From 5dfeb9b3ca6de99fec45b5ca30100d4c0f67617b Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Tue, 27 Jul 2021 18:02:59 +0100
Subject: [PATCH] Limiting use of query string to a few select endpoints for determining tenant ID.

---
 packages/auth/src/db/utils.js | 11 +++++++----
 packages/worker/src/api/controllers/global/configs.js | 9 +++++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/packages/auth/src/db/utils.js b/packages/auth/src/db/utils.js
index 1eaf9ddfb6..9b6f8fcbed 100644
--- a/packages/auth/src/db/utils.js
+++ b/packages/auth/src/db/utils.js
@@ -92,21 +92,24 @@ exports.getGlobalDB = tenantId => {
 /**
  * Given a koa context this tries to extra what tenant is being accessed.
  */
-exports.getTenantIdFromCtx = ctx => {
+exports.getTenantIdFromCtx = (ctx, opts = { includeQuery: false }) => {
   if (!ctx) {
     return null
   }
   const user = ctx.user || {}
   const params = ctx.request.params || {}
-  const query = ctx.request.query || {}
+  let query = {}
+  if (opts && opts.includeQuery) {
+    query = ctx.request.query || {}
+  }
   return user.tenantId || params.tenantId || query.tenantId
 }
 
 /**
  * Given a koa context this tries to find the correct tenant Global DB.
  */
-exports.getGlobalDBFromCtx = ctx => {
-  const tenantId = exports.getTenantIdFromCtx(ctx)
+exports.getGlobalDBFromCtx = (ctx, opts) => {
+  const tenantId = exports.getTenantIdFromCtx(ctx, opts)
   return exports.getGlobalDB(tenantId)
 }
 
diff --git a/packages/worker/src/api/controllers/global/configs.js b/packages/worker/src/api/controllers/global/configs.js
index ca066e1492..000ce85381 100644
--- a/packages/worker/src/api/controllers/global/configs.js
+++ b/packages/worker/src/api/controllers/global/configs.js
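Review bot: Once `includeQuery` is set, `query.tenantId` is still used verbatim in the final `return user.tenantId || params.tenantId || query.tenantId`; nothing checks that it is a single string (Koa's `request.query` parsing yields an array for a repeated `?tenantId=a&tenantId=b`) or that it has a tenant-ID shape before `getGlobalDBFromCtx` hands it to `getGlobalDB` to select a database. I would narrow it where the query is read: `const raw = (ctx.request.query || {}).tenantId` followed by `query = typeof raw === 'string' ? { tenantId: raw } : {}`, keeping the authenticated `user.tenantId` first in the chain as it already is. The JSDoc above the function does not mention the new parameter; it should gain `@param {{includeQuery?: boolean}} [opts] - only set by public, pre-auth endpoints, since the query string is fully caller-controlled` (and "extra" reads as a typo for "extract"). Whether `ctx.request.params` is ever populated depends on router setup outside this file, so `params.tenantId` deserves the same scrutiny.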
@@ -99,7 +99,7 @@ exports.find = async function (ctx) {
 }
 
 exports.publicOidc = async function (ctx) {
-  const db = getGlobalDBFromCtx(ctx)
+  const db = getGlobalDBFromCtx(ctx, { includeQuery: true })
   try {
     // Find the config with the most granular scope based on context
     const oidcConfig = await getScopedFullConfig(db, {
@@ -121,7 +121,7 @@ exports.publicOidc = async function (ctx) {
 }
 
 exports.publicSettings = async function (ctx) {
-  const db = getGlobalDBFromCtx(ctx)
+  const db = getGlobalDBFromCtx(ctx, { includeQuery: true })
   try {
     // Find the config with the most granular scope based on context
 
@@ -218,8 +218,9 @@ exports.destroy = async function (ctx) {
 }
 
 exports.configChecklist = async function (ctx) {
-  const tenantId = getTenantIdFromCtx(ctx)
-  const db = getGlobalDBFromCtx(ctx)
+  // include the query string only for a select few endpoints
+  const tenantId = getTenantIdFromCtx(ctx, { includeQuery: true })
+  const db = getGlobalDBFromCtx(ctx, { includeQuery: true })
   try {
     // TODO: Watch get started video
 
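Review bot: On the `const db = getGlobalDBFromCtx(ctx, { includeQuery: true })` line, `?tenantId=` now decides which tenant's global DB an endpoint that is presumably pre-login (given the `publicOidc` name) reads from, and the hunk then loads the whole record via `getScopedFullConfig`; the response must stay limited to the fields a login page needs, and any such trimming lies past the end of this hunk, as does the rest of the function. A one-line comment would record why this call site is on the allow-list: `// pre-auth endpoint: the tenant can only be learned from the query string`. What `getGlobalDB(undefined)` resolves to when no tenant is supplied at all is not visible here; worth confirming it cannot fall through to a different tenant's DB in multi-tenant mode.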
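Review bot: The allow-list of endpoints that may take the tenant from the query string is now expressed as the repeated literal `{ includeQuery: true }` at each call site, including the `const db = getGlobalDBFromCtx(ctx, { includeQuery: true })` line of `publicSettings`, so extending or auditing it means grepping for the literal. A module-level `const PUBLIC_TENANT_OPTS = Object.freeze({ includeQuery: true })` used at the allowed sites, or a small `getPublicGlobalDB(ctx)` helper, keeps the policy in one place. The body of `publicSettings` continues beyond this hunk.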
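Review bot: `configChecklist` resolves the tenant twice, on `getTenantIdFromCtx(ctx, { includeQuery: true })` and again inside `getGlobalDBFromCtx(ctx, { includeQuery: true })`, so the two options objects have to be kept in step by hand; deriving the DB from the id already in hand, `const db = getGlobalDB(tenantId)`, removes that coupling (assuming `getGlobalDB` can be imported here, which the hunk does not show). The added `// include the query string only for a select few endpoints` restates the commit's policy rather than why this endpoint qualifies; something like `// this endpoint may be hit before a session exists, so ?tenantId= is the only tenant source (confirm)` would tell the next reader what property must hold before the allow-listing is safe. If the checklist can be called without a session, the query parameter also lets any caller probe another tenant's setup state, which is worth noting here. The function body continues beyond this hunk.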