removed x-user-agent

This commit is contained in:
Michael Shanks 2020-06-19 16:59:46 +01:00
parent bd927564b2
commit eb2b6ec56f
7 changed files with 25 additions and 18 deletions

View File

@ -1,8 +1,9 @@
export const getAppId = cookie => {
const base64Token = cookie
.split(";")
.find(c => c.trim().startsWith("budibase:token"))
.substring(lengthOfKey)
export const getAppId = docCookie => {
const cookie =
docCookie.split(";").find(c => c.trim().startsWith("budibase:token")) ||
docCookie.split(";").find(c => c.trim().startsWith("builder:token"))
const base64Token = cookie.substring(lengthOfKey)
const user = JSON.parse(atob(base64Token.split(".")[1]))
return user.appId

View File

@ -79,7 +79,7 @@ export const screenRouter = ({ screens, onScreenSelected, window }) => {
)
return
const target = x.target || "_self"
const target = (x && x.target) || "_self"
if (!y || target !== "_self" || x.host !== location.host) return
e.preventDefault()

View File

@ -9,16 +9,16 @@ export const bbFactory = ({
componentLibraries,
onScreenSlotRendered,
}) => {
const apiCall = method => (url, body) =>
fetch(url, {
const apiCall = method => (url, body) => {
return fetch(url, {
method: method,
headers: {
"Content-Type": "application/json",
"x-user-agent": "Budibase Builder",
},
body: body && JSON.stringify(body),
credentials: "same-origin",
})
}
const api = {
post: apiCall("POST"),

View File

@ -55,9 +55,14 @@ exports.authenticate = async ctx => {
expiresIn: "1 day",
})
const ONE_DAY_FROM_NOW = new Date(Date.now() + 24 * 3600)
const expires = new Date()
expires.setDate(expires.getDate() + 1)
ctx.cookies.set("budibase:token", token, { expires: ONE_DAY_FROM_NOW })
ctx.cookies.set("budibase:token", token, {
expires,
path: "/",
httpOnly: false,
})
ctx.body = {
token,

View File

@ -6,10 +6,13 @@ const {
} = require("../../utilities/budibaseDir")
const setBuilderToken = require("../../utilities/builder/setBuilderToken")
const { ANON_LEVEL_ID } = require("../../utilities/accessLevels")
const jwt = require("jsonwebtoken")
exports.serveBuilder = async function(ctx) {
let builderPath = resolve(__dirname, "../../../builder")
if (ctx.file === "index.html") {
setBuilderToken(ctx)
}
await send(ctx, ctx.file, { root: ctx.devPath || builderPath })
}
@ -24,11 +27,12 @@ exports.serveApp = async function(ctx) {
// only set the appId cookie for /appId .. we COULD check for valid appIds
// but would like to avoid that DB hit
if (looksLikeAppId(ctx.params.appId) && !ctx.isAuthenticated) {
const anonToken = {
const anonUser = {
userId: "ANON",
accessLevelId: ANON_LEVEL_ID,
appId: ctx.params.appId,
}
const anonToken = jwt.sign(anonUser, ctx.config.jwtSecret)
ctx.cookies.set("budibase:token", anonToken, {
path: "/",
httpOnly: false,

View File

@ -16,12 +16,8 @@ module.exports = async (ctx, next) => {
const appToken = ctx.cookies.get("budibase:token")
const builderToken = ctx.cookies.get("builder:token")
const isBuilderAgent = ctx.headers["x-user-agent"] === "Budibase Builder"
// all admin api access should auth with buildertoken and 'Budibase Builder user agent
const shouldAuthAsBuilder = isBuilderAgent && builderToken
if (shouldAuthAsBuilder) {
if (builderToken) {
try {
const jwtPayload = jwt.verify(builderToken, ctx.config.jwtSecret)
ctx.isAuthenticated = jwtPayload.accessLevelId === BUILDER_LEVEL_ID

View File

@ -94,6 +94,7 @@ module.exports = {
USER_MANAGEMENT,
BUILDER,
LIST_USERS,
adminPermissions,
generateAdminPermissions,
generatePowerUserPermissions,
}