Updating the server to remove use of the email in the user ID.

packages/server/src/api/controllers/auth.js

@@ -1,75 +1,8 @@
-const jwt = require("jsonwebtoken")
 const CouchDB = require("../../db")
-const bcrypt = require("../../utilities/bcrypt")
-const env = require("../../environment")
-const { getAPIKey } = require("../../utilities/usageQuota")
-const { generateUserMetadataID } = require("../../db/utils")
-const { setCookie } = require("../../utilities")
 const { outputProcessing } = require("../../utilities/rowProcessor")
 const { InternalTables } = require("../../db/utils")
-const { UserStatus } = require("@budibase/auth")
 const { getFullUser } = require("../../utilities/users")
 
-const INVALID_ERR = "Invalid Credentials"
-
-exports.authenticate = async ctx => {
-  const appId = ctx.appId
-  if (!appId) ctx.throw(400, "No appId")
-
-  const { email, password } = ctx.request.body
-
-  if (!email) ctx.throw(400, "Email Required.")
-  if (!password) ctx.throw(400, "Password Required.")
-
-  // Check the user exists in the instance DB by email
-  const db = new CouchDB(appId)
-  const app = await db.get(appId)
-
-  let dbUser
-  try {
-    dbUser = await db.get(generateUserMetadataID(email))
-  } catch (_) {
-    // do not want to throw a 404 - as this could be
-    // used to determine valid emails
-    ctx.throw(401, INVALID_ERR)
-  }
-
-  // check that the user is currently inactive, if this is the case throw invalid
-  if (dbUser.status === UserStatus.INACTIVE) {
-    ctx.throw(401, INVALID_ERR)
-  }
-
-  // authenticate
-  if (await bcrypt.compare(password, dbUser.password)) {
-    const payload = {
-      userId: dbUser._id,
-      roleId: dbUser.roleId,
-      version: app.version,
-    }
-    // if in prod add the user api key, unless self hosted
-    /* istanbul ignore next */
-    if (env.isProd() && !env.SELF_HOSTED) {
-      const { apiKey } = await getAPIKey(ctx.appId)
-      payload.apiKey = apiKey
-    }
-
-    const token = jwt.sign(payload, ctx.config.jwtSecret, {
-      expiresIn: "1 day",
-    })
-
-    setCookie(ctx, token, appId)
-
-    delete dbUser.password
-    ctx.body = {
-      token,
-      ...dbUser,
-      appId,
-    }
-  } else {
-    ctx.throw(401, INVALID_ERR)
-  }
-}
-
 exports.fetchSelf = async ctx => {
   if (!ctx.user) {
     ctx.throw(403, "No user logged in")
@@ -82,7 +15,7 @@ exports.fetchSelf = async ctx => {
     return
   }
 
-  const user = await getFullUser({ ctx, userId: userId })
+  const user = await getFullUser(ctx, userId)
 
   if (appId) {
     const db = new CouchDB(appId)

packages/server/src/api/controllers/row.js

@@ -42,7 +42,7 @@ async function findRow(ctx, db, tableId, rowId) {
   // TODO remove special user case in future
   if (tableId === InternalTables.USER_METADATA) {
     ctx.params = {
-      userId: rowId,
+      id: rowId,
     }
     await userController.findMetadata(ctx)
     row = ctx.body
@@ -140,12 +140,7 @@ exports.save = async function(ctx) {
   }
 
   if (!inputs._rev && !inputs._id) {
-    // TODO remove special user case in future
+    inputs._id = generateRowID(inputs.tableId)
-    if (inputs.tableId === InternalTables.USER_METADATA) {
-      inputs._id = generateUserMetadataID(inputs.email)
-    } else {
-      inputs._id = generateRowID(inputs.tableId)
-    }
   }
 
   // this returns the table and row incase they have been updated
@@ -342,7 +337,7 @@ exports.destroy = async function(ctx) {
   // TODO remove special user case in future
   if (ctx.params.tableId === InternalTables.USER_METADATA) {
     ctx.params = {
-      userId: ctx.params.rowId,
+      id: ctx.params.rowId,
     }
     await userController.destroyMetadata(ctx)
   } else {
@@ -449,7 +444,7 @@ async function bulkDelete(ctx) {
     updates = updates.concat(
       rows.map(row => {
         ctx.params = {
-          userId: row._id,
+          id: row._id,
         }
         return userController.destroyMetadata(ctx)
       })

