instanceid removal

packages/builder/src/builderStore/api.js

@@ -1,17 +1,17 @@
-const apiCall = method => async (url, body) => {
+const apiCall = (method, instanceId) => async (url, body) => {
+  const headers = {
+    "Content-Type": "application/json",
+    "x-user-agent": "Budibase Builder",
+  }
+  if (instanceId) {
+    headers["x-budibase-instanceid"] = instanceId
+  }
   const response = await fetch(url, {
     method: method,
-    headers: {
-      "Content-Type": "application/json",
-      "x-user-agent": "Budibase Builder",
-    },
     body: body && JSON.stringify(body),
+    headers,
   })
 
-  // if (response.status === 500) {
-  //   throw new Error("Server Error");
-  // }
-
   return response
 }
 
@@ -21,10 +21,20 @@ export const patch = apiCall("PATCH")
 export const del = apiCall("DELETE")
 export const put = apiCall("PUT")
 
-export default {
-  post,
-  get,
-  patch,
-  delete: del,
-  put,
-}
+// usage: api(instanceId).post(...) ... will supply instance Id in header
+const api = instanceId => ({
+  post: apiCall("POST", instanceId),
+  get: apiCall("GET", instanceId),
+  patch: apiCall("PATCH", instanceId),
+  delete: apiCall("DELETE", instanceId),
+  put: apiCall("PUT", instanceId),
+})
+
+// usage: api.post(...)... will not supply instanceid in header
+api.post = apiCall("POST")
+api.get = apiCall("GET")
+api.patch = apiCall("PATCH")
+api.delete = apiCall("DELETE")
+api.put = apiCall("PUT")
+
+export default api

packages/builder/src/builderStore/store/backend.js

@@ -24,8 +24,8 @@ export const getBackendUiStore = () => {
   store.actions = {
     database: {
       select: async db => {
-        const modelsResponse = await api.get(`/api/${db._id}/models`)
-        const viewsResponse = await api.get(`/api/${db._id}/views`)
+        const modelsResponse = await api(db._id).get(`/api/models`)
+        const viewsResponse = await api(db._id).get(`/api/views`)
         const models = await modelsResponse.json()
         const views = await viewsResponse.json()
         store.update(state => {

packages/builder/src/builderStore/store/index.js

@@ -1,5 +1,4 @@
 import { values } from "lodash/fp"
-import { backendUiStore } from "builderStore"
 import * as backendStoreActions from "./backend"
 import { writable, get } from "svelte/store"
 import api from "../api"
@@ -295,13 +294,10 @@ const addChildComponent = store => (componentToAdd, presetName) => {
 
     const presetProps = presetName ? component.presets[presetName] : {}
 
-    const instanceId = get(backendUiStore).selectedDatabase._id
-
     const newComponent = createProps(
       component,
       {
         ...presetProps,
-        _instanceId: instanceId,
       },
       state
     )

packages/builder/src/builderStore/store/workflow/index.js

@@ -4,8 +4,8 @@ import Workflow from "./Workflow"
 
 const workflowActions = store => ({
   fetch: async instanceId => {
-    const WORKFLOWS_URL = `/api/${instanceId}/workflows`
-    const workflowResponse = await api.get(WORKFLOWS_URL)
+    const WORKFLOWS_URL = `/api/workflows`
+    const workflowResponse = await api(instanceId).get(WORKFLOWS_URL)
     const json = await workflowResponse.json()
     store.update(state => {
       state.workflows = json
@@ -19,8 +19,8 @@ const workflowActions = store => ({
         steps: [],
       },
     }
-    const CREATE_WORKFLOW_URL = `/api/${instanceId}/workflows`
-    const response = await api.post(CREATE_WORKFLOW_URL, workflow)
+    const CREATE_WORKFLOW_URL = `/api/workflows`
+    const response = await api(instanceId).post(CREATE_WORKFLOW_URL, workflow)
     const json = await response.json()
     store.update(state => {
       state.workflows = state.workflows.concat(json.workflow)
@@ -29,8 +29,8 @@ const workflowActions = store => ({
     })
   },
   save: async ({ instanceId, workflow }) => {
-    const UPDATE_WORKFLOW_URL = `/api/${instanceId}/workflows`
-    const response = await api.put(UPDATE_WORKFLOW_URL, workflow)
+    const UPDATE_WORKFLOW_URL = `/api/workflows`
+    const response = await api(instanceId).put(UPDATE_WORKFLOW_URL, workflow)
     const json = await response.json()
     store.update(state => {
       const existingIdx = state.workflows.findIndex(
@@ -43,8 +43,8 @@ const workflowActions = store => ({
     })
   },
   update: async ({ instanceId, workflow }) => {
-    const UPDATE_WORKFLOW_URL = `/api/${instanceId}/workflows`
-    const response = await api.put(UPDATE_WORKFLOW_URL, workflow)
+    const UPDATE_WORKFLOW_URL = `/api/workflows`
+    const response = await api(instanceId).put(UPDATE_WORKFLOW_URL, workflow)
     const json = await response.json()
     store.update(state => {
       const existingIdx = state.workflows.findIndex(
@@ -57,8 +57,8 @@ const workflowActions = store => ({
   },
   delete: async ({ instanceId, workflow }) => {
     const { _id, _rev } = workflow
-    const DELETE_WORKFLOW_URL = `/api/${instanceId}/workflows/${_id}/${_rev}`
-    await api.delete(DELETE_WORKFLOW_URL)
+    const DELETE_WORKFLOW_URL = `/api/workflows/${_id}/${_rev}`
+    await api(instanceId).delete(DELETE_WORKFLOW_URL)
 
     store.update(state => {
       const existingIdx = state.workflows.findIndex(

packages/builder/src/components/database/ModelDataTable/api.js

@@ -1,8 +1,8 @@
 import api from "builderStore/api"
 
 export async function createUser(user, instanceId) {
-  const CREATE_USER_URL = `/api/${instanceId}/users`
-  const response = await api.post(CREATE_USER_URL, user)
+  const CREATE_USER_URL = `/api/users`
+  const response = await api(instanceId).post(CREATE_USER_URL, user)
   return await response.json()
 }
 
@@ -15,21 +15,21 @@ export async function createDatabase(appname, instanceName) {
 }
 
 export async function deleteRecord(record, instanceId) {
-  const DELETE_RECORDS_URL = `/api/${instanceId}/${record._modelId}/records/${record._id}/${record._rev}`
-  const response = await api.delete(DELETE_RECORDS_URL)
+  const DELETE_RECORDS_URL = `/api/${record._modelId}/records/${record._id}/${record._rev}`
+  const response = await api(instanceId).delete(DELETE_RECORDS_URL)
   return response
 }
 
 export async function saveRecord(record, instanceId, modelId) {
-  const SAVE_RECORDS_URL = `/api/${instanceId}/${modelId}/records`
-  const response = await api.post(SAVE_RECORDS_URL, record)
+  const SAVE_RECORDS_URL = `/api/${modelId}/records`
+  const response = await api(instanceId).post(SAVE_RECORDS_URL, record)
 
   return await response.json()
 }
 
 export async function fetchDataForView(viewName, instanceId) {
-  const FETCH_RECORDS_URL = `/api/${instanceId}/views/${viewName}`
+  const FETCH_RECORDS_URL = `/api/views/${viewName}`
 
-  const response = await api.get(FETCH_RECORDS_URL)
+  const response = await api(instanceId).get(FETCH_RECORDS_URL)
   return await response.json()
 }

packages/builder/src/components/database/ModelDataTable/modals/CreateEditModel/CreateEditModel.svelte

@@ -27,8 +27,8 @@
   function onFinishedFieldEdit() {}
 
   async function saveModel() {
-    const SAVE_MODEL_URL = `/api/${instanceId}/models`
-    const response = await api.post(SAVE_MODEL_URL, model)
+    const SAVE_MODEL_URL = `/api/models`
+    const response = await api(instanceId).post(SAVE_MODEL_URL, model)
     const newModel = await response.json()
     backendUiStore.actions.models.create(newModel)
     onClosed()

packages/builder/src/components/database/ModelDataTable/modals/CreateEditView.svelte

