From d7b09f5b65d89680a98f0d710c6a289b63b58d7b Mon Sep 17 00:00:00 2001 From: Michael Shanks Date: Fri, 19 Jun 2020 16:59:46 +0100 Subject: [PATCH] removed x-user-agent --- packages/client/src/render/getAppId.js | 11 ++++++----- packages/client/src/render/screenRouter.js | 2 +- packages/client/src/state/bbComponentApi.js | 6 +++--- packages/server/src/api/controllers/auth.js | 9 +++++++-- packages/server/src/api/controllers/static.js | 8 ++++++-- packages/server/src/middleware/authenticated.js | 6 +----- packages/server/src/utilities/accessLevels.js | 1 + 7 files changed, 25 insertions(+), 18 deletions(-) diff --git a/packages/client/src/render/getAppId.js b/packages/client/src/render/getAppId.js index 8ac2dbc79b..6d3df8eac2 100644 --- a/packages/client/src/render/getAppId.js +++ b/packages/client/src/render/getAppId.js @@ -1,8 +1,9 @@ -export const getAppId = cookie => { - const base64Token = cookie - .split(";") - .find(c => c.trim().startsWith("budibase:token")) - .substring(lengthOfKey) +export const getAppId = docCookie => { + const cookie = + docCookie.split(";").find(c => c.trim().startsWith("budibase:token")) || + docCookie.split(";").find(c => c.trim().startsWith("builder:token")) + + const base64Token = cookie.substring(lengthOfKey) const user = JSON.parse(atob(base64Token.split(".")[1])) return user.appId diff --git a/packages/client/src/render/screenRouter.js b/packages/client/src/render/screenRouter.js index ae11c10949..fb0b005096 100644 --- a/packages/client/src/render/screenRouter.js +++ b/packages/client/src/render/screenRouter.js @@ -79,7 +79,7 @@ export const screenRouter = ({ screens, onScreenSelected, window }) => { ) return - const target = x.target || "_self" + const target = (x && x.target) || "_self" if (!y || target !== "_self" || x.host !== location.host) return e.preventDefault() diff --git a/packages/client/src/state/bbComponentApi.js b/packages/client/src/state/bbComponentApi.js index b022ddca27..112e3e8534 100644 
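Review bot: `cookie` is `undefined` when neither `budibase:token` nor `builder:token` is present, so the new `cookie.substring(lengthOfKey)` throws a TypeError instead of yielding no app id; the `builder:token` fallback also reuses `lengthOfKey`, which is defined outside the hunk and presumably sized for `budibase:token=` (one character longer) and is applied to the untrimmed entry, so the slice start is off by one or two characters — harmless only because the payload segment is taken after `split(".")`. Slicing from the `=` removes the dependence on the key length entirely. Separately, JWT segments are base64url, so `atob` throws on any payload containing `-` or `_`; mapping those to `+`/`/` first avoids a spurious failure. This is client-side parsing, not verification, so the `appId` read here is a hint the server must still validate. The function's closing brace is outside the hunk.
```javascript
export const getAppId = docCookie => {
  const cookie = docCookie
    .split(";")
    .map(c => c.trim())
    .find(c => c.startsWith("budibase:token=") || c.startsWith("builder:token="))
  if (!cookie) return undefined
  const base64Token = cookie.slice(cookie.indexOf("=") + 1)
  // JWT segments are base64url; atob only accepts standard base64
  const payload = base64Token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/")
  const user = JSON.parse(atob(payload))
  // … unchanged: return user.appId …
```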
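Review bot: The new `(x && x.target)` guard only protects the `target` read; the next line still dereferences `x.host` whenever `x` is falsy, `y` is truthy and `target` defaulted to `"_self"`, so the TypeError is moved one line rather than removed. Guarding once up front keeps the same-origin check intact: `if (!x || !y || target !== "_self" || x.host !== location.host) return`. The enclosing click handler starts and ends outside the hunk, so how `x` and `y` are derived is not visible here.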
--- a/packages/client/src/state/bbComponentApi.js +++ b/packages/client/src/state/bbComponentApi.js @@ -9,16 +9,16 @@ export const bbFactory = ({ componentLibraries, onScreenSlotRendered, }) => { - const apiCall = method => (url, body) => - fetch(url, { + const apiCall = method => (url, body) => { + return fetch(url, { method: method, headers: { "Content-Type": "application/json", - "x-user-agent": "Budibase Builder", }, body: body && JSON.stringify(body), credentials: "same-origin", }) + } const api = { post: apiCall("POST"), diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js index 88eb86c472..e9570e270f 100644 --- a/packages/server/src/api/controllers/auth.js +++ b/packages/server/src/api/controllers/auth.js @@ -55,9 +55,14 @@ exports.authenticate = async ctx => { expiresIn: "1 day", }) - const ONE_DAY_FROM_NOW = new Date(Date.now() + 24 * 3600) + const expires = new Date() + expires.setDate(expires.getDate() + 1) - ctx.cookies.set("budibase:token", token, { expires: ONE_DAY_FROM_NOW }) + ctx.cookies.set("budibase:token", token, { + expires, + path: "/", + httpOnly: false, + }) ctx.body = { token, diff --git a/packages/server/src/api/controllers/static.js b/packages/server/src/api/controllers/static.js index 181af162c5..2f0ea8f4b0 100644 --- a/packages/server/src/api/controllers/static.js +++ b/packages/server/src/api/controllers/static.js @@ -6,10 +6,13 @@ const { } = require("../../utilities/budibaseDir") const setBuilderToken = require("../../utilities/builder/setBuilderToken") const { ANON_LEVEL_ID } = require("../../utilities/accessLevels") +const jwt = require("jsonwebtoken") exports.serveBuilder = async function(ctx) { let builderPath = resolve(__dirname, "../../../builder") - setBuilderToken(ctx) + if (ctx.file === "index.html") { + setBuilderToken(ctx) + } await send(ctx, ctx.file, { root: ctx.devPath || builderPath }) } 
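Review bot: Removing `x-user-agent` leaves `Content-Type: application/json` as the only non-simple header on these requests, so cross-site forgery of builder API calls is now blocked solely by the browser refusing to send a JSON content type from a form; the server side of this patch (authenticated.js) no longer checks any header, so that one property is the whole CSRF story. Keeping a cheap custom header such as `"X-Requested-With": "XMLHttpRequest"` in the `fetch` options costs nothing client-side and gives the middleware something it can pin on. As a style point, wrapping the arrow in a block only to `return fetch(...)` is a needless change from the original expression body.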
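Review bot: The cookie is now explicitly `httpOnly: false` (koa's default is true) with no `sameSite` or `secure` attribute, so the login JWT is readable by any script running on the page and is attached to cross-site requests. The `httpOnly: false` looks intentional because the client reads `budibase:token` from `document.cookie` in getAppId.js in this same patch, but since the token is also returned in `ctx.body`, a follow-up could keep the cookie httpOnly and let the client take `appId` from the response instead. At minimum add `sameSite: "lax", secure: ctx.secure,` to the options (set `app.proxy = true` behind a TLS-terminating proxy so `ctx.secure` is accurate). The 24-seconds-instead-of-24-hours expiry in the removed line is fixed correctly by `setDate`.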
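Review bot: Issuing the builder credential as a side effect of an unauthenticated static GET means anyone who can reach this route obtains whatever `setBuilderToken` signs; its body is outside this patch, but if it mints a `BUILDER_LEVEL_ID` token unconditionally the route must stay local-only, and that assumption deserves a comment above the `if`, e.g. `// builder:token is minted for whoever loads the builder shell — this route must only be reachable from a trusted (local) network`. The `ctx.file === "index.html"` check also depends on the router always populating `ctx.file` with the bare filename; a request for the directory itself, if `send` falls back to an index, would skip the token — worth confirming against the route definition. The `jwt` require added here is only used by `serveApp` in the next hunk.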
@@ -24,11 +27,12 @@ exports.serveApp = async function(ctx) { // only set the appId cookie for /appId .. we COULD check for valid appIds // but would like to avoid that DB hit if (looksLikeAppId(ctx.params.appId) && !ctx.isAuthenticated) { - const anonToken = { + const anonUser = { userId: "ANON", accessLevelId: ANON_LEVEL_ID, appId: ctx.params.appId, } + const anonToken = jwt.sign(anonUser, ctx.config.jwtSecret) ctx.cookies.set("budibase:token", anonToken, { path: "/", httpOnly: false, diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js index 2318512eea..36e2776abe 100644 --- a/packages/server/src/middleware/authenticated.js +++ b/packages/server/src/middleware/authenticated.js @@ -16,12 +16,8 @@ module.exports = async (ctx, next) => { const appToken = ctx.cookies.get("budibase:token") const builderToken = ctx.cookies.get("builder:token") - const isBuilderAgent = ctx.headers["x-user-agent"] === "Budibase Builder" - // all admin api access should auth with buildertoken and 'Budibase Builder user agent - const shouldAuthAsBuilder = isBuilderAgent && builderToken - - if (shouldAuthAsBuilder) { + if (builderToken) { try { const jwtPayload = jwt.verify(builderToken, ctx.config.jwtSecret) ctx.isAuthenticated = jwtPayload.accessLevelId === BUILDER_LEVEL_ID diff --git a/packages/server/src/utilities/accessLevels.js b/packages/server/src/utilities/accessLevels.js index d609d6fa2c..50ae559d07 100644 --- a/packages/server/src/utilities/accessLevels.js +++ b/packages/server/src/utilities/accessLevels.js @@ -94,6 +94,7 @@ module.exports = { USER_MANAGEMENT, BUILDER, LIST_USERS, + adminPermissions, generateAdminPermissions, generatePowerUserPermissions, }
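Review bot: `jwt.sign(anonUser, ctx.config.jwtSecret)` has no `expiresIn`, so the anonymous token never expires and, being signed with the same secret as real sessions, stays verifiable indefinitely; pass an expiry matching the authenticated token, `jwt.sign(anonUser, ctx.config.jwtSecret, { expiresIn: "1 day" })`. The `appId` baked into the signed token comes from the URL with only the `looksLikeAppId` format check (as the comment above admits), so downstream code must treat `appId` from a verified token as untrusted input and fail closed on unknown apps. The `ctx.cookies.set` call continues outside the hunk, so whether `sameSite` or `expires` are set on this cookie is not visible here.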
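Review bot: With `isBuilderAgent` gone, possession of the `builder:token` cookie is the sole credential for builder-level access, and cookies are sent automatically on cross-site requests; unless `builder:token` is set with `sameSite` (setBuilderToken is outside this patch), any page can forge state-changing builder API calls against a logged-in builder user. The removed header was acting as a cheap CSRF guard because a cross-origin form cannot set it. A replacement that needs no client change, since the client's `apiCall` already sends `Content-Type: application/json`, is to require a JSON body on non-safe methods: `const stateChanging = !["GET", "HEAD", "OPTIONS"].includes(ctx.method)` followed by `if (builderToken && (!stateChanging || ctx.is("json"))) {` — multipart upload endpoints, if any, would need an explicit allow-list. The rest of the middleware, including the catch for a failed verify, is outside the hunk.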