Some fixes after testing dynamic variables in rest a bit more.

This commit is contained in:
mike12345567 2021-12-17 14:08:48 +00:00
parent 4ceed6c340
commit 5326284075
8 changed files with 35 additions and 8 deletions

View File

@ -16,6 +16,7 @@ exports.Headers = {
APP_ID: "x-budibase-app-id", APP_ID: "x-budibase-app-id",
TYPE: "x-budibase-type", TYPE: "x-budibase-type",
TENANT_ID: "x-budibase-tenant-id", TENANT_ID: "x-budibase-tenant-id",
TOKEN: "x-budibase-token",
} }
exports.GlobalRoles = { exports.GlobalRoles = {

View File

@ -1,5 +1,5 @@
const { Cookies, Headers } = require("../constants") const { Cookies, Headers } = require("../constants")
const { getCookie, clearCookie } = require("../utils") const { getCookie, clearCookie, openJwt } = require("../utils")
const { getUser } = require("../cache/user") const { getUser } = require("../cache/user")
const { getSession, updateSessionTTL } = require("../security/sessions") const { getSession, updateSessionTTL } = require("../security/sessions")
const { buildMatcherRegex, matches } = require("./matchers") const { buildMatcherRegex, matches } = require("./matchers")
@ -35,8 +35,9 @@ module.exports = (
publicEndpoint = true publicEndpoint = true
} }
try { try {
// check the actual user is authenticated first // check the actual user is authenticated first, try header or cookie
const authCookie = getCookie(ctx, Cookies.Auth) const headerToken = ctx.request.headers[Headers.TOKEN]
const authCookie = getCookie(ctx, Cookies.Auth) || openJwt(headerToken)
let authenticated = false, let authenticated = false,
user = null, user = null,
internal = false internal = false

View File

@ -63,6 +63,17 @@ exports.getAppId = ctx => {
return appId return appId
} }
/**
* opens the contents of the specified encrypted JWT.
* @return {object} the contents of the token.
*/
exports.openJwt = token => {
if (!token) {
return token
}
return jwt.verify(token, options.secretOrKey)
}
/** /**
* Get a cookie from context, and decrypt if necessary. * Get a cookie from context, and decrypt if necessary.
* @param {object} ctx The request which is to be manipulated. * @param {object} ctx The request which is to be manipulated.
@ -75,7 +86,7 @@ exports.getCookie = (ctx, name) => {
return cookie return cookie
} }
return jwt.verify(cookie, options.secretOrKey) return exports.openJwt(cookie)
} }
/** /**

View File

@ -91,6 +91,7 @@ export function createQueriesStore() {
{} {}
), ),
datasourceId: query.datasourceId, datasourceId: query.datasourceId,
queryId: query._id || undefined,
}) })
if (response.status !== 200) { if (response.status !== 200) {

View File

@ -104,8 +104,10 @@ exports.preview = async function (ctx) {
const db = new CouchDB(ctx.appId) const db = new CouchDB(ctx.appId)
const datasource = await db.get(ctx.request.body.datasourceId) const datasource = await db.get(ctx.request.body.datasourceId)
// preview may not have a queryId as it hasn't been saved, but if it does
const { fields, parameters, queryVerb, transformer } = ctx.request.body // this stops dynamic variables from calling the same query
const { fields, parameters, queryVerb, transformer, queryId } =
ctx.request.body
try { try {
const { rows, keys, info, extra } = await Runner.run({ const { rows, keys, info, extra } = await Runner.run({
@ -115,6 +117,7 @@ exports.preview = async function (ctx) {
fields, fields,
parameters, parameters,
transformer, transformer,
queryId,
}) })
ctx.body = { ctx.body = {
@ -143,6 +146,7 @@ async function execute(ctx, opts = { rowsOnly: false }) {
fields: query.fields, fields: query.fields,
parameters: ctx.request.body.parameter, parameters: ctx.request.body.parameter,
transformer: query.transformer, transformer: query.transformer,
queryId: ctx.params.queryId,
}) })
if (opts && opts.rowsOnly) { if (opts && opts.rowsOnly) {
ctx.body = rows ctx.body = rows

View File

@ -36,6 +36,7 @@ exports.generateQueryPreviewValidation = () => {
extra: Joi.object().optional(), extra: Joi.object().optional(),
datasourceId: Joi.string().required(), datasourceId: Joi.string().required(),
transformer: Joi.string().optional(), transformer: Joi.string().optional(),
parameters: Joi.object({}).required().unknown(true) parameters: Joi.object({}).required().unknown(true),
queryId: Joi.string().optional(),
})) }))
} }

View File

@ -13,6 +13,7 @@ class QueryRunner {
this.fields = input.fields this.fields = input.fields
this.parameters = input.parameters this.parameters = input.parameters
this.transformer = input.transformer this.transformer = input.transformer
this.queryId = input.queryId
this.noRecursiveQuery = flags.noRecursiveQuery this.noRecursiveQuery = flags.noRecursiveQuery
} }
@ -108,6 +109,10 @@ class QueryRunner {
// need to see if this uses any variables // need to see if this uses any variables
const stringFields = JSON.stringify(fields) const stringFields = JSON.stringify(fields)
const foundVars = dynamicVars.filter(variable => { const foundVars = dynamicVars.filter(variable => {
// don't allow a query to use its own dynamic variable (loop)
if (variable.queryId === this.queryId) {
return false
}
// look for {{ variable }} but allow spaces between handlebars // look for {{ variable }} but allow spaces between handlebars
const regex = new RegExp(`{{[ ]*${variable.name}[ ]*}}`) const regex = new RegExp(`{{[ ]*${variable.name}[ ]*}}`)
return regex.test(stringFields) return regex.test(stringFields)

View File

@ -12,7 +12,7 @@ const {
hash, hash,
platformLogout, platformLogout,
} = authPkg.utils } = authPkg.utils
const { Cookies } = authPkg.constants const { Cookies, Headers } = authPkg.constants
const { passport } = authPkg.auth const { passport } = authPkg.auth
const { checkResetPasswordCode } = require("../../../utilities/redis") const { checkResetPasswordCode } = require("../../../utilities/redis")
const { const {
@ -60,7 +60,10 @@ async function authInternal(ctx, user, err = null, info = null) {
return ctx.throw(403, info ? info : "Unauthorized") return ctx.throw(403, info ? info : "Unauthorized")
} }
// set a cookie for browser access
setCookie(ctx, user.token, Cookies.Auth, { sign: false }) setCookie(ctx, user.token, Cookies.Auth, { sign: false })
// set the token in a header as well for APIs
ctx.set(Headers.TOKEN, user.token)
// get rid of any app cookies on login // get rid of any app cookies on login
// have to check test because this breaks cypress // have to check test because this breaks cypress
if (!env.isTest()) { if (!env.isTest()) {