@@ -29,8 +29,8 @@
   function deleteView() {}
 
   async function saveView() {
-    const SAVE_VIEW_URL = `/api/${instanceId}/views`
-    const response = await api.post(SAVE_VIEW_URL, view)
+    const SAVE_VIEW_URL = `/api/views`
+    const response = await api(instanceId).post(SAVE_VIEW_URL, view)
     backendUiStore.update(state => {
       state.views = [...state.views, response.view]
       return state

packages/builder/src/components/nav/HierarchyRow.svelte

@@ -7,7 +7,6 @@
     CreateEditModelModal,
     CreateEditViewModal,
   } from "components/database/ModelDataTable/modals"
-  import api from "builderStore/api"
 
   const { open, close } = getContext("simple-modal")
 

packages/builder/src/components/nav/SchemaManagementDrawer.svelte

@@ -52,8 +52,8 @@
   }
 
   async function deleteModel(modelToDelete) {
-    const DELETE_MODEL_URL = `/api/${instanceId}/models/${node._id}/${node._rev}`
-    const response = await api.delete(DELETE_MODEL_URL)
+    const DELETE_MODEL_URL = `/api/models/${node._id}/${node._rev}`
+    const response = await api(instanceId).delete(DELETE_MODEL_URL)
     backendUiStore.update(state => {
       state.models = state.models.filter(
         model => model._id !== modelToDelete._id

packages/builder/src/components/nav/UsersList.svelte

@@ -16,8 +16,8 @@
   }
 
   async function fetchUsers() {
-    const FETCH_USERS_URL = `/api/${currentAppInfo.instanceId}/users`
-    const response = await api.get(FETCH_USERS_URL)
+    const FETCH_USERS_URL = `/api/users`
+    const response = await api(currentAppInfo.instanceId).get(FETCH_USERS_URL)
     const users = await response.json()
     backendUiStore.update(state => {
       state.users = users

packages/builder/src/components/userInterface/AppPreview/CurrentItemPreview.svelte

@@ -108,6 +108,7 @@
         selectedComponentId,
         frontendDefinition,
         appId: $store.appId,
+        instanceId: $backendUiStore.selectedDatabase._id,
       })
     )
   }

packages/builder/src/components/userInterface/AppPreview/iframeTemplate.js

@@ -20,6 +20,7 @@ export default `<html>
           font-weight: bold;
         }
     </style>
+    <script src='/assets/budibase-client.js'></script>
     <script>
       function receiveMessage(event) { 
 
@@ -44,13 +45,11 @@ export default `<html>
         document.head.appendChild(styles)
         styles.appendChild(document.createTextNode(data.styles))
 
-        document.cookie = "budibase:appid=" + data.appId
         window["##BUDIBASE_FRONTEND_DEFINITION##"] = data.frontendDefinition;
-        if (clientModule) {
-          clientModule.loadBudibase({ window, localStorage })
+        if (window.loadBudibase) {
+          loadBudibase({ window, localStorage })
         }
       }
-      let clientModule
       let styles
       let selectedComponentStyle
 
@@ -60,12 +59,9 @@ export default `<html>
         return false;
       }, true)
 
-      import('/_builder/budibase-client.esm.mjs')
-      .then(module => {
-        clientModule = module
-        window.addEventListener('message', receiveMessage)
-        window.dispatchEvent(new Event('bb-ready'))
-      })
+      window.addEventListener('message', receiveMessage)
+      window.dispatchEvent(new Event('bb-ready'))
+      
     </script>
   </head>
   <body>

packages/builder/src/components/workflow/SetupPanel/DeleteWorkflowModal.svelte

@@ -1,7 +1,6 @@
 <script>
   import { store, backendUiStore, workflowStore } from "builderStore"
   import { notifier } from "@beyonk/svelte-notifications"
-  import api from "builderStore/api"
   import ActionButton from "components/common/ActionButton.svelte"
 
   export let onClosed

packages/builder/src/components/workflow/SetupPanel/SetupPanel.svelte

@@ -3,7 +3,6 @@
   import { onMount, getContext } from "svelte"
   import { backendUiStore, workflowStore } from "builderStore"
   import { notifier } from "@beyonk/svelte-notifications"
-  import api from "builderStore/api"
   import WorkflowBlockSetup from "./WorkflowBlockSetup.svelte"
   import DeleteWorkflowModal from "./DeleteWorkflowModal.svelte"
 

packages/builder/src/components/workflow/WorkflowBuilder/WorkflowBuilder.svelte

@@ -3,7 +3,6 @@
   import { workflowStore, backendUiStore } from "builderStore"
   import { notifier } from "@beyonk/svelte-notifications"
   import Flowchart from "./flowchart/FlowChart.svelte"
-  import api from "builderStore/api"
 
   let selectedWorkflow
   let uiTree

packages/builder/src/components/workflow/WorkflowPanel/BlockList/BlockList.svelte

@@ -3,7 +3,6 @@
   import { backendUiStore, workflowStore } from "builderStore"
   import { WorkflowList } from "../"
   import WorkflowBlock from "./WorkflowBlock.svelte"
-  import api from "builderStore/api"
   import blockDefinitions from "../blockDefinitions"
 
   let selectedTab = "TRIGGER"

packages/builder/src/components/workflow/WorkflowPanel/WorkflowList/CreateWorkflowModal.svelte

@@ -1,7 +1,6 @@
 <script>
   import { store, backendUiStore, workflowStore } from "builderStore"
   import { notifier } from "@beyonk/svelte-notifications"
-  import api from "builderStore/api"
   import ActionButton from "components/common/ActionButton.svelte"
 
   export let onClosed

packages/builder/src/components/workflow/WorkflowPanel/WorkflowList/WorkflowList.svelte

@@ -3,7 +3,6 @@
   import { notifier } from "@beyonk/svelte-notifications"
   import { onMount, getContext } from "svelte"
   import { backendUiStore, workflowStore } from "builderStore"
-  import api from "builderStore/api"
   import CreateWorkflowModal from "./CreateWorkflowModal.svelte"
 
   const { open, close } = getContext("simple-modal")

packages/builder/src/components/workflow/WorkflowPanel/WorkflowPanel.svelte

@@ -2,7 +2,6 @@
   import { onMount } from "svelte"
   import { backendUiStore, workflowStore } from "builderStore"
   import { WorkflowList, BlockList } from "./"
-  import api from "builderStore/api"
   import blockDefinitions from "./blockDefinitions"
 
   let selectedTab = "WORKFLOWS"

packages/client/src/render/getAppId.js

@@ -1,5 +1,9 @@
-export const getAppId = cookie =>
-  cookie
+export const getAppId = cookie => {
+  const base64Token = cookie
     .split(";")
-    .find(c => c.trim().startsWith("budibase:appid"))
+    .find(c => c.trim().startsWith("budibase:token"))
     .split("=")[1]
+
+  const user = JSON.parse(atob(base64Token.split(".")[1]))
+  return user.appId
+}

packages/client/tests/testAppDef.js

@@ -7,8 +7,9 @@ export const load = async (page, screens, url, host = "test.com") => {
 
   const fullUrl = `http://${host}${url}`
   const cookieJar = new jsdom.CookieJar()
+  const cookie = btoa('{}{"appId":"TEST_APP_ID"}signature')
   cookieJar.setCookie(
-    `budibase:appid=TEST_APP_ID;domain=${host};path=/`,
+    `budibase:token=${cookie};domain=${host};path=/`,
     fullUrl,
     {
       looseMode: false,
@@ -20,9 +21,6 @@ export const load = async (page, screens, url, host = "test.com") => {
     url: fullUrl,
     cookieJar,
   })
-  /*const cookie = tough.Cookie
-  cookie.key = "budibase:appid"
-  cookie.value = "TEST_APPID"*/
 
   autoAssignIds(page.props)
   for (let s of screens) {
@@ -44,7 +42,6 @@ export const load = async (page, screens, url, host = "test.com") => {
 }
 
 const addWindowGlobals = (window, page, screens) => {
-  window.document.cookie = "budibase:appid=TEST_APP_ID"
   window["##BUDIBASE_FRONTEND_DEFINITION##"] = {
     page,
     screens,

packages/server/src/api/controllers/accesslevel.js

@@ -8,7 +8,7 @@ const {
 } = require("../../utilities/accessLevels")
 
 exports.fetch = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const body = await db.query("database/by_type", {
     include_docs: true,
     key: ["accesslevel"],
@@ -19,12 +19,12 @@ exports.fetch = async function(ctx) {
     {
       _id: ADMIN_LEVEL_ID,
       name: "Admin",
-      permissions: await generateAdminPermissions(ctx.params.instanceId),
+      permissions: await generateAdminPermissions(ctx.user.instanceId),
     },
     {
       _id: POWERUSER_LEVEL_ID,
       name: "Power User",
-      permissions: await generatePowerUserPermissions(ctx.params.instanceId),
+      permissions: await generatePowerUserPermissions(ctx.user.instanceId),
     },
   ]
 