packages/server/src/api/controllers/user.js

@@ -2,7 +2,7 @@ const CouchDB = require("../../db")
 const {
   generateUserMetadataID,
   getUserMetadataParams,
-  getEmailFromUserMetadataID,
+  getGlobalIDFromUserMetadataID,
 } = require("../../db/utils")
 const { InternalTables } = require("../../db/utils")
 const { getRole } = require("../../utilities/security/roles")
@@ -25,15 +25,14 @@ exports.fetchMetadata = async function(ctx) {
   ).rows.map(row => row.doc)
   const users = []
   for (let user of global) {
-    const info = metadata.find(meta => meta._id.includes(user.email))
+    // find the metadata that matches up to the global ID
+    const info = metadata.find(meta => meta._id.includes(user._id))
     // remove these props, not for the correct DB
-    delete user._id
-    delete user._rev
     users.push({
       ...user,
       ...info,
       // make sure the ID is always a local ID, not a global one
-      _id: generateUserMetadataID(user.email),
+      _id: generateUserMetadataID(user._id),
     })
   }
   ctx.body = users
@@ -43,17 +42,16 @@ exports.createMetadata = async function(ctx) {
   const appId = ctx.appId
   const db = new CouchDB(appId)
   const { roleId } = ctx.request.body
-  const email = ctx.request.body.email || ctx.user.email
 
   // check role valid
   const role = await getRole(appId, roleId)
   if (!role) ctx.throw(400, "Invalid Role")
 
-  const metadata = await saveGlobalUser(ctx, appId, email, ctx.request.body)
+  const globalUser = await saveGlobalUser(ctx, appId, ctx.request.body)
 
   const user = {
-    ...metadata,
+    ...globalUser,
-    _id: generateUserMetadataID(email),
+    _id: generateUserMetadataID(globalUser._id),
     type: "user",
     tableId: InternalTables.USER_METADATA,
   }
@@ -64,7 +62,7 @@ exports.createMetadata = async function(ctx) {
   ctx.body = {
     _id: response.id,
     _rev: response.rev,
-    email,
+    email: ctx.request.body.email,
   }
 }
 
@@ -72,39 +70,34 @@ exports.updateMetadata = async function(ctx) {
   const appId = ctx.appId
   const db = new CouchDB(appId)
   const user = ctx.request.body
-  let email = user.email || getEmailFromUserMetadataID(user._id)
+  const globalUser = await saveGlobalUser(
-  const metadata = await saveGlobalUser(ctx, appId, email, ctx.request.body)
+    ctx,
-  if (!metadata._id) {
+    appId,
-    metadata._id = generateUserMetadataID(email)
+    getGlobalIDFromUserMetadataID(user._id),
+    ctx.request.body
+  )
+  const metadata = {
+    ...globalUser,
+    _id: user._id || generateUserMetadataID(globalUser._id),
+    _rev: ctx.request.body._rev,
   }
-  if (!metadata._rev) {
+  ctx.body = await db.put(metadata)
-    metadata._rev = ctx.request.body._rev
-  }
-  ctx.body = await db.put({
-    ...metadata,
-  })
 }
 
 exports.destroyMetadata = async function(ctx) {
   const db = new CouchDB(ctx.appId)
-  const email =
+  await deleteGlobalUser(ctx, getGlobalIDFromUserMetadataID(ctx.params.id))
-    ctx.params.email || getEmailFromUserMetadataID(ctx.params.userId)
-  await deleteGlobalUser(ctx, email)
   try {
-    const dbUser = await db.get(generateUserMetadataID(email))
+    const dbUser = await db.get(ctx.params.id)
     await db.remove(dbUser._id, dbUser._rev)
   } catch (err) {
     // error just means the global user has no config in this app
   }
   ctx.body = {
-    message: `User ${ctx.params.email} deleted.`,
+    message: `User ${ctx.params.id} deleted.`,
   }
 }
 
 exports.findMetadata = async function(ctx) {
-  ctx.body = await getFullUser({
+  ctx.body = await getFullUser(ctx, ctx.params.id)
-    ctx,
-    email: ctx.params.email,
-    userId: ctx.params.userId,
-  })
 }

packages/server/src/api/routes/tests/auth.spec.js

@@ -1,13 +1,18 @@
 const setup = require("./utilities")
+const { generateUserMetadataID } = require("../../../db/utils")
 
