From 48b964378b950281b86a7582c8698a336439b1c8 Mon Sep 17 00:00:00 2001 From: adrinr Date: Thu, 30 Mar 2023 13:11:42 +0100 Subject: [PATCH 1/3] Remove all app cookie references (not really needed anymore) --- packages/backend-core/src/auth/auth.ts | 1 - packages/backend-core/src/constants/misc.ts | 1 - packages/server/src/middleware/currentapp.ts | 31 +------------------ .../src/tests/utilities/TestConfiguration.ts | 21 ++----------- .../worker/src/api/controllers/global/auth.ts | 5 --- .../worker/src/api/controllers/global/self.ts | 15 +-------- 6 files changed, 5 insertions(+), 69 deletions(-) diff --git a/packages/backend-core/src/auth/auth.ts b/packages/backend-core/src/auth/auth.ts index 26c7cd4e26..fb2fd2cf51 100644 --- a/packages/backend-core/src/auth/auth.ts +++ b/packages/backend-core/src/auth/auth.ts @@ -199,7 +199,6 @@ export async function platformLogout(opts: PlatformLogoutOpts) { } else { // clear cookies clearCookie(ctx, Cookie.Auth) - clearCookie(ctx, Cookie.CurrentApp) } const sessionIds = sessions.map(({ sessionId }) => sessionId) diff --git a/packages/backend-core/src/constants/misc.ts b/packages/backend-core/src/constants/misc.ts index e25c90575f..15cec7a6b9 100644 --- a/packages/backend-core/src/constants/misc.ts +++ b/packages/backend-core/src/constants/misc.ts @@ -4,7 +4,6 @@ export enum UserStatus { } export enum Cookie { - CurrentApp = "budibase:currentapp", Auth = "budibase:auth", Init = "budibase:init", ACCOUNT_RETURN_URL = "budibase:account:returnurl", diff --git a/packages/server/src/middleware/currentapp.ts b/packages/server/src/middleware/currentapp.ts index 7621bf61ee..efafc59e21 100644 --- a/packages/server/src/middleware/currentapp.ts +++ b/packages/server/src/middleware/currentapp.ts @@ -2,7 +2,6 @@ import { utils, constants, roles, - db as dbCore, tenancy, context, } from "@budibase/backend-core" 
@@ -15,29 +14,10 @@ import { UserCtx } from "@budibase/types" export default async (ctx: UserCtx, next: any) => { // try to get the appID from the request let requestAppId = await utils.getAppIdFromCtx(ctx) - // get app cookie if it exists - let appCookie: { appId?: string } | undefined - try { - appCookie = utils.getCookie(ctx, constants.Cookie.CurrentApp) - } catch (err) { - utils.clearCookie(ctx, constants.Cookie.CurrentApp) - } - if (!appCookie && !requestAppId) { + if (!requestAppId) { return next() } - // check the app exists referenced in cookie - if (appCookie) { - const appId = appCookie.appId - const exists = await dbCore.dbExists(appId) - if (!exists) { - utils.clearCookie(ctx, constants.Cookie.CurrentApp) - return next() - } - // if the request app ID wasn't set, update it with the cookie - requestAppId = requestAppId || appId - } - // deny access to application preview if (!env.isTest()) { if ( @@ -45,7 +25,6 @@ export default async (ctx: UserCtx, next: any) => { !isWebhookEndpoint(ctx) && (!ctx.user || !ctx.user.builder || !ctx.user.builder.global) ) { - utils.clearCookie(ctx, constants.Cookie.CurrentApp) return ctx.redirect("/") } } @@ -127,14 +106,6 @@ export default async (ctx: UserCtx, next: any) => { role: await roles.getRole(roleId), } } - if ( - (requestAppId !== appId || - appCookie == null || - appCookie.appId !== requestAppId) && - !skipCookie - ) { - utils.setCookie(ctx, { appId }, constants.Cookie.CurrentApp) - } return next() }) diff --git a/packages/server/src/tests/utilities/TestConfiguration.ts b/packages/server/src/tests/utilities/TestConfiguration.ts index cf337c689f..f5009e95a8 100644 --- a/packages/server/src/tests/utilities/TestConfiguration.ts +++ b/packages/server/src/tests/utilities/TestConfiguration.ts 
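Review bot: With the cookie branch gone, `requestAppId` from `utils.getAppIdFromCtx(ctx)` is the only source of the app ID, and the `dbCore.dbExists` check the removed block applied to the cookie value has no counterpart for the request-supplied ID in this hunk. The request ID was not existence-checked before this change either, so this is not a regression, but it is worth confirming that the role lookup later in the middleware (`roles.getRole(roleId)`, outside this hunk) fails closed on an unknown or malformed app ID rather than proceeding. A comment on the early return would record the new intent: `// app ID comes from the request only (header/URL); there is no cookie fallback`. The middleware's body continues past the hunk.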
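Review bot: The removed `!skipCookie` condition is, in everything visible here, the only reader of `skipCookie`; its declaration sits between this hunk and the previous one, so if nothing else uses it the variable and whatever computes it are now dead and should be deleted in the same change. The same check applies to the `constants` import kept by the first hunk of this file, whose only visible uses were the `constants.Cookie.CurrentApp` references deleted here. The enclosing handler starts before this hunk.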
@@ -330,21 +330,13 @@ class TestConfiguration { sessionId: "sessionid", tenantId: this.getTenantId(), } - const app = { - roleId: roleId, - appId, - } const authToken = auth.jwt.sign(authObj, coreEnv.JWT_SECRET) - const appToken = auth.jwt.sign(app, coreEnv.JWT_SECRET) // returning necessary request headers await cache.user.invalidateUser(userId) return { Accept: "application/json", - Cookie: [ - `${constants.Cookie.Auth}=${authToken}`, - `${constants.Cookie.CurrentApp}=${appToken}`, - ], + Cookie: [`${constants.Cookie.Auth}=${authToken}`], [constants.Header.APP_ID]: appId, } }) @@ -359,18 +351,11 @@ class TestConfiguration { sessionId: "sessionid", tenantId, } - const app = { - roleId: roles.BUILTIN_ROLE_IDS.ADMIN, - appId: this.appId, - } const authToken = auth.jwt.sign(authObj, coreEnv.JWT_SECRET) - const appToken = auth.jwt.sign(app, coreEnv.JWT_SECRET) + const headers: any = { Accept: "application/json", - Cookie: [ - `${constants.Cookie.Auth}=${authToken}`, - `${constants.Cookie.CurrentApp}=${appToken}`, - ], + Cookie: [`${constants.Cookie.Auth}=${authToken}`], [constants.Header.CSRF_TOKEN]: this.defaultUserValues.csrfToken, Host: this.tenantHost(), ...extras, diff --git a/packages/worker/src/api/controllers/global/auth.ts b/packages/worker/src/api/controllers/global/auth.ts index 1286fd519d..c8f75b3610 100644 --- a/packages/worker/src/api/controllers/global/auth.ts +++ b/packages/worker/src/api/controllers/global/auth.ts @@ -50,11 +50,6 @@ async function passportCallback( setCookie(ctx, token, Cookie.Auth, { sign: false }) // set the token in a header as well for APIs ctx.set(Header.TOKEN, token) - // get rid of any app cookies on login - // have to check test because this breaks cypress - if (!env.isTest()) { - clearCookie(ctx, Cookie.CurrentApp) - } } export const login = async (ctx: Ctx, next: any) => { diff --git a/packages/worker/src/api/controllers/global/self.ts b/packages/worker/src/api/controllers/global/self.ts index 78e5bf7164..d0232bee60 100644 
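Review bot: In the first hunk the deleted `app` object was the only visible use of `roleId`, so the enclosing method's `roleId` parameter (declared above the hunk) may now be unused while callers still pass it; either drop it from the signature or confirm another use exists outside the hunk. Likewise the second hunk removed the only visible use of `roles` (`roles.BUILTIN_ROLE_IDS.ADMIN`), so the `roles` import at the top of the file may now be dead. Both enclosing methods start outside the hunk.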
--- a/packages/worker/src/api/controllers/global/self.ts +++ b/packages/worker/src/api/controllers/global/self.ts @@ -2,7 +2,6 @@ import * as userSdk from "../../../sdk/users" import { featureFlags, tenancy, - constants, db as dbCore, utils, encryption, @@ -11,7 +10,7 @@ import { import env from "../../../environment" import { groups } from "@budibase/pro" import { UpdateSelfRequest, UpdateSelfResponse, UserCtx } from "@budibase/types" -const { getCookie, clearCookie, newid } = utils +const { newid } = utils function newTestApiKey() { return env.ENCRYPTED_TEST_PUBLIC_API_KEY @@ -71,16 +70,6 @@ export async function fetchAPIKey(ctx: any) { ctx.body = cleanupDevInfo(devInfo) } -const checkCurrentApp = (ctx: any) => { - const appCookie = getCookie(ctx, constants.Cookie.CurrentApp) - if (appCookie && !tenancy.isUserInAppTenant(appCookie.appId)) { - // there is a currentapp cookie from another tenant - // remove the cookie as this is incompatible with the builder - // due to builder and admin permissions being removed - clearCookie(ctx, constants.Cookie.CurrentApp) - } -} - /** * Add the attributes that are session based to the current user. */ @@ -101,8 +90,6 @@ export async function getSelf(ctx: any) { id: userId, } - checkCurrentApp(ctx) - // get the main body of the user const user = await userSdk.getUser(userId) ctx.body = await groups.enrichUserRolesFromGroups(user) From 6a257bf9c35c50e87ad6829f2af0d4c0c1ddc604 Mon Sep 17 00:00:00 2001 From: adrinr Date: Thu, 30 Mar 2023 14:53:49 +0100 Subject: [PATCH 2/3] Tweak tests --- .../src/middleware/tests/currentapp.spec.js | 48 +++---------------- 1 file changed, 6 insertions(+), 42 deletions(-) diff --git a/packages/server/src/middleware/tests/currentapp.spec.js b/packages/server/src/middleware/tests/currentapp.spec.js index 8770118da2..b80800fd96 100644 --- a/packages/server/src/middleware/tests/currentapp.spec.js +++ b/packages/server/src/middleware/tests/currentapp.spec.js 
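Review bot: The deleted `checkCurrentApp` was the only visible caller of `tenancy.isUserInAppTenant`, yet the import hunk keeps `tenancy` (and `db as dbCore`) in the `@budibase/backend-core` import list; if no other code in the file uses them they are now unused imports and should go along with `constants`. Note also that this removes a server-side cross-tenant guard from `getSelf`; the only replacement visible in this series is a browser-side `validateTenantId()` call in the builder (patch 3), which cannot serve as an authorization boundary, so the tenant checks on the server's actual app and role lookups must remain the enforcing control — presumably they do, but that is outside this diff. The `getSelf` body continues past the hunk.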
@@ -158,27 +158,22 @@ describe("Current app middleware", () => { }) describe("check functionality when logged in", () => { - async function checkExpected(setCookie) { + async function checkExpected() { config.setUser() await config.executeMiddleware() - let { utils } = require("@budibase/backend-core") - if (setCookie) { - expect(utils.setCookie).toHaveBeenCalled() - } else { - expect(utils.setCookie).not.toHaveBeenCalled() - } + expect(config.ctx.roleId).toEqual("PUBLIC") expect(config.ctx.user.role._id).toEqual("PUBLIC") expect(config.ctx.appId).toEqual("app_test") expect(config.next).toHaveBeenCalled() } - it("should be able to setup an app token when cookie not setup", async () => { + it("should be able to setup an app token on a first call", async () => { mockAuthWithCookie() - await checkExpected(true) + await checkExpected() }) - it("should perform correct when no cookie exists", async () => { + it("should perform correct on a first call", async () => { mockReset() jest.mock("@budibase/backend-core", () => { const core = jest.requireActual("@budibase/backend-core") @@ -206,38 +201,7 @@ describe("Current app middleware", () => { }, } }) - await checkExpected(true) - }) - - it("lastly check what occurs when cookie doesn't need updated", async () => { - mockReset() - jest.mock("@budibase/backend-core", () => { - const core = jest.requireActual("@budibase/backend-core") - return { - ...core, - db: { - ...core.db, - dbExists: () => true, - }, - utils: { - getAppIdFromCtx: () => { - return "app_test" - }, - setCookie: jest.fn(), - getCookie: () => ({ appId: "app_test", roleId: "PUBLIC" }), - }, - cache: { - user: { - getUser: async id => { - return { - _id: "us_uuid1", - } - }, - }, - }, - } - }) - await checkExpected(false) + await checkExpected() }) }) }) From ec0acadd0a53a516929662693f3ab7aaa62a807b Mon Sep 17 00:00:00 2001 
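Review bot: `checkExpected` now asserts nothing about cookies, so the two remaining tests ("… on a first call") run identical assertions against different mocks and no longer pin the behaviour this series introduces, namely that the middleware never writes `budibase:currentapp`. If the mock still stubs `setCookie` as `jest.fn()` (the second test's mock body continues outside the hunk), one negative assertion inside `checkExpected` would guard against the cookie path creeping back: `const { utils } = require("@budibase/backend-core")` followed by `expect(utils.setCookie).not.toHaveBeenCalled()`. The two test names should also be made distinct, e.g. by stating which `getAppIdFromCtx` setup each exercises.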
From: adrinr Date: Fri, 31 Mar 2023 09:46:56 +0100 Subject: [PATCH 3/3] Fix user crossover on the bulder when no using account portal --- packages/builder/src/pages/builder/_layout.svelte | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/builder/src/pages/builder/_layout.svelte b/packages/builder/src/pages/builder/_layout.svelte index a2b480f742..b216958045 100644 --- a/packages/builder/src/pages/builder/_layout.svelte +++ b/packages/builder/src/pages/builder/_layout.svelte @@ -79,7 +79,7 @@ } // Validate tenant if in a multi-tenant env - if (useAccountPortal && multiTenancyEnabled) { + if (multiTenancyEnabled) { await validateTenantId() } } catch (error) {
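Review bot: Dropping `useAccountPortal` from the condition makes `validateTenantId()` run for every multi-tenant deployment, which closes the gap named in the subject, but this is a browser-side check only and must not be the sole tenant boundary; the server still has to reject requests whose tenant does not match the session, since the server-side `checkCurrentApp` guard was removed earlier in this series. If `useAccountPortal` is no longer read anywhere else in `_layout.svelte` (outside the hunk), its declaration is now dead and should be removed. The enclosing `try` block starts outside the hunk.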