@@ -32,12 +32,12 @@ exports.fetch = async function(ctx) {
 }
 
 exports.find = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   ctx.body = await db.get(ctx.params.levelId)
 }
 
 exports.update = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const level = await db.get(ctx.params.levelId)
   level.name = ctx.body.name
   level.permissions = ctx.request.body.permissions
@@ -48,7 +48,7 @@ exports.update = async function(ctx) {
 }
 
 exports.patch = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const level = await db.get(ctx.params.levelId)
   const { removedPermissions, addedPermissions, _rev } = ctx.request.body
 
@@ -84,7 +84,7 @@ exports.patch = async function(ctx) {
 }
 
 exports.create = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
 
   const level = {
     name: ctx.request.body.name,
@@ -101,7 +101,7 @@ exports.create = async function(ctx) {
 }
 
 exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   await db.remove(ctx.params.levelId, ctx.params.rev)
   ctx.message = `Access Level ${ctx.params.id} deleted successfully`
   ctx.status = 200

packages/server/src/api/controllers/application.js

@@ -9,6 +9,7 @@ const { copy, exists, readFile, writeFile } = require("fs-extra")
 const { budibaseAppsDir } = require("../../utilities/budibaseDir")
 const { exec } = require("child_process")
 const sqrl = require("squirrelly")
+const setBuilderToken = require("../../utilities/builder/setBuilderToken")
 
 exports.fetch = async function(ctx) {
   const db = new CouchDB(ClientDb.name(getClientId(ctx)))
@@ -25,6 +26,14 @@ exports.fetchAppPackage = async function(ctx) {
   const db = new CouchDB(ClientDb.name(clientId))
   const application = await db.get(ctx.params.applicationId)
   ctx.body = await getPackageForBuilder(ctx.config, application)
+  /* 
+  instance is hardcoded now - this can only change when we move
+  pages and screens into the database 
+  */
+  const devInstance = application.instances.find(
+    i => i.name === `dev-${clientId}`
+  )
+  setBuilderToken(ctx, ctx.params.applicationId, devInstance._id)
 }
 
 exports.create = async function(ctx) {
@@ -37,10 +46,12 @@ exports.create = async function(ctx) {
   const appId = newid()
   // insert an appId -> clientId lookup
   const masterDb = new CouchDB("clientAppLookup")
+
   await masterDb.put({
     _id: appId,
     clientId,
   })
+
   const db = new CouchDB(ClientDb.name(clientId))
 
   const newApplication = {
@@ -56,18 +67,18 @@ exports.create = async function(ctx) {
     description: ctx.request.body.description,
   }
 
-  const { rev } = await db.post(newApplication)
+  const { rev } = await db.put(newApplication)
   newApplication._rev = rev
-
   const createInstCtx = {
-    params: {
-      applicationId: newApplication._id,
+    user: {
+      appId: newApplication._id,
     },
     request: {
       body: { name: `dev-${clientId}` },
     },
   }
   await instanceController.create(createInstCtx)
+  newApplication.instances.push(createInstCtx.body)
 
   if (ctx.isDev) {
     const newAppFolder = await createEmptyAppPackage(ctx, newApplication)

packages/server/src/api/controllers/auth.js

@@ -4,7 +4,7 @@ const ClientDb = require("../../db/clientDb")
 const bcrypt = require("../../utilities/bcrypt")
 
 exports.authenticate = async ctx => {
-  if (!ctx.appId) ctx.throw(400, "No appId")
+  if (!ctx.user.appId) ctx.throw(400, "No appId")
 
   const { username, password } = ctx.request.body
 
@@ -13,18 +13,22 @@ exports.authenticate = async ctx => {
 
   const masterDb = new CouchDB("clientAppLookup")
 
-  const { clientId } = await masterDb.get(ctx.appId)
+  const { clientId } = await masterDb.get(ctx.user.appId)
 
   if (!clientId) {
     ctx.throw(400, "ClientId not suplied")
   }
   // find the instance that the user is associated with
   const db = new CouchDB(ClientDb.name(clientId))
-  const app = await db.get(ctx.appId)
+  const app = await db.get(ctx.user.appId)
   const instanceId = app.userInstanceMap[username]
 
   if (!instanceId)
-    ctx.throw(500, "User is not associated with an instance of app", ctx.appId)
+    ctx.throw(
+      500,
+      "User is not associated with an instance of app",
+      ctx.user.appId
+    )
 
   // Check the user exists in the instance DB by username
   const instanceDb = new CouchDB(instanceId)
@@ -43,6 +47,7 @@ exports.authenticate = async ctx => {
     const payload = {
       userId: dbUser._id,
       accessLevelId: dbUser.accessLevelId,
+      appId: ctx.user.appId,
       instanceId,
     }
 

packages/server/src/api/controllers/instance.js

@@ -4,19 +4,19 @@ const newid = require("../../db/newid")
 
 exports.create = async function(ctx) {
   const instanceName = ctx.request.body.name
-  const appShortId = ctx.params.applicationId.substring(0, 7)
+  const { appId } = ctx.user
+  const appShortId = appId.substring(0, 7)
   const instanceId = `inst_${appShortId}_${newid()}`
-  const { applicationId } = ctx.params
 
   const masterDb = new CouchDB("clientAppLookup")
-  const { clientId } = await masterDb.get(applicationId)
+  const { clientId } = await masterDb.get(appId)
 
   const db = new CouchDB(instanceId)
   await db.put({
     _id: "_design/database",
     metadata: {
       clientId,
-      applicationId,
+      applicationId: appId,
     },
     views: {
       by_username: {
@@ -46,7 +46,7 @@ exports.create = async function(ctx) {
 
   // Add the new instance under the app clientDB
   const clientDb = new CouchDB(client.name(clientId))
-  const budibaseApp = await clientDb.get(applicationId)
+  const budibaseApp = await clientDb.get(appId)
   const instance = { _id: instanceId, name: instanceName }
   budibaseApp.instances.push(instance)
   await clientDb.put(budibaseApp)

packages/server/src/api/controllers/model.js

@@ -2,7 +2,7 @@ const CouchDB = require("../../db")
 const newid = require("../../db/newid")
 
 exports.fetch = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const body = await db.query("database/by_type", {
     include_docs: true,
     key: ["model"],
@@ -11,13 +11,13 @@ exports.fetch = async function(ctx) {
 }
 
 exports.find = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const model = await db.get(ctx.params.id)
   ctx.body = model
 }
 
 exports.create = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const newModel = {
     type: "model",
     ...ctx.request.body,
@@ -65,7 +65,7 @@ exports.create = async function(ctx) {
 exports.update = async function() {}
 
 exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
 
   const modelToDelete = await db.get(ctx.params.modelId)
 

packages/server/src/api/controllers/record.js

@@ -3,7 +3,7 @@ const validateJs = require("validate.js")
 const newid = require("../../db/newid")
 
 exports.save = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const record = ctx.request.body
   record.modelId = ctx.params.modelId
 
@@ -46,7 +46,7 @@ exports.save = async function(ctx) {
   ctx.eventEmitter &&
     ctx.eventEmitter.emit(`record:save`, {
       record,
-      instanceId: ctx.params.instanceId,
+      instanceId: ctx.user.instanceId,
     })
   ctx.body = record
   ctx.status = 200
@@ -54,7 +54,7 @@ exports.save = async function(ctx) {
 }
 
 exports.fetchView = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const response = await db.query(`database/${ctx.params.viewName}`, {
     include_docs: true,
   })
@@ -62,7 +62,7 @@ exports.fetchView = async function(ctx) {
 }
 
 exports.fetchModelRecords = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const response = await db.query(`database/all_${ctx.params.modelId}`, {
     include_docs: true,
   })
@@ -70,7 +70,7 @@ exports.fetchModelRecords = async function(ctx) {
 }
 
 exports.search = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const response = await db.allDocs({
     include_docs: true,
     ...ctx.request.body,
@@ -79,7 +79,7 @@ exports.search = async function(ctx) {
 }
 
 exports.find = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const record = await db.get(ctx.params.recordId)
   if (record.modelId !== ctx.params.modelId) {
     ctx.throw(400, "Supplied modelId doe not match the record's modelId")
@@ -89,7 +89,7 @@ exports.find = async function(ctx) {
 }
 
 exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const record = await db.get(ctx.params.recordId)
   if (record.modelId !== ctx.params.modelId) {
     ctx.throw(400, "Supplied modelId doe not match the record's modelId")
@@ -101,7 +101,7 @@ exports.destroy = async function(ctx) {
 
 exports.validate = async function(ctx) {
   const errors = await validate({
-    instanceId: ctx.params.instanceId,
+    instanceId: ctx.user.instanceId,
     modelId: ctx.params.modelId,
     record: ctx.request.body,
   })

packages/server/src/api/controllers/static.js

@@ -4,11 +4,12 @@ const {
   budibaseAppsDir,
   budibaseTempDir,
 } = require("../../utilities/budibaseDir")
-const env = require("../../environment")
+const setBuilderToken = require("../../utilities/builder/setBuilderToken")
+const { ANON_LEVEL_ID } = require("../../utilities/accessLevels")
 
 exports.serveBuilder = async function(ctx) {
   let builderPath = resolve(__dirname, "../../../builder")
-  ctx.cookies.set("builder:token", env.ADMIN_SECRET)
+  setBuilderToken(ctx)
   await send(ctx, ctx.file, { root: ctx.devPath || builderPath })
 }
 
