From fc9e48e8e76c9feb3cf13e091a73fc8adfb57851 Mon Sep 17 00:00:00 2001
From: mike12345567 <me@michaeldrury.co.uk>
Date: Mon, 21 Jun 2021 17:13:06 +0100
Subject: [PATCH 1/5] Fixing authentication with API key issue.

---
 packages/auth/src/middleware/authenticated.js | 41 ++++++++++++-------
 packages/builder/cypress/setup.js             |  1 +
 .../src/api/controllers/admin/configs.js      |  3 +-
 3 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/packages/auth/src/middleware/authenticated.js b/packages/auth/src/middleware/authenticated.js
index 5d9056b19a..b40e86e364 100644
--- a/packages/auth/src/middleware/authenticated.js
+++ b/packages/auth/src/middleware/authenticated.js
@@ -22,6 +22,12 @@ function buildNoAuthRegex(patterns) {
   })
 }
 
+function finalise(ctx, { authenticated, user, internal } = {}) {
+  ctx.isAuthenticated = authenticated || false
+  ctx.user = user
+  ctx.internal = internal || false
+}
+
 module.exports = (noAuthPatterns = [], opts) => {
   const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
   return async (ctx, next) => {
@@ -36,35 +42,40 @@ module.exports = (noAuthPatterns = [], opts) => {
       return next()
     }
     try {
-      const apiKey = ctx.request.headers["x-budibase-api-key"]
       // check the actual user is authenticated first
       const authCookie = getCookie(ctx, Cookies.Auth)
-
-      // this is an internal request, no user made it
-      if (apiKey && apiKey === env.INTERNAL_API_KEY) {
-        ctx.isAuthenticated = true
-        ctx.internal = true
-      } else if (authCookie) {
+      let authenticated = false,
+        user = null,
+        internal = false
+      if (authCookie) {
         try {
           const db = database.getDB(StaticDatabases.GLOBAL.name)
-          const user = await db.get(authCookie.userId)
-          delete user.password
-          ctx.isAuthenticated = true
-          ctx.user = user
+          const foundUser = await db.get(authCookie.userId)
+          delete foundUser.password
+          authenticated = true
+          user = foundUser
         } catch (err) {
           // remove the cookie as the use does not exist anymore
           clearCookie(ctx, Cookies.Auth)
         }
       }
-      // be explicit
-      if (ctx.isAuthenticated !== true) {
-        ctx.isAuthenticated = false
+      const apiKey = ctx.request.headers["x-budibase-api-key"]
+      // this is an internal request, no user made it
+      if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
+        authenticated = true
+        internal = true
       }
+      // be explicit
+      if (authenticated !== true) {
+        authenticated = false
+      }
+      // isAuthenticated is a function, so use a variable to be able to check authed state
+      finalise(ctx, { authenticated, user, internal })
       return next()
     } catch (err) {
       // allow configuring for public access
       if (opts && opts.publicAllowed) {
-        ctx.isAuthenticated = false
+        finalise(ctx, { authenticated: false })
       } else {
         ctx.throw(err.status || 403, err)
       }
diff --git a/packages/builder/cypress/setup.js b/packages/builder/cypress/setup.js
index c55cef2afe..0aa43308af 100644
--- a/packages/builder/cypress/setup.js
+++ b/packages/builder/cypress/setup.js
@@ -20,6 +20,7 @@ process.env.MINIO_ACCESS_KEY = "budibase"
 process.env.MINIO_SECRET_KEY = "budibase"
 process.env.COUCH_DB_USER = "budibase"
 process.env.COUCH_DB_PASSWORD = "budibase"
+process.env.INTERNAL_API_KEY = "budibase"
 
 // Stop info logs polluting test outputs
 process.env.LOG_LEVEL = "error"
diff --git a/packages/worker/src/api/controllers/admin/configs.js b/packages/worker/src/api/controllers/admin/configs.js
index e1bd385384..27ba636bc8 100644
--- a/packages/worker/src/api/controllers/admin/configs.js
+++ b/packages/worker/src/api/controllers/admin/configs.js
@@ -90,7 +90,8 @@ exports.find = async function (ctx) {
     if (scopedConfig) {
       ctx.body = scopedConfig
     } else {
-      ctx.throw(400, "No configuration exists.")
+      // don't throw an error, there simply is nothing to return
+      ctx.body = {}
     }
   } catch (err) {
     ctx.throw(err.status, err)

From f244b7b075877ac3ec71be28be9da15340a6814a Mon Sep 17 00:00:00 2001
From: mike12345567 <me@michaeldrury.co.uk>
Date: Mon, 21 Jun 2021 18:01:25 +0100
Subject: [PATCH 2/5] Implementing feature #1700 and making it possible to
 remove logo.

