self endpoint, simple auth

packages/builder/src/pages/builder/_layout.svelte

@@ -13,6 +13,8 @@
   import { auth } from "stores/backend"
 
   let modal
+
+  console.log($auth.user)
 </script>
 
 {#if $auth.user}

packages/builder/src/stores/backend/auth.js

@@ -1,11 +1,16 @@
 import { writable, get } from "svelte/store"
 import api from "../../builderStore/api"
 
+async function checkAuth() {
+  const response = await api.get("/api/self")
+  const user = await response.json()
+  if (json) return json
+}
+
 export function createAuthStore() {
   const { subscribe, set } = writable({})
 
-  const user = localStorage.getItem("auth:user")
-  if (user) set({ user: JSON.parse(user) })
+  checkAuth().then(user => set({ user }))
 
   return {
     subscribe,

packages/server/src/middleware/authorized.js

@@ -51,11 +51,11 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
   // this may need to change in the future, right now only admins
   // can have access to builder features, this is hard coded into
   // our rules
-  // if (isAdmin && isAuthed) {
-  //   return next()
-  // } else if (permType === PermissionTypes.BUILDER) {
-  //   return ctx.throw(403, "Not Authorized")
-  // }
+  if (isAuthed) {
+    return next()
+  } else if (permType === PermissionTypes.BUILDER) {
+    return ctx.throw(403, "Not Authorized")
+  }
 
   if (
     hasResource(ctx) &&

packages/worker/src/api/controllers/auth.js

@@ -10,8 +10,8 @@ exports.authenticate = async (ctx, next) => {
     expires.setDate(expires.getDate() + 1)
 
     if (!user) {
-      ctx.body = { success: false, user }
-      return
+      ctx.body = { success: false }
+      return next()
     }
 
     ctx.cookies.set(Cookies.Auth, user.token, {

packages/worker/src/api/routes/app.js

@@ -1,6 +1,6 @@
 const Router = require("@koa/router")
 const controller = require("../controllers/app")
-const authenticated = require("../../middleware/authenticated")
+const { authenticated } = require("@budibase/auth")
 
 const router = Router()