Merge pull request #2881 from Budibase/api-keys

Add API keys between account portal and budibase
2021-10-04 14:17:17 +01:00 · 2021-10-04 14:17:17 +01:00 · 69871342bb
parent d4877ef9db 2f589a2f42
commit 69871342bb
9 changed files with 44 additions and 7 deletions
--- a/hosting/kubernetes/budibase/templates/worker-service-deployment.yaml
+++ b/hosting/kubernetes/budibase/templates/worker-service-deployment.yaml
@ -89,6 +89,8 @@ spec:
          value: {{ .Values.globals.selfHosted | quote }}
        - name: ACCOUNT_PORTAL_URL
          value: {{ .Values.globals.accountPortalUrl | quote }}
+        - name: ACCOUNT_PORTAL_API_KEY
+          value: {{ .Values.globals.accountPortalApiKey | quote }}
        - name: COOKIE_DOMAIN
          value: {{ .Values.globals.cookieDomain | quote }}
        image: budibase/worker
--- a/hosting/kubernetes/budibase/values.yaml
+++ b/hosting/kubernetes/budibase/values.yaml
@ -90,6 +90,7 @@ globals:
  logLevel: info
  selfHosted: 1
  accountPortalUrL: ""
+  accountPortalApiKey: ""
  cookieDomain: ""
  createSecrets: true # creates an internal API key, JWT secrets and redis password for you

--- a/packages/auth/src/cloud/accounts.js
+++ b/packages/auth/src/cloud/accounts.js
@ -1,16 +1,18 @@
 const API = require("./api")
 const env = require("../environment")
+const { Headers } = require("../constants")

 const api = new API(env.ACCOUNT_PORTAL_URL)

-// TODO: Authorization
-
 exports.getAccount = async email => {
  const payload = {
    email,
  }
  const response = await api.post(`/api/accounts/search`, {
    body: payload,
+    headers: {
+      [Headers.API_KEY]: env.ACCOUNT_PORTAL_API_KEY,
+    },
  })
  const json = await response.json()

--- a/packages/auth/src/environment.js
+++ b/packages/auth/src/environment.js
@ -21,6 +21,7 @@ module.exports = {
  INTERNAL_API_KEY: process.env.INTERNAL_API_KEY,
  MULTI_TENANCY: process.env.MULTI_TENANCY,
  ACCOUNT_PORTAL_URL: process.env.ACCOUNT_PORTAL_URL,
+  ACCOUNT_PORTAL_API_KEY: process.env.ACCOUNT_PORTAL_API_KEY,
  DISABLE_ACCOUNT_PORTAL: process.env.DISABLE_ACCOUNT_PORTAL,
  SELF_HOSTED: !!parseInt(process.env.SELF_HOSTED),
  COOKIE_DOMAIN: process.env.COOKIE_DOMAIN,
--- a/packages/auth/src/middleware/matchers.js
+++ b/packages/auth/src/middleware/matchers.js
@ -7,6 +7,7 @@ exports.buildMatcherRegex = patterns => {
  return patterns.map(pattern => {
    const isObj = typeof pattern === "object" && pattern.route
    const method = isObj ? pattern.method : "GET"
+    const strict = pattern.strict ? pattern.strict : false
    let route = isObj ? pattern.route : pattern

    const matches = route.match(PARAM_REGEX)
@ -16,13 +17,19 @@ exports.buildMatcherRegex = patterns => {
        route = route.replace(match, pattern)
      }
    }
-    return { regex: new RegExp(route), method }
+    return { regex: new RegExp(route), method, strict, route }
  })
 }

 exports.matches = (ctx, options) => {
-  return options.find(({ regex, method }) => {
-    const urlMatch = regex.test(ctx.request.url)
+  return options.find(({ regex, method, strict, route }) => {
+    let urlMatch
+    if (strict) {
+      urlMatch = ctx.request.url === route
+    } else {
+      urlMatch = regex.test(ctx.request.url)
+    }
+
    const methodMatch =
      method === "ALL"
        ? true
--- a/packages/server/src/api/controllers/row/ExternalRequest.ts
+++ b/packages/server/src/api/controllers/row/ExternalRequest.ts
@ -205,9 +205,13 @@ module External {
        } else {
          // we're not inserting a doc, will be a bunch of update calls
          const isUpdate = !field.through
-          const thisKey: string = isUpdate ? "id" : (field.throughTo || linkTablePrimary)
+          const thisKey: string = isUpdate
+            ? "id"
+            : field.throughTo || linkTablePrimary
          // @ts-ignore
-          const otherKey: string = isUpdate ? field.fieldName : (field.throughFrom || tablePrimary)
+          const otherKey: string = isUpdate
+            ? field.fieldName
+            : field.throughFrom || tablePrimary
          row[key].map((relationship: any) => {
            // we don't really support composite keys for relationships, this is why [0] is used
            manyRelationships.push({
--- a/packages/worker/scripts/dev/manage.js
+++ b/packages/worker/scripts/dev/manage.js
@ -23,6 +23,7 @@ async function init() {
      MULTI_TENANCY: "",
      DISABLE_ACCOUNT_PORTAL: "",
      ACCOUNT_PORTAL_URL: "http://localhost:10001",
+      ACCOUNT_PORTAL_API_KEY: "budibase",
      PLATFORM_URL: "http://localhost:10000",
    }
    let envFile = ""
--- a/packages/worker/src/api/routes/global/users.js
+++ b/packages/worker/src/api/routes/global/users.js
@ -3,6 +3,7 @@ const controller = require("../../controllers/global/users")
 const joiValidator = require("../../../middleware/joi-validator")
 const adminOnly = require("../../../middleware/adminOnly")
 const Joi = require("joi")
+const cloudRestricted = require("../../../middleware/cloudRestricted")

 const router = Router()

@ -90,6 +91,7 @@ router
  )
  .post(
    "/api/global/users/init",
+    cloudRestricted,
    buildAdminInitValidation(),
    controller.adminUser
  )
--- a/packages/worker/src/middleware/cloudRestricted.js
+++ b/packages/worker/src/middleware/cloudRestricted.js
@ -0,0 +1,17 @@
+const env = require("../environment")
+const { Headers } = require("@budibase/auth").constants
+
+/**
+ * This is a restricted endpoint in the cloud.
+ * Ensure that the correct API key has been supplied.
+ */
+module.exports = async (ctx, next) => {
+  if (!env.SELF_HOSTED) {
+    const apiKey = ctx.request.headers[Headers.API_KEY]
+    if (apiKey !== env.INTERNAL_API_KEY) {
+      ctx.throw(403, "Unauthorized")
+    }
+  }
+
+  return next()
+}