---
 .../src/pages/builder/auth/forgot.svelte       |  5 +++++
 .../src/pages/builder/auth/login.svelte        | 15 +++++++++++----
 .../src/pages/builder/auth/reset.svelte        |  9 +++++++--
 .../portal/settings/organisation.svelte        | 18 ++++++++++++++----
 .../builder/src/stores/portal/organisation.js  |  2 +-
 .../src/api/controllers/admin/configs.js       | 12 ++++++++++++
 packages/worker/src/api/index.js               |  4 ++++
 .../worker/src/api/routes/admin/configs.js     |  3 ++-
 8 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/packages/builder/src/pages/builder/auth/forgot.svelte b/packages/builder/src/pages/builder/auth/forgot.svelte
index c4452a0f68..85301b3f02 100644
--- a/packages/builder/src/pages/builder/auth/forgot.svelte
+++ b/packages/builder/src/pages/builder/auth/forgot.svelte
@@ -9,6 +9,7 @@
   } from "@budibase/bbui"
   import { organisation, auth } from "stores/portal"
   import Logo from "assets/bb-emblem.svg"
+  import { onMount } from "svelte"
 
   let email = ""
 
@@ -20,6 +21,10 @@
       notifications.error("Unable to send reset password link")
     }
   }
+
+  onMount(async () => {
+    await organisation.init()
+  })
 </script>
 
 <div class="login">
diff --git a/packages/builder/src/pages/builder/auth/login.svelte b/packages/builder/src/pages/builder/auth/login.svelte
index 1669a5577b..9fb984c73e 100644
--- a/packages/builder/src/pages/builder/auth/login.svelte
+++ b/packages/builder/src/pages/builder/auth/login.svelte
@@ -10,13 +10,16 @@
     notifications,
   } from "@budibase/bbui"
   import { goto, params } from "@roxi/routify"
-  import { auth } from "stores/portal"
+  import { auth, organisation } from "stores/portal"
   import GoogleButton from "./_components/GoogleButton.svelte"
   import Logo from "assets/bb-emblem.svg"
+  import { onMount } from "svelte"
 
   let username = ""
   let password = ""
 
+  $: company = $organisation.company || "Budibase"
+
   async function login() {
     try {
       await auth.login({
@@ -43,6 +46,10 @@
   function handleKeydown(evt) {
     if (evt.key === "Enter") login()
   }
+
+  onMount(async () => {
+    await organisation.init()
+  })
 </script>
 
 <svelte:window on:keydown={handleKeydown} />
@@ -50,8 +57,8 @@
   <div class="main">
     <Layout>
       <Layout noPadding justifyItems="center">
-        <img alt="logo" src={Logo} />
-        <Heading>Sign in to Budibase</Heading>
+        <img alt="logo" src={$organisation.logoUrl || Logo} />
+        <Heading>Sign in to {company}</Heading>
       </Layout>
       <GoogleButton />
       <Divider noGrid />
@@ -66,7 +73,7 @@
         />
       </Layout>
       <Layout gap="XS" noPadding>
-        <Button cta on:click={login}>Sign in to Budibase</Button>
+        <Button cta on:click={login}>Sign in to {company}</Button>
         <ActionButton quiet on:click={() => $goto("./forgot")}>
           Forgot password?
         </ActionButton>
diff --git a/packages/builder/src/pages/builder/auth/reset.svelte b/packages/builder/src/pages/builder/auth/reset.svelte
index aed2034aff..e38a5d8b24 100644
--- a/packages/builder/src/pages/builder/auth/reset.svelte
+++ b/packages/builder/src/pages/builder/auth/reset.svelte
@@ -2,8 +2,9 @@
   import { Body, Button, Heading, Layout, notifications } from "@budibase/bbui"
   import { goto, params } from "@roxi/routify"
   import PasswordRepeatInput from "components/common/users/PasswordRepeatInput.svelte"
-  import { auth } from "stores/portal"
+  import { auth, organisation } from "stores/portal"
   import Logo from "assets/bb-emblem.svg"
+  import { onMount } from "svelte"
 
   const resetCode = $params["?code"]
   let password, error
@@ -28,13 +29,17 @@
       notifications.error("Unable to reset password")
     }
   }
+
+  onMount(async () => {
+    await organisation.init()
+  })
 </script>
 
 <div class="login">
   <div class="main">
     <Layout>
       <Layout noPadding justifyItems="center">
-        <img src={Logo} alt="Organisation logo" />
+        <img src={$organisation.logoUrl || Logo} alt="Organisation logo" />
       </Layout>
       <Layout gap="XS" noPadding>
         <Heading textAlign="center">Reset your password</Heading>
diff --git a/packages/builder/src/pages/builder/portal/settings/organisation.svelte b/packages/builder/src/pages/builder/portal/settings/organisation.svelte
index 4e23b12dbd..682b0c4ee9 100644
--- a/packages/builder/src/pages/builder/portal/settings/organisation.svelte
+++ b/packages/builder/src/pages/builder/portal/settings/organisation.svelte
@@ -57,11 +57,17 @@
       await organisation.init()
     }
 
