Merge pull request #315 from mjashanks/master

Ignore builder:token for apps
2020-06-03 17:47:30 +01:00 · 2020-06-03 17:47:30 +01:00 · a49d383176
parent 9ec8e71624 583f024754
commit a49d383176
6 changed files with 31 additions and 24 deletions
--- a/packages/builder/src/builderStore/api.js
+++ b/packages/builder/src/builderStore/api.js
@ -3,6 +3,7 @@ const apiCall = method => async (url, body) => {
    method: method,
    headers: {
      "Content-Type": "application/json",
+      "User-Agent": "Budibase Builder",
    },
    body: body && JSON.stringify(body),
  })
@ -14,11 +15,11 @@ const apiCall = method => async (url, body) => {
  return response
 }

-const post = apiCall("POST")
-const get = apiCall("GET")
-const patch = apiCall("PATCH")
-const del = apiCall("DELETE")
-const put = apiCall("PUT")
+export const post = apiCall("POST")
+export const get = apiCall("GET")
+export const patch = apiCall("PATCH")
+export const del = apiCall("DELETE")
+export const put = apiCall("PUT")

 export default {
  post,
--- a/packages/builder/src/components/start/CreateAppModal.svelte
+++ b/packages/builder/src/components/start/CreateAppModal.svelte
@ -5,6 +5,7 @@
  import { AppsIcon, InfoIcon, CloseIcon } from "components/common/Icons/"
  import { getContext } from "svelte"
  import { fade } from "svelte/transition"
+  import { post } from "builderStore/api"

  const { open, close } = getContext("simple-modal")

@ -33,15 +34,7 @@
      const data = { name, description }
      loading = true
      try {
-        const response = await fetch("/api/applications", {
-          method: "POST", // *GET, POST, PUT, DELETE, etc.
-          credentials: "same-origin", // include, *same-origin, omit
-          headers: {
-            "Content-Type": "application/json",
-            // 'Content-Type': 'application/x-www-form-urlencoded',
-          },
-          body: JSON.stringify(data), // body data type must match "Content-Type" header
-        })
+        const response = await post("/api/applications", data)

        const res = await response.json()

--- a/packages/builder/src/pages/[application]/_reset.svelte
+++ b/packages/builder/src/pages/[application]/_reset.svelte
@ -1,6 +1,7 @@
 <script>
  import Modal from "svelte-simple-modal"
  import { store } from "builderStore"
+  import { get } from "builderStore/api"

  import { fade } from "svelte/transition"
  import { isActive, goto, layout } from "@sveltech/routify"
@ -14,7 +15,7 @@
  let promise = getPackage()

  async function getPackage() {
-    const res = await fetch(`/api/${application}/appPackage`)
+    const res = await get(`/api/${application}/appPackage`)
    const pkg = await res.json()

    if (res.ok) {
--- a/packages/builder/src/pages/index.svelte
+++ b/packages/builder/src/pages/index.svelte
@ -5,14 +5,14 @@
  import { onMount } from "svelte"
  import ActionButton from "components/common/ActionButton.svelte"
  import IconButton from "components/common/IconButton.svelte"
-
+  import { get } from "builderStore/api"
  import Spinner from "components/common/Spinner.svelte"
  import CreateAppModal from "components/start/CreateAppModal.svelte"

  let promise = getApps()

  async function getApps() {
-    const res = await fetch(`/api/applications`)
+    const res = await get("/api/applications")
    const json = await res.json()

    if (res.ok) {
--- a/packages/server/src/api/routes/tests/couchTestUtils.js
+++ b/packages/server/src/api/routes/tests/couchTestUtils.js
@ -22,6 +22,7 @@ exports.supertest = async () => {
 exports.defaultHeaders = {
  Accept: "application/json",
  Cookie: ["builder:token=test-admin-secret"],
+  "user-agent": "Budibase Builder",
 }

 exports.createModel = async (request, instanceId, model) => {
--- a/packages/server/src/middleware/authenticated.js
+++ b/packages/server/src/middleware/authenticated.js
@ -13,23 +13,34 @@ module.exports = async (ctx, next) => {
    return
  }

-  if (ctx.cookies.get("builder:token") === env.ADMIN_SECRET) {
-    ctx.isAuthenticated = true
-    ctx.isBuilder = true
+  const appToken = ctx.cookies.get("budibase:token")
+  const builderToken = ctx.cookies.get("builder:token")
+  const isBuilderAgent = ctx.headers["user-agent"] === "Budibase Builder"
+
+  // all admin api access should auth with buildertoken and 'Budibase Builder user agent
+  const shouldAuthAsBuilder = isBuilderAgent && builderToken
+
+  if (shouldAuthAsBuilder) {
+    if (builderToken === env.ADMIN_SECRET) {
+      ctx.isAuthenticated = true
+      ctx.isBuilder = true
+    } else {
+      ctx.isAuthenticated = false
+      ctx.isBuilder = false
+    }
+
    await next()
    return
  }

-  const token = ctx.cookies.get("budibase:token")
-
-  if (!token) {
+  if (!appToken) {
    ctx.isAuthenticated = false
    await next()
    return
  }

  try {
-    const jwtPayload = jwt.verify(token, ctx.config.jwtSecret)
+    const jwtPayload = jwt.verify(appToken, ctx.config.jwtSecret)

    ctx.user = {
      ...jwtPayload,