Fixing authentication with API key issue.

This commit is contained in:
mike12345567 2021-06-21 17:13:06 +01:00
parent 1a2a6855ca
commit fc9e48e8e7
3 changed files with 29 additions and 16 deletions

View File

@ -22,6 +22,12 @@ function buildNoAuthRegex(patterns) {
}) })
} }
function finalise(ctx, { authenticated, user, internal } = {}) {
ctx.isAuthenticated = authenticated || false
ctx.user = user
ctx.internal = internal || false
}
module.exports = (noAuthPatterns = [], opts) => { module.exports = (noAuthPatterns = [], opts) => {
const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : [] const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
return async (ctx, next) => { return async (ctx, next) => {
@ -36,35 +42,40 @@ module.exports = (noAuthPatterns = [], opts) => {
return next() return next()
} }
try { try {
const apiKey = ctx.request.headers["x-budibase-api-key"]
// check the actual user is authenticated first // check the actual user is authenticated first
const authCookie = getCookie(ctx, Cookies.Auth) const authCookie = getCookie(ctx, Cookies.Auth)
let authenticated = false,
// this is an internal request, no user made it user = null,
if (apiKey && apiKey === env.INTERNAL_API_KEY) { internal = false
ctx.isAuthenticated = true if (authCookie) {
ctx.internal = true
} else if (authCookie) {
try { try {
const db = database.getDB(StaticDatabases.GLOBAL.name) const db = database.getDB(StaticDatabases.GLOBAL.name)
const user = await db.get(authCookie.userId) const foundUser = await db.get(authCookie.userId)
delete user.password delete foundUser.password
ctx.isAuthenticated = true authenticated = true
ctx.user = user user = foundUser
} catch (err) { } catch (err) {
// remove the cookie as the use does not exist anymore // remove the cookie as the use does not exist anymore
clearCookie(ctx, Cookies.Auth) clearCookie(ctx, Cookies.Auth)
} }
} }
// be explicit const apiKey = ctx.request.headers["x-budibase-api-key"]
if (ctx.isAuthenticated !== true) { // this is an internal request, no user made it
ctx.isAuthenticated = false if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
authenticated = true
internal = true
} }
// be explicit
if (authenticated !== true) {
authenticated = false
}
// isAuthenticated is a function, so use a variable to be able to check authed state
finalise(ctx, { authenticated, user, internal })
return next() return next()
} catch (err) { } catch (err) {
// allow configuring for public access // allow configuring for public access
if (opts && opts.publicAllowed) { if (opts && opts.publicAllowed) {
ctx.isAuthenticated = false finalise(ctx, { authenticated: false })
} else { } else {
ctx.throw(err.status || 403, err) ctx.throw(err.status || 403, err)
} }

View File

@ -20,6 +20,7 @@ process.env.MINIO_ACCESS_KEY = "budibase"
process.env.MINIO_SECRET_KEY = "budibase" process.env.MINIO_SECRET_KEY = "budibase"
process.env.COUCH_DB_USER = "budibase" process.env.COUCH_DB_USER = "budibase"
process.env.COUCH_DB_PASSWORD = "budibase" process.env.COUCH_DB_PASSWORD = "budibase"
process.env.INTERNAL_API_KEY = "budibase"
// Stop info logs polluting test outputs // Stop info logs polluting test outputs
process.env.LOG_LEVEL = "error" process.env.LOG_LEVEL = "error"

View File

@ -90,7 +90,8 @@ exports.find = async function (ctx) {
if (scopedConfig) { if (scopedConfig) {
ctx.body = scopedConfig ctx.body = scopedConfig
} else { } else {
ctx.throw(400, "No configuration exists.") // don't throw an error, there simply is nothing to return
ctx.body = {}
} }
} catch (err) { } catch (err) {
ctx.throw(err.status, err) ctx.throw(err.status, err)