budibase/packages/auth/src/middleware/authenticated.js

const { Cookies, Headers } = require("../constants")
const { getCookie, clearCookie } = require("../utils")
const { getUser } = require("../cache/user")
const { getSession, updateSessionTTL } = require("../security/sessions")
const env = require("../environment")

const PARAM_REGEX = /\/:(.*?)\//g

function buildNoAuthRegex(patterns) {
  return patterns.map(pattern => {
    const isObj = typeof pattern === "object" && pattern.route
    const method = isObj ? pattern.method : "GET"
    let route = isObj ? pattern.route : pattern

    const matches = route.match(PARAM_REGEX)
    if (matches) {
      for (let match of matches) {
        route = route.replace(match, "/.*/")
      }
    }
    return { regex: new RegExp(route), method }
  })
}

function finalise(ctx, { authenticated, user, internal, version } = {}) {
  ctx.isAuthenticated = authenticated || false
  ctx.user = user
  ctx.internal = internal || false
  ctx.version = version
}

module.exports = (noAuthPatterns = [], opts) => {
  const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
  return async (ctx, next) => {
    const version = ctx.request.headers[Headers.API_VER]
    // the path is not authenticated
    const found = noAuthOptions.find(({ regex, method }) => {
      return (
        regex.test(ctx.request.url) &&
        ctx.request.method.toLowerCase() === method.toLowerCase()
      )
    })
    if (found != null) {
      return next()
    }
    try {
      // check the actual user is authenticated first
      const authCookie = getCookie(ctx, Cookies.Auth)
      let authenticated = false,
        user = null,
        internal = false
      if (authCookie) {
        let error = null
        const sessionId = authCookie.sessionId,
          userId = authCookie.userId
        const session = await getSession(userId, sessionId)
        if (!session) {
          error = "No session found"
        } else {
          try {
            user = await getUser(userId)
            delete user.password
            authenticated = true
          } catch (err) {
            error = err
          }
        }
        if (error) {
          console.error("Auth Error", error)
          // remove the cookie as the user does not exist anymore
          clearCookie(ctx, Cookies.Auth)
        } else {
          // make sure we denote that the session is still in use
          await updateSessionTTL(session)
        }
      }
      const apiKey = ctx.request.headers[Headers.API_KEY]
      // this is an internal request, no user made it
      if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
        authenticated = true
        internal = true
      }
      // be explicit
      if (authenticated !== true) {
        authenticated = false
      }
      // isAuthenticated is a function, so use a variable to be able to check authed state
      finalise(ctx, { authenticated, user, internal, version })
      return next()
    } catch (err) {
      // allow configuring for public access
      if (opts && opts.publicAllowed) {
        finalise(ctx, { authenticated: false, version })
      } else {
        ctx.throw(err.status || 403, err)
      }
    }
  }
}
Adding concept of version to APIs. 2021-07-24 02:29:14 +12:00			`const { Cookies, Headers } = require("../constants")`
Updating test cases and some re-work of the email system. 2021-04-24 05:07:39 +12:00			`const { getCookie, clearCookie } = require("../utils")`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`const { getUser } = require("../cache/user")`
			`const { getSession, updateSessionTTL } = require("../security/sessions")`
Some updates, working towards supporting automation send smtp email also removing the styling template, adding to base. 2021-05-11 23:02:29 +12:00			`const env = require("../environment")`
login page 2021-04-11 22:35:55 +12:00
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const PARAM_REGEX = /\/:(.*?)\//g`

			`function buildNoAuthRegex(patterns) {`
			`return patterns.map(pattern => {`
			`const isObj = typeof pattern === "object" && pattern.route`
			`const method = isObj ? pattern.method : "GET"`
			`let route = isObj ? pattern.route : pattern`

			`const matches = route.match(PARAM_REGEX)`
			`if (matches) {`
			`for (let match of matches) {`
			`route = route.replace(match, "/.*/")`
			`}`
			`}`
			`return { regex: new RegExp(route), method }`
			`})`
			`}`

			`function finalise(ctx, { authenticated, user, internal, version } = {}) {`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`ctx.isAuthenticated = authenticated \|\| false`
			`ctx.user = user`
			`ctx.internal = internal \|\| false`
Adding concept of version to APIs. 2021-07-24 02:29:14 +12:00			`ctx.version = version`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`}`

Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`module.exports = (noAuthPatterns = [], opts) => {`
			`const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`return async (ctx, next) => {`
Adding concept of version to APIs. 2021-07-24 02:29:14 +12:00			`const version = ctx.request.headers[Headers.API_VER]`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`// the path is not authenticated`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const found = noAuthOptions.find(({ regex, method }) => {`
			`return (`
			`regex.test(ctx.request.url) &&`
			`ctx.request.method.toLowerCase() === method.toLowerCase()`
			`)`
			`})`
			`if (found != null) {`
			`return next()`
login page 2021-04-11 22:35:55 +12:00			`}`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`try {`
			`// check the actual user is authenticated first`
			`const authCookie = getCookie(ctx, Cookies.Auth)`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`let authenticated = false,`
			`user = null,`
			`internal = false`
			`if (authCookie) {`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`let error = null`
Fixing session issues after testing a bit. 2021-07-08 04:15:53 +12:00			`const sessionId = authCookie.sessionId,`
			`userId = authCookie.userId`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`const session = await getSession(userId, sessionId)`
			`if (!session) {`
			`error = "No session found"`
			`} else {`
			`try {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`user = await getUser(userId)`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`delete user.password`
			`authenticated = true`
			`} catch (err) {`
			`error = err`
			`}`
			`}`
			`if (error) {`
adding log to authenticated middleware for K8S env 2021-08-04 21:38:49 +12:00			`console.error("Auth Error", error)`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`// remove the cookie as the user does not exist anymore`
Updating test cases and some re-work of the email system. 2021-04-24 05:07:39 +12:00			`clearCookie(ctx, Cookies.Auth)`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`} else {`
			`// make sure we denote that the session is still in use`
Adding sessions API. 2021-07-08 10:29:19 +12:00			`await updateSessionTTL(session)`
Updating test cases and some re-work of the email system. 2021-04-24 05:07:39 +12:00			`}`
			`}`
Adding concept of version to APIs. 2021-07-24 02:29:14 +12:00			`const apiKey = ctx.request.headers[Headers.API_KEY]`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`// this is an internal request, no user made it`
			`if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {`
			`authenticated = true`
			`internal = true`
			`}`
Updating test cases and some re-work of the email system. 2021-04-24 05:07:39 +12:00			`// be explicit`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`if (authenticated !== true) {`
			`authenticated = false`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`}`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`// isAuthenticated is a function, so use a variable to be able to check authed state`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`finalise(ctx, { authenticated, user, internal, version })`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`return next()`
			`} catch (err) {`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-29 05:13:21 +12:00			`// allow configuring for public access`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`if (opts && opts.publicAllowed) {`
			`finalise(ctx, { authenticated: false, version })`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-29 05:13:21 +12:00			`} else {`
			`ctx.throw(err.status \|\| 403, err)`
			`}`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`}`
login page 2021-04-11 22:35:55 +12:00			`}`
			`}`