-    // Update settings
-    const res = await organisation.save({
+    const config = {
       company: $values.company ?? "",
       platformUrl: $values.platformUrl ?? "",
-    })
+    }
+    // remove logo if required
+    if (!$values.logo) {
+      config.logoUrl = ""
+    }
+
+    // Update settings
+    const res = await organisation.save(config)
     if (res.status === 200) {
       notifications.success("Settings saved successfully")
     } else {
@@ -98,7 +104,11 @@
           <Dropzone
             value={[$values.logo]}
             on:change={e => {
-              $values.logo = e.detail?.[0]
+              if (!e.detail || e.detail.length === 0) {
+                $values.logo = null
+              } else {
+                $values.logo = e.detail[0]
+              }
             }}
           />
         </div>
diff --git a/packages/builder/src/stores/portal/organisation.js b/packages/builder/src/stores/portal/organisation.js
index a0be3a5553..7e6a777cd4 100644
--- a/packages/builder/src/stores/portal/organisation.js
+++ b/packages/builder/src/stores/portal/organisation.js
@@ -13,7 +13,7 @@ export function createOrganisationStore() {
   const { subscribe, set } = store
 
   async function init() {
-    const res = await api.get(`/api/admin/configs/settings`)
+    const res = await api.get(`/api/admin/configs/public`)
     const json = await res.json()
 
     if (json.status === 400) {
diff --git a/packages/worker/src/api/controllers/admin/configs.js b/packages/worker/src/api/controllers/admin/configs.js
index 27ba636bc8..b5ef087665 100644
--- a/packages/worker/src/api/controllers/admin/configs.js
+++ b/packages/worker/src/api/controllers/admin/configs.js
@@ -98,6 +98,18 @@ exports.find = async function (ctx) {
   }
 }
 
+exports.publicSettings = async function (ctx) {
+  const db = new CouchDB(GLOBAL_DB)
+  try {
+    // Find the config with the most granular scope based on context
+    ctx.body = await getScopedFullConfig(db, {
+      type: Configs.SETTINGS,
+    })
+  } catch (err) {
+    ctx.throw(err.status, err)
+  }
+}
+
 exports.upload = async function (ctx) {
   if (ctx.request.files == null || ctx.request.files.file.length > 1) {
     ctx.throw(400, "One file must be uploaded.")
diff --git a/packages/worker/src/api/index.js b/packages/worker/src/api/index.js
index d456778d54..f3153f4b2c 100644
--- a/packages/worker/src/api/index.js
+++ b/packages/worker/src/api/index.js
@@ -37,6 +37,10 @@ const PUBLIC_ENDPOINTS = [
     route: "/api/apps",
     method: "GET",
   },
+  {
+    route: "/api/admin/configs/public",
+    method: "GET",
+  }
 ]
 
 const router = new Router()
diff --git a/packages/worker/src/api/routes/admin/configs.js b/packages/worker/src/api/routes/admin/configs.js
index c388b83456..8056ad8cbd 100644
--- a/packages/worker/src/api/routes/admin/configs.js
+++ b/packages/worker/src/api/routes/admin/configs.js
@@ -26,7 +26,7 @@ function settingValidation() {
   // prettier-ignore
   return Joi.object({
     platformUrl: Joi.string().optional(),
-    logoUrl: Joi.string().optional(),
+    logoUrl: Joi.string().optional().allow("", null),
     docsUrl: Joi.string().optional(),
     company: Joi.string().required(),
   }).unknown(true)
@@ -91,6 +91,7 @@ router
     buildConfigGetValidation(),
     controller.fetch
   )
+  .get("/api/admin/configs/public", controller.publicSettings)
   .get("/api/admin/configs/:type", buildConfigGetValidation(), controller.find)
   .post(
     "/api/admin/configs/upload/:type/:name",

From 14d4ee13f04a4a384dec8ccb17f5cab7c3e75b3b Mon Sep 17 00:00:00 2001
From: mike12345567 <me@michaeldrury.co.uk>
Date: Mon, 21 Jun 2021 18:02:09 +0100
Subject: [PATCH 3/5] Linting.

