Fixing authentication with API key issue.
This commit is contained in:
parent
1a2a6855ca
commit
fc9e48e8e7
|
@ -22,6 +22,12 @@ function buildNoAuthRegex(patterns) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function finalise(ctx, { authenticated, user, internal } = {}) {
|
||||||
|
ctx.isAuthenticated = authenticated || false
|
||||||
|
ctx.user = user
|
||||||
|
ctx.internal = internal || false
|
||||||
|
}
|
||||||
|
|
||||||
module.exports = (noAuthPatterns = [], opts) => {
|
module.exports = (noAuthPatterns = [], opts) => {
|
||||||
const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
|
const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
|
||||||
return async (ctx, next) => {
|
return async (ctx, next) => {
|
||||||
|
@ -36,35 +42,40 @@ module.exports = (noAuthPatterns = [], opts) => {
|
||||||
return next()
|
return next()
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
const apiKey = ctx.request.headers["x-budibase-api-key"]
|
|
||||||
// check the actual user is authenticated first
|
// check the actual user is authenticated first
|
||||||
const authCookie = getCookie(ctx, Cookies.Auth)
|
const authCookie = getCookie(ctx, Cookies.Auth)
|
||||||
|
let authenticated = false,
|
||||||
// this is an internal request, no user made it
|
user = null,
|
||||||
if (apiKey && apiKey === env.INTERNAL_API_KEY) {
|
internal = false
|
||||||
ctx.isAuthenticated = true
|
if (authCookie) {
|
||||||
ctx.internal = true
|
|
||||||
} else if (authCookie) {
|
|
||||||
try {
|
try {
|
||||||
const db = database.getDB(StaticDatabases.GLOBAL.name)
|
const db = database.getDB(StaticDatabases.GLOBAL.name)
|
||||||
const user = await db.get(authCookie.userId)
|
const foundUser = await db.get(authCookie.userId)
|
||||||
delete user.password
|
delete foundUser.password
|
||||||
ctx.isAuthenticated = true
|
authenticated = true
|
||||||
ctx.user = user
|
user = foundUser
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
// remove the cookie as the use does not exist anymore
|
// remove the cookie as the use does not exist anymore
|
||||||
clearCookie(ctx, Cookies.Auth)
|
clearCookie(ctx, Cookies.Auth)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// be explicit
|
const apiKey = ctx.request.headers["x-budibase-api-key"]
|
||||||
if (ctx.isAuthenticated !== true) {
|
// this is an internal request, no user made it
|
||||||
ctx.isAuthenticated = false
|
if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
|
||||||
|
authenticated = true
|
||||||
|
internal = true
|
||||||
}
|
}
|
||||||
|
// be explicit
|
||||||
|
if (authenticated !== true) {
|
||||||
|
authenticated = false
|
||||||
|
}
|
||||||
|
// isAuthenticated is a function, so use a variable to be able to check authed state
|
||||||
|
finalise(ctx, { authenticated, user, internal })
|
||||||
return next()
|
return next()
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
// allow configuring for public access
|
// allow configuring for public access
|
||||||
if (opts && opts.publicAllowed) {
|
if (opts && opts.publicAllowed) {
|
||||||
ctx.isAuthenticated = false
|
finalise(ctx, { authenticated: false })
|
||||||
} else {
|
} else {
|
||||||
ctx.throw(err.status || 403, err)
|
ctx.throw(err.status || 403, err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,7 @@ process.env.MINIO_ACCESS_KEY = "budibase"
|
||||||
process.env.MINIO_SECRET_KEY = "budibase"
|
process.env.MINIO_SECRET_KEY = "budibase"
|
||||||
process.env.COUCH_DB_USER = "budibase"
|
process.env.COUCH_DB_USER = "budibase"
|
||||||
process.env.COUCH_DB_PASSWORD = "budibase"
|
process.env.COUCH_DB_PASSWORD = "budibase"
|
||||||
|
process.env.INTERNAL_API_KEY = "budibase"
|
||||||
|
|
||||||
// Stop info logs polluting test outputs
|
// Stop info logs polluting test outputs
|
||||||
process.env.LOG_LEVEL = "error"
|
process.env.LOG_LEVEL = "error"
|
||||||
|
|
|
@ -90,7 +90,8 @@ exports.find = async function (ctx) {
|
||||||
if (scopedConfig) {
|
if (scopedConfig) {
|
||||||
ctx.body = scopedConfig
|
ctx.body = scopedConfig
|
||||||
} else {
|
} else {
|
||||||
ctx.throw(400, "No configuration exists.")
|
// don't throw an error, there simply is nothing to return
|
||||||
|
ctx.body = {}
|
||||||
}
|
}
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
ctx.throw(err.status, err)
|
ctx.throw(err.status, err)
|
||||||
|
|
Loading…
Reference in New Issue