@@ -22,11 +23,15 @@ exports.serveApp = async function(ctx) {
   )
   // only set the appId cookie for /appId .. we COULD check for valid appIds
   // but would like to avoid that DB hit
-  if (looksLikeAppId(ctx.params.appId)) {
-    ctx.cookies.set("budibase:appid", ctx.params.appId, {
+  if (looksLikeAppId(ctx.params.appId) && !ctx.isAuthenticated) {
+    const anonToken = {
+      userId: "ANON",
+      accessLevelId: ANON_LEVEL_ID,
+      appId: ctx.params.appId,
+    }
+    ctx.cookies.set("budibase:token", anonToken, {
       path: "/",
       httpOnly: false,
-      expires: new Date(2099, 1, 1),
     })
   }
 
@@ -37,7 +42,7 @@ exports.serveAppAsset = async function(ctx) {
   // default to homedir
   const appPath = resolve(
     budibaseAppsDir(),
-    ctx.appId,
+    ctx.user.appId,
     "public",
     ctx.isAuthenticated ? "main" : "unauthenticated"
   )
@@ -49,7 +54,7 @@ exports.serveComponentLibrary = async function(ctx) {
   // default to homedir
   let componentLibraryPath = resolve(
     budibaseAppsDir(),
-    ctx.appId,
+    ctx.user.appId,
     "node_modules",
     decodeURI(ctx.query.library),
     "dist"

packages/server/src/api/controllers/user.js

@@ -8,7 +8,7 @@ const {
 } = require("../../utilities/accessLevels")
 
 exports.fetch = async function(ctx) {
-  const database = new CouchDB(ctx.params.instanceId)
+  const database = new CouchDB(ctx.user.instanceId)
   const data = await database.query("database/by_type", {
     include_docs: true,
     key: ["user"],
@@ -18,7 +18,7 @@ exports.fetch = async function(ctx) {
 }
 
 exports.create = async function(ctx) {
-  const database = new CouchDB(ctx.params.instanceId)
+  const database = new CouchDB(ctx.user.instanceId)
   const appId = (await database.get("_design/database")).metadata.applicationId
   const { username, password, name, accessLevelId } = ctx.request.body
 
@@ -50,7 +50,7 @@ exports.create = async function(ctx) {
 
   app.userInstanceMap = {
     ...app.userInstanceMap,
-    [username]: ctx.params.instanceId,
+    [username]: ctx.user.instanceId,
   }
   await db.put(app)
 
@@ -66,14 +66,14 @@ exports.create = async function(ctx) {
 exports.update = async function() {}
 
 exports.destroy = async function(ctx) {
-  const database = new CouchDB(ctx.params.instanceId)
+  const database = new CouchDB(ctx.user.instanceId)
   await database.destroy(getUserId(ctx.params.username))
   ctx.message = `User ${ctx.params.username} deleted.`
   ctx.status = 200
 }
 
 exports.find = async function(ctx) {
-  const database = new CouchDB(ctx.params.instanceId)
+  const database = new CouchDB(ctx.user.instanceId)
   const user = await database.get(getUserId(ctx.params.username))
   ctx.body = {
     username: user.username,

packages/server/src/api/controllers/view.js

@@ -3,7 +3,7 @@ const CouchDB = require("../../db")
 const controller = {
   query: async () => {},
   fetch: async ctx => {
-    const db = new CouchDB(ctx.params.instanceId)
+    const db = new CouchDB(ctx.user.instanceId)
     const designDoc = await db.get("_design/database")
     const response = []
 
@@ -24,7 +24,7 @@ const controller = {
     ctx.body = response
   },
   create: async ctx => {
-    const db = new CouchDB(ctx.params.instanceId)
+    const db = new CouchDB(ctx.user.instanceId)
     const newView = ctx.request.body
 
     const designDoc = await db.get("_design/database")
@@ -38,7 +38,7 @@ const controller = {
     ctx.message = `View ${newView.name} created successfully.`
   },
   destroy: async ctx => {
-    const db = new CouchDB(ctx.params.instanceId)
+    const db = new CouchDB(ctx.user.instanceId)
     ctx.body = await db.destroy(ctx.params.userId)
   },
 }

packages/server/src/api/controllers/workflow/index.js

@@ -2,7 +2,7 @@ const CouchDB = require("../../../db")
 const newid = require("../../../db/newid")
 
 exports.create = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const workflow = ctx.request.body
 
   workflow._id = newid()
@@ -22,7 +22,7 @@ exports.create = async function(ctx) {
 }
 
 exports.update = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const workflow = ctx.request.body
 
   const response = await db.put(workflow)
@@ -40,7 +40,7 @@ exports.update = async function(ctx) {
 }
 
 exports.fetch = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   const response = await db.query(`database/by_type`, {
     key: ["workflow"],
     include_docs: true,
@@ -69,6 +69,6 @@ exports.fetchActionScript = async function(ctx) {
 }
 
 exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.params.instanceId)
+  const db = new CouchDB(ctx.user.instanceId)
   ctx.body = await db.remove(ctx.params.id, ctx.params.rev)
 }

packages/server/src/api/index.js

@@ -60,11 +60,6 @@ router.use(async (ctx, next) => {
   }
 })
 
-router.use(async (ctx, next) => {
-  ctx.appId = ctx.cookies.get("budibase:appid")
-  await next()
-})
-
 router.use(authRoutes.routes())
 router.use(authRoutes.allowedMethods())
 

packages/server/src/api/routes/accesslevel.js

@@ -4,11 +4,11 @@ const controller = require("../controllers/accesslevel")
 const router = Router()
 
 router
-  .post("/api/:instanceId/accesslevels", controller.create)
-  .put("/api/:instanceId/accesslevels", controller.update)
-  .get("/api/:instanceId/accesslevels", controller.fetch)
-  .get("/api/:instanceId/accesslevels/:levelId", controller.find)
-  .delete("/api/:instanceId/accesslevels/:levelId/:rev", controller.destroy)
-  .patch("/api/:instanceId/accesslevels/:levelId", controller.patch)
+  .post("/api/accesslevels", controller.create)
+  .put("/api/accesslevels", controller.update)
+  .get("/api/accesslevels", controller.fetch)
+  .get("/api/accesslevels/:levelId", controller.find)
+  .delete("/api/accesslevels/:levelId/:rev", controller.destroy)
+  .patch("/api/accesslevels/:levelId", controller.patch)
 
 module.exports = router

packages/server/src/api/routes/instance.js

@@ -6,7 +6,7 @@ const { BUILDER } = require("../../utilities/accessLevels")
 const router = Router()
 
 router
-  .post("/api/:applicationId/instances", authorized(BUILDER), controller.create)
+  .post("/api/instances", authorized(BUILDER), controller.create)
   .delete("/api/instances/:instanceId", authorized(BUILDER), controller.destroy)
 
 module.exports = router

packages/server/src/api/routes/model.js

@@ -1,17 +1,21 @@
 const Router = require("@koa/router")
 const modelController = require("../controllers/model")
 const authorized = require("../../middleware/authorized")
-const { BUILDER } = require("../../utilities/accessLevels")
+const { BUILDER, READ_MODEL } = require("../../utilities/accessLevels")
 
 const router = Router()
 
 router
-  .get("/api/:instanceId/models", authorized(BUILDER), modelController.fetch)
-  .get("/api/:instanceId/models/:id", authorized(BUILDER), modelController.find)
-  .post("/api/:instanceId/models", authorized(BUILDER), modelController.create)
+  .get("/api/models", modelController.fetch)
+  .get(
+    "/api/models/:id",
+    authorized(READ_MODEL, ctx => ctx.params.id),
+    modelController.find
+  )
+  .post("/api/models", authorized(BUILDER), modelController.create)
   // .patch("/api/:instanceId/models", controller.update)
   .delete(
-    "/api/:instanceId/models/:modelId/:revId",
+    "/api/models/:modelId/:revId",
     authorized(BUILDER),
     modelController.destroy
   )

packages/server/src/api/routes/record.js

@@ -7,28 +7,28 @@ const router = Router()
 
