
Changing the naming of access levels to be roles. 2020-12-02 14:20:56 +01:00			`role: await getRole(appId, jwtPayload.roleId),`
access levels 2020-05-27 18:23:01 +02:00			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00			`} catch (err) {`
This commit includes some fixes for a few auth issues I found when I was working on this and a static page which shows the self hosting info to get the user going (if they end up there). 2021-01-28 19:30:59 +01:00			`if (authType === AuthTypes.BUILDER) {`
			`clearCookie(ctx)`
			`ctx.status = 200`
			`return`
			`} else {`
			`ctx.throw(err.status \|\| STATUS_CODES.FORBIDDEN, err.text)`
			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-23 15:37:08 +02:00			`}`

formatting + fixing builder tests 2020-05-07 11:53:34 +02:00			`await next()`
			`}`