From 105e1cc16f708861326e94aa7ebd631b7742aba2 Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Tue, 13 Apr 2021 18:12:35 +0100 Subject: [PATCH] Getting most of the test auth working, adding in global builder configuration. --- .../src/components/login/LoginForm.svelte | 3 ++ packages/server/__mocks__/node-fetch.js | 15 +++---- packages/server/src/middleware/authorized.js | 10 ++--- packages/server/src/middleware/currentapp.js | 7 ++-- .../src/tests/utilities/TestConfiguration.js | 39 ++++++++++++------- .../server/src/utilities/workerRequests.js | 3 ++ packages/worker/src/api/routes/admin/index.js | 6 ++- 7 files changed, 50 insertions(+), 33 deletions(-)
diff --git a/packages/builder/src/components/login/LoginForm.svelte b/packages/builder/src/components/login/LoginForm.svelte
index 57ba75934c..9d05592076 100644
--- a/packages/builder/src/components/login/LoginForm.svelte
+++ b/packages/builder/src/components/login/LoginForm.svelte
@@ -29,6 +29,9 @@ email: "test@test.com", password: "test", roles: {},
+ builder: {
+ global: true,
+ }
 }) notifier.success("Test user created") } catch (err) {
diff --git a/packages/server/__mocks__/node-fetch.js b/packages/server/__mocks__/node-fetch.js
index 33b6e23454..dfca7fd379 100644
--- a/packages/server/__mocks__/node-fetch.js
+++ b/packages/server/__mocks__/node-fetch.js
@@ -10,8 +10,15 @@ module.exports = async (url, opts) => { } }
+ if (url.includes("/api/admin")) {
+ return json({
+ email: "test@test.com",
+ _id: "us_test@test.com",
+ status: "active",
+ })
+ }
 // mocked data based on url
- if (url.includes("api/apps")) {
+ else if (url.includes("api/apps")) {
 return json({ app1: { url: "/app1",
@@ -41,12 +48,6 @@ module.exports = async (url, opts) => { ], bookmark: "test", })
- } else if (url.includes("/api/admin")) {
- return json({
- email: "test@test.com",
- _id: "us_test@test.com",
- status: "active",
- })
 } return fetch(url, opts) }
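Review bot: The test account minted here now carries `builder: { global: true }` together with the fixed credentials `test@test.com` / `test`, so this button creates a globally privileged user with a well-known password; the click handler starts outside the hunk, so I cannot see whether it is limited to development builds, and that constraint deserves a comment at the top of the handler, e.g. `// dev-only helper: creates a global builder with a fixed password`. Style: the new `builder` object closes with a bare `}` while the sibling properties end in trailing commas; `},` keeps the literal consistent.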
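Review bot: The reordering only changes behaviour if some request URL satisfies both `url.includes("/api/admin")` and `url.includes("api/apps")`, and nothing in the hunk says which URL that is, so the next person can reorder the branches back without noticing; a comment on the new branch naming the overlapping URL, e.g. `// checked first: <overlapping URL> would otherwise match the api/apps branch below`, pins the intent. The existing `// mocked data based on url` comment now sits between the new block's closing `}` and `else if`, where it reads as describing only the apps branch; moving it above the new `if` keeps it covering the whole dispatch.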
diff --git a/packages/server/src/middleware/authorized.js b/packages/server/src/middleware/authorized.js
index 1ef58369ac..db3c81e95e 100644
--- a/packages/server/src/middleware/authorized.js
+++ b/packages/server/src/middleware/authorized.js
@@ -30,14 +30,10 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => { ctx.roleId )
- // TODO: need to determine if the user has permission to build here, global cookie
-
- // this may need to change in the future, right now only admins
- // can have access to builder features, this is hard coded into
- // our rules
- if (isAuthed) {
+ let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global
+ if (permType === PermissionTypes.BUILDER && isBuilder) {
 return next()
- } else if (permType === PermissionTypes.BUILDER) {
+ } else if (permType === PermissionTypes.BUILDER && !isBuilder) {
 return ctx.throw(403, "Not Authorized") }
diff --git a/packages/server/src/middleware/currentapp.js b/packages/server/src/middleware/currentapp.js
index 1a9468c6eb..6616888c57 100644
--- a/packages/server/src/middleware/currentapp.js
+++ b/packages/server/src/middleware/currentapp.js
@@ -15,12 +15,11 @@ module.exports = async (ctx, next) => { let updateCookie = false, appId,
- roleId
+ roleId = BUILTIN_ROLE_IDS.PUBLIC
 if (!ctx.user) { // not logged in, try to set a cookie for public apps updateCookie = true appId = requestAppId
- roleId = BUILTIN_ROLE_IDS.PUBLIC
 } else if ( requestAppId != null && (appCookie == null ||
@@ -31,7 +30,9 @@ module.exports = async (ctx, next) => { const globalUser = await getGlobalUsers(ctx, requestAppId, ctx.user.email) updateCookie = true appId = requestAppId
- roleId = globalUser.roles[requestAppId] || BUILTIN_ROLE_IDS.PUBLIC
+ if (globalUser.roles && globalUser.roles[requestAppId]) {
+ roleId = globalUser.roles[requestAppId]
+ }
 } else if (appCookie != null) { appId = appCookie.appId roleId = appCookie.roleId || BUILTIN_ROLE_IDS.PUBLIC
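Review bot: `isAuthed`, presumably assigned by the call whose `ctx.roleId )` tail is the hunk's first context line, no longer gates anything in the new branches: the removed `if (isAuthed) {` was its only visible use, so unless the rest of the middleware body (outside the hunk) still consults it, the permission check for every non-builder `permType` has been dropped and that value is dead. The `else if (permType === PermissionTypes.BUILDER && !isBuilder)` condition is redundant — once the first branch has failed and `permType` is `BUILDER`, `!isBuilder` already holds — so `} else if (permType === PermissionTypes.BUILDER) {` says the same thing. `isBuilder` is never reassigned and can hold `undefined` or a non-boolean rather than a boolean; `const isBuilder = !!(ctx.user && ctx.user.builder && ctx.user.builder.global)` addresses both.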
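Review bot: `globalUser.roles[requestAppId]` is a plain property lookup on the global user's `roles` map, and `requestAppId` appears to originate from the request (its source is outside the hunk); if that id names an inherited property such as `constructor`, the lookup is truthy and `roleId` ends up holding a function instead of a role id. Guarding on own properties, `if (globalUser.roles && Object.prototype.hasOwnProperty.call(globalUser.roles, requestAppId)) {`, applies only a role that was actually stored, ideally alongside a check that the value is a string. Since `roleId` now defaults to `BUILTIN_ROLE_IDS.PUBLIC`, the `|| BUILTIN_ROLE_IDS.PUBLIC` on the `appCookie` branch duplicates that default and could go. `globalUser` itself is still dereferenced without a null check, as it was before this change.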
diff --git a/packages/server/src/tests/utilities/TestConfiguration.js b/packages/server/src/tests/utilities/TestConfiguration.js
index 002cf4d004..3e148970b1 100644
--- a/packages/server/src/tests/utilities/TestConfiguration.js
+++ b/packages/server/src/tests/utilities/TestConfiguration.js
@@ -15,6 +15,7 @@ const { const controllers = require("./controllers") const supertest = require("supertest") const { cleanup } = require("../../utilities/fileSystem")
+const { Cookies } = require("@budibase/auth")
 const EMAIL = "babs@babs.com" const PASSWORD = "babs_password"
@@ -68,16 +69,26 @@ class TestConfiguration { } defaultHeaders() {
- const builderUser = {
- userId: "BUILDER",
+ const user = {
+ userId: "us_test@test.com",
+ email: "test@test.com",
 roleId: BUILTIN_ROLE_IDS.BUILDER,
+ builder: {
+ global: true,
+ },
 }
- const builderToken = jwt.sign(builderUser, env.JWT_SECRET)
- // can be "production" for test case
- const type = env.isProd() ? "cloud" : "local"
+ const app = {
+ roleId: BUILTIN_ROLE_IDS.BUILDER,
+ appId: this.appId,
+ }
+ const authToken = jwt.sign(user, env.JWT_SECRET)
+ const appToken = jwt.sign(app, env.JWT_SECRET)
 const headers = { Accept: "application/json",
- Cookie: [`budibase:builder:${type}=${builderToken}`],
+ Cookie: [
+ `${Cookies.Auth}=${authToken}`,
+ `${Cookies.CurrentApp}=${appToken}`,
+ ],
 } if (this.appId) { headers["x-budibase-app-id"] = this.appId
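Review bot: A `CurrentApp` cookie is signed and sent even when `this.appId` is unset, which the `if (this.appId)` guard right below shows is a real state, so that cookie then carries `appId: undefined`; minting the app cookie under the same guard mirrors the header and avoids handing the middleware an app cookie with no app. The literals `us_test@test.com` and `test@test.com` are repeated here, in the login helper later in this file and in the node-fetch mock; hoisting them beside `EMAIL`/`PASSWORD` keeps the signed token and the mocked global user in step. `defaultHeaders()` starts inside the hunk but its tail is outside it.
```javascript
  defaultHeaders() {
    // … unchanged: user object and authToken …
    const cookies = [`${Cookies.Auth}=${authToken}`]
    // only mint a CurrentApp cookie once a test app exists, mirroring the
    // x-budibase-app-id guard below
    if (this.appId) {
      const app = { roleId: BUILTIN_ROLE_IDS.BUILDER, appId: this.appId }
      cookies.push(`${Cookies.CurrentApp}=${jwt.sign(app, env.JWT_SECRET)}`)
    }
    const headers = {
      Accept: "application/json",
      Cookie: cookies,
    }
    // … unchanged: x-budibase-app-id header and return …
```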
@@ -307,20 +318,18 @@ class TestConfiguration { } if (!email || !password) { await this.createUser()
- email = EMAIL
- password = PASSWORD
 }
- const result = await this.request
- .post(`/api/authenticate`)
- .set({
- "x-budibase-app-id": this.appId,
- })
- .send({ email, password })
+ const user = {
+ userId: "us_test@test.com",
+ email: EMAIL,
+ roleId: BUILTIN_ROLE_IDS.BASIC,
+ }
+ const token = jwt.sign(user, env.JWT_SECRET)
 // returning necessary request headers return { Accept: "application/json",
- Cookie: result.headers["set-cookie"],
+ Cookie: [`${Cookies.Auth}=${token}`],
 "x-budibase-app-id": this.appId, } }
diff --git a/packages/server/src/utilities/workerRequests.js b/packages/server/src/utilities/workerRequests.js
index b04b3698f4..16be0daa0b 100644
--- a/packages/server/src/utilities/workerRequests.js
+++ b/packages/server/src/utilities/workerRequests.js
@@ -99,6 +99,9 @@ exports.saveGlobalUser = async (ctx, appId, email, body) => { password: body.password || undefined, status: body.status, roles,
+ builder: {
+ global: true,
+ },
 }, }
diff --git a/packages/worker/src/api/routes/admin/index.js b/packages/worker/src/api/routes/admin/index.js
index 88a1809fc5..2d46174c68 100644
--- a/packages/worker/src/api/routes/admin/index.js
+++ b/packages/worker/src/api/routes/admin/index.js
@@ -13,12 +13,16 @@ function buildUserSaveValidation() { _rev: Joi.string(), email: Joi.string(), password: Joi.string().allow(null, ""),
+ builder: Joi.object({
+ global: Joi.boolean().allow(undefined),
+ apps: Joi.array().allow(undefined),
+ }).unknown(true).allow(undefined),
 // maps appId -> roleId for the user roles: Joi.object() .pattern(/.*/, Joi.string()) .required() .unknown(true)
- }).required().unknown(true))
+ }).required().unknown(true).allow(undefined))
 } router
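Review bot: `await this.createUser()` is still called but nothing it produces feeds the token: the signed user is `userId: "us_test@test.com"` with `email: EMAIL` (`babs@babs.com`), so the id and the email describe two different accounts, and after the `if` the `email` and `password` values are no longer read at all. If the helper is now purely minting a token, drop the `createUser()` call and the dead inputs; otherwise sign the identity the created user really has, e.g. `const user = { userId: <created user's _id>, email, roleId: BUILTIN_ROLE_IDS.BASIC }`. The helper's signature and the opening of the `if` are outside the hunk, so I cannot see which parameters callers still pass.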
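Review bot: Every user saved through `saveGlobalUser` is now granted `builder: { global: true }` unconditionally, while the neighbouring fields are copied from the caller's `body`; a data-mapping helper that silently upgrades each saved user to a global builder is a privilege grant hiding where nobody expects one. If this is scaffolding so the test auth works (the commit title suggests so), mark it in place, `// TODO: builder access must be decided by the caller/route, not granted to every saved user`; otherwise pass through `builder: body.builder` and let the worker route enforce who may set it. `saveGlobalUser` starts above the hunk and its body continues below it.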
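Review bot: `builder` becomes a client-writable field of the user-save schema, so any caller permitted to reach this route can set `global: true` on the user it saves; Joi cannot express 'only privileged callers may set this', so the route handler (outside this hunk) must either strip `builder` or verify the caller's own privilege before persisting it, and a comment on the key, `// privilege-bearing: the handler must verify the caller may grant builder access`, keeps it from being treated as ordinary profile data. `apps: Joi.array()` accepts elements of any type; `Joi.array().items(Joi.string())` pins them to app ids. `.allow(undefined)` on a key that is not `.required()` adds nothing in Joi, where keys are optional by default, and `.required().unknown(true).allow(undefined)` on the outer object states two opposite intents, so pick one.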