Merge pull request #12500 from Budibase/fix/BUDI-7811

Cross tenant app denial
2023-12-04 17:17:46 +00:00 · 2023-12-04 17:17:46 +00:00 · 864fe6be68
parent 661735a3fd c321c83916
commit 864fe6be68
2 changed files with 34 additions and 19 deletions
--- a/packages/backend-core/src/tenancy/tenancy.ts
+++ b/packages/backend-core/src/tenancy/tenancy.ts
@ -93,11 +93,19 @@ export const getTenantIDFromCtx = (
  // subdomain
  if (isAllowed(TenantResolutionStrategy.SUBDOMAIN)) {
    // e.g. budibase.app or local.com:10000
-    const platformHost = new URL(getPlatformURL()).host.split(":")[0]
+    let platformHost
+    try {
+      platformHost = new URL(getPlatformURL()).host.split(":")[0]
+    } catch (err: any) {
+      // if invalid URL, just don't try to process subdomain
+      if (err.code !== "ERR_INVALID_URL") {
+        throw err
+      }
+    }
    // e.g. tenant.budibase.app or tenant.local.com
    const requestHost = ctx.host
    // parse the tenant id from the difference
-    if (requestHost.includes(platformHost)) {
+    if (platformHost && requestHost.includes(platformHost)) {
      const tenantId = requestHost.substring(
        0,
        requestHost.indexOf(`.${platformHost}`)
--- a/packages/server/src/middleware/currentapp.ts
+++ b/packages/server/src/middleware/currentapp.ts
@ -5,6 +5,7 @@ import {
  tenancy,
  context,
  users,
+  auth,
 } from "@budibase/backend-core"
 import { generateUserMetadataID, isDevAppID } from "../db/utils"
 import { getCachedSelf } from "../utilities/global"
@ -69,28 +70,34 @@ export default async (ctx: UserCtx, next: any) => {
    return next()
  }

-  return context.doInAppContext(appId, async () => {
-    // if the user not in the right tenant then make sure they have no permissions
-    // need to judge this only based on the request app ID,
-    if (
-      env.MULTI_TENANCY &&
-      ctx.user?._id &&
-      requestAppId &&
-      !tenancy.isUserInAppTenant(requestAppId, ctx.user)
-    ) {
-      // don't error, simply remove the users rights (they are a public user)
-      ctx.user = users.cleanseUserObject(ctx.user) as ContextUser
-      ctx.isAuthenticated = false
-      roleId = roles.BUILTIN_ROLE_IDS.PUBLIC
-    }
+  const userId = ctx.user ? generateUserMetadataID(ctx.user._id!) : undefined

+  // if the user is not in the right tenant then make sure to wipe their cookie
+  // also cleanse any information about them that has been allocated
+  // this avoids apps making calls to say the worker which are cross tenant,
+  // we simply remove the authentication
+  if (
+    env.MULTI_TENANCY &&
+    userId &&
+    requestAppId &&
+    !tenancy.isUserInAppTenant(requestAppId, ctx.user)
+  ) {
+    // clear out the user
+    ctx.user = users.cleanseUserObject(ctx.user) as ContextUser
+    ctx.isAuthenticated = false
+    roleId = roles.BUILTIN_ROLE_IDS.PUBLIC
+    // remove the cookie, so future calls are public
+    await auth.platformLogout({
+      ctx,
+      userId,
+    })
+  }
+
+  return context.doInAppContext(appId, async () => {
    ctx.appId = appId
    if (roleId) {
      ctx.roleId = roleId
      const globalId = ctx.user ? ctx.user._id : undefined
-      const userId = ctx.user
-        ? generateUserMetadataID(ctx.user._id!)
-        : undefined
      ctx.user = {
        ...ctx.user!,
        // override userID with metadata one