Some work towards implementing the current app cookie, removing some old dead code and re-working some of the different middlewares involved.

2021-04-12 18:31:58 +01:00 · 2021-04-12 18:31:58 +01:00 · eaad867780
parent 0e583eb185
commit eaad867780
11 changed files with 95 additions and 136 deletions
--- a/packages/auth/src/db/utils.js
+++ b/packages/auth/src/db/utils.js
@ -22,6 +22,10 @@ exports.generateUserID = email => {
  return `${DocumentTypes.USER}${SEPARATOR}${email}`
 }
 exports.getEmailFromUserID = userId => {
  return userId.split(`${DocumentTypes.USER}${SEPARATOR}`)[1]
 }
 /**
 * Gets parameters for retrieving users, this is a utility function for the getDocParams function.
 */
--- a/packages/auth/src/index.js
+++ b/packages/auth/src/index.js
@ -7,7 +7,7 @@ const { StaticDatabases } = require("./db/utils")
 const { jwt, local, google, authenticated } = require("./middleware")
 const { Cookies, UserStatus } = require("./constants")
 const { hash, compare } = require("./hashing")
-const { getAppId, setCookie } = require("./utils")
+const { getAppId, setCookie, getCookie } = require("./utils")
 const {
  generateUserID,
  getUserParams,
@ -45,5 +45,6 @@ module.exports = {
  compare,
  getAppId,
  setCookie,
  getCookie,
  authenticated,
 }
--- a/packages/auth/src/middleware/authenticated.js
+++ b/packages/auth/src/middleware/authenticated.js
@ -1,57 +1,21 @@
 const CouchDB = require("../db")
 const { Cookies } = require("../constants")
-const { getAppId, setCookie, getCookie } = require("../utils")
+const { getCookie } = require("../utils")
-const { StaticDatabases } = require("../db/utils")
+const { getEmailFromUserID } = require("../db/utils")
 async function setCurrentAppContext(ctx) {
  let role = "PUBLIC"
  // Current app cookie
  let appId = getAppId(ctx)
  if (!appId) {
    ctx.user = {
      role,
    }
    return
  }
  console.log("THE APP ID", appId)
  const currentAppCookie = getCookie(ctx, Cookies.CurrentApp, { decrypt: true })
  const appIdChanged = appId && currentAppCookie.appId !== appId
  if (appIdChanged) {
    try {
      // get roles for user from global DB
      const db = new CouchDB(StaticDatabases.USER)
      const user = await db.get(ctx.user)
      role = user.roles[appId]
    } catch (err) {
      // no user exists
    }
  } else if (currentAppCookie.appId) {
    appId = currentAppCookie.appId
  }
  setCookie(ctx, { appId, role }, Cookies.CurrentApp, { encrypt: true })
  return appId
 }
 module.exports = async (ctx, next) => {
  try {
    // check the actual user is authenticated first
-    const authCookie = getCookie(ctx, Cookies.Auth, { decrypt: true })
+    const authCookie = getCookie(ctx, Cookies.Auth)
    if (authCookie) {
      ctx.isAuthenticated = true
-      ctx.user = authCookie._id
+      ctx.user = authCookie
      // make sure email is correct from ID
      ctx.user.email = getEmailFromUserID(authCookie._id)
    }
    ctx.appId = await setCurrentAppContext(ctx)
    console.log("CONTEXT", ctx)
    await next()
  } catch (err) {
    console.log(err)
    ctx.throw(err.status || 403, err.text)
  }
 }
--- a/packages/auth/src/middleware/passport/jwt.js
+++ b/packages/auth/src/middleware/passport/jwt.js
@ -1,9 +1,4 @@
 const { Cookies } = require("../../constants")
 exports.options = {
  jwtFromRequest: function(ctx) {
    return ctx.cookies.get(Cookies.Auth)
  },
  secretOrKey: process.env.JWT_SECRET,
 }
--- a/packages/auth/src/utils.js
+++ b/packages/auth/src/utils.js
@ -45,17 +45,15 @@ exports.getAppId = ctx => {
 * Get a cookie from context, and decrypt if necessary.
 * @param {object} ctx The request which is to be manipulated.
 * @param {string} name The name of the cookie to get.
 * @param {object} options options .
