MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix error message and extract tenantId from appId

This commit is contained in:
Martin McKeaveney 2025-02-17 10:32:12 +00:00
parent 257151dfa5
commit 06866111d3
4 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
packages/backend-core/src/utils/tests/utils.spec.ts
View File

@ -67,6 +67,15 @@ describe("utils", () => {
}) })
}) })
it("gets appId from query params", async () => {
const ctx = structures.koa.newContext()
const expected = db.generateAppID()
ctx.query = { appId: expected }
const actual = await utils.getAppIdFromCtx(ctx)
expect(actual).toBe(expected)
})
it("doesn't get appId from url when previewing", async () => { it("doesn't get appId from url when previewing", async () => {
const ctx = structures.koa.newContext() const ctx = structures.koa.newContext()
const appId = db.generateAppID() const appId = db.generateAppID()

5
packages/backend-core/src/utils/utils.ts
View File

@ -101,6 +101,11 @@ export async function getAppIdFromCtx(ctx: Ctx) {
appId = confirmAppId(pathId) appId = confirmAppId(pathId)
} }
// look in queryParams
if (!appId && ctx.query?.appId) {
appId = confirmAppId(ctx.query?.appId as string)
}
// lookup using custom url - prod apps only // lookup using custom url - prod apps only
// filter out the builder preview path which collides with the prod app path // filter out the builder preview path which collides with the prod app path
// to ensure we don't load all apps excessively // to ensure we don't load all apps excessively

9
packages/server/src/middleware/ensureTenantAppOwnership.ts
View File

@ -1,4 +1,4 @@
import { tenancy, utils } from "@budibase/backend-core" import { tenancy, utils, context } from "@budibase/backend-core"
import { UserCtx } from "@budibase/types" import { UserCtx } from "@budibase/types"
async function ensureTenantAppOwnership(ctx: UserCtx, next: any) { async function ensureTenantAppOwnership(ctx: UserCtx, next: any) {
@ -6,9 +6,12 @@ async function ensureTenantAppOwnership(ctx: UserCtx, next: any) {
if (!appId) { if (!appId) {
ctx.throw(400, "appId must be provided") ctx.throw(400, "appId must be provided")
} }
const appTenantId = context.getTenantIDFromAppID(appId)
const tenantId = tenancy.getTenantId() const tenantId = tenancy.getTenantId()
if (appId !== tenantId) {
ctx.throw(403, `App does not belong to tenant`) if (appTenantId !== tenantId) {
ctx.throw(403, "Unauthorized")
} }
await next() await next()
} }

7
packages/server/src/middleware/tests/ensureTenantAppOwnership.spec.js
View File

@ -2,6 +2,7 @@ import ensureTenantAppOwnership from "../ensureTenantAppOwnership"
import { tenancy, utils } from "@budibase/backend-core" import { tenancy, utils } from "@budibase/backend-core"
jest.mock("@budibase/backend-core", () => ({ jest.mock("@budibase/backend-core", () => ({
...jest.requireActual("@budibase/backend-core"),
tenancy: { tenancy: {
getTenantId: jest.fn(), getTenantId: jest.fn(),
}, },
@ -53,7 +54,9 @@ describe("Ensure Tenant Ownership Middleware", () => {
expect(config.next).toHaveBeenCalled() expect(config.next).toHaveBeenCalled()
}) })
it("throws 403 when appId does not match tenant ID", async () => { it("throws when tenant appId does not match tenant ID", async () => {
const appId = "app_dev_tenant3_fce449c4d75b4e4a9c7a6980d82a3e22"
utils.getAppIdFromCtx.mockResolvedValue(appId)
tenancy.getTenantId.mockReturnValue("tenant_2") tenancy.getTenantId.mockReturnValue("tenant_2")
await config.executeMiddleware() await config.executeMiddleware()
@ -61,7 +64,7 @@ describe("Ensure Tenant Ownership Middleware", () => {
expect(utils.getAppIdFromCtx).toHaveBeenCalledWith(config.ctx) expect(utils.getAppIdFromCtx).toHaveBeenCalledWith(config.ctx)
expect(config.throw).toHaveBeenCalledWith( expect(config.throw).toHaveBeenCalledWith(
403, 403,
"App does not belong to tenant" "Unauthorized",
) )
}) })