budibase/packages/worker/src/sdk/users/users.ts

import env from "../../environment"
import { quotas } from "@budibase/pro"
import * as apps from "../../utilities/appService"
import * as eventHelpers from "./events"
import {
  tenancy,
  utils,
  db as dbUtils,
  constants,
  cache,
  users as usersCore,
  deprovisioning,
  sessions,
  HTTPError,
  accounts,
  migrations,
} from "@budibase/backend-core"
import { MigrationType } from "@budibase/types"

const PAGE_LIMIT = 10

/**
 * Retrieves all users from the current tenancy.
 */
export const allUsers = async () => {
  const db = tenancy.getGlobalDB()
  const response = await db.allDocs(
    dbUtils.getGlobalUserParams(null, {
      include_docs: true,
    })
  )
  return response.rows.map((row: any) => row.doc)
}

export const paginatedUsers = async (page?: string) => {
  const db = tenancy.getGlobalDB()
  // get one extra document, to have the next page
  const response = await db.allDocs(
    dbUtils.getGlobalUserParams(null, {
      include_docs: true,
      limit: PAGE_LIMIT + 1,
      startkey: page,
    })
  )
  return dbUtils.pagination(response, PAGE_LIMIT)
}

/**
 * Gets a user by ID from the global database, based on the current tenancy.
 */
export const getUser = async (userId: string) => {
  const db = tenancy.getGlobalDB()
  let user
  try {
    user = await db.get(userId)
  } catch (err: any) {
    // no user found, just return nothing
    if (err.status === 404) {
      return {}
    }
    throw err
  }
  if (user) {
    delete user.password
  }
  return user
}

interface SaveUserOpts {
  hashPassword?: boolean
  requirePassword?: boolean
  bulkCreate?: boolean
}

export const save = async (
  user: any,
  opts: SaveUserOpts = {
    hashPassword: true,
    requirePassword: true,
    bulkCreate: false,
  }
) => {
  const tenantId = tenancy.getTenantId()
  const db = tenancy.getGlobalDB()
  let { email, password, _id } = user
  // make sure another user isn't using the same email
  let dbUser: any
  if (opts.bulkCreate) {
    dbUser = null
  } else if (email) {
    // check budibase users inside the tenant
    dbUser = await usersCore.getGlobalUserByEmail(email)
    if (dbUser != null && (dbUser._id !== _id || Array.isArray(dbUser))) {
      throw `Email address ${email} already in use.`
    }

    // check budibase users in other tenants
    if (env.MULTI_TENANCY) {
      const tenantUser = await tenancy.getTenantUser(email)
      if (tenantUser != null && tenantUser.tenantId !== tenantId) {
        throw `Email address ${email} already in use.`
      }
    }

    // check root account users in account portal
    if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
      const account = await accounts.getAccount(email)
      if (account && account.verified && account.tenantId !== tenantId) {
        throw `Email address ${email} already in use.`
      }
    }
  } else if (_id) {
    dbUser = await db.get(_id)
  }

  // get the password, make sure one is defined
  let hashedPassword
  if (password) {
    hashedPassword = opts.hashPassword ? await utils.hash(password) : password
  } else if (dbUser) {
    hashedPassword = dbUser.password
  } else if (opts.requirePassword) {
    throw "Password must be specified."
  }

  _id = _id || dbUtils.generateGlobalUserID()
  user = {
    createdAt: Date.now(),
    ...dbUser,
    ...user,
    _id,
    password: hashedPassword,
    tenantId,
  }
  // make sure the roles object is always present
  if (!user.roles) {
    user.roles = {}
  }
  // add the active status to a user if its not provided
  if (user.status == null) {
    user.status = constants.UserStatus.ACTIVE
  }
  try {
    const putOpts = {
      password: hashedPassword,
      ...user,
    }
    if (opts.bulkCreate) {
      return putOpts
    }
    // save the user to db
    let response
    const putUserFn = () => {
      return db.put(user)
    }
    if (eventHelpers.isAddingBuilder(user, dbUser)) {
      response = await quotas.addDeveloper(putUserFn)
    } else {
      response = await putUserFn()
    }
    user._rev = response.rev

    await eventHelpers.handleSaveEvents(user, dbUser)

    if (env.MULTI_TENANCY) {
      const afterCreateTenant = () =>
        migrations.backPopulateMigrations({
          type: MigrationType.GLOBAL,
          tenantId,
        })
      await tenancy.tryAddTenant(tenantId, _id, email, afterCreateTenant)
    }
    await cache.user.invalidateUser(response.id)
    // let server know to sync user
    await apps.syncUserInApps(user._id)

    return {
      _id: response.id,
      _rev: response.rev,
      email,
    }
  } catch (err: any) {
    if (err.status === 409) {
      throw "User exists already"
    } else {
      throw err
    }
  }
}

