budibase/packages/worker/src/api/controllers/admin/users.js

const CouchDB = require("../../../db")
const {
  generateGlobalUserID,
  getGlobalUserParams,
  StaticDatabases,
} = require("@budibase/auth").db
const { hash, getGlobalUserByEmail } = require("@budibase/auth").utils
const { UserStatus, EmailTemplatePurpose } = require("../../../constants")
const { checkInviteCode } = require("../../../utilities/redis")
const { sendEmail } = require("../../../utilities/email")

const GLOBAL_DB = StaticDatabases.GLOBAL.name

exports.save = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const { email, password, _id } = ctx.request.body

  // make sure another user isn't using the same email
  let dbUser
  if (email) {
    dbUser = await getGlobalUserByEmail(email)
    if (dbUser != null && (dbUser._id !== _id || Array.isArray(dbUser))) {
      ctx.throw(400, "Email address already in use.")
    }
  } else {
    dbUser = await db.get(_id)
  }

  // get the password, make sure one is defined
  let hashedPassword
  if (password) {
    hashedPassword = await hash(password)
  } else if (dbUser) {
    hashedPassword = dbUser.password
  } else {
    ctx.throw(400, "Password must be specified.")
  }

  let user = {
    ...dbUser,
    ...ctx.request.body,
    _id: _id || generateGlobalUserID(),
    password: hashedPassword,
  }
  // make sure the roles object is always present
  if (!user.roles) {
    user.roles = {}
  }
  // add the active status to a user if its not provided
  if (user.status == null) {
    user.status = UserStatus.ACTIVE
  }
  try {
    const response = await db.put({
      password: hashedPassword,
      ...user,
    })
    ctx.body = {
      _id: response.id,
      _rev: response.rev,
      email,
    }
  } catch (err) {
    if (err.status === 409) {
      ctx.throw(400, "User exists already")
    } else {
      ctx.throw(err.status, err)
    }
  }
}

exports.adminUser = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const response = await db.allDocs(
    getGlobalUserParams(null, {
      include_docs: true,
    })
  )

  if (response.rows.some(row => row.doc.admin)) {
    ctx.throw(403, "You cannot initialise once an admin user has been created.")
  }

  const { email, password } = ctx.request.body
  ctx.request.body = {
    email: email,
    password: password,
    roles: {},
    builder: {
      global: true,
    },
    admin: {
      global: true,
    },
  }
  await exports.save(ctx)
}

exports.destroy = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const dbUser = await db.get(ctx.params.id)
  await db.remove(dbUser._id, dbUser._rev)
  ctx.body = {
    message: `User ${ctx.params.id} deleted.`,
  }
}

exports.getSelf = async ctx => {
  ctx.params = {
    id: ctx.user._id,
  }
  // this will set the body
  await exports.find(ctx)
}

exports.updateSelf = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const user = await db.get(ctx.user._id)
  if (ctx.request.body.password) {
    ctx.request.body.password = await hash(ctx.request.body.password)
  }
  // don't allow sending up an ID/Rev, always use the existing one
  delete ctx.request.body._id
  delete ctx.request.body._rev
  const response = await db.put({
    ...user,
    ...ctx.request.body,
  })
  ctx.body = {
    _id: response.id,
    _rev: response.rev,
  }
}

// called internally by app server user fetch
exports.fetch = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const response = await db.allDocs(
    getGlobalUserParams(null, {
      include_docs: true,
    })
  )
  const users = response.rows.map(row => row.doc)
  // user hashed password shouldn't ever be returned
  for (let user of users) {
    if (user) {
      delete user.password
    }
  }
  ctx.body = users
}

// called internally by app server user find
exports.find = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  let user
  try {
    user = await db.get(ctx.params.id)
  } catch (err) {
    // no user found, just return nothing
    user = {}
  }
  if (user) {
    delete user.password
  }
  ctx.body = user
}

exports.invite = async ctx => {
  const { email } = ctx.request.body
  const existing = await getGlobalUserByEmail(email)
  if (existing) {
    ctx.throw(400, "Email address already in use.")
  }
  await sendEmail(email, EmailTemplatePurpose.INVITATION, {
    subject: "{{ company }} platform invitation",
  })
  ctx.body = {
    message: "Invitation has been sent.",
  }
}