 router
   .get(
-    "/api/:instanceId/:modelId/records",
+    "/api/:modelId/records",
     authorized(READ_MODEL, ctx => ctx.params.modelId),
     recordController.fetchModelRecords
   )
   .get(
-    "/api/:instanceId/:modelId/records/:recordId",
+    "/api/:modelId/records/:recordId",
     authorized(READ_MODEL, ctx => ctx.params.modelId),
     recordController.find
   )
-  .post("/api/:instanceId/records/search", recordController.search)
+  .post("/api/records/search", recordController.search)
   .post(
-    "/api/:instanceId/:modelId/records",
+    "/api/:modelId/records",
     authorized(WRITE_MODEL, ctx => ctx.params.modelId),
     recordController.save
   )
   .post(
-    "/api/:instanceId/:modelId/records/validate",
+    "/api/:modelId/records/validate",
     authorized(WRITE_MODEL, ctx => ctx.params.modelId),
     recordController.validate
   )
   .delete(
-    "/api/:instanceId/:modelId/records/:recordId/:revId",
+    "/api/:modelId/records/:recordId/:revId",
     authorized(WRITE_MODEL, ctx => ctx.params.modelId),
     recordController.destroy
   )

packages/server/src/api/routes/screen.js

@@ -6,12 +6,8 @@ const { BUILDER } = require("../../utilities/accessLevels")
 const router = Router()
 
 router
-  .get("/api/:instanceId/screens", authorized(BUILDER), controller.fetch)
-  .post("/api/:instanceId/screens", authorized(BUILDER), controller.save)
-  .delete(
-    "/api/:instanceId/:screenId/:revId",
-    authorized(BUILDER),
-    controller.destroy
-  )
+  .get("/api/screens", authorized(BUILDER), controller.fetch)
+  .post("/api/screens", authorized(BUILDER), controller.save)
+  .delete("/api/:screenId/:revId", authorized(BUILDER), controller.destroy)
 
 module.exports = router

packages/server/src/api/routes/tests/accesslevel.spec.js

@@ -36,8 +36,8 @@ describe("/accesslevels", () => {
 
   beforeEach(async () => {
     instanceId = (await createInstance(request, appId))._id
-    model = await createModel(request, instanceId)
-    view = await createView(request, instanceId)
+    model = await createModel(request, appId, instanceId)
+    view = await createView(request, appId, instanceId)
   })
 
   describe("create", () => {
@@ -46,7 +46,7 @@ describe("/accesslevels", () => {
       const res = await request
         .post(`/api/${instanceId}/accesslevels`)
         .send({ name: "user" })
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -64,7 +64,7 @@ describe("/accesslevels", () => {
       const createRes = await request
         .post(`/api/${instanceId}/accesslevels`)
         .send({ name: "user", permissions: [ { itemId: model._id, name: READ_MODEL }] })
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -72,7 +72,7 @@ describe("/accesslevels", () => {
 
       const res = await request
         .get(`/api/${instanceId}/accesslevels`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -97,7 +97,7 @@ describe("/accesslevels", () => {
       const createRes = await request
         .post(`/api/${instanceId}/accesslevels`)
         .send({ name: "user", permissions: [ { itemId: model._id, name: READ_MODEL } ] })
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -105,12 +105,12 @@ describe("/accesslevels", () => {
 
       await request
         .delete(`/api/${instanceId}/accesslevels/${customLevel._id}/${customLevel._rev}`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect(200)
 
       await request
         .get(`/api/${instanceId}/accesslevels/${customLevel._id}`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect(404)      
     })
   })
@@ -120,7 +120,7 @@ describe("/accesslevels", () => {
       const createRes = await request
         .post(`/api/${instanceId}/accesslevels`)
         .send({ name: "user", permissions: [ { itemId: model._id, name: READ_MODEL }] })
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -132,13 +132,13 @@ describe("/accesslevels", () => {
           _rev: customLevel._rev,
           addedPermissions:  [ { itemId: model._id, name: WRITE_MODEL } ] 
         })
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect('Content-Type', /json/)
         .expect(200)
 
       const finalRes = await request
         .get(`/api/${instanceId}/accesslevels/${customLevel._id}`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect(200) 
 
       expect(finalRes.body.permissions.length).toBe(2)
@@ -156,7 +156,7 @@ describe("/accesslevels", () => {
             { itemId: model._id, name: WRITE_MODEL },
           ] 
         })
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -168,13 +168,13 @@ describe("/accesslevels", () => {
           _rev: customLevel._rev,
           removedPermissions:  [ { itemId: model._id, name: WRITE_MODEL }] 
         })
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect('Content-Type', /json/)
         .expect(200)
 
       const finalRes = await request
         .get(`/api/${instanceId}/accesslevels/${customLevel._id}`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(appId, instanceId))
         .expect(200) 
 
       expect(finalRes.body.permissions.length).toBe(1)

packages/server/src/api/routes/tests/application.spec.js

@@ -34,14 +34,14 @@ describe("/applications", () => {
       const res = await request
         .post("/api/applications")
         .send({ name: "My App" })
-        .set(defaultHeaders)
+        .set(defaultHeaders())
         .expect('Content-Type', /json/)
         .expect(200)
       expect(res.res.statusMessage).toEqual("Application My App created successfully")
       expect(res.body._id).toBeDefined()
     })
 
-    it("should apply authorization to endpoint", async () => {
+    fit("should apply authorization to endpoint", async () => {
       const otherApplication = await createApplication(request) 
       const instance = await createInstance(request, otherApplication._id)
       await builderEndpointShouldBlockNormalUsers({
@@ -49,6 +49,7 @@ describe("/applications", () => {
         method: "POST",
         url: `/api/applications`,
         instanceId: instance._id,
+        appId: otherApplication._id,
         body: { name: "My App" }
       })
     })
@@ -63,7 +64,7 @@ describe("/applications", () => {
 
       const res = await request
         .get("/api/applications")
-        .set(defaultHeaders)
+        .set(defaultHeaders())
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -77,13 +78,13 @@ describe("/applications", () => {
       const blah = await request
         .post("/api/applications")
         .send({ name: "app2", clientId: "new_client"})
-        .set(defaultHeaders)
+        .set(defaultHeaders())
         .expect('Content-Type', /json/)
         //.expect(200)
 
       const client1Res = await request
         .get(`/api/applications?clientId=${TEST_CLIENT_ID}`)
-        .set(defaultHeaders)
+        .set(defaultHeaders())
         .expect('Content-Type', /json/)
         .expect(200)
       
@@ -92,7 +93,7 @@ describe("/applications", () => {
 
       const client2Res = await request
         .get(`/api/applications?clientId=new_client`)
-        .set(defaultHeaders)
+        .set(defaultHeaders())
         .expect('Content-Type', /json/)
         .expect(200)
       
@@ -109,6 +110,7 @@ describe("/applications", () => {
         method: "GET",
         url: `/api/applications`,
         instanceId: instance._id,
+        appId: otherApplication._id,
       })
     })
   })

packages/server/src/api/routes/tests/couchTestUtils.js

@@ -4,8 +4,12 @@ const supertest = require("supertest")
 const app = require("../../../app")
 const {
   POWERUSER_LEVEL_ID,
+  ANON_LEVEL_ID,
+  BUILDER_LEVEL_ID,
   generateAdminPermissions,
 } = require("../../../utilities/accessLevels")
+const jwt = require("jsonwebtoken")
+const env = require("../../../environment")
 
 const TEST_CLIENT_ID = "test-client-id"
 
@@ -20,13 +24,24 @@ exports.supertest = async () => {
   return { request, server }
 }
 
-exports.defaultHeaders = {
-  Accept: "application/json",
-  Cookie: ["builder:token=test-admin-secret"],
-  "x-user-agent": "Budibase Builder",
+exports.defaultHeaders = (appId, instanceId) => {
+  const builderUser = {
+    userId: "BUILDER",
+    accessLevelId: BUILDER_LEVEL_ID,
+    appId,
+    instanceId,
+  }
+
+  const builderToken = jwt.sign(builderUser, env.JWT_SECRET)
+
+  return {
+    Accept: "application/json",
+    Cookie: [`builder:token=${builderToken}`],
+    "x-user-agent": "Budibase Builder",
+  }
 }
 
-exports.createModel = async (request, instanceId, model) => {
+exports.createModel = async (request, appId, instanceId, model) => {
   model = model || {
     name: "TestModel",
     type: "model",
@@ -43,19 +58,19 @@ exports.createModel = async (request, instanceId, model) => {
 
   const res = await request
     .post(`/api/${instanceId}/models`)
-    .set(exports.defaultHeaders)
+    .set(exports.defaultHeaders(appId, instanceId))
     .send(model)
   return res.body
 }
 
