MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10168 from Budibase/budi-6729-multiple-user-crossover-bug 

BUG - Multiple User Crossover Bug
This commit is contained in:
Adria Navarro 2023-03-31 12:35:15 +02:00 committed by GitHub
parent 90c8ae9ed3 ec0acadd0a
commit 4c7393460a
8 changed files with 12 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
packages/backend-core/src/auth/auth.ts
View File

@ -199,7 +199,6 @@ export async function platformLogout(opts: PlatformLogoutOpts) {
} else {
// clear cookies
clearCookie(ctx, Cookie.Auth)
clearCookie(ctx, Cookie.CurrentApp)
}
const sessionIds = sessions.map(({ sessionId }) => sessionId)

1
packages/backend-core/src/constants/misc.ts
View File

@ -4,7 +4,6 @@ export enum UserStatus {
}
export enum Cookie {
CurrentApp = "budibase:currentapp",
Auth = "budibase:auth",
Init = "budibase:init",
ACCOUNT_RETURN_URL = "budibase:account:returnurl",

2
packages/builder/src/pages/builder/_layout.svelte
View File

@ -79,7 +79,7 @@
}
// Validate tenant if in a multi-tenant env
if (useAccountPortal && multiTenancyEnabled) {
if (multiTenancyEnabled) {
await validateTenantId()
}
} catch (error) {

31
packages/server/src/middleware/currentapp.ts
View File

@ -2,7 +2,6 @@ import {
utils,
constants,
roles,
db as dbCore,
tenancy,
context,
} from "@budibase/backend-core"
@ -15,29 +14,10 @@ import { UserCtx } from "@budibase/types"
export default async (ctx: UserCtx, next: any) => {
// try to get the appID from the request
let requestAppId = await utils.getAppIdFromCtx(ctx)
// get app cookie if it exists
let appCookie: { appId?: string } | undefined
try {
appCookie = utils.getCookie(ctx, constants.Cookie.CurrentApp)
} catch (err) {
utils.clearCookie(ctx, constants.Cookie.CurrentApp)
}
if (!appCookie && !requestAppId) {
if (!requestAppId) {
return next()
}
// check the app exists referenced in cookie
if (appCookie) {
const appId = appCookie.appId
const exists = await dbCore.dbExists(appId)
if (!exists) {
utils.clearCookie(ctx, constants.Cookie.CurrentApp)
return next()
}
// if the request app ID wasn't set, update it with the cookie
requestAppId = requestAppId || appId
}
// deny access to application preview
if (!env.isTest()) {
if (
@ -45,7 +25,6 @@ export default async (ctx: UserCtx, next: any) => {
!isWebhookEndpoint(ctx) &&
(!ctx.user || !ctx.user.builder || !ctx.user.builder.global)
) {
utils.clearCookie(ctx, constants.Cookie.CurrentApp)
return ctx.redirect("/")
}
}
@ -127,14 +106,6 @@ export default async (ctx: UserCtx, next: any) => {
role: await roles.getRole(roleId),
}
}
if (
(requestAppId !== appId ||
appCookie == null ||
appCookie.appId !== requestAppId) &&
!skipCookie
) {
utils.setCookie(ctx, { appId }, constants.Cookie.CurrentApp)
}
return next()
})

48
packages/server/src/middleware/tests/currentapp.spec.js
View File

@ -158,27 +158,22 @@ describe("Current app middleware", () => {
})
describe("check functionality when logged in", () => {
async function checkExpected(setCookie) {
async function checkExpected() {
config.setUser()
await config.executeMiddleware()
let { utils } = require("@budibase/backend-core")
if (setCookie) {
expect(utils.setCookie).toHaveBeenCalled()
} else {
expect(utils.setCookie).not.toHaveBeenCalled()
}
expect(config.ctx.roleId).toEqual("PUBLIC")
expect(config.ctx.user.role._id).toEqual("PUBLIC")
expect(config.ctx.appId).toEqual("app_test")
expect(config.next).toHaveBeenCalled()
}
it("should be able to setup an app token when cookie not setup", async () => {
it("should be able to setup an app token on a first call", async () => {
mockAuthWithCookie()
await checkExpected(true)
await checkExpected()
})
it("should perform correct when no cookie exists", async () => {
it("should perform correct on a first call", async () => {
mockReset()
jest.mock("@budibase/backend-core", () => {
const core = jest.requireActual("@budibase/backend-core")
@ -206,38 +201,7 @@ describe("Current app middleware", () => {
},
}
})
await checkExpected(true)
})
it("lastly check what occurs when cookie doesn't need updated", async () => {
mockReset()
jest.mock("@budibase/backend-core", () => {
const core = jest.requireActual("@budibase/backend-core")
return {
...core,
db: {
...core.db,
dbExists: () => true,
},
utils: {
getAppIdFromCtx: () => {
return "app_test"
},
setCookie: jest.fn(),
getCookie: () => ({ appId: "app_test", roleId: "PUBLIC" }),
},
cache: {
user: {
getUser: async id => {
return {
_id: "us_uuid1",
}
},
},
},
}
})
await checkExpected(false)
await checkExpected()
})
})
})

