From 0c81516662255a4759401d350898e688cd375ab3 Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Mon, 2 Nov 2020 20:14:10 +0000 Subject: [PATCH] Some more re-work, more testing needed to auth stuff. --- packages/client/src/createApp.js | 4 +-- packages/client/src/index.js | 4 +-- packages/client/src/render/getAppId.js | 15 ++-------- packages/client/src/render/screenRouter.js | 4 +-- packages/client/tests/testAppDef.js | 2 +- packages/server/src/api/controllers/auth.js | 5 +++- .../server/src/middleware/authenticated.js | 17 ++++------- .../src/utilities/builder/setBuilderToken.js | 14 +++++++--- packages/server/src/utilities/index.js | 28 ++++++++++++++++++- 9 files changed, 55 insertions(+), 38 deletions(-) diff --git a/packages/client/src/createApp.js b/packages/client/src/createApp.js index 233abc0f58..f9d4f2bea5 100644 --- a/packages/client/src/createApp.js +++ b/packages/client/src/createApp.js @@ -2,7 +2,7 @@ import { attachChildren } from "./render/attachChildren" import { createTreeNode } from "./render/prepareRenderComponent" import { screenRouter } from "./render/screenRouter" import { createStateManager } from "./state/stateManager" -import { parseAppIdFromCookie } from "./render/getAppId" +import { getAppIdFromPath } from "./render/getAppId" export const createApp = ({ componentLibraries, @@ -38,7 +38,7 @@ export const createApp = ({ window, }) const fallbackPath = window.location.pathname.replace( - parseAppIdFromCookie(window.document.cookie), + getAppIdFromPath(), "" ) routeTo(currentUrl || fallbackPath) diff --git a/packages/client/src/index.js b/packages/client/src/index.js index 6bbe2aee2b..54dbb7af9e 100644 --- a/packages/client/src/index.js +++ b/packages/client/src/index.js @@ -1,6 +1,6 @@ import { createApp } from "./createApp" import { builtins, builtinLibName } from "./render/builtinComponents" -import { parseAppIdFromCookie } from "./render/getAppId" +import { getAppIdFromPath } from "./render/getAppId" /** * create a web application from static budibase definition files. @@ -9,7 +9,7 @@ import { parseAppIdFromCookie } from "./render/getAppId" export const loadBudibase = async opts => { const _window = (opts && opts.window) || window // const _localStorage = (opts && opts.localStorage) || localStorage - const appId = parseAppIdFromCookie(_window.document.cookie) + const appId = getAppIdFromPath() const frontendDefinition = _window["##BUDIBASE_FRONTEND_DEFINITION##"] const user = {} diff --git a/packages/client/src/render/getAppId.js b/packages/client/src/render/getAppId.js index 4cbb6692b5..d476eda44c 100644 --- a/packages/client/src/render/getAppId.js +++ b/packages/client/src/render/getAppId.js @@ -1,14 +1,3 @@ -export const parseAppIdFromCookie = docCookie => { - const cookie = - docCookie.split(";").find(c => c.trim().startsWith("budibase:token")) || - docCookie.split(";").find(c => c.trim().startsWith("builder:token")) - - if (!cookie) return location.pathname.replace(/\//g, "") - - const base64Token = cookie.substring(lengthOfKey) - - const user = JSON.parse(atob(base64Token.split(".")[1])) - return user.appId +export const getAppIdFromPath = () => { + return location.pathname.split("/")[1] } - -const lengthOfKey = "budibase:token=".length diff --git a/packages/client/src/render/screenRouter.js b/packages/client/src/render/screenRouter.js index 0c045097ed..32a12c167a 100644 --- a/packages/client/src/render/screenRouter.js +++ b/packages/client/src/render/screenRouter.js @@ -1,6 +1,6 @@ import regexparam from "regexparam" import appStore from "../state/store" -import { parseAppIdFromCookie } from "./getAppId" +import { getAppIdFromPath } from "./getAppId" export const screenRouter = ({ screens, onScreenSelected, window }) => { function sanitize(url) { @@ -27,7 +27,7 @@ export const screenRouter = ({ screens, onScreenSelected, window }) => { const makeRootedPath = url => { if (isRunningLocally()) { - const appId = parseAppIdFromCookie(window.document.cookie) + const appId = getAppIdFromPath() if (url) { url = sanitize(url) if (!url.startsWith("/")) { diff --git a/packages/client/tests/testAppDef.js b/packages/client/tests/testAppDef.js index c583d91545..90dbd2717d 100644 --- a/packages/client/tests/testAppDef.js +++ b/packages/client/tests/testAppDef.js @@ -9,7 +9,7 @@ export const load = async (page, screens, url, host = "test.com") => { const cookieJar = new jsdom.CookieJar() const cookie = `${btoa("{}")}.