MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Some various session fixes based on current data.

This commit is contained in:
mike12345567 2022-08-05 21:35:26 +01:00
parent 13e2a56f37
commit a24f2157a5
3 changed files with 42 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
packages/backend-core/src/middleware/authenticated.ts
View File

@ -84,19 +84,18 @@ module.exports = (
// check the actual user is authenticated first, try header or cookie // check the actual user is authenticated first, try header or cookie
const headerToken = ctx.request.headers[Headers.TOKEN] const headerToken = ctx.request.headers[Headers.TOKEN]
const authCookie = getCookie(ctx, Cookies.Auth) || openJwt(headerToken) const authCookie = getCookie(ctx, Cookies.Auth) || openJwt(headerToken)
const apiKey = ctx.request.headers[Headers.API_KEY]
const tenantId = ctx.request.headers[Headers.TENANT_ID]
let authenticated = false, let authenticated = false,
user = null, user = null,
internal = false, internal = false
error = null if (authCookie && !apiKey) {
if (authCookie) {
const sessionId = authCookie.sessionId const sessionId = authCookie.sessionId
const userId = authCookie.userId const userId = authCookie.userId
let session
const session = await getSession(userId, sessionId)
if (!session) {
error = `Session not found - ${userId} - ${sessionId}`
} else {
try { try {
// getting session handles error checking (if session exists etc)
session = await getSession(userId, sessionId)
if (opts && opts.populateUser) { if (opts && opts.populateUser) {
user = await getUser( user = await getUser(
userId, userId,
@ -107,22 +106,18 @@ module.exports = (
user = await getUser(userId, session.tenantId) user = await getUser(userId, session.tenantId)
} }
user.csrfToken = session.csrfToken user.csrfToken = session.csrfToken
authenticated = true if (session?.lastAccessedAt < timeMinusOneMinute()) {
} catch (err) {
error = err
}
}
if (error) {
console.error("Auth Error", error)
// remove the cookie as the user does not exist anymore
clearCookie(ctx, Cookies.Auth)
} else if (session?.lastAccessedAt < timeMinusOneMinute()) {
// make sure we denote that the session is still in use // make sure we denote that the session is still in use
await updateSessionTTL(session) await updateSessionTTL(session)
} }
authenticated = true
} catch (err: any) {
authenticated = false
console.error("Auth Error", err?.message || err)
// remove the cookie as the user does not exist anymore
clearCookie(ctx, Cookies.Auth)
}
} }
const apiKey = ctx.request.headers[Headers.API_KEY]
const tenantId = ctx.request.headers[Headers.TENANT_ID]
// this is an internal request, no user made it // this is an internal request, no user made it
if (!authenticated && apiKey) { if (!authenticated && apiKey) {
const populateUser = opts.populateUser ? opts.populateUser(ctx) : null const populateUser = opts.populateUser ? opts.populateUser(ctx) : null
@ -144,7 +139,7 @@ module.exports = (
delete user.password delete user.password
} }
// be explicit // be explicit
if (error || authenticated !== true) { if (authenticated !== true) {
authenticated = false authenticated = false
} }
// isAuthenticated is a function, so use a variable to be able to check authed state // isAuthenticated is a function, so use a variable to be able to check authed state

21
packages/backend-core/src/security/sessions.ts
View File

@ -38,7 +38,7 @@ export async function invalidateSessions(
let sessions: SessionKey let sessions: SessionKey
// If no sessionIds, get all the sessions for the user // If no sessionIds, get all the sessions for the user
if (!sessionIds) { if (sessionIds.length === 0) {
sessions = await getSessionsForUser(userId) sessions = await getSessionsForUser(userId)
sessions.forEach( sessions.forEach(
(session: any) => (session: any) =>
@ -103,18 +103,13 @@ export async function endSession(userId: string, sessionId: string) {
} }
export async function getSession(userId: string, sessionId: string) { export async function getSession(userId: string, sessionId: string) {
try { if (!userId || !sessionId) {
const client = await redis.getSessionClient() throw new Error(`Invalid session details - ${userId} - ${sessionId}`)
return client.get(makeSessionID(userId, sessionId))
} catch (err) {
// if can't get session don't error, just don't return anything
console.error(err)
return null
} }
}
export async function getAllSessions() {
const client = await redis.getSessionClient() const client = await redis.getSessionClient()
const sessions = await client.scan() const session = await client.get(makeSessionID(userId, sessionId))
return sessions.map((session: Session) => session.value) if (!session) {
throw new Error(`Session not found - ${userId} - ${sessionId}`)
}
return session
} }

2
packages/server/src/utilities/rowProcessor/index.js
View File

@ -278,7 +278,7 @@ exports.outputProcessing = async (table, rows, opts = { squash: true }) => {
for (let [property, column] of Object.entries(table.schema)) { for (let [property, column] of Object.entries(table.schema)) {
if (column.type === FieldTypes.ATTACHMENT) { if (column.type === FieldTypes.ATTACHMENT) {
for (let row of enriched) { for (let row of enriched) {
if (row[property] == null || row[property].length === 0) { if (row[property] == null || !Array.isArray(row[property])) {
continue continue
} }
row[property].forEach(attachment => { row[property].forEach(attachment => {