 require("../../../utilities/workerRequests")
 jest.mock("../../../utilities/workerRequests", () => ({
   getGlobalUsers: jest.fn(() => {
     return {
-      email: "test@test.com",
+      _id: "us_uuid1",
+    }
+  }),
+  saveGlobalUser: jest.fn(() => {
+    return {
+      _id: "us_uuid1",
     }
   }),
-  saveGlobalUser: jest.fn(),
 }))
 
 describe("/authenticate", () => {
@@ -22,14 +27,14 @@ describe("/authenticate", () => {
 
   describe("fetch self", () => {
     it("should be able to fetch self", async () => {
-      await config.createUser("test@test.com", "p4ssw0rd")
+      const user = await config.createUser("test@test.com", "p4ssw0rd")
-      const headers = await config.login("test@test.com", "p4ssw0rd")
+      const headers = await config.login("test@test.com", "p4ssw0rd", { userId: user._id })
       const res = await request
         .get(`/api/self`)
         .set(headers)
         .expect("Content-Type", /json/)
         .expect(200)
-      expect(res.body.email).toEqual("test@test.com")
+      expect(res.body._id).toEqual(generateUserMetadataID("us_uuid1"))
     })
   })
 })

packages/server/src/api/routes/tests/routing.spec.js

@@ -4,11 +4,6 @@ const { checkBuilderEndpoint } = require("./utilities/TestFunctions")
 const { BUILTIN_ROLE_IDS } = require("../../../utilities/security/roles")
 const workerRequests = require("../../../utilities/workerRequests")
 
-jest.mock("../../../utilities/workerRequests", () => ({
-  getGlobalUsers: jest.fn(),
-  saveGlobalUser: jest.fn(),
-}))
-
 const route = "/test"
 
 describe("/routing", () => {

packages/server/src/api/routes/tests/user.spec.js

@@ -7,7 +7,10 @@ const workerRequests = require("../../../utilities/workerRequests")
 jest.mock("../../../utilities/workerRequests", () => ({
   getGlobalUsers: jest.fn(),
   saveGlobalUser: jest.fn(() => {
-    return {}
+    const uuid = require("uuid/v4")
+    return {
+      _id: `us_${uuid()}`
+    }
   }),
   deleteGlobalUser: jest.fn(),
 }))
@@ -26,10 +29,10 @@ describe("/users", () => {
     beforeEach(() => {
       workerRequests.getGlobalUsers.mockImplementationOnce(() => ([
           {
-            email: "brenda@brenda.com"
+            _id: "us_uuid1",
           },
           {
-            email: "pam@pam.com"
+            _id: "us_uuid2",
           }
         ]
       ))
@@ -45,8 +48,8 @@ describe("/users", () => {
         .expect(200)
 
       expect(res.body.length).toBe(2)
-      expect(res.body.find(u => u.email === "brenda@brenda.com")).toBeDefined()
+      expect(res.body.find(u => u._id === `ro_ta_users_us_uuid1`)).toBeDefined()
-      expect(res.body.find(u => u.email === "pam@pam.com")).toBeDefined()
+      expect(res.body.find(u => u._id === `ro_ta_users_us_uuid2`)).toBeDefined()
     })
 
     it("should apply authorization to endpoint", async () => {
@@ -66,10 +69,10 @@ describe("/users", () => {
     beforeEach(() => {
       workerRequests.getGlobalUsers.mockImplementationOnce(() => ([
           {
-            email: "bill@budibase.com"
+            _id: "us_uuid1",
           },
           {
-            email: "brandNewUser@user.com"
+            _id: "us_uuid2",
           }
         ]
       ))
@@ -86,7 +89,6 @@ describe("/users", () => {
 
     it("returns a success message when a user is successfully created", async () => {
       const body = basicUser(BUILTIN_ROLE_IDS.POWER)
-      body.email = "bill@budibase.com"
       const res = await create(body)
 
       expect(res.res.statusMessage).toEqual("OK")
@@ -95,7 +97,6 @@ describe("/users", () => {
 
     it("should apply authorization to endpoint", async () => {
       const body = basicUser(BUILTIN_ROLE_IDS.POWER)
-      body.email = "brandNewUser@user.com"
       await checkPermissionsEndpoint({
         config,
         method: "POST",
@@ -110,13 +111,6 @@ describe("/users", () => {
       const user = basicUser(null)
       await create(user, 400)
     })
-
-    it("should throw error if user exists already", async () => {
-      await config.createUser("test@test.com")
-      const user = basicUser(BUILTIN_ROLE_IDS.POWER)
-      user.email = "test@test.com"
-      await create(user, 409)
-    })
   })
 