21
packages/server/src/tests/utilities/TestConfiguration.ts
View File

@ -330,21 +330,13 @@ class TestConfiguration {
sessionId: "sessionid",
tenantId: this.getTenantId(),
}
const app = {
roleId: roleId,
appId,
}
const authToken = auth.jwt.sign(authObj, coreEnv.JWT_SECRET)
const appToken = auth.jwt.sign(app, coreEnv.JWT_SECRET)
// returning necessary request headers
await cache.user.invalidateUser(userId)
return {
Accept: "application/json",
Cookie: [
`${constants.Cookie.Auth}=${authToken}`,
`${constants.Cookie.CurrentApp}=${appToken}`,
],
Cookie: [`${constants.Cookie.Auth}=${authToken}`],
[constants.Header.APP_ID]: appId,
}
})
@ -359,18 +351,11 @@ class TestConfiguration {
sessionId: "sessionid",
tenantId,
}
const app = {
roleId: roles.BUILTIN_ROLE_IDS.ADMIN,
appId: this.appId,
}
const authToken = auth.jwt.sign(authObj, coreEnv.JWT_SECRET)
const appToken = auth.jwt.sign(app, coreEnv.JWT_SECRET)
const headers: any = {
Accept: "application/json",
Cookie: [
`${constants.Cookie.Auth}=${authToken}`,
`${constants.Cookie.CurrentApp}=${appToken}`,
],
Cookie: [`${constants.Cookie.Auth}=${authToken}`],
[constants.Header.CSRF_TOKEN]: this.defaultUserValues.csrfToken,
Host: this.tenantHost(),
...extras,

5
packages/worker/src/api/controllers/global/auth.ts
View File

@ -50,11 +50,6 @@ async function passportCallback(
setCookie(ctx, token, Cookie.Auth, { sign: false })
// set the token in a header as well for APIs
ctx.set(Header.TOKEN, token)
// get rid of any app cookies on login
// have to check test because this breaks cypress
if (!env.isTest()) {
clearCookie(ctx, Cookie.CurrentApp)
}
}
export const login = async (ctx: Ctx<LoginRequest>, next: any) => {

15
packages/worker/src/api/controllers/global/self.ts
View File

@ -2,7 +2,6 @@ import * as userSdk from "../../../sdk/users"
import {
featureFlags,
tenancy,
constants,
db as dbCore,
utils,
encryption,
@ -11,7 +10,7 @@ import {
import env from "../../../environment"
import { groups } from "@budibase/pro"
import { UpdateSelfRequest, UpdateSelfResponse, UserCtx } from "@budibase/types"
const { getCookie, clearCookie, newid } = utils
const { newid } = utils
function newTestApiKey() {
return env.ENCRYPTED_TEST_PUBLIC_API_KEY
@ -71,16 +70,6 @@ export async function fetchAPIKey(ctx: any) {
ctx.body = cleanupDevInfo(devInfo)
}
const checkCurrentApp = (ctx: any) => {
const appCookie = getCookie(ctx, constants.Cookie.CurrentApp)
if (appCookie && !tenancy.isUserInAppTenant(appCookie.appId)) {
// there is a currentapp cookie from another tenant
// remove the cookie as this is incompatible with the builder
// due to builder and admin permissions being removed
clearCookie(ctx, constants.Cookie.CurrentApp)
}
}
/**
* Add the attributes that are session based to the current user.
*/
@ -101,8 +90,6 @@ export async function getSelf(ctx: any) {
id: userId,
}
checkCurrentApp(ctx)
// get the main body of the user
const user = await userSdk.getUser(userId)
ctx.body = await groups.enrichUserRolesFromGroups(user)