 */
-exports.getCookie = (ctx, value, options = {}) => {
+exports.getCookie = (ctx, name) => {
-  const cookie = ctx.cookies.get(value)
+  const cookie = ctx.cookies.get(name)
-  if (!cookie) return
+  if (!cookie) {
    return cookie
  }
-  if (!options.decrypt) return cookie
+  return jwt.verify(cookie, options.secretOrKey)
  const payload = jwt.verify(cookie, process.env.JWT_SECRET)
  return payload
 }
 /**
@ -71,11 +69,9 @@ exports.setCookie = (ctx, value, name = "builder") => {
  if (!value) {
    ctx.cookies.set(name)
  } else {
-    if (options.encrypt) {
+    value = jwt.sign(value, options.secretOrKey, {
-      value = jwt.sign(value, process.env.JWT_SECRET, {
+      expiresIn: "1 day",
-        expiresIn: "1 day",
+    })
      })
    }
    ctx.cookies.set(name, value, {
      expires,
      path: "/",
--- a/packages/server/src/api/index.js
+++ b/packages/server/src/api/index.js
@ -1,5 +1,6 @@
 const Router = require("@koa/router")
 const { authenticated } = require("@budibase/auth")
 const currentApp = require("../middleware/currentapp")
 const compress = require("koa-compress")
 const zlib = require("zlib")
 const { mainRoutes, authRoutes, staticRoutes } = require("./routes")
@ -31,6 +32,7 @@ router
  .use("/health", ctx => (ctx.status = 200))
  .use("/version", ctx => (ctx.body = pkg.version))
  .use(authenticated)
  .use(currentApp)
 // error handling middleware
 router.use(async (ctx, next) => {
--- a/packages/server/src/middleware/authorized.js
+++ b/packages/server/src/middleware/authorized.js
@ -1,52 +1,37 @@
-const {
+const { getUserPermissions } = require("../utilities/security/roles")
  BUILTIN_ROLE_IDS,
  getUserPermissions,
 } = require("../utilities/security/roles")
 const {
  PermissionTypes,
  doesHaveResourcePermission,
  doesHaveBasePermission,
 } = require("../utilities/security/permissions")
 const env = require("../environment")
 const { isAPIKeyValid } = require("../utilities/security/apikey")
 const { AuthTypes } = require("../constants")
 const ADMIN_ROLES = [BUILTIN_ROLE_IDS.ADMIN, BUILTIN_ROLE_IDS.BUILDER]
 function hasResource(ctx) {
  return ctx.resourceId != null
 }
-module.exports = (permType, permLevel = null) => async (ctx, next) => {
+const WEBHOOK_ENDPOINTS = new RegExp(
-  if (env.isProd() && ctx.headers["x-api-key"] && ctx.headers["x-instanceid"]) {
+  ["webhooks/trigger", "webhooks/schema"].join("|")
-    // api key header passed by external webhook
+)
    if (await isAPIKeyValid(ctx.headers["x-api-key"])) {
      ctx.auth = {
        authenticated: AuthTypes.EXTERNAL,
        apiKey: ctx.headers["x-api-key"],
      }
      ctx.user = {
        appId: ctx.headers["x-instanceid"],
      }
      return next()
    }
-    return ctx.throw(403, "API key invalid")
+module.exports = (permType, permLevel = null) => async (ctx, next) => {
  // webhooks don't need authentication, each webhook unique
  if (WEBHOOK_ENDPOINTS.test(ctx.request.url)) {
    return next()
  }
  if (!ctx.user) {
    return ctx.throw(403, "No user info found")
  }
  const role = ctx.user.role
  const isAdmin = ADMIN_ROLES.includes(role._id)
  const isAuthed = ctx.isAuthenticated
  const { basePermissions, permissions } = await getUserPermissions(
    ctx.appId,
-    role._id
+    ctx.roleId
  )
  // TODO: need to determine if the user has permission to build here, global cookie
  // this may need to change in the future, right now only admins
  // can have access to builder features, this is hard coded into
  // our rules
--- a/packages/server/src/middleware/currentapp.js
+++ b/packages/server/src/middleware/currentapp.js
@ -0,0 +1,57 @@
 const { getAppId, setCookie, getCookie, Cookies } = require("@budibase/auth")
 const { getGlobalUsers } = require("../utilities/workerRequests")
 const { BUILTIN_ROLE_IDS } = require("../utilities/security/roles")
 function CurrentAppCookie(appId, roleId) {
  this.appId = appId
  this.roleId = roleId
 }
 function finish(ctx, next, { appId, roleId, cookie = false }) {
  if (appId) {
    ctx.appId = appId
  }
  if (roleId) {