   describe("update", () => {
@@ -141,10 +135,9 @@ describe("/users", () => {
 
   describe("destroy", () => {
     it("should be able to delete the user", async () => {
-      const email = "test@test.com"
+      const user = await config.createUser()
-      await config.createUser(email)
       const res = await request
-        .delete(`/api/users/metadata/${email}`)
+        .delete(`/api/users/metadata/${user._id}`)
         .set(config.defaultHeaders())
         .expect(200)
         .expect("Content-Type", /json/)
@@ -156,21 +149,23 @@ describe("/users", () => {
   describe("find", () => {
     beforeEach(() => {
       jest.resetAllMocks()
+      workerRequests.saveGlobalUser.mockImplementationOnce(() => ({
+        _id: "us_uuid1",
+      }))
       workerRequests.getGlobalUsers.mockImplementationOnce(() => ({
-        email: "test@test.com",
+        _id: "us_uuid1",
         roleId: BUILTIN_ROLE_IDS.POWER,
       }))
     })
 
     it("should be able to find the user", async () => {
-      const email = "test@test.com"
+      const user = await config.createUser()
-      await config.createUser(email)
       const res = await request
-        .get(`/api/users/metadata/${email}`)
+        .get(`/api/users/metadata/${user._id}`)
         .set(config.defaultHeaders())
         .expect(200)
         .expect("Content-Type", /json/)
-      expect(res.body.email).toEqual(email)
+      expect(res.body._id).toEqual(user._id)
       expect(res.body.roleId).toEqual(BUILTIN_ROLE_IDS.POWER)
       expect(res.body.tableId).toBeDefined()
     })

packages/server/src/api/routes/tests/utilities/TestFunctions.js

@@ -63,11 +63,9 @@ exports.checkPermissionsEndpoint = async ({
 }) => {
   const password = "PASSWORD"
   await config.createUser("passUser@budibase.com", password, passRole)
-  const passHeader = await config.login(
+  const passHeader = await config.login("passUser@budibase.com", password, {
-    "passUser@budibase.com",
+    roleId: passRole,
-    password,
+  })
-    passRole
-  )
 
   await exports
     .createRequest(config.request, method, url, body)
@@ -75,11 +73,9 @@ exports.checkPermissionsEndpoint = async ({
     .expect(200)
 
   await config.createUser("failUser@budibase.com", password, failRole)
-  const failHeader = await config.login(
+  const failHeader = await config.login("failUser@budibase.com", password, {
-    "failUser@budibase.com",
+    roleId: failRole,
-    password,
+  })
-    failRole
-  )
 
   await exports
     .createRequest(config.request, method, url, body)

packages/server/src/api/routes/tests/utilities/index.js

@@ -2,6 +2,15 @@ const TestConfig = require("../../../../tests/utilities/TestConfiguration")
 const structures = require("../../../../tests/utilities/structures")
 const env = require("../../../../environment")
 
+jest.mock("../../../../utilities/workerRequests", () => ({
+  getGlobalUsers: jest.fn(),
+  saveGlobalUser: jest.fn(() => {
+    return {
+      _id: "us_uuid1",
+    }
+  }),
+}))
+
 exports.delay = ms => new Promise(resolve => setTimeout(resolve, ms))
 
 let request, config

packages/server/src/api/routes/user.js

@@ -16,7 +16,7 @@ router
     controller.fetchMetadata
   )
   .get(
-    "/api/users/metadata/:email",
+    "/api/users/metadata/:id",
     authorized(PermissionTypes.USER, PermissionLevels.READ),
     controller.findMetadata
   )
@@ -32,7 +32,7 @@ router
     controller.createMetadata
   )
   .delete(
-    "/api/users/metadata/:email",
+    "/api/users/metadata/:id",
     authorized(PermissionTypes.USER, PermissionLevels.WRITE),
     usage,
     controller.destroyMetadata

packages/server/src/automations/tests/createUser.spec.js

@@ -25,6 +25,7 @@ describe("test the create user action", () => {
     expect(res.id).toBeDefined()
     expect(res.revision).toBeDefined()
     const userDoc = await config.getRow(InternalTables.USER_METADATA, res.id)
+    expect(userDoc).toBeDefined()
   })
 
