From 91b9a9824721b954f63e4ea888cec08129fcc89a Mon Sep 17 00:00:00 2001
From: Rory Powell <rory.codes@gmail.com>
Date: Fri, 17 Sep 2021 13:41:22 +0100
Subject: [PATCH] Password reset for budibase users

---
 packages/auth/src/tenancy/tenancy.js          |  1 +
 .../src/pages/builder/auth/_layout.svelte     |  2 +-
 .../worker/src/api/controllers/global/auth.js |  2 +-
 .../src/api/controllers/global/users.js       | 19 +++----------------
 .../worker/src/api/routes/global/users.js     |  2 +-
 packages/worker/src/utilities/email.js        |  2 +-
 packages/worker/src/utilities/redis.js        |  4 ++--
 7 files changed, 10 insertions(+), 22 deletions(-)

diff --git a/packages/auth/src/tenancy/tenancy.js b/packages/auth/src/tenancy/tenancy.js
index 6e18ea7154..ebd573496c 100644
--- a/packages/auth/src/tenancy/tenancy.js
+++ b/packages/auth/src/tenancy/tenancy.js
@@ -63,6 +63,7 @@ exports.tryAddTenant = async (tenantId, userId, email) => {
   }
   if (emailDoc) {
     emailDoc.tenantId = tenantId
+    emailDoc.userId = userId
     promises.push(db.put(emailDoc))
   }
   if (tenants.tenantIds.indexOf(tenantId) === -1) {
diff --git a/packages/builder/src/pages/builder/auth/_layout.svelte b/packages/builder/src/pages/builder/auth/_layout.svelte
index 3254f4ccc2..ce4e6015da 100644
--- a/packages/builder/src/pages/builder/auth/_layout.svelte
+++ b/packages/builder/src/pages/builder/auth/_layout.svelte
@@ -12,7 +12,7 @@
     }
 
     // redirect to account portal for authentication in the cloud
-    if ($admin.cloud && $admin.accountPortalUrl) {
+    if (!$auth.user && $admin.cloud && $admin.accountPortalUrl) {
       window.location.href = $admin.accountPortalUrl
     }
   })
diff --git a/packages/worker/src/api/controllers/global/auth.js b/packages/worker/src/api/controllers/global/auth.js
index 2ae0bbafea..f3188d7777 100644
--- a/packages/worker/src/api/controllers/global/auth.js
+++ b/packages/worker/src/api/controllers/global/auth.js
@@ -96,7 +96,7 @@ exports.reset = async ctx => {
 exports.resetUpdate = async ctx => {
   const { resetCode, password } = ctx.request.body
   try {
-    const userId = await checkResetPasswordCode(resetCode)
+    const { userId } = await checkResetPasswordCode(resetCode)
     const db = getGlobalDB()
     const user = await db.get(userId)
     user.password = await hash(password)
diff --git a/packages/worker/src/api/controllers/global/users.js b/packages/worker/src/api/controllers/global/users.js
index 415808bf86..8f754e2922 100644
--- a/packages/worker/src/api/controllers/global/users.js
+++ b/packages/worker/src/api/controllers/global/users.js
@@ -6,13 +6,11 @@ const {
 } = require("@budibase/auth/db")
 const { hash, getGlobalUserByEmail } = require("@budibase/auth").utils
 const { UserStatus, EmailTemplatePurpose } = require("../../../constants")
-const { DEFAULT_TENANT_ID } = require("@budibase/auth/constants")
 const { checkInviteCode } = require("../../../utilities/redis")
 const { sendEmail } = require("../../../utilities/email")
 const { user: userCache } = require("@budibase/auth/cache")
 const { invalidateSessions } = require("@budibase/auth/sessions")
 const CouchDB = require("../../../db")
-const env = require("../../../environment")
 const {
   getGlobalDB,
   getTenantId,
@@ -251,25 +249,14 @@ exports.find = async ctx => {
   ctx.body = user
 }
 
-exports.tenantLookup = async ctx => {
+exports.tenantUserLookup = async ctx => {
   const id = ctx.params.id
   // lookup, could be email or userId, either will return a doc
   const db = new CouchDB(PLATFORM_INFO_DB)
-  let tenantId = null
   try {
-    const doc = await db.get(id)
-    if (doc && doc.tenantId) {
-      tenantId = doc.tenantId
-    }
+    ctx.body = await db.get(id)
   } catch (err) {
-    if (!env.MULTI_TENANCY) {
-      tenantId = DEFAULT_TENANT_ID
-    } else {
-      ctx.throw(400, "No tenant found.")
-    }
-  }
-  ctx.body = {
-    tenantId,
+    ctx.throw(400, "No tenant user found.")
   }
 }
 
diff --git a/packages/worker/src/api/routes/global/users.js b/packages/worker/src/api/routes/global/users.js
index a0738acbf5..9af249260d 100644
--- a/packages/worker/src/api/routes/global/users.js
+++ b/packages/worker/src/api/routes/global/users.js
@@ -94,7 +94,7 @@ router
     controller.adminUser
   )
   .get("/api/global/users/self", controller.getSelf)
-  .get("/api/global/users/tenant/:id", controller.tenantLookup)
+  .get("/api/global/users/tenant/:id", controller.tenantUserLookup)
   // global endpoint but needs to come at end (blocks other endpoints otherwise)
   .get("/api/global/users/:id", adminOnly, controller.find)
 
diff --git a/packages/worker/src/utilities/email.js b/packages/worker/src/utilities/email.js
index c32ff05cf5..d22933ef36 100644
--- a/packages/worker/src/utilities/email.js
+++ b/packages/worker/src/utilities/email.js
@@ -51,7 +51,7 @@ function createSMTPTransport(config) {
 async function getLinkCode(purpose, email, user, info = null) {
   switch (purpose) {
     case EmailTemplatePurpose.PASSWORD_RECOVERY:
-      return getResetPasswordCode(user._id)
+      return getResetPasswordCode(user._id, info)
     case EmailTemplatePurpose.INVITATION:
       return getInviteCode(email, info)
     default:
diff --git a/packages/worker/src/utilities/redis.js b/packages/worker/src/utilities/redis.js
index 6dd4491bc4..b644d1bc57 100644
--- a/packages/worker/src/utilities/redis.js
+++ b/packages/worker/src/utilities/redis.js
@@ -63,8 +63,8 @@ exports.shutdown = async () => {
  * @param {string} userId the ID of the user which is to be reset.
  * @return {Promise<string>} returns the code that was stored to redis.
  */
-exports.getResetPasswordCode = async userId => {
-  return writeACode(utils.Databases.PW_RESETS, userId)
+exports.getResetPasswordCode = async (userId, info) => {
+  return writeACode(utils.Databases.PW_RESETS, { userId, info })
 }
 
 /**