    ctx.roleId = roleId
  }
  if (cookie && appId) {
    setCookie(ctx, new CurrentAppCookie(appId, roleId))
  }
  return next()
 }
 module.exports = async (ctx, next) => {
  // try to get the appID from the request
  const requestAppId = getAppId(ctx)
  // get app cookie if it exists
  const appCookie = getCookie(ctx, Cookies.CurrentApp)
  if (!appCookie && !requestAppId) {
    return next()
  }
  let updateCookie = false,
    appId,
    roleId
  if (!ctx.user) {
    // not logged in, try to set a cookie for public apps
    updateCookie = true
    appId = requestAppId
    roleId = BUILTIN_ROLE_IDS.PUBLIC
  } else if (
    requestAppId != null &&
    (appCookie == null || requestAppId === appCookie.appId)
  ) {
    const globalUser = await getGlobalUsers(ctx, requestAppId, ctx.user.email)
    updateCookie = true
    appId = requestAppId
    roleId = globalUser.roles[requestAppId] || BUILTIN_ROLE_IDS.PUBLIC
  } else if (requestAppId == null && appCookie != null) {
    appId = appCookie.appId
    roleId = appCookie.roleId || BUILTIN_ROLE_IDS.PUBLIC
  }
  return finish(ctx, next, {
    appId: appId,
    roleId: roleId,
    cookie: updateCookie,
  })
 }
--- a/packages/server/src/middleware/tests/authorized.spec.js
+++ b/packages/server/src/middleware/tests/authorized.spec.js
@ -1,6 +1,5 @@
 const authorizedMiddleware = require("../authorized")
 const env = require("../../environment")
 const apiKey = require("../../utilities/security/apikey")
 const { AuthTypes } = require("../../constants")
 const { PermissionTypes, PermissionLevels } = require("../../utilities/security/permissions")
 jest.mock("../../environment", () => ({
@ -12,7 +11,6 @@ jest.mock("../../environment", () => ({
    }
  })
 )
 jest.mock("../../utilities/security/apikey")
 class TestConfiguration {
  constructor(role) {
@ -92,29 +90,6 @@ describe("Authorization middleware", () => {
        "x-instanceid": "instance123",
      })
    })
    it("passes to next() if api key is valid", async () => {
      apiKey.isAPIKeyValid.mockResolvedValueOnce(true)
      await config.executeMiddleware()
      expect(config.next).toHaveBeenCalled()
      expect(config.ctx.auth).toEqual({
        authenticated: AuthTypes.EXTERNAL,
        apiKey: config.ctx.headers["x-api-key"],
      })
      expect(config.ctx.user).toEqual({
        appId: config.ctx.headers["x-instanceid"],
      })
    })
    it("throws if api key is invalid", async () => {
      apiKey.isAPIKeyValid.mockResolvedValueOnce(false)
      await config.executeMiddleware()
      expect(config.throw).toHaveBeenCalledWith(403, "API key invalid")
    })
  })
  describe("non-webhook call", () => {
--- a/packages/server/src/utilities/index.js
+++ b/packages/server/src/utilities/index.js
@ -49,12 +49,11 @@ exports.getAppId = ctx => {
 /**
 * Get the name of the cookie which is to be updated/retrieved
- * @param {string|undefined|null} name OPTIONAL can specify the specific app if previewing etc
+ * @param {string} name The name/type of cookie.
- * @returns {string} The name of the token trying to find
+ * @returns {string} The full name of the cookie to retrieve/update.
 */
-exports.getCookieName = (name = "builder") => {
+exports.getCookieName = name => {
-  let environment = env.isProd() ? "cloud" : "local"
+  return `budibase:${name}`
  return `budibase:${name}:${environment}`
 }
 /**
--- a/packages/server/src/utilities/security/apikey.js
+++ b/packages/server/src/utilities/security/apikey.js
@ -1,19 +0,0 @@
 const { apiKeyTable } = require("../../db/dynamoClient")
 const env = require("../../environment")
 /**
 * This file purely exists so that we can centralise all logic pertaining to API keys, as their usage differs
 * in our Cloud environment versus self hosted.
 */
 exports.isAPIKeyValid = async apiKeyId => {
  if (!env.SELF_HOSTED) {
    let apiKeyInfo = await apiKeyTable.get({
      primary: apiKeyId,
    })
    return apiKeyInfo != null
  } else {
    // if the api key supplied is correct then return structure similar
    return apiKeyId === env.HOSTING_KEY
  }
 }