exports.inviteAccept = async ctx => {
  const { inviteCode, password, firstName, lastName } = ctx.request.body
  try {
    const email = await checkInviteCode(inviteCode)
    // only pass through certain props for accepting
    ctx.request.body = {
      firstName,
      lastName,
      password,
      email,
    }
    // this will flesh out the body response
    await exports.save(ctx)
  } catch (err) {
    ctx.throw(400, "Unable to create new user, invitation invalid.")
  }
}
basic group apis 2021-04-19 22:34:07 +12:00			`const CouchDB = require("../../../db")`
			`const {`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`generateGlobalUserID,`
			`getGlobalUserParams,`
basic group apis 2021-04-19 22:34:07 +12:00			`StaticDatabases,`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`} = require("@budibase/auth").db`
			`const { hash, getGlobalUserByEmail } = require("@budibase/auth").utils`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`const { UserStatus, EmailTemplatePurpose } = require("../../../constants")`
			`const { checkInviteCode } = require("../../../utilities/redis")`
			`const { sendEmail } = require("../../../utilities/email")`
basic group apis 2021-04-19 22:34:07 +12:00
merge 2021-04-19 22:38:54 +12:00			`const GLOBAL_DB = StaticDatabases.GLOBAL.name`
basic group apis 2021-04-19 22:34:07 +12:00
Add explicit prettier options 2021-05-04 22:32:22 +12:00			`exports.save = async ctx => {`
merge 2021-04-19 22:38:54 +12:00			`const db = new CouchDB(GLOBAL_DB)`
basic group apis 2021-04-19 22:34:07 +12:00			`const { email, password, _id } = ctx.request.body`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00
			`// make sure another user isn't using the same email`
Fixing issues with the user table within the apps. 2021-05-20 02:55:00 +12:00			`let dbUser`
			`if (email) {`
			`dbUser = await getGlobalUserByEmail(email)`
			`if (dbUser != null && (dbUser._id !== _id \|\| Array.isArray(dbUser))) {`
			`ctx.throw(400, "Email address already in use.")`
			`}`
			`} else {`
			`dbUser = await db.get(_id)`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`}`

			`// get the password, make sure one is defined`
			`let hashedPassword`
			`if (password) {`
			`hashedPassword = await hash(password)`
			`} else if (dbUser) {`
			`hashedPassword = dbUser.password`
			`} else {`
			`ctx.throw(400, "Password must be specified.")`
			`}`

basic group apis 2021-04-19 22:34:07 +12:00			`let user = {`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`...dbUser,`
basic group apis 2021-04-19 22:34:07 +12:00			`...ctx.request.body,`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`_id: _id \|\| generateGlobalUserID(),`
basic group apis 2021-04-19 22:34:07 +12:00			`password: hashedPassword,`
			`}`
Making sure roles object is always present, issue #1529. 2021-05-22 01:56:06 +12:00			`// make sure the roles object is always present`
			`if (!user.roles) {`
			`user.roles = {}`
			`}`
basic group apis 2021-04-19 22:34:07 +12:00			`// add the active status to a user if its not provided`
			`if (user.status == null) {`
			`user.status = UserStatus.ACTIVE`
			`}`
			`try {`
Finalising the usage of redis in the password reset and invitation systems. 2021-05-06 02:10:28 +12:00			`const response = await db.put({`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`password: hashedPassword,`
basic group apis 2021-04-19 22:34:07 +12:00			`...user,`
			`})`
			`ctx.body = {`
			`_id: response.id,`
			`_rev: response.rev,`
			`email,`
			`}`
			`} catch (err) {`
			`if (err.status === 409) {`
			`ctx.throw(400, "User exists already")`
			`} else {`
			`ctx.throw(err.status, err)`
			`}`
			`}`
			`}`

first time setup E2E 2021-05-06 08:56:43 +12:00			`exports.adminUser = async ctx => {`
do not allow users to initialise again once an admin has been created 2021-05-06 09:06:31 +12:00			`const db = new CouchDB(GLOBAL_DB)`
			`const response = await db.allDocs(`
			`getGlobalUserParams(null, {`
			`include_docs: true,`
			`})`
			`)`

			`if (response.rows.some(row => row.doc.admin)) {`
			`ctx.throw(403, "You cannot initialise once an admin user has been created.")`
			`}`

first time setup E2E 2021-05-06 08:56:43 +12:00			`const { email, password } = ctx.request.body`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`ctx.request.body = {`
first time setup E2E 2021-05-06 08:56:43 +12:00			`email: email,`
			`password: password,`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`roles: {},`
			`builder: {`
first time setup E2E 2021-05-06 08:56:43 +12:00			`global: true,`
			`},`
			`admin: {`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`global: true,`
			`},`
			`}`
Major update, fixing email test case. 2021-04-24 05:54:12 +12:00			`await exports.save(ctx)`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`}`

Add explicit prettier options 2021-05-04 22:32:22 +12:00			`exports.destroy = async ctx => {`
merge 2021-04-19 22:38:54 +12:00			`const db = new CouchDB(GLOBAL_DB)`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`const dbUser = await db.get(ctx.params.id)`
basic group apis 2021-04-19 22:34:07 +12:00			`await db.remove(dbUser._id, dbUser._rev)`
			`ctx.body = {`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			message: `User ${ctx.params.id} deleted.`,
basic group apis 2021-04-19 22:34:07 +12:00			`}`
			`}`