export const destroy = async (id: string, currentUser: any) => {
  const db = tenancy.getGlobalDB()
  const dbUser = await db.get(id)

  if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
    // root account holder can't be deleted from inside budibase
    const email = dbUser.email
    const account = await accounts.getAccount(email)
    if (account) {
      if (email === currentUser.email) {
        throw new HTTPError('Please visit "Account" to delete this user', 400)
      } else {
        throw new HTTPError("Account holder cannot be deleted", 400)
      }
    }
  }

  await deprovisioning.removeUserFromInfoDB(dbUser)
  await db.remove(dbUser._id, dbUser._rev)
  await eventHelpers.handleDeleteEvents(dbUser)
  await quotas.removeUser(dbUser)
  await cache.user.invalidateUser(dbUser._id)
  await sessions.invalidateSessions(dbUser._id)
  // let server know to sync user
  await apps.syncUserInApps(dbUser._id)
}
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`import env from "../../environment"`
			`import { quotas } from "@budibase/pro"`
			`import * as apps from "../../utilities/appService"`
			`import * as eventHelpers from "./events"`
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`import {`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`tenancy,`
			`utils,`
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`db as dbUtils,`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`constants,`
			`cache,`
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`users as usersCore,`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`deprovisioning,`
			`sessions,`
			`HTTPError,`
Merge branch 'feature/posthog-v2' into feature/event-backfill 2022-05-29 11:25:40 +12:00			`accounts,`
Back populate no-op migrations on new app and tenant create 2022-06-13 21:51:29 +12:00			`migrations,`
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`} from "@budibase/backend-core"`
Back populate no-op migrations on new app and tenant create 2022-06-13 21:51:29 +12:00			`import { MigrationType } from "@budibase/types"`
Identity updates 2022-05-25 07:01:13 +12:00
Adding user pagination, removing usages of the global user list from builder and replacing with direct user lookups where possible, still need to apply filtering to username/email serverside. 2022-06-30 06:11:00 +12:00			`const PAGE_LIMIT = 10`

user / rbac events + tests 2022-04-08 12:28:22 +12:00			`/**`
			`* Retrieves all users from the current tenancy.`
			`*/`
			`export const allUsers = async () => {`
			`const db = tenancy.getGlobalDB()`
			`const response = await db.allDocs(`
			`dbUtils.getGlobalUserParams(null, {`
			`include_docs: true,`
			`})`
			`)`
			`return response.rows.map((row: any) => row.doc)`
			`}`

Adding user pagination, removing usages of the global user list from builder and replacing with direct user lookups where possible, still need to apply filtering to username/email serverside. 2022-06-30 06:11:00 +12:00			`export const paginatedUsers = async (page?: string) => {`
			`const db = tenancy.getGlobalDB()`
			`// get one extra document, to have the next page`
			`const response = await db.allDocs(`
			`dbUtils.getGlobalUserParams(null, {`
			`include_docs: true,`
			`limit: PAGE_LIMIT + 1,`
			`startkey: page,`
			`})`
			`)`
			`return dbUtils.pagination(response, PAGE_LIMIT)`
			`}`

user / rbac events + tests 2022-04-08 12:28:22 +12:00			`/**`
			`* Gets a user by ID from the global database, based on the current tenancy.`
			`*/`
			`export const getUser = async (userId: string) => {`
			`const db = tenancy.getGlobalDB()`
			`let user`
			`try {`
			`user = await db.get(userId)`
			`} catch (err: any) {`
			`// no user found, just return nothing`
			`if (err.status === 404) {`
			`return {}`
			`}`
			`throw err`
			`}`
			`if (user) {`
			`delete user.password`
			`}`
			`return user`
			`}`

Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`interface SaveUserOpts {`
			`hashPassword?: boolean`
			`requirePassword?: boolean`
			`bulkCreate?: boolean`
			`}`

user / rbac events + tests 2022-04-08 12:28:22 +12:00			`export const save = async (`
			`user: any,`
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`opts: SaveUserOpts = {`
			`hashPassword: true,`
			`requirePassword: true,`
			`bulkCreate: false,`
			`}`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`) => {`
			`const tenantId = tenancy.getTenantId()`
Merge branch 'develop' into feature/posthog-v2 2022-04-28 03:32:00 +12:00			`const db = tenancy.getGlobalDB()`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`let { email, password, _id } = user`
			`// make sure another user isn't using the same email`
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`let dbUser: any`
			`if (opts.bulkCreate) {`
			`dbUser = null`
			`} else if (email) {`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`// check budibase users inside the tenant`
			`dbUser = await usersCore.getGlobalUserByEmail(email)`
			`if (dbUser != null && (dbUser._id !== _id \|\| Array.isArray(dbUser))) {`
			throw `Email address ${email} already in use.`
			`}`