-exports.createView = async (request, instanceId, view) => {
+exports.createView = async (request, appId, instanceId, view) => {
   view = view || {
     map: "function(doc) { emit(doc[doc.key], doc._id); } ",
   }
 
   const res = await request
     .post(`/api/${instanceId}/views`)
-    .set(exports.defaultHeaders)
+    .set(exports.defaultHeaders(appId, instanceId))
     .send(view)
   return res.body
 }
@@ -65,7 +80,7 @@ exports.createClientDatabase = async id => await create(id || TEST_CLIENT_ID)
 exports.createApplication = async (request, name = "test_application") => {
   const res = await request
     .post("/api/applications")
-    .set(exports.defaultHeaders)
+    .set(exports.defaultHeaders())
     .send({
       name,
     })
@@ -76,8 +91,8 @@ exports.destroyClientDatabase = async () => await destroy(TEST_CLIENT_ID)
 
 exports.createInstance = async (request, appId) => {
   const res = await request
-    .post(`/api/${appId}/instances`)
-    .set(exports.defaultHeaders)
+    .post(`/api/instances`)
+    .set(exports.defaultHeaders(appId))
     .send({
       name: "test-instance",
     })
@@ -86,13 +101,14 @@ exports.createInstance = async (request, appId) => {
 
 exports.createUser = async (
   request,
+  appId,
   instanceId,
   username = "babs",
   password = "babs_password"
 ) => {
   const res = await request
-    .post(`/api/${instanceId}/users`)
-    .set(exports.defaultHeaders)
+    .post(`/api/users`)
+    .set(exports.defaultHeaders(appId, instanceId))
     .send({
       name: "Bill",
       username,
@@ -104,6 +120,7 @@ exports.createUser = async (
 
 const createUserWithOnePermission = async (
   request,
+  appId,
   instanceId,
   permName,
   itemId
@@ -115,17 +132,19 @@ const createUserWithOnePermission = async (
 
   return await createUserWithPermissions(
     request,
+    appId,
     instanceId,
     permissions,
     "onePermOnlyUser"
   )
 }
 
-const createUserWithAdminPermissions = async (request, instanceId) => {
+const createUserWithAdminPermissions = async (request, appId, instanceId) => {
   let permissions = await generateAdminPermissions(instanceId)
 
   return await createUserWithPermissions(
     request,
+    appId,
     instanceId,
     permissions,
     "adminUser"
@@ -134,6 +153,7 @@ const createUserWithAdminPermissions = async (request, instanceId) => {
 
 const createUserWithAllPermissionExceptOne = async (
   request,
+  appId,
   instanceId,
   permName,
   itemId
@@ -145,6 +165,7 @@ const createUserWithAllPermissionExceptOne = async (
 
   return await createUserWithPermissions(
     request,
+    appId,
     instanceId,
     permissions,
     "allPermsExceptOneUser"
@@ -153,6 +174,7 @@ const createUserWithAllPermissionExceptOne = async (
 
 const createUserWithPermissions = async (
   request,
+  appId,
   instanceId,
   permissions,
   username
@@ -160,12 +182,12 @@ const createUserWithPermissions = async (
   const accessRes = await request
     .post(`/api/${instanceId}/accesslevels`)
     .send({ name: "TestLevel", permissions })
-    .set(exports.defaultHeaders)
+    .set(exports.defaultHeaders(appId, instanceId))
 
   const password = `password_${username}`
   await request
     .post(`/api/${instanceId}/users`)
-    .set(exports.defaultHeaders)
+    .set(exports.defaultHeaders(appId, instanceId))
     .send({
       name: username,
       username,
@@ -173,12 +195,20 @@ const createUserWithPermissions = async (
       accessLevelId: accessRes.body._id,
     })
 
-  const db = new CouchDB(instanceId)
-  const designDoc = await db.get("_design/database")
+  //const db = new CouchDB(instanceId)
+  //const designDoc = await db.get("_design/database")
+
+  const anonUser = {
+    userId: "ANON",
+    accessLevelId: ANON_LEVEL_ID,
+    appId: appId,
+  }
+
+  const anonToken = jwt.sign(anonUser, env.JWT_SECRET)
 
   const loginResult = await request
     .post(`/api/authenticate`)
-    .set({ Cookie: `budibase:appid=${designDoc.metadata.applicationId}` })
+    .set({ Cookie: `budibase:token=${anonToken}` })
     .send({ username, password })
 
   // returning necessary request headers
@@ -193,12 +223,14 @@ exports.testPermissionsForEndpoint = async ({
   method,
   url,
   body,
+  appId,
   instanceId,
   permissionName,
   itemId,
 }) => {
   const headers = await createUserWithOnePermission(
     request,
+    appId,
     instanceId,
     permissionName,
     itemId
@@ -210,6 +242,7 @@ exports.testPermissionsForEndpoint = async ({
 
   const noPermsHeaders = await createUserWithAllPermissionExceptOne(
     request,
+    appId,
     instanceId,
     permissionName,
     itemId
@@ -225,9 +258,14 @@ exports.builderEndpointShouldBlockNormalUsers = async ({
   method,
   url,
   body,
+  appId,
   instanceId,
 }) => {
-  const headers = await createUserWithAdminPermissions(request, instanceId)
+  const headers = await createUserWithAdminPermissions(
+    request,
+    appId,
+    instanceId
+  )
 
   await createRequest(request, method, url, body)
     .set(headers)

packages/server/src/api/routes/tests/instance.spec.js

@@ -24,9 +24,9 @@ describe("/instances", () => {
 
     it("returns a success message when the instance database is successfully created", async () => {
       const res = await request
-        .post(`/api/${TEST_APP_ID}/instances`)
+        .post(`/api/instances`)
         .send({ name: "test-instance" })
-        .set(defaultHeaders)
+        .set(defaultHeaders(TEST_APP_ID))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -42,7 +42,7 @@ describe("/instances", () => {
       const instance = await createInstance(request, TEST_APP_ID);
       const res = await request
         .delete(`/api/instances/${instance._id}`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(TEST_APP_ID))
         .expect(200)
 
       expect(res.res.statusMessage).toEqual(`Instance Database ${instance._id} successfully destroyed.`);

packages/server/src/api/routes/tests/model.spec.js

@@ -41,7 +41,7 @@ describe("/models", () => {
             name: { type: "string" }
           }
         })
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
         .end(async (err, res) => {
@@ -73,13 +73,13 @@ describe("/models", () => {
 
     beforeEach(async () => {
       instance = await createInstance(request, app._id)
-      testModel = await createModel(request, instance._id, testModel)
+      testModel = await createModel(request, app._id, instance._id, testModel)
     });
 
     it("returns all the models for that instance in the response body", done => {
       request
         .get(`/api/${instance._id}/models`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
         .end(async (_, res) => {
@@ -105,7 +105,7 @@ describe("/models", () => {
 
     beforeEach(async () => {
       instance = await createInstance(request, app._id)
-      testModel = await createModel(request, instance._id, testModel)
+      testModel = await createModel(request, app._id, instance._id, testModel)
     });
 
     afterEach(() => {
@@ -115,7 +115,7 @@ describe("/models", () => {
     it("returns a success response when a model is deleted.", async done => {
       request
         .delete(`/api/${instance._id}/models/${testModel._id}/${testModel._rev}`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
         .end(async (_, res) => {
@@ -125,7 +125,7 @@ describe("/models", () => {
       })
 
     it("deletes linked references to the model after deletion", async done => {
-      const linkedModel = await createModel(request, instance._id, {
+      const linkedModel = await createModel(request, app._id, instance._id, {
         name: "LinkedModel",
         type: "model",
         key: "name",
@@ -148,7 +148,7 @@ describe("/models", () => {
 
       request
         .delete(`/api/${instance._id}/models/${testModel._id}/${testModel._rev}`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
         .end(async (_, res) => {

packages/server/src/api/routes/tests/record.spec.js

@@ -27,7 +27,7 @@ describe("/records", () => {
 
   beforeEach(async () => {
     instance = await createInstance(request, app._id)
-    model = await createModel(request, instance._id)
+    model = await createModel(request, app._id, instance._id)
     record = {
       name: "Test Contact",
       status: "new",
@@ -39,13 +39,13 @@ describe("/records", () => {
 
     const createRecord = async r => 
       await request
-        .post(`/api/${instance._id}/${model._id}/records`)
+        .post(`/api/${model._id}/records`)
         .send(r || record)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
 