   it("should return an error if no inputs provided", async () => {

packages/server/src/constants/index.js

@@ -33,6 +33,7 @@ exports.USERS_TABLE_SCHEMA = {
   type: "table",
   views: {},
   name: "Users",
+  // TODO: ADMIN PANEL - when implemented this doesn't need to be carried out
   schema: {
     email: {
       type: exports.FieldTypes.STRING,

packages/server/src/db/utils.js

@@ -127,23 +127,23 @@ exports.generateRowID = (tableId, id = null) => {
 /**
  * Gets parameters for retrieving users, this is a utility function for the getDocParams function.
  */
-exports.getUserMetadataParams = (email = "", otherProps = {}) => {
+exports.getUserMetadataParams = (userId = null, otherProps = {}) => {
-  return exports.getRowParams(InternalTables.USER_METADATA, email, otherProps)
+  return exports.getRowParams(InternalTables.USER_METADATA, userId, otherProps)
 }
 
 /**
- * Generates a new user ID based on the passed in email.
+ * Generates a new user ID based on the passed in global ID.
- * @param {string} email The email which the ID is going to be built up of.
+ * @param {string} globalId The ID of the global user.
  * @returns {string} The new user ID which the user doc can be stored under.
  */
-exports.generateUserMetadataID = email => {
+exports.generateUserMetadataID = globalId => {
-  return exports.generateRowID(InternalTables.USER_METADATA, email)
+  return exports.generateRowID(InternalTables.USER_METADATA, globalId)
 }
 
 /**
- * Breaks up the ID to get the email address back out of it.
+ * Breaks up the ID to get the global ID.
  */
-exports.getEmailFromUserMetadataID = id => {
+exports.getGlobalIDFromUserMetadataID = id => {
   return id.split(
     `${DocumentTypes.ROW}${SEPARATOR}${InternalTables.USER_METADATA}${SEPARATOR}`
   )[1]

packages/server/src/middleware/currentapp.js

@@ -1,6 +1,5 @@
 const { getAppId, setCookie, getCookie, Cookies } = require("@budibase/auth")
 const { getRole } = require("../utilities/security/roles")
-const { generateUserMetadataID } = require("../db/utils")
 const { getGlobalUsers } = require("../utilities/workerRequests")
 const { BUILTIN_ROLE_IDS } = require("../utilities/security/roles")
 
@@ -40,14 +39,10 @@ module.exports = async (ctx, next) => {
   if (appId) {
     ctx.appId = appId
     if (roleId) {
-      const userId = ctx.user
-        ? generateUserMetadataID(ctx.user.email)
-        : undefined
       ctx.roleId = roleId
       ctx.user = {
         ...ctx.user,
-        _id: userId,
+        _id: ctx.user ? ctx.user.userId : null,
-        userId,
         role: await getRole(appId, roleId),
       }
     }

packages/server/src/middleware/tests/currentapp.spec.js

@@ -5,7 +5,7 @@ function mockWorker() {
   jest.mock("../../utilities/workerRequests", () => ({
     getGlobalUsers: () => {
       return {
-        email: "test@test.com",
+        email: "us_uuid1",
         roles: {
           "app_test": "BASIC",
         }
@@ -59,7 +59,7 @@ class TestConfiguration {
 
   setUser() {
     this.ctx.user = {
-      email: "test@test.com",
+      userId: "ro_ta_user_us_uuid1",
     }
   }
 

packages/server/src/tests/utilities/TestConfiguration.js

@@ -70,8 +70,7 @@ class TestConfiguration {
 
   defaultHeaders() {
     const user = {
-      userId: "us_test@test.com",
+      userId: "ro_ta_user_us_uuid1",
-      email: "test@test.com",
       builder: {
         global: true,
       },
@@ -106,12 +105,13 @@ class TestConfiguration {
   }
 
   async roleHeaders(email = EMAIL, roleId = BUILTIN_ROLE_IDS.ADMIN) {
+    let user
     try {
-      await this.createUser(email, PASSWORD, roleId)
+      user = await this.createUser(email, PASSWORD, roleId)
     } catch (err) {
       // allow errors here
     }
-    return this.login(email, PASSWORD, roleId)
+    return this.login(email, PASSWORD, { roleId, userId: user._id })
   }
 
   async createApp(appName) {
@@ -293,33 +293,19 @@ class TestConfiguration {
     )
   }
 
