Adding some controls around cookies, expiring them when a 403 is hit.

packages/builder/cypress/support/cookies.js

@@ -1,3 +1,3 @@
 Cypress.Cookies.defaults({
-  preserve: "budibase:builder:local",
+  preserve: "budibase:auth",
 })

packages/builder/src/builderStore/api.js

@@ -1,5 +1,6 @@
 import { store } from "./index"
 import { get as svelteGet } from "svelte/store"
+import { removeCookie, Cookies } from "./cookies"
 
 const apiCall = method => async (
   url,
@@ -8,11 +9,15 @@ const apiCall = method => async (
 ) => {
   headers["x-budibase-app-id"] = svelteGet(store).appId
   const json = headers["Content-Type"] === "application/json"
-  return await fetch(url, {
+  const resp = await fetch(url, {
     method: method,
     body: json ? JSON.stringify(body) : body,
     headers,
   })
+  if (resp.status === 403) {
+    removeCookie(Cookies.Auth)
+  }
+  return resp
 }
 
 export const post = apiCall("POST")

packages/builder/src/builderStore/cookies.js

@@ -0,0 +1,16 @@
+export const Cookies = {
+  Auth: "budibase:auth",
+  CurrentApp: "budibase:currentapp",
+}
+
+export function getCookie(cookieName) {
+  return document.cookie.split(";").some(cookie => {
+    return cookie.trim().startsWith(`${cookieName}=`)
+  })
+}
+
+export function removeCookie(cookieName) {
+  if (getCookie(cookieName)) {
+    document.cookie = `${cookieName}=; Max-Age=-99999999;`
+  }
+}

packages/builder/src/stores/backend/auth.js

@@ -1,4 +1,4 @@
-import { writable, get } from "svelte/store"
+import { writable } from "svelte/store"
 import api from "../../builderStore/api"
 
 async function checkAuth() {
@@ -14,7 +14,7 @@ export function createAuthStore() {
 
   checkAuth()
     .then(user => set({ user }))
-    .catch(err => set({ user: null }))
+    .catch(() => set({ user: null }))
 
   return {
     subscribe,
@@ -26,12 +26,12 @@ export function createAuthStore() {
     },
     logout: async () => {
       const response = await api.post(`/api/admin/auth/logout`)
-      const json = await response.json()
+      await response.json()
       set({ user: null })
     },
     createUser: async user => {
       const response = await api.post(`/api/admin/users`, user)
-      const json = await response.json()
+      await response.json()
     },
   }
 }

packages/server/src/api/controllers/auth.js

@@ -71,6 +71,7 @@ exports.authenticate = async ctx => {
 }
 
 exports.fetchSelf = async ctx => {
+  ctx.throw(403, "derp")
   const appId = ctx.appId
   const { userId } = ctx.user
   /* istanbul ignore next */

packages/server/src/api/routes/auth.js

@@ -3,7 +3,6 @@ const controller = require("../controllers/auth")
 
 const router = Router()
 
-// TODO: needs removed
 router.get("/api/self", controller.fetchSelf)
 
 module.exports = router