			`// check budibase users in other tenants`
			`if (env.MULTI_TENANCY) {`
			`const tenantUser = await tenancy.getTenantUser(email)`
			`if (tenantUser != null && tenantUser.tenantId !== tenantId) {`
			throw `Email address ${email} already in use.`
			`}`
			`}`

			`// check root account users in account portal`
			`if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {`
			`const account = await accounts.getAccount(email)`
			`if (account && account.verified && account.tenantId !== tenantId) {`
			throw `Email address ${email} already in use.`
			`}`
			`}`
			`} else if (_id) {`
			`dbUser = await db.get(_id)`
			`}`

			`// get the password, make sure one is defined`
			`let hashedPassword`
			`if (password) {`
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`hashedPassword = opts.hashPassword ? await utils.hash(password) : password`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`} else if (dbUser) {`
			`hashedPassword = dbUser.password`
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`} else if (opts.requirePassword) {`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`throw "Password must be specified."`
			`}`

Fix user id generation 2022-06-14 09:26:15 +12:00			`_id = _id \|\| dbUtils.generateGlobalUserID()`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`user = {`
			`createdAt: Date.now(),`
			`...dbUser,`
			`...user,`
			`_id,`
			`password: hashedPassword,`
			`tenantId,`
			`}`
			`// make sure the roles object is always present`
			`if (!user.roles) {`
			`user.roles = {}`
			`}`
			`// add the active status to a user if its not provided`
			`if (user.status == null) {`
			`user.status = constants.UserStatus.ACTIVE`
			`}`
			`try {`
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`const putOpts = {`
			`password: hashedPassword,`
			`...user,`
			`}`
			`if (opts.bulkCreate) {`
			`return putOpts`
			`}`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`// save the user to db`
			`let response`
			`const putUserFn = () => {`
			`return db.put(user)`
			`}`
User management events 2022-04-12 23:34:36 +12:00			`if (eventHelpers.isAddingBuilder(user, dbUser)) {`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`response = await quotas.addDeveloper(putUserFn)`
			`} else {`
			`response = await putUserFn()`
			`}`
App migrations finished 2022-05-20 23:29:31 +12:00			`user._rev = response.rev`
user / rbac events + tests 2022-04-08 12:28:22 +12:00
Event identification 2022-05-24 09:14:44 +12:00			`await eventHelpers.handleSaveEvents(user, dbUser)`
app and account properties, add account details to all user and tenant identities 2022-05-26 21:13:26 +12:00
Merge branch 'develop' into feature/posthog-v2 2022-05-29 10:03:31 +12:00			`if (env.MULTI_TENANCY) {`
Back populate no-op migrations on new app and tenant create 2022-06-13 21:51:29 +12:00			`const afterCreateTenant = () =>`
			`migrations.backPopulateMigrations({`
			`type: MigrationType.GLOBAL,`
			`tenantId,`
			`})`
			`await tenancy.tryAddTenant(tenantId, _id, email, afterCreateTenant)`
app and account properties, add account details to all user and tenant identities 2022-05-26 21:13:26 +12:00			`}`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`await cache.user.invalidateUser(response.id)`
			`// let server know to sync user`
			`await apps.syncUserInApps(user._id)`

			`return {`
			`_id: response.id,`
			`_rev: response.rev,`
			`email,`
			`}`
			`} catch (err: any) {`
			`if (err.status === 409) {`
			`throw "User exists already"`
			`} else {`
			`throw err`
			`}`
			`}`
			`}`

			`export const destroy = async (id: string, currentUser: any) => {`
			`const db = tenancy.getGlobalDB()`
			`const dbUser = await db.get(id)`

			`if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {`
			`// root account holder can't be deleted from inside budibase`
			`const email = dbUser.email`
			`const account = await accounts.getAccount(email)`
			`if (account) {`
			`if (email === currentUser.email) {`
			`throw new HTTPError('Please visit "Account" to delete this user', 400)`
			`} else {`
			`throw new HTTPError("Account holder cannot be deleted", 400)`
			`}`
			`}`
			`}`

			`await deprovisioning.removeUserFromInfoDB(dbUser)`
			`await db.remove(dbUser._id, dbUser._rev)`
Event identification 2022-05-24 09:14:44 +12:00			`await eventHelpers.handleDeleteEvents(dbUser)`
user / rbac events + tests 2022-04-08 12:28:22 +12:00			`await quotas.removeUser(dbUser)`
			`await cache.user.invalidateUser(dbUser._id)`
			`await sessions.invalidateSessions(dbUser._id)`
			`// let server know to sync user`
			`await apps.syncUserInApps(dbUser._id)`
			`}`