Adding some controls around cookies, expiring them when a 403 is hit.

2021-04-14 15:43:34 +01:00 · 2021-04-14 15:43:34 +01:00 · e9767eabc5
parent e580628b9c
commit e9767eabc5
6 changed files with 28 additions and 7 deletions
--- a/packages/builder/cypress/support/cookies.js
+++ b/packages/builder/cypress/support/cookies.js
@ -1,3 +1,3 @@
 Cypress.Cookies.defaults({
-  preserve: "budibase:builder:local",
+  preserve: "budibase:auth",
 })
--- a/packages/builder/src/builderStore/api.js
+++ b/packages/builder/src/builderStore/api.js
@ -1,5 +1,6 @@
 import { store } from "./index"
 import { get as svelteGet } from "svelte/store"
+import { removeCookie, Cookies } from "./cookies"

 const apiCall = method => async (
  url,
@ -8,11 +9,15 @@ const apiCall = method => async (
 ) => {
  headers["x-budibase-app-id"] = svelteGet(store).appId
  const json = headers["Content-Type"] === "application/json"
-  return await fetch(url, {
+  const resp = await fetch(url, {
    method: method,
    body: json ? JSON.stringify(body) : body,
    headers,
  })
+  if (resp.status === 403) {
+    removeCookie(Cookies.Auth)
+  }
+  return resp
 }

 export const post = apiCall("POST")
--- a/packages/builder/src/builderStore/cookies.js
+++ b/packages/builder/src/builderStore/cookies.js
@ -0,0 +1,16 @@
+export const Cookies = {
+  Auth: "budibase:auth",
+  CurrentApp: "budibase:currentapp",
+}
+
+export function getCookie(cookieName) {
+  return document.cookie.split(";").some(cookie => {
+    return cookie.trim().startsWith(`${cookieName}=`)
+  })
+}
+
+export function removeCookie(cookieName) {
+  if (getCookie(cookieName)) {
+    document.cookie = `${cookieName}=; Max-Age=-99999999;`
+  }
+}
--- a/packages/builder/src/stores/backend/auth.js
+++ b/packages/builder/src/stores/backend/auth.js
@ -1,4 +1,4 @@
-import { writable, get } from "svelte/store"
+import { writable } from "svelte/store"
 import api from "../../builderStore/api"

 async function checkAuth() {
@ -14,7 +14,7 @@ export function createAuthStore() {

  checkAuth()
    .then(user => set({ user }))
-    .catch(err => set({ user: null }))
+    .catch(() => set({ user: null }))

  return {
    subscribe,
@ -26,12 +26,12 @@ export function createAuthStore() {
    },
    logout: async () => {
      const response = await api.post(`/api/admin/auth/logout`)
-      const json = await response.json()
+      await response.json()
      set({ user: null })
    },
    createUser: async user => {
      const response = await api.post(`/api/admin/users`, user)
-      const json = await response.json()
+      await response.json()
    },
  }
 }
--- a/packages/server/src/api/controllers/auth.js
+++ b/packages/server/src/api/controllers/auth.js
@ -71,6 +71,7 @@ exports.authenticate = async ctx => {
 }

 exports.fetchSelf = async ctx => {
+  ctx.throw(403, "derp")
  const appId = ctx.appId
  const { userId } = ctx.user
  /* istanbul ignore next */
--- a/packages/server/src/api/routes/auth.js
+++ b/packages/server/src/api/routes/auth.js
@ -3,7 +3,6 @@ const controller = require("../controllers/auth")

 const router = Router()

-// TODO: needs removed
 router.get("/api/self", controller.fetchSelf)

 module.exports = router