MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10168 from Budibase/budi-6729-multiple-user-crossover-bug 

BUG - Multiple User Crossover Bug
This commit is contained in:
Adria Navarro 2023-03-31 12:35:15 +02:00 committed by GitHub
parent 90c8ae9ed3 ec0acadd0a
commit 4c7393460a
8 changed files with 12 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
packages/backend-core/src/auth/auth.ts
View File

@ -199,7 +199,6 @@ export async function platformLogout(opts: PlatformLogoutOpts) {
} else { } else {
// clear cookies // clear cookies
clearCookie(ctx, Cookie.Auth) clearCookie(ctx, Cookie.Auth)
clearCookie(ctx, Cookie.CurrentApp)
} }
const sessionIds = sessions.map(({ sessionId }) => sessionId) const sessionIds = sessions.map(({ sessionId }) => sessionId)

1
packages/backend-core/src/constants/misc.ts
View File

@ -4,7 +4,6 @@ export enum UserStatus {
} }
export enum Cookie { export enum Cookie {
CurrentApp = "budibase:currentapp",
Auth = "budibase:auth", Auth = "budibase:auth",
Init = "budibase:init", Init = "budibase:init",
ACCOUNT_RETURN_URL = "budibase:account:returnurl", ACCOUNT_RETURN_URL = "budibase:account:returnurl",

2
packages/builder/src/pages/builder/_layout.svelte
View File

@ -79,7 +79,7 @@
} }
// Validate tenant if in a multi-tenant env // Validate tenant if in a multi-tenant env
if (useAccountPortal && multiTenancyEnabled) { if (multiTenancyEnabled) {
await validateTenantId() await validateTenantId()
} }
} catch (error) { } catch (error) {

31
packages/server/src/middleware/currentapp.ts
View File

@ -2,7 +2,6 @@ import {
utils, utils,
constants, constants,
roles, roles,
db as dbCore,
tenancy, tenancy,
context, context,
} from "@budibase/backend-core" } from "@budibase/backend-core"
@ -15,29 +14,10 @@ import { UserCtx } from "@budibase/types"
export default async (ctx: UserCtx, next: any) => { export default async (ctx: UserCtx, next: any) => {
// try to get the appID from the request // try to get the appID from the request
let requestAppId = await utils.getAppIdFromCtx(ctx) let requestAppId = await utils.getAppIdFromCtx(ctx)
// get app cookie if it exists if (!requestAppId) {
let appCookie: { appId?: string } | undefined
try {
appCookie = utils.getCookie(ctx, constants.Cookie.CurrentApp)
} catch (err) {
utils.clearCookie(ctx, constants.Cookie.CurrentApp)
}
if (!appCookie && !requestAppId) {
return next() return next()
} }
// check the app exists referenced in cookie
if (appCookie) {
const appId = appCookie.appId
const exists = await dbCore.dbExists(appId)
if (!exists) {
utils.clearCookie(ctx, constants.Cookie.CurrentApp)
return next()
}
// if the request app ID wasn't set, update it with the cookie
requestAppId = requestAppId || appId
}
// deny access to application preview // deny access to application preview
if (!env.isTest()) { if (!env.isTest()) {
if ( if (
@ -45,7 +25,6 @@ export default async (ctx: UserCtx, next: any) => {
!isWebhookEndpoint(ctx) && !isWebhookEndpoint(ctx) &&
(!ctx.user || !ctx.user.builder || !ctx.user.builder.global) (!ctx.user || !ctx.user.builder || !ctx.user.builder.global)
) { ) {
utils.clearCookie(ctx, constants.Cookie.CurrentApp)
return ctx.redirect("/") return ctx.redirect("/")
} }
} }
@ -127,14 +106,6 @@ export default async (ctx: UserCtx, next: any) => {
role: await roles.getRole(roleId), role: await roles.getRole(roleId),
} }
} }
if (
(requestAppId !== appId ||
appCookie == null ||
appCookie.appId !== requestAppId) &&
!skipCookie
) {
utils.setCookie(ctx, { appId }, constants.Cookie.CurrentApp)
}
return next() return next()
}) })

48
packages/server/src/middleware/tests/currentapp.spec.js
View File

@ -158,27 +158,22 @@ describe("Current app middleware", () => {
}) })
describe("check functionality when logged in", () => { describe("check functionality when logged in", () => {
async function checkExpected(setCookie) { async function checkExpected() {
config.setUser() config.setUser()
await config.executeMiddleware() await config.executeMiddleware()
let { utils } = require("@budibase/backend-core")
if (setCookie) {
expect(utils.setCookie).toHaveBeenCalled()
} else {
expect(utils.setCookie).not.toHaveBeenCalled()
}
expect(config.ctx.roleId).toEqual("PUBLIC") expect(config.ctx.roleId).toEqual("PUBLIC")
expect(config.ctx.user.role._id).toEqual("PUBLIC") expect(config.ctx.user.role._id).toEqual("PUBLIC")
expect(config.ctx.appId).toEqual("app_test") expect(config.ctx.appId).toEqual("app_test")
expect(config.next).toHaveBeenCalled() expect(config.next).toHaveBeenCalled()
} }
it("should be able to setup an app token when cookie not setup", async () => { it("should be able to setup an app token on a first call", async () => {
mockAuthWithCookie() mockAuthWithCookie()
await checkExpected(true) await checkExpected()
}) })
it("should perform correct when no cookie exists", async () => { it("should perform correct on a first call", async () => {
mockReset() mockReset()
jest.mock("@budibase/backend-core", () => { jest.mock("@budibase/backend-core", () => {
const core = jest.requireActual("@budibase/backend-core") const core = jest.requireActual("@budibase/backend-core")
@ -206,38 +201,7 @@ describe("Current app middleware", () => {
}, },
} }
}) })
await checkExpected(true) await checkExpected()
})
it("lastly check what occurs when cookie doesn't need updated", async () => {
mockReset()
jest.mock("@budibase/backend-core", () => {
const core = jest.requireActual("@budibase/backend-core")
return {
...core,
db: {
...core.db,
dbExists: () => true,
},
utils: {
getAppIdFromCtx: () => {
return "app_test"
},
setCookie: jest.fn(),
getCookie: () => ({ appId: "app_test", roleId: "PUBLIC" }),
},
cache: {
user: {
getUser: async id => {
return {
_id: "us_uuid1",
}
},
},
},
}
})
await checkExpected(false)
}) })
}) })
}) })