${btoa('{"appId":"TEST_APP_ID"}')}.signature` cookieJar.setCookie( - `budibase:token=${cookie};domain=${host};path=/`, + `budibase:local:TEST_APP_ID=${cookie};domain=${host};path=/`, fullUrl, { looseMode: false, diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js index 0cdaa25a85..2c7e43d2cc 100644 --- a/packages/server/src/api/controllers/auth.js +++ b/packages/server/src/api/controllers/auth.js @@ -4,6 +4,7 @@ const bcrypt = require("../../utilities/bcrypt") const env = require("../../environment") const { getAPIKey } = require("../../utilities/usageQuota") const { generateUserID } = require("../../db/utils") +const { getCookieName } = require("../../utilities") exports.authenticate = async ctx => { const appId = ctx.user.appId @@ -48,16 +49,18 @@ exports.authenticate = async ctx => { const expires = new Date() expires.setDate(expires.getDate() + 1) - ctx.cookies.set(`budibase:token`, token, { + ctx.cookies.set(getCookieName(appId), token, { expires, path: "/", httpOnly: false, overwrite: true, }) + delete dbUser.password ctx.body = { token, ...dbUser, + appId, } } else { ctx.throw(401, "Invalid credentials.") diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js index 74f133cbde..a4bd347b75 100644 --- a/packages/server/src/middleware/authenticated.js +++ b/packages/server/src/middleware/authenticated.js @@ -9,6 +9,7 @@ const { } = require("../utilities/accessLevels") const env = require("../environment") const { AuthTypes } = require("../constants") +const { getAppId, getCookieName } = require("../utilities") module.exports = async (ctx, next) => { if (ctx.path === "/_builder") { @@ -16,8 +17,10 @@ module.exports = async (ctx, next) => { return } - const appToken = ctx.cookies.get("budibase:token") - const builderToken = ctx.cookies.get("builder:token") + const appId = getAppId(ctx) + + const appToken = ctx.cookies.get(getCookieName(appId)) + const builderToken = ctx.cookies.get(getCookieName()) let token // if running locally in the builder itself @@ -31,16 +34,6 @@ module.exports = async (ctx, next) => { if (!token) { ctx.auth.authenticated = false - - let appId = env.CLOUD ? ctx.subdomains[1] : ctx.params.appId - - // if appId can't be determined from path param or subdomain - if (!appId && ctx.request.headers.referer) { - const url = new URL(ctx.request.headers.referer) - // remove leading and trailing slashes from appId - appId = url.pathname.replace(/\//g, "") - } - ctx.user = { appId, } diff --git a/packages/server/src/utilities/builder/setBuilderToken.js b/packages/server/src/utilities/builder/setBuilderToken.js index 811f273d40..f77bfe49a4 100644 --- a/packages/server/src/utilities/builder/setBuilderToken.js +++ b/packages/server/src/utilities/builder/setBuilderToken.js @@ -2,6 +2,9 @@ const { BUILDER_LEVEL_ID } = require("../accessLevels") const env = require("../../environment") const CouchDB = require("../../db") const jwt = require("jsonwebtoken") +const { DocumentTypes, SEPARATOR } = require("../../db/utils") +const { getCookieName } = require("../index") +const APP_PREFIX = DocumentTypes.APP + SEPARATOR module.exports = async (ctx, appId, version) => { const builderUser = { @@ -20,15 +23,18 @@ module.exports = async (ctx, appId, version) => { const expiry = new Date() expiry.setDate(expiry.getDate() + 30) // set the builder token - ctx.cookies.set("builder:token", token, { + ctx.cookies.set(getCookieName(), token, { expires: expiry, httpOnly: false, overwrite: true, }) // need to clear all app tokens or else unable to use the app in the builder let allDbNames = await CouchDB.allDbs() - allDbNames.map(dbName => {}) - ctx.cookies.set(`budibase:${appId}`, "", { - overwrite: true, + allDbNames.map(dbName => { + if (dbName.startsWith(APP_PREFIX)) { + ctx.cookies.set(getCookieName(dbName), "", { + overwrite: true, + }) + } }) } diff --git a/packages/server/src/utilities/index.js b/packages/server/src/utilities/index.js index 4fdc9f8b49..4c324cbfdf 100644 --- a/packages/server/src/utilities/index.js +++ b/packages/server/src/utilities/index.js @@ -11,6 +11,32 @@ exports.isDev = () => { ) } +/** + * Given a request tries to find the appId, which can be located in various places + * @param {object} ctx The main request body to look through. + * @returns {string|undefined} If an appId was found it will be returned. + */ exports.getAppId = ctx => { - + let appId = env.CLOUD ? ctx.subdomains[1] : ctx.params.appId + // look in body if can't find it in subdomain + if (!appId && ctx.request.body && ctx.request.body.appId) { + appId = ctx.request.body.appId + } + // if appId can't be determined from path param or subdomain + if (!appId && ctx.request.headers.referer) { + const url = new URL(ctx.request.headers.referer) + // remove leading and trailing slashes from appId + appId = url.pathname.replace(/\//g, "") + } + return appId +} + +/** + * Get the name of the cookie which is to be updated/retrieved + * @param {string|undefined|null} appId OPTIONAL can specify the specific app if previewing etc + * @returns {string} The name of the token trying to find + */ +exports.getCookieName = (appId = null) => { + let mid = env.CLOUD ? "cloud" : "local" + return `budibase:${mid}:${appId ? appId : "builder"}` }