budibase/packages/server/src/middleware/authenticated.js

78 lines
1.8 KiB
JavaScript
Raw Normal View History

2020-05-07 11:53:34 +02:00
const jwt = require("jsonwebtoken")
2020-05-14 16:12:30 +02:00
const STATUS_CODES = require("../utilities/statusCodes")
const env = require("../environment")
2020-05-27 18:23:01 +02:00
const accessLevelController = require("../api/controllers/accesslevel")
const {
ADMIN_LEVEL_ID,
POWERUSER_LEVEL_ID,
} = require("../utilities/accessLevels")
module.exports = async (ctx, next) => {
2020-05-18 12:53:04 +02:00
if (ctx.path === "/_builder") {
2020-05-14 16:12:30 +02:00
await next()
2020-05-07 15:04:32 +02:00
return
}
const appToken = ctx.cookies.get("budibase:token")
const builderToken = ctx.cookies.get("builder:token")
2020-06-03 20:35:04 +02:00
const isBuilderAgent = ctx.headers["x-user-agent"] === "Budibase Builder"
// all admin api access should auth with buildertoken and 'Budibase Builder user agent
const shouldAuthAsBuilder = isBuilderAgent && builderToken
if (shouldAuthAsBuilder) {
2020-06-03 20:35:04 +02:00
const builderTokenValid = builderToken === env.ADMIN_SECRET
ctx.isAuthenticated = builderTokenValid
ctx.isBuilder = builderTokenValid
await next()
return
}
if (!appToken) {
2020-05-04 18:13:57 +02:00
ctx.isAuthenticated = false
2020-05-07 11:53:34 +02:00
await next()
return
}
try {
const jwtPayload = jwt.verify(appToken, ctx.config.jwtSecret)
2020-05-27 18:23:01 +02:00
ctx.user = {
...jwtPayload,
accessLevel: await getAccessLevel(
jwtPayload.instanceId,
jwtPayload.accessLevelId
),
}
2020-05-07 11:53:34 +02:00
ctx.isAuthenticated = true
} catch (err) {
2020-05-07 15:04:32 +02:00
ctx.throw(err.status || STATUS_CODES.FORBIDDEN, err.text)
}
2020-05-07 11:53:34 +02:00
await next()
}
2020-05-27 18:23:01 +02:00
const getAccessLevel = async (instanceId, accessLevelId) => {
if (
accessLevelId === POWERUSER_LEVEL_ID ||
accessLevelId === ADMIN_LEVEL_ID
) {
return {
_id: accessLevelId,
name: accessLevelId,
permissions: [],
}
}
const findAccessContext = {
params: {
levelId: accessLevelId,
instanceId,
},
}
await accessLevelController.find(findAccessContext)
return findAccessContext.body
}