From e9767eabc53acf1e04811539225c259ee8a9bb41 Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Wed, 14 Apr 2021 15:43:34 +0100 Subject: [PATCH] Adding some controls around cookies, expiring them when a 403 is hit. --- packages/builder/cypress/support/cookies.js | 2 +- packages/builder/src/builderStore/api.js | 7 ++++++- packages/builder/src/builderStore/cookies.js | 16 ++++++++++++++++ packages/builder/src/stores/backend/auth.js | 8 ++++---- packages/server/src/api/controllers/auth.js | 1 + packages/server/src/api/routes/auth.js | 1 - 6 files changed, 28 insertions(+), 7 deletions(-) create mode 100644 packages/builder/src/builderStore/cookies.js diff --git a/packages/builder/cypress/support/cookies.js b/packages/builder/cypress/support/cookies.js index 1245f84960..3e2fba6481 100644 --- a/packages/builder/cypress/support/cookies.js +++ b/packages/builder/cypress/support/cookies.js @@ -1,3 +1,3 @@ Cypress.Cookies.defaults({ - preserve: "budibase:builder:local", + preserve: "budibase:auth", }) diff --git a/packages/builder/src/builderStore/api.js b/packages/builder/src/builderStore/api.js index 0202c5e8ab..2e683238bc 100644 --- a/packages/builder/src/builderStore/api.js +++ b/packages/builder/src/builderStore/api.js @@ -1,5 +1,6 @@ import { store } from "./index" import { get as svelteGet } from "svelte/store" +import { removeCookie, Cookies } from "./cookies" const apiCall = method => async ( url, @@ -8,11 +9,15 @@ const apiCall = method => async ( ) => { headers["x-budibase-app-id"] = svelteGet(store).appId const json = headers["Content-Type"] === "application/json" - return await fetch(url, { + const resp = await fetch(url, { method: method, body: json ? JSON.stringify(body) : body, headers, }) + if (resp.status === 403) { + removeCookie(Cookies.Auth) + } + return resp } export const post = apiCall("POST") diff --git a/packages/builder/src/builderStore/cookies.js b/packages/builder/src/builderStore/cookies.js new file mode 100644 index 0000000000..a84f1a4f20 
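Review bot: The new `if (resp.status === 403)` branch in apiCall drops the auth cookie on every Forbidden response, so a signed-in user who merely lacks permission for one resource is logged out client-side; 401 is the status that conveys a missing or expired credential, whereas 403 is an authorization failure. Consider keying the removal on the status the server actually returns for an invalid session and recording the intent, e.g. `// session rejected by the server: drop the local auth cookie so the next load re-authenticates`. Removing the cookie here also leaves the auth store's `user` unchanged, so the UI may keep showing a logged-in state until the next checkAuth — inferred from the store hunk further down, which only sets `user` from checkAuth and logout. Note that document.cookie-based removal only works when the auth cookie is not HttpOnly; if the server sets it HttpOnly, this branch is a no-op and the server has to expire the cookie itself.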
--- /dev/null +++ b/packages/builder/src/builderStore/cookies.js @@ -0,0 +1,16 @@ +export const Cookies = { + Auth: "budibase:auth", + CurrentApp: "budibase:currentapp", +} + +export function getCookie(cookieName) { + return document.cookie.split(";").some(cookie => { + return cookie.trim().startsWith(`${cookieName}=`) + }) +} + +export function removeCookie(cookieName) { + if (getCookie(cookieName)) { + document.cookie = `${cookieName}=; Max-Age=-99999999;` + } +} diff --git a/packages/builder/src/stores/backend/auth.js b/packages/builder/src/stores/backend/auth.js index 35bc9c9bf5..a3bc20676b 100644 --- a/packages/builder/src/stores/backend/auth.js +++ b/packages/builder/src/stores/backend/auth.js @@ -1,4 +1,4 @@ -import { writable, get } from "svelte/store" +import { writable } from "svelte/store" import api from "../../builderStore/api" async function checkAuth() { @@ -14,7 +14,7 @@ export function createAuthStore() { checkAuth() .then(user => set({ user })) - .catch(err => set({ user: null })) + .catch(() => set({ user: null })) return { subscribe, @@ -26,12 +26,12 @@ export function createAuthStore() { }, logout: async () => { const response = await api.post(`/api/admin/auth/logout`) - const json = await response.json() + await response.json() set({ user: null }) }, createUser: async user => { const response = await api.post(`/api/admin/users`, user) - const json = await response.json() + await response.json() }, } } diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js index 64f4bf7bcb..5244b6e132 100644 --- a/packages/server/src/api/controllers/auth.js +++ b/packages/server/src/api/controllers/auth.js @@ -71,6 +71,7 @@ exports.authenticate = async ctx => { } exports.fetchSelf = async ctx => { + ctx.throw(403, "derp") const appId = ctx.appId const { userId } = ctx.user /* istanbul ignore next */ 
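Review bot: removeCookie writes `${cookieName}=; Max-Age=-99999999;` with no `Path` attribute, so the browser scopes the expiry to the current URL's directory and it will not match a cookie the server set with `Path=/` when the page is served under a sub-path. If the server cookie is set at the root (inferred, not visible here), the line should be `document.cookie = `${cookieName}=; Max-Age=0; Path=/`` using the same path the server used. getCookie also returns the boolean from `some`, not the value its name suggests; a name like `hasCookie` or a JSDoc line such as `/** True when a cookie named cookieName is visible to script; HttpOnly cookies never are. */` would prevent misuse. Since a session cookie is normally HttpOnly, both helpers silently see nothing in that case, which is worth a comment so callers do not treat this as the logout mechanism.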
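Review bot: `ctx.throw(403, "derp")` is the first statement of fetchSelf and runs unconditionally, so every GET /api/self now fails with 403 and the user lookup that follows is unreachable; this reads as a leftover used to exercise the new client-side 403 handling and should be deleted before merge. The routes hunk in this same commit removes the "needs removed" TODO on that route, which suggests the endpoint is meant to stay functional. fetchSelf's body continues outside the hunk.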
diff --git a/packages/server/src/api/routes/auth.js b/packages/server/src/api/routes/auth.js index b07627c29e..153c86a62d 100644 --- a/packages/server/src/api/routes/auth.js +++ b/packages/server/src/api/routes/auth.js @@ -3,7 +3,6 @@ const controller = require("../controllers/auth") const router = Router() -// TODO: needs removed router.get("/api/self", controller.fetchSelf) module.exports = router