-    it("returns a success message when the record is created", async () => {
+    fit("returns a success message when the record is created", async () => {
       const res = await createRecord()
       expect(res.res.statusMessage).toEqual(`${model.name} created successfully`)           
       expect(res.body.name).toEqual("Test Contact")
@@ -57,14 +57,14 @@ describe("/records", () => {
       const existing = rec.body
 
       const res = await request
-        .post(`/api/${instance._id}/${model._id}/records`)
+        .post(`/api/${model._id}/records`)
         .send({
           _id: existing._id,
           _rev: existing._rev,
           modelId: model._id,
           name: "Updated Name",
         })
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
       
@@ -77,8 +77,8 @@ describe("/records", () => {
       const existing = rec.body
 
       const res = await request
-        .get(`/api/${instance._id}/${model._id}/records/${existing._id}`)
-        .set(defaultHeaders)
+        .get(`/api/${model._id}/records/${existing._id}`)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -100,8 +100,8 @@ describe("/records", () => {
       await createRecord(newRecord)
 
       const res = await request
-        .get(`/api/${instance._id}/${model._id}/records`)
-        .set(defaultHeaders)
+        .get(`/api/${model._id}/records`)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -122,8 +122,8 @@ describe("/records", () => {
       const recordIds = [record.body._id, secondRecord.body._id]
 
       const res = await request
-        .post(`/api/${instance._id}/records/search`)
-        .set(defaultHeaders)
+        .post(`/api/records/search`)
+        .set(defaultHeaders(app._id, instance._id))
         .send({
           keys: recordIds
         })
@@ -137,8 +137,8 @@ describe("/records", () => {
     it("load should return 404 when record does not exist", async () => {
       await createRecord()
       await request
-        .get(`/api/${instance._id}/${model._id}/records/not-a-valid-id`)
-        .set(defaultHeaders)
+        .get(`/api/${model._id}/records/not-a-valid-id`)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(404)
     })
@@ -147,9 +147,9 @@ describe("/records", () => {
   describe("validate", () => {
     it("should return no errors on valid record", async () => {
       const result = await request
-        .post(`/api/${instance._id}/${model._id}/records/validate`)
+        .post(`/api/${model._id}/records/validate`)
         .send({ name: "ivan" })
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
       
@@ -159,9 +159,9 @@ describe("/records", () => {
 
     it("should errors on invalid record", async () => {
       const result = await request
-        .post(`/api/${instance._id}/${model._id}/records/validate`)
+        .post(`/api/${model._id}/records/validate`)
         .send({ name: 1 })
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
       

packages/server/src/api/routes/tests/user.spec.js

@@ -36,11 +36,11 @@ describe("/users", () => {
   describe("fetch", () => {    
 
     it("returns a list of users from an instance db", async () => {
-      await createUser(request, instance._id, "brenda", "brendas_password")
-      await createUser(request, instance._id, "pam", "pam_password")
+      await createUser(request, app._id, instance._id, "brenda", "brendas_password")
+      await createUser(request, app._id, instance._id, "pam", "pam_password")
       const res = await request
-        .get(`/api/${instance._id}/users`)
-        .set(defaultHeaders)
+        .get(`/api/users`)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
       
@@ -50,7 +50,7 @@ describe("/users", () => {
     })
 
     it("should apply authorization to endpoint", async () => {
-      await createUser(request, instance._id, "brenda", "brendas_password")
+      await createUser(request, app._id, instance._id, "brenda", "brendas_password")
       await testPermissionsForEndpoint({
         request,
         method: "GET",
@@ -67,7 +67,7 @@ describe("/users", () => {
     it("returns a success message when a user is successfully created", async () => {
       const res = await request
         .post(`/api/${instance._id}/users`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .send({ name: "Bill", username: "bill", password: "bills_password", accessLevelId: POWERUSER_LEVEL_ID })
         .expect(200)
         .expect('Content-Type', /json/)

packages/server/src/api/routes/tests/view.spec.js

@@ -40,7 +40,7 @@ describe("/views", () => {
       }`,
       reduce: `function(keys, values) { }`
     })
-    .set(defaultHeaders)
+    .set(defaultHeaders(app._id, instance._id))
     .expect('Content-Type', /json/)
     .expect(200)
 
@@ -56,14 +56,14 @@ describe("/views", () => {
   describe("fetch", () => {
 
     beforeEach(async () => {
-      model = await createModel(request, instance._id);
+      model = await createModel(request, app._id, instance._id);
     });
 
     it("should only return custom views", async () => {
       const view = await createView()
       const res = await request
         .get(`/api/${instance._id}/views`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
       expect(res.body.length).toBe(1)

packages/server/src/api/routes/tests/workflow.spec.js

@@ -64,7 +64,7 @@ describe("/workflows", () => {
     it("returns a success message when the workflow is successfully created", async () => {
       const res = await request
         .post(`/api/${instance._id}/workflows`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .send(TEST_WORKFLOW)
         .expect('Content-Type', /json/)
         .expect(200)
@@ -93,7 +93,7 @@ describe("/workflows", () => {
 
       const res = await request
         .put(`/api/${instance._id}/workflows`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .send(workflow)
         .expect('Content-Type', /json/)
         .expect(200)
@@ -108,7 +108,7 @@ describe("/workflows", () => {
       await createWorkflow();
       const res = await request
         .get(`/api/${instance._id}/workflows`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
 
@@ -130,7 +130,7 @@ describe("/workflows", () => {
       await createWorkflow();
       const res = await request
         .delete(`/api/${instance._id}/workflows/${workflow.id}/${workflow.rev}`)
-        .set(defaultHeaders)
+        .set(defaultHeaders(app._id, instance._id))
         .expect('Content-Type', /json/)
         .expect(200)
 

packages/server/src/api/routes/user.js

@@ -6,19 +6,11 @@ const { USER_MANAGEMENT, LIST_USERS } = require("../../utilities/accessLevels")
 const router = Router()
 
 router
-  .get("/api/:instanceId/users", authorized(LIST_USERS), controller.fetch)
-  .get(
-    "/api/:instanceId/users/:username",
-    authorized(USER_MANAGEMENT),
-    controller.find
-  )
-  .post(
-    "/api/:instanceId/users",
-    authorized(USER_MANAGEMENT),
-    controller.create
-  )
+  .get("/api/users", authorized(LIST_USERS), controller.fetch)
+  .get("/api/users/:username", authorized(USER_MANAGEMENT), controller.find)
+  .post("/api/users", authorized(USER_MANAGEMENT), controller.create)
   .delete(
-    "/api/:instanceId/users/:username",
+    "/api/users/:username",
     authorized(USER_MANAGEMENT),
     controller.destroy
   )

packages/server/src/api/routes/view.js

@@ -8,13 +8,13 @@ const router = Router()
 
 router
   .get(
-    "/api/:instanceId/views/:viewName",
+    "/api/views/:viewName",
     authorized(READ_VIEW, ctx => ctx.params.viewName),
     recordController.fetchView
   )
-  .get("/api/:instanceId/views", authorized(BUILDER), viewController.fetch)
+  .get("/api/views", authorized(BUILDER), viewController.fetch)
   // .patch("/api/:databaseId/views", controller.update);
   // .delete("/api/:instanceId/views/:viewId/:revId", controller.destroy);
-  .post("/api/:instanceId/views", authorized(BUILDER), viewController.create)
+  .post("/api/views", authorized(BUILDER), viewController.create)
 
 module.exports = router

packages/server/src/api/routes/workflow.js

@@ -6,20 +6,16 @@ const { BUILDER } = require("../../utilities/accessLevels")
 const router = Router()
 
 router
-  .get("/api/:instanceId/workflows", authorized(BUILDER), controller.fetch)
+  .get("/api/workflows", authorized(BUILDER), controller.fetch)
   .get("/api/workflows/:id", authorized(BUILDER), controller.find)
   .get(
-    "/api/:instanceId/workflows/:id/:action",
+    "/api/workflows/:id/:action",
     authorized(BUILDER),
     controller.fetchActionScript
   )
-  .put("/api/:instanceId/workflows", authorized(BUILDER), controller.update)
-  .post("/api/:instanceId/workflows", authorized(BUILDER), controller.create)
+  .put("/api/workflows", authorized(BUILDER), controller.update)
+  .post("/api/workflows", authorized(BUILDER), controller.create)
   .post("/api/workflows/action", controller.executeAction)
-  .delete(
-    "/api/:instanceId/workflows/:id/:rev",
-    authorized(BUILDER),
-    controller.destroy
-  )
+  .delete("/api/workflows/:id/:rev", authorized(BUILDER), controller.destroy)
 
 module.exports = router

packages/server/src/middleware/authenticated.js

@@ -1,10 +1,11 @@
 const jwt = require("jsonwebtoken")
 const STATUS_CODES = require("../utilities/statusCodes")
-const env = require("../environment")
 const accessLevelController = require("../api/controllers/accesslevel")
 const {
   ADMIN_LEVEL_ID,
   POWERUSER_LEVEL_ID,
+  BUILDER_LEVEL_ID,
+  ANON_LEVEL_ID,
 } = require("../utilities/accessLevels")
 