21
packages/server/src/tests/utilities/TestConfiguration.ts
View File

@ -330,21 +330,13 @@ class TestConfiguration {
sessionId: "sessionid", sessionId: "sessionid",
tenantId: this.getTenantId(), tenantId: this.getTenantId(),
} }
const app = {
roleId: roleId,
appId,
}
const authToken = auth.jwt.sign(authObj, coreEnv.JWT_SECRET) const authToken = auth.jwt.sign(authObj, coreEnv.JWT_SECRET)
const appToken = auth.jwt.sign(app, coreEnv.JWT_SECRET)
// returning necessary request headers // returning necessary request headers
await cache.user.invalidateUser(userId) await cache.user.invalidateUser(userId)
return { return {
Accept: "application/json", Accept: "application/json",
Cookie: [ Cookie: [`${constants.Cookie.Auth}=${authToken}`],
`${constants.Cookie.Auth}=${authToken}`,
`${constants.Cookie.CurrentApp}=${appToken}`,
],
[constants.Header.APP_ID]: appId, [constants.Header.APP_ID]: appId,
} }
}) })
@ -359,18 +351,11 @@ class TestConfiguration {
sessionId: "sessionid", sessionId: "sessionid",
tenantId, tenantId,
} }
const app = {
roleId: roles.BUILTIN_ROLE_IDS.ADMIN,
appId: this.appId,
}
const authToken = auth.jwt.sign(authObj, coreEnv.JWT_SECRET) const authToken = auth.jwt.sign(authObj, coreEnv.JWT_SECRET)
const appToken = auth.jwt.sign(app, coreEnv.JWT_SECRET)
const headers: any = { const headers: any = {
Accept: "application/json", Accept: "application/json",
Cookie: [ Cookie: [`${constants.Cookie.Auth}=${authToken}`],
`${constants.Cookie.Auth}=${authToken}`,
`${constants.Cookie.CurrentApp}=${appToken}`,
],
[constants.Header.CSRF_TOKEN]: this.defaultUserValues.csrfToken, [constants.Header.CSRF_TOKEN]: this.defaultUserValues.csrfToken,
Host: this.tenantHost(), Host: this.tenantHost(),
...extras, ...extras,

5
packages/worker/src/api/controllers/global/auth.ts
View File

@ -50,11 +50,6 @@ async function passportCallback(
setCookie(ctx, token, Cookie.Auth, { sign: false }) setCookie(ctx, token, Cookie.Auth, { sign: false })
// set the token in a header as well for APIs // set the token in a header as well for APIs
ctx.set(Header.TOKEN, token) ctx.set(Header.TOKEN, token)
// get rid of any app cookies on login
// have to check test because this breaks cypress
if (!env.isTest()) {
clearCookie(ctx, Cookie.CurrentApp)
}
} }
export const login = async (ctx: Ctx<LoginRequest>, next: any) => { export const login = async (ctx: Ctx<LoginRequest>, next: any) => {

15
packages/worker/src/api/controllers/global/self.ts
View File

@ -2,7 +2,6 @@ import * as userSdk from "../../../sdk/users"
import { import {
featureFlags, featureFlags,
tenancy, tenancy,
constants,
db as dbCore, db as dbCore,
utils, utils,
encryption, encryption,
@ -11,7 +10,7 @@ import {
import env from "../../../environment" import env from "../../../environment"
import { groups } from "@budibase/pro" import { groups } from "@budibase/pro"
import { UpdateSelfRequest, UpdateSelfResponse, UserCtx } from "@budibase/types" import { UpdateSelfRequest, UpdateSelfResponse, UserCtx } from "@budibase/types"
const { getCookie, clearCookie, newid } = utils const { newid } = utils
function newTestApiKey() { function newTestApiKey() {
return env.ENCRYPTED_TEST_PUBLIC_API_KEY return env.ENCRYPTED_TEST_PUBLIC_API_KEY
@ -71,16 +70,6 @@ export async function fetchAPIKey(ctx: any) {
ctx.body = cleanupDevInfo(devInfo) ctx.body = cleanupDevInfo(devInfo)
} }
const checkCurrentApp = (ctx: any) => {
const appCookie = getCookie(ctx, constants.Cookie.CurrentApp)
if (appCookie && !tenancy.isUserInAppTenant(appCookie.appId)) {
// there is a currentapp cookie from another tenant
// remove the cookie as this is incompatible with the builder
// due to builder and admin permissions being removed
clearCookie(ctx, constants.Cookie.CurrentApp)
}
}
/** /**
* Add the attributes that are session based to the current user. * Add the attributes that are session based to the current user.
*/ */
@ -101,8 +90,6 @@ export async function getSelf(ctx: any) {
id: userId, id: userId,
} }
checkCurrentApp(ctx)
// get the main body of the user // get the main body of the user
const user = await userSdk.getUser(userId) const user = await userSdk.getUser(userId)
ctx.body = await groups.enrichUserRolesFromGroups(user) ctx.body = await groups.enrichUserRolesFromGroups(user)