---
 packages/worker/src/api/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/worker/src/api/index.js b/packages/worker/src/api/index.js
index f3153f4b2c..bda57863f6 100644
--- a/packages/worker/src/api/index.js
+++ b/packages/worker/src/api/index.js
@@ -40,7 +40,7 @@ const PUBLIC_ENDPOINTS = [
   {
     route: "/api/admin/configs/public",
     method: "GET",
-  }
+  },
 ]
 
 const router = new Router()

From 44c6b77c55e365dc499ebdf4aa0f7765a3f2c622 Mon Sep 17 00:00:00 2001
From: mike12345567 <me@michaeldrury.co.uk>
Date: Mon, 21 Jun 2021 18:37:14 +0100
Subject: [PATCH 4/5] Fixing issues discovered by cypress tests.

---
 packages/auth/src/middleware/authenticated.js        | 5 ++---
 packages/server/src/api/controllers/dev.js           | 2 +-
 packages/worker/src/api/controllers/admin/configs.js | 7 ++++++-
 packages/worker/src/api/controllers/admin/users.js   | 3 +++
 4 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/packages/auth/src/middleware/authenticated.js b/packages/auth/src/middleware/authenticated.js
index b40e86e364..64494f709d 100644
--- a/packages/auth/src/middleware/authenticated.js
+++ b/packages/auth/src/middleware/authenticated.js
@@ -50,10 +50,9 @@ module.exports = (noAuthPatterns = [], opts) => {
       if (authCookie) {
         try {
           const db = database.getDB(StaticDatabases.GLOBAL.name)
-          const foundUser = await db.get(authCookie.userId)
-          delete foundUser.password
+          user = await db.get(authCookie.userId)
+          delete user.password
           authenticated = true
-          user = foundUser
         } catch (err) {
           // remove the cookie as the use does not exist anymore
           clearCookie(ctx, Cookies.Auth)
diff --git a/packages/server/src/api/controllers/dev.js b/packages/server/src/api/controllers/dev.js
index ae7ab631d0..af937da7f2 100644
--- a/packages/server/src/api/controllers/dev.js
+++ b/packages/server/src/api/controllers/dev.js
@@ -14,7 +14,7 @@ async function redirect(ctx, method) {
     request(ctx, {
       method,
       body: ctx.request.body,
-    })
+    }, true)
   )
   if (response.status !== 200) {
     ctx.throw(response.status, response.statusText)
diff --git a/packages/worker/src/api/controllers/admin/configs.js b/packages/worker/src/api/controllers/admin/configs.js
index b5ef087665..b93bd22c80 100644
--- a/packages/worker/src/api/controllers/admin/configs.js
+++ b/packages/worker/src/api/controllers/admin/configs.js
@@ -102,9 +102,14 @@ exports.publicSettings = async function (ctx) {
   const db = new CouchDB(GLOBAL_DB)
   try {
     // Find the config with the most granular scope based on context
-    ctx.body = await getScopedFullConfig(db, {
+    const config = await getScopedFullConfig(db, {
       type: Configs.SETTINGS,
     })
+    if (!config) {
+      ctx.body = {}
+    } else {
+      ctx.body = config
+    }
   } catch (err) {
     ctx.throw(err.status, err)
   }
diff --git a/packages/worker/src/api/controllers/admin/users.js b/packages/worker/src/api/controllers/admin/users.js
index 5b95b2808f..dbe34d7ded 100644
--- a/packages/worker/src/api/controllers/admin/users.js
+++ b/packages/worker/src/api/controllers/admin/users.js
@@ -130,6 +130,9 @@ exports.removeAppRole = async ctx => {
 }
 
 exports.getSelf = async ctx => {
+  if (!ctx.user) {
+    ctx.throw(403, "User not logged in")
+  }
   ctx.params = {
     id: ctx.user._id,
   }

From 57d2f349ae3ae778bd8a8541e3a9838f91c3e2e7 Mon Sep 17 00:00:00 2001
From: mike12345567 <me@michaeldrury.co.uk>
Date: Mon, 21 Jun 2021 18:40:36 +0100
Subject: [PATCH 5/5] Linting.

---
 packages/server/src/api/controllers/dev.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/packages/server/src/api/controllers/dev.js b/packages/server/src/api/controllers/dev.js
index af937da7f2..6dcd5727fb 100644
--- a/packages/server/src/api/controllers/dev.js
+++ b/packages/server/src/api/controllers/dev.js
@@ -11,10 +11,14 @@ async function redirect(ctx, method) {
   const { devPath } = ctx.params
   const response = await fetch(
     checkSlashesInUrl(`${env.WORKER_URL}/api/admin/${devPath}`),
-    request(ctx, {
-      method,
-      body: ctx.request.body,
-    }, true)
+    request(
+      ctx,
+      {
+        method,
+        body: ctx.request.body,
+      },
+      true
+    )
   )
   if (response.status !== 200) {
     ctx.throw(response.status, response.statusText)