Adding a get self endpoint in the global users. 2021-05-20 00:37:59 +12:00			`exports.getSelf = async ctx => {`
			`ctx.params = {`
Adding the ability to get all apps, with the status attached. 2021-05-20 02:09:57 +12:00			`id: ctx.user._id,`
Adding a get self endpoint in the global users. 2021-05-20 00:37:59 +12:00			`}`
			`// this will set the body`
			`await exports.find(ctx)`
			`}`

			`exports.updateSelf = async ctx => {`
Adding admin only endpoint, removing the ability to create/delete global users from the app server and adding a global self user update. 2021-05-20 00:17:50 +12:00			`const db = new CouchDB(GLOBAL_DB)`
			`const user = await db.get(ctx.user._id)`
			`if (ctx.request.body.password) {`
			`ctx.request.body.password = await hash(ctx.request.body.password)`
			`}`
Allowing null for global user endpoint properties. 2021-05-20 00:30:55 +12:00			`// don't allow sending up an ID/Rev, always use the existing one`
			`delete ctx.request.body._id`
			`delete ctx.request.body._rev`
Adding admin only endpoint, removing the ability to create/delete global users from the app server and adding a global self user update. 2021-05-20 00:17:50 +12:00			`const response = await db.put({`
			`...user,`
			`...ctx.request.body,`
			`})`
			`ctx.body = {`
			`_id: response.id,`
			`_rev: response.rev,`
			`}`
			`}`

basic group apis 2021-04-19 22:34:07 +12:00			`// called internally by app server user fetch`
Add explicit prettier options 2021-05-04 22:32:22 +12:00			`exports.fetch = async ctx => {`
merge 2021-04-19 22:38:54 +12:00			`const db = new CouchDB(GLOBAL_DB)`
basic group apis 2021-04-19 22:34:07 +12:00			`const response = await db.allDocs(`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`getGlobalUserParams(null, {`
basic group apis 2021-04-19 22:34:07 +12:00			`include_docs: true,`
			`})`
			`)`
Add explicit prettier options 2021-05-04 22:32:22 +12:00			`const users = response.rows.map(row => row.doc)`
basic group apis 2021-04-19 22:34:07 +12:00			`// user hashed password shouldn't ever be returned`
			`for (let user of users) {`
			`if (user) {`
			`delete user.password`
			`}`
			`}`
			`ctx.body = users`
			`}`

			`// called internally by app server user find`
Add explicit prettier options 2021-05-04 22:32:22 +12:00			`exports.find = async ctx => {`
merge 2021-04-19 22:38:54 +12:00			`const db = new CouchDB(GLOBAL_DB)`
basic group apis 2021-04-19 22:34:07 +12:00			`let user`
			`try {`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`user = await db.get(ctx.params.id)`
basic group apis 2021-04-19 22:34:07 +12:00			`} catch (err) {`
			`// no user found, just return nothing`
			`user = {}`
			`}`
			`if (user) {`
			`delete user.password`
			`}`
			`ctx.body = user`
			`}`
Finalising the usage of redis in the password reset and invitation systems. 2021-05-06 02:10:28 +12:00
			`exports.invite = async ctx => {`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`const { email } = ctx.request.body`
Updating testing system across the board after playing around with it, having the worker tests run when top level test is ran, fixing environment in worker when testing, removing the use of redis (replacing with ioredis-mock) when in test. 2021-05-06 04:49:34 +12:00			`const existing = await getGlobalUserByEmail(email)`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`if (existing) {`
			`ctx.throw(400, "Email address already in use.")`
			`}`
Formatting. 2021-05-12 02:24:17 +12:00			`await sendEmail(email, EmailTemplatePurpose.INVITATION, {`
			`subject: "{{ company }} platform invitation",`
			`})`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`ctx.body = {`
Formatting. 2021-05-06 02:19:44 +12:00			`message: "Invitation has been sent.",`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`}`
Finalising the usage of redis in the password reset and invitation systems. 2021-05-06 02:10:28 +12:00			`}`

			`exports.inviteAccept = async ctx => {`
Adding the ability to get all apps, with the status attached. 2021-05-20 02:09:57 +12:00			`const { inviteCode, password, firstName, lastName } = ctx.request.body`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`try {`
			`const email = await checkInviteCode(inviteCode)`
Adding the ability to get all apps, with the status attached. 2021-05-20 02:09:57 +12:00			`// only pass through certain props for accepting`
			`ctx.request.body = {`
			`firstName,`
			`lastName,`
			`password,`
			`email,`
			`}`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`// this will flesh out the body response`
			`await exports.save(ctx)`
			`} catch (err) {`
			`ctx.throw(400, "Unable to create new user, invitation invalid.")`
Finalising the usage of redis in the password reset and invitation systems. 2021-05-06 02:10:28 +12:00			`}`
			`}`