 module.exports = async (ctx, next) => {
@@ -21,10 +22,19 @@ module.exports = async (ctx, next) => {
   const shouldAuthAsBuilder = isBuilderAgent && builderToken
 
   if (shouldAuthAsBuilder) {
-    const builderTokenValid = builderToken === env.ADMIN_SECRET
-
-    ctx.isAuthenticated = builderTokenValid
-    ctx.isBuilder = builderTokenValid
+    try {
+      const jwtPayload = jwt.verify(builderToken, ctx.config.jwtSecret)
+      ctx.isAuthenticated = jwtPayload.accessLevelId === BUILDER_LEVEL_ID
+      ctx.user = {
+        ...jwtPayload,
+        accessLevel: await getAccessLevel(
+          jwtPayload.instanceId,
+          jwtPayload.accessLevelId
+        ),
+      }
+    } catch (_) {
+      // empty: do nothing
+    }
 
     await next()
     return
@@ -46,7 +56,7 @@ module.exports = async (ctx, next) => {
         jwtPayload.accessLevelId
       ),
     }
-    ctx.isAuthenticated = true
+    ctx.isAuthenticated = ctx.user.accessLevelId !== ANON_LEVEL_ID
   } catch (err) {
     ctx.throw(err.status || STATUS_CODES.FORBIDDEN, err.text)
   }
@@ -57,7 +67,9 @@ module.exports = async (ctx, next) => {
 const getAccessLevel = async (instanceId, accessLevelId) => {
   if (
     accessLevelId === POWERUSER_LEVEL_ID ||
-    accessLevelId === ADMIN_LEVEL_ID
+    accessLevelId === ADMIN_LEVEL_ID ||
+    accessLevelId === BUILDER_LEVEL_ID ||
+    accessLevelId === ANON_LEVEL_ID
   ) {
     return {
       _id: accessLevelId,

packages/server/src/middleware/authorized.js

@@ -2,6 +2,7 @@ const {
   adminPermissions,
   ADMIN_LEVEL_ID,
   POWERUSER_LEVEL_ID,
+  BUILDER_LEVEL_ID,
   BUILDER,
 } = require("../utilities/accessLevels")
 
@@ -10,7 +11,11 @@ module.exports = (permName, getItemId) => async (ctx, next) => {
     ctx.throw(403, "Session not authenticated")
   }
 
-  if (ctx.isBuilder) {
+  if (!ctx.user) {
+    ctx.throw(403, "User not found")
+  }
+
+  if (ctx.user.accessLevel._id === BUILDER_LEVEL_ID) {
     await next()
     return
   }
@@ -20,10 +25,6 @@ module.exports = (permName, getItemId) => async (ctx, next) => {
     return
   }
 
-  if (!ctx.user) {
-    ctx.throw(403, "User not found")
-  }
-
   const permissionId = ({ name, itemId }) => name + (itemId ? `-${itemId}` : "")
 
   if (ctx.user.accessLevel._id === ADMIN_LEVEL_ID) {

packages/server/src/utilities/accessLevels.js

@@ -5,6 +5,8 @@ const workflowController = require("../api/controllers/workflow")
 // Access Level IDs
 const ADMIN_LEVEL_ID = "ADMIN"
 const POWERUSER_LEVEL_ID = "POWER_USER"
+const BUILDER_LEVEL_ID = "BUILDER"
+const ANON_LEVEL_ID = "ANON"
 
 // Permissions
 const READ_MODEL = "read-model"
@@ -28,7 +30,7 @@ const generateAdminPermissions = async instanceId => [
 
 const generatePowerUserPermissions = async instanceId => {
   const fetchModelsCtx = {
-    params: {
+    user: {
       instanceId,
     },
   }
@@ -36,7 +38,7 @@ const generatePowerUserPermissions = async instanceId => {
   const models = fetchModelsCtx.body
 
   const fetchViewsCtx = {
-    params: {
+    user: {
       instanceId,
     },
   }
@@ -44,7 +46,7 @@ const generatePowerUserPermissions = async instanceId => {
   const views = fetchViewsCtx.body
 
   const fetchWorkflowsCtx = {
-    params: {
+    user: {
       instanceId,
     },
   }
@@ -83,6 +85,8 @@ const generatePowerUserPermissions = async instanceId => {
 module.exports = {
   ADMIN_LEVEL_ID,
   POWERUSER_LEVEL_ID,
+  BUILDER_LEVEL_ID,
+  ANON_LEVEL_ID,
   READ_MODEL,
   WRITE_MODEL,
   READ_VIEW,

packages/server/src/utilities/builder/setBuilderToken.js

@@ -0,0 +1,19 @@
+const { BUILDER_LEVEL_ID } = require("../accessLevels")
+const jwt = require("jsonwebtoken")
+
+module.exports = (ctx, appId, instanceId) => {
+  const builderUser = {
+    userId: "BUILDER",
+    accessLevelId: BUILDER_LEVEL_ID,
+    instanceId,
+    appId,
+  }
+
+  const token = jwt.sign(builderUser, ctx.config.jwtSecret, {
+    expiresIn: "30 days",
+  })
+
+  var expiry = new Date()
+  expiry.setDate(expiry.getDate() + 30)
+  ctx.cookies.set("builder:token", token, { expires: expiry, httpOnly: false })
+}

packages/standard-components/src/DataChart.svelte

@@ -8,7 +8,6 @@
   fcRoot(FusionCharts, Charts, FusionTheme)
 
   export let _bb
-  export let _instanceId
   export let model
   export let type = "column2d"
 
@@ -25,7 +24,7 @@
   }
 
   async function fetchData() {
-    const FETCH_RECORDS_URL = `/api/${_instanceId}/views/all_${model}`
+    const FETCH_RECORDS_URL = `/api/views/all_${model}`
     const response = await _bb.api.get(FETCH_RECORDS_URL)
     if (response.status === 200) {
       const json = await response.json()

packages/standard-components/src/DataForm.svelte

@@ -2,7 +2,6 @@
   import { onMount } from "svelte"
 
   export let _bb
-  export let _instanceId
   export let model
 
   let username
@@ -21,14 +20,14 @@
   $: fields = Object.keys(schema)
 
   async function fetchModel() {
-    const FETCH_MODEL_URL = `/api/${_instanceId}/models/${model}`
+    const FETCH_MODEL_URL = `/api/models/${model}`
     const response = await _bb.api.get(FETCH_MODEL_URL)
     modelDef = await response.json()
     schema = modelDef.schema
   }
 
   async function save() {
-    const SAVE_RECORD_URL = `/api/${_instanceId}/${model}/records`
+    const SAVE_RECORD_URL = `/api/${model}/records`
     const response = await _bb.api.post(SAVE_RECORD_URL, newModel)
     const json = await response.json()
 

packages/standard-components/src/DataList.svelte

@@ -2,7 +2,6 @@
   import { onMount } from "svelte"
 
   export let _bb
-  export let _instanceId
   export let model
   export let layout = "list"
 
@@ -12,7 +11,7 @@
   async function fetchData() {
     if (!model || !model.length) return
 
-    const FETCH_RECORDS_URL = `/api/${_instanceId}/views/all_${model}`
+    const FETCH_RECORDS_URL = `/api/views/all_${model}`
     const response = await _bb.api.get(FETCH_RECORDS_URL)
     if (response.status === 200) {
       const json = await response.json()

packages/standard-components/src/DataTable.svelte

@@ -3,14 +3,13 @@
 
   export let _bb
   export let onLoad
-  export let _instanceId
   export let model
 
   let headers = []
   let store = _bb.store
 
   async function fetchData() {
-    const FETCH_RECORDS_URL = `/api/${_instanceId}/views/all_${model}`
+    const FETCH_RECORDS_URL = `/api/views/all_${model}`
 
     const response = await _bb.api.get(FETCH_RECORDS_URL)
     if (response.status === 200) {

packages/standard-components/src/List.svelte

@@ -2,7 +2,6 @@
   import { onMount } from "svelte"
 
   export let _bb
-  export let _instanceId
   export let model
   export let layout = "list"
 
@@ -13,7 +12,7 @@
   async function fetchData() {
     if (!model || !model.length) return
 
-    const FETCH_RECORDS_URL = `/api/${_instanceId}/views/all_${model}`
+    const FETCH_RECORDS_URL = `/api/views/all_${model}`
     const response = await _bb.api.get(FETCH_RECORDS_URL)
     if (response.status === 200) {
       const json = await response.json()