-  async makeUserInactive(email) {
+  async login(email, password, { roleId, userId } = {}) {
-    const user = await this._req(
+    if (!roleId) {
-      null,
+      roleId = BUILTIN_ROLE_IDS.BUILDER
-      {
+    }
-        email,
-      },
-      controllers.user.findMetadata
-    )
-    return this._req(
-      {
-        ...user,
-        status: "inactive",
-      },
-      null,
-      controllers.user.updateMetadata
-    )
-  }
-
-  async login(email, password, roleId = BUILTIN_ROLE_IDS.BUILDER) {
     if (!this.request) {
       throw "Server has not been opened, cannot login."
     }
     if (!email || !password) {
       await this.createUser()
     }
+    // have to fake this
     const user = {
-      userId: `us_${email || EMAIL}`,
+      userId: userId || `ro_ta_users_us_uuid1`,
       email: email || EMAIL,
     }
     const app = {

packages/server/src/utilities/users.js

@@ -1,20 +1,18 @@
 const CouchDB = require("../db")
-const {
+const { getGlobalIDFromUserMetadataID } = require("../db/utils")
-  generateUserMetadataID,
-  getEmailFromUserMetadataID,
-} = require("../db/utils")
 const { getGlobalUsers } = require("../utilities/workerRequests")
 
-exports.getFullUser = async ({ ctx, email, userId }) => {
+exports.getFullUser = async (ctx, userId) => {
-  if (!email) {
+  const global = await getGlobalUsers(
-    email = getEmailFromUserMetadataID(userId)
+    ctx,
-  }
+    ctx.appId,
-  const global = await getGlobalUsers(ctx, ctx.appId, email)
+    getGlobalIDFromUserMetadataID(userId)
+  )
   let metadata
   try {
     // this will throw an error if the db doesn't exist, or there is no appId
     const db = new CouchDB(ctx.appId)
-    metadata = await db.get(generateUserMetadataID(email))
+    metadata = await db.get(userId)
   } catch (err) {
     // it is fine if there is no user metadata, just remove global db info
     delete global._id
@@ -24,6 +22,6 @@ exports.getFullUser = async ({ ctx, email, userId }) => {
     ...global,
     ...metadata,
     // make sure the ID is always a local ID, not a global one
-    _id: generateUserMetadataID(email),
+    _id: userId,
   }
 }

packages/server/src/utilities/workerRequests.js

@@ -60,8 +60,8 @@ exports.getDeployedApps = async ctx => {
   }
 }
 
-exports.deleteGlobalUser = async (ctx, email) => {
+exports.deleteGlobalUser = async (ctx, globalId) => {
-  const endpoint = `/api/admin/users/${email}`
+  const endpoint = `/api/admin/users/${globalId}`
   const reqCfg = { method: "DELETE" }
   const response = await fetch(
     checkSlashesInUrl(env.WORKER_URL + endpoint),
@@ -70,8 +70,10 @@ exports.deleteGlobalUser = async (ctx, email) => {
   return response.json()
 }
 
-exports.getGlobalUsers = async (ctx, appId = null, email = null) => {
+exports.getGlobalUsers = async (ctx, appId = null, globalId = null) => {
-  const endpoint = email ? `/api/admin/users/${email}` : `/api/admin/users`
+  const endpoint = globalId
+    ? `/api/admin/users/${globalId}`
+    : `/api/admin/users`
   const reqCfg = { method: "GET" }
   const response = await fetch(
     checkSlashesInUrl(env.WORKER_URL + endpoint),
@@ -89,8 +91,8 @@ exports.getGlobalUsers = async (ctx, appId = null, email = null) => {
   return users
 }
 
-exports.saveGlobalUser = async (ctx, appId, email, body) => {
+exports.saveGlobalUser = async (ctx, appId, body, globalId = null) => {
-  const globalUser = await exports.getGlobalUsers(ctx, appId, email)
+  const globalUser = await exports.getGlobalUsers(ctx, appId, globalId)
   const roles = globalUser.roles || {}
   if (body.roleId) {
     roles[appId] = body.roleId
@@ -100,9 +102,9 @@ exports.saveGlobalUser = async (ctx, appId, email, body) => {
     method: "POST",
     body: {
       ...globalUser,
-      email,
       password: body.password || undefined,
       status: body.status,
+      email: body.email,
       roles,
       builder: {
         global: true,
@@ -124,5 +126,8 @@ exports.saveGlobalUser = async (ctx, appId, email, body) => {
   delete body.status
   delete body.roles
   delete body.builder
-  return body
+  return {
+    ...body,
+    _id: json._id,
+  }
 }