budibase/packages/server/src/api/controllers/auth.js

const jwt = require("jsonwebtoken")
const CouchDB = require("../../db")
const ClientDb = require("../../db/clientDb")
const bcrypt = require("../../utilities/bcrypt")
const environment = require("../../environment")
const { apiKeyTable } = require("../../db/dynamoClient")
const { generateUserID } = require("../../db/utils")

exports.authenticate = async ctx => {
  if (!ctx.user.appId) ctx.throw(400, "No appId")

  const { username, password } = ctx.request.body

  if (!username) ctx.throw(400, "Username Required.")
  if (!password) ctx.throw(400, "Password Required")

  const masterDb = new CouchDB("client_app_lookup")

  const { clientId } = await masterDb.get(ctx.user.appId)

  if (!clientId) {
    ctx.throw(400, "ClientId not supplied")
  }
  // find the instance that the user is associated with
  const db = new CouchDB(ClientDb.name(clientId))
  const app = await db.get(ctx.user.appId)
  const instanceId = app.userInstanceMap[username]

  if (!instanceId)
    ctx.throw(
      500,
      "User is not associated with an instance of app",
      ctx.user.appId
    )

  // Check the user exists in the instance DB by username
  const instanceDb = new CouchDB(instanceId)

  let dbUser
  try {
    dbUser = await instanceDb.get(generateUserID(username))
  } catch (_) {
    // do not want to throw a 404 - as this could be
    // used to dtermine valid usernames
    ctx.throw(401, "Invalid Credentials")
  }

  // authenticate
  if (await bcrypt.compare(password, dbUser.password)) {
    const payload = {
      userId: dbUser._id,
      accessLevelId: dbUser.accessLevelId,
      appId: ctx.user.appId,
      instanceId,
    }
    // if in cloud add the user api key
    if (environment.CLOUD) {
      payload.apiKey = await apiKeyTable.get({ primary: ctx.user.appId })
    }

    const token = jwt.sign(payload, ctx.config.jwtSecret, {
      expiresIn: "1 day",
    })

    const expires = new Date()
    expires.setDate(expires.getDate() + 1)

    ctx.cookies.set("budibase:token", token, {
      expires,
      path: "/",
      httpOnly: false,
    })

    ctx.body = {
      token,
      ...dbUser,
    }
  } else {
    ctx.throw(401, "Invalid credentials.")
  }
}
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const jwt = require("jsonwebtoken")`
			`const CouchDB = require("../../db")`
removing clientId from frontend, fixing invalid database name 2020-05-18 17:40:29 +12:00			`const ClientDb = require("../../db/clientDb")`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const bcrypt = require("../../utilities/bcrypt")`
First work towards implementing Dynamo usage in the server when running in the cloud; this is for tracking usage against API keys. 2020-10-07 07:13:41 +13:00			`const environment = require("../../environment")`
			`const { apiKeyTable } = require("../../db/dynamoClient")`
Fix for an issue detected by user test case. 2020-10-03 00:52:15 +13:00			`const { generateUserID } = require("../../db/utils")`
correct resource paths 2020-04-08 07:34:21 +12:00
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`exports.authenticate = async ctx => {`
instanceid removal 2020-06-19 03:59:31 +12:00			`if (!ctx.user.appId) ctx.throw(400, "No appId")`
removal of appRoot - appId comes in cookie 2020-06-13 07:42:55 +12:00
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const { username, password } = ctx.request.body`
backend allowing creation of models, records and databases 2020-04-21 03:17:11 +12:00
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`if (!username) ctx.throw(400, "Username Required.")`
			`if (!password) ctx.throw(400, "Password Required")`
correct resource paths 2020-04-08 07:34:21 +12:00
enable renaming of records by using IDs 2020-06-24 10:26:54 +12:00			`const masterDb = new CouchDB("client_app_lookup")`
removal of appRoot - appId comes in cookie 2020-06-13 07:42:55 +12:00
instanceid removal 2020-06-19 03:59:31 +12:00			`const { clientId } = await masterDb.get(ctx.user.appId)`
application supports multiple concurrent client DB 2020-06-11 08:39:30 +12:00
			`if (!clientId) {`
Implementing the block definitions as list APIs for the workflow, meaning client has to retrieve structure from API instead of inherently knowing it. 2020-09-10 22:06:13 +12:00			`ctx.throw(400, "ClientId not supplied")`
application supports multiple concurrent client DB 2020-06-11 08:39:30 +12:00			`}`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`// find the instance that the user is associated with`
application supports multiple concurrent client DB 2020-06-11 08:39:30 +12:00			`const db = new CouchDB(ClientDb.name(clientId))`
instanceid removal 2020-06-19 03:59:31 +12:00			`const app = await db.get(ctx.user.appId)`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const instanceId = app.userInstanceMap[username]`
development setup, adding data components 2020-05-06 21:33:30 +12:00
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`if (!instanceId)`
instanceid removal 2020-06-19 03:59:31 +12:00			`ctx.throw(`
			`500,`
			`"User is not associated with an instance of app",`
			`ctx.user.appId`
			`)`
development setup, adding data components 2020-05-06 21:33:30 +12:00
			`// Check the user exists in the instance DB by username`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const instanceDb = new CouchDB(instanceId)`
development setup, adding data components 2020-05-06 21:33:30 +12:00
access levels 2020-05-28 04:23:01 +12:00			`let dbUser`
			`try {`
Fix for an issue detected by user test case. 2020-10-03 00:52:15 +13:00			`dbUser = await instanceDb.get(generateUserID(username))`
access levels 2020-05-28 04:23:01 +12:00			`} catch (_) {`
			`// do not want to throw a 404 - as this could be`
			`// used to dtermine valid usernames`
			`ctx.throw(401, "Invalid Credentials")`
			`}`
development setup, adding data components 2020-05-06 21:33:30 +12:00
			`// authenticate`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`if (await bcrypt.compare(password, dbUser.password)) {`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const payload = {`
			`userId: dbUser._id,`
access levels 2020-05-28 04:23:01 +12:00			`accessLevelId: dbUser.accessLevelId,`
instanceid removal 2020-06-19 03:59:31 +12:00			`appId: ctx.user.appId,`
removal of appRoot - appId comes in cookie 2020-06-13 07:42:55 +12:00			`instanceId,`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`}`
First work towards implementing Dynamo usage in the server when running in the cloud; this is for tracking usage against API keys. 2020-10-07 07:13:41 +13:00			`// if in cloud add the user api key`
			`if (environment.CLOUD) {`
			`payload.apiKey = await apiKeyTable.get({ primary: ctx.user.appId })`
			`}`
Auth working 2020-05-07 07:29:47 +12:00
			`const token = jwt.sign(payload, ctx.config.jwtSecret, {`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`expiresIn: "1 day",`
			`})`
removed core library 2020-05-07 07:49:21 +12:00
removed x-user-agent 2020-06-20 03:59:46 +12:00			`const expires = new Date()`
			`expires.setDate(expires.getDate() + 1)`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00
removed x-user-agent 2020-06-20 03:59:46 +12:00			`ctx.cookies.set("budibase:token", token, {`
			`expires,`
			`path: "/",`
			`httpOnly: false,`
			`})`
Auth working 2020-05-07 07:29:47 +12:00
development setup, adding data components 2020-05-06 21:33:30 +12:00			`ctx.body = {`
			`token,`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`...dbUser,`
			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`} else {`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`ctx.throw(401, "Invalid credentials.")`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`}`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`}`