Fixing an issue with builder auth, adding a temporary endpoint which the server can set builder token on.

2021-04-07 16:08:29 +01:00 · 2021-04-07 16:08:29 +01:00 · 29787032f0
parent c926206ad7
commit 29787032f0
6 changed files with 19 additions and 8 deletions
--- a/packages/builder/src/builderStore/api.js
+++ b/packages/builder/src/builderStore/api.js
@ -20,6 +20,9 @@ export const get = apiCall("GET")
 export const patch = apiCall("PATCH")
 export const del = apiCall("DELETE")
 export const put = apiCall("PUT")
+export const getBuilderCookie = async () => {
+  await post("/api/builder/login", {})
+}

 export default {
  post: apiCall("POST"),
@ -27,4 +30,5 @@ export default {
  patch: apiCall("PATCH"),
  delete: apiCall("DELETE"),
  put: apiCall("PUT"),
+  getBuilderCookie,
 }
--- a/packages/builder/src/builderStore/index.js
+++ b/packages/builder/src/builderStore/index.js
@ -6,6 +6,7 @@ import { derived, writable } from "svelte/store"
 import analytics from "analytics"
 import { FrontendTypes, LAYOUT_NAMES } from "../constants"
 import { findComponent } from "./storeUtils"
+import { getBuilderCookie } from "./api"

 export const store = getFrontendStore()
 export const automationStore = getAutomationStore()
@ -57,6 +58,8 @@ export const selectedAccessRole = writable("BASIC")

 export const initialise = async () => {
  try {
+    // TODO this needs to be replaced by a real login
+    await getBuilderCookie()
    await analytics.activate()
    analytics.captureEvent("Builder Started")
  } catch (err) {
--- a/packages/server/src/api/controllers/auth.js
+++ b/packages/server/src/api/controllers/auth.js
@ -8,6 +8,7 @@ const { setCookie } = require("../../utilities")
 const { outputProcessing } = require("../../utilities/rowProcessor")
 const { ViewNames } = require("../../db/utils")
 const { UserStatus } = require("../../constants")
+const setBuilderToken = require("../../utilities/builder/setBuilderToken")

 const INVALID_ERR = "Invalid Credentials"

@ -69,6 +70,11 @@ exports.authenticate = async ctx => {
  }
 }

+exports.builderLogin = async ctx => {
+  await setBuilderToken(ctx)
+  ctx.status = 200
+}
+
 exports.fetchSelf = async ctx => {
  const { userId, appId } = ctx.user
  /* istanbul ignore next */
--- a/packages/server/src/api/routes/auth.js
+++ b/packages/server/src/api/routes/auth.js
@ -1,9 +1,13 @@
 const Router = require("@koa/router")
 const controller = require("../controllers/auth")
+const authorized = require("../../middleware/authorized")
+const { BUILDER } = require("../../utilities/security/permissions")

 const router = Router()

 router.post("/api/authenticate", controller.authenticate)
+// TODO: this is a hack simply to make sure builder has a cookie until auth reworked
+router.post("/api/builder/login", authorized(BUILDER), controller.builderLogin)
 // doesn't need authorization as can only fetch info about self
 router.get("/api/self", controller.fetchSelf)

--- a/packages/server/src/middleware/authorized.js
+++ b/packages/server/src/middleware/authorized.js
@ -42,11 +42,6 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
  const isAdmin = ADMIN_ROLES.includes(role._id)
  const isAuthed = ctx.auth.authenticated

-  // TODO: this was added while we work towards a better auth method
-  if (permType === PermissionTypes.BUILDER) {
-    return next()
-  }
-
  const { basePermissions, permissions } = await getUserPermissions(
    ctx.appId,
    role._id
--- a/packages/server/src/middleware/tests/authorized.spec.js
+++ b/packages/server/src/middleware/tests/authorized.spec.js
@ -143,9 +143,8 @@ describe("Authorization middleware", () => {

      expect(config.next).toHaveBeenCalled()
    })
-
-    // TODO: this has been skipped while auth is still in flux
-    xit("throws if the user has only builder permissions", async () => {
+    
+    it("throws if the user has only builder permissions", async () => {
      config.setEnvironment(false)
      config.setMiddlewareRequiredPermission(PermissionTypes.BUILDER)
      config.setUser({