budibase/packages/server/src/api/controllers/auth.js

const jwt = require("jsonwebtoken")
const CouchDB = require("../../db")
const bcrypt = require("../../utilities/bcrypt")
const env = require("../../environment")
const { getAPIKey } = require("../../utilities/usageQuota")
const { generateUserMetadataID } = require("../../db/utils")
const { setCookie } = require("../../utilities")
const { outputProcessing } = require("../../utilities/rowProcessor")
const { InternalTables } = require("../../db/utils")
const { UserStatus } = require("@budibase/auth")
const { getFullUser } = require("../../utilities/users")

const INVALID_ERR = "Invalid Credentials"

exports.authenticate = async ctx => {
  const appId = ctx.appId
  if (!appId) ctx.throw(400, "No appId")

  const { email, password } = ctx.request.body

  if (!email) ctx.throw(400, "Email Required.")
  if (!password) ctx.throw(400, "Password Required.")

  // Check the user exists in the instance DB by email
  const db = new CouchDB(appId)
  const app = await db.get(appId)

  let dbUser
  try {
    dbUser = await db.get(generateUserMetadataID(email))
  } catch (_) {
    // do not want to throw a 404 - as this could be
    // used to determine valid emails
    ctx.throw(401, INVALID_ERR)
  }

  // check that the user is currently inactive, if this is the case throw invalid
  if (dbUser.status === UserStatus.INACTIVE) {
    ctx.throw(401, INVALID_ERR)
  }

  // authenticate
  if (await bcrypt.compare(password, dbUser.password)) {
    const payload = {
      userId: dbUser._id,
      roleId: dbUser.roleId,
      version: app.version,
    }
    // if in prod add the user api key, unless self hosted
    /* istanbul ignore next */
    if (env.isProd() && !env.SELF_HOSTED) {
      const { apiKey } = await getAPIKey(ctx.appId)
      payload.apiKey = apiKey
    }

    const token = jwt.sign(payload, ctx.config.jwtSecret, {
      expiresIn: "1 day",
    })

    setCookie(ctx, token, appId)

    delete dbUser.password
    ctx.body = {
      token,
      ...dbUser,
      appId,
    }
  } else {
    ctx.throw(401, INVALID_ERR)
  }
}

exports.fetchSelf = async ctx => {
  const { userId, appId } = ctx.user
  /* istanbul ignore next */
  if (!userId || !appId) {
    ctx.body = {}
    return
  }
  const db = new CouchDB(appId)
  const user = await getFullUser({ ctx, userId: userId })
  const userTable = await db.get(InternalTables.USER_METADATA)
  if (user) {
    delete user.password
  }
  // specifically needs to make sure is enriched
  ctx.body = await outputProcessing(appId, userTable, user)
}
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const jwt = require("jsonwebtoken")`
			`const CouchDB = require("../../db")`
			`const bcrypt = require("../../utilities/bcrypt")`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-29 09:35:06 +13:00			`const env = require("../../environment")`
Fixing up middleware to handle uploads, views, records, automation runs and users. 2020-10-08 05:56:47 +13:00			`const { getAPIKey } = require("../../utilities/usageQuota")`
Global users now working through the server, all requests proxied. 2021-04-10 02:11:49 +12:00			`const { generateUserMetadataID } = require("../../db/utils")`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-04 02:45:49 +13:00			`const { setCookie } = require("../../utilities")`
Updating the self auth endpoint to use the row processor. 2021-02-19 23:32:24 +13:00			`const { outputProcessing } = require("../../utilities/rowProcessor")`
Updating some test cases to work with new system. 2021-04-10 04:33:21 +12:00			`const { InternalTables } = require("../../db/utils")`
First pass of global user configuration through existing user API with role mappings. 2021-04-09 03:58:33 +12:00			`const { UserStatus } = require("@budibase/auth")`
Updating fetch self to get the global user as well as local metadata. 2021-04-13 02:54:14 +12:00			`const { getFullUser } = require("../../utilities/users")`
correct resource paths 2020-04-08 07:34:21 +12:00
Adding the ability to set whether a user is active or not rather than deleting them, stops them from being able to log in to the system. 2021-02-23 00:39:58 +13:00			`const INVALID_ERR = "Invalid Credentials"`

pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`exports.authenticate = async ctx => {`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-04 02:45:49 +13:00			`const appId = ctx.appId`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 23:28:27 +13:00			`if (!appId) ctx.throw(400, "No appId")`
removal of appRoot - appId comes in cookie 2020-06-13 07:42:55 +12:00
email as default user identifier 2020-12-05 01:22:45 +13:00			`const { email, password } = ctx.request.body`
backend allowing creation of models, records and databases 2020-04-21 03:17:11 +12:00
email as default user identifier 2020-12-05 01:22:45 +13:00			`if (!email) ctx.throw(400, "Email Required.")`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-29 09:35:06 +13:00			`if (!password) ctx.throw(400, "Password Required.")`
development setup, adding data components 2020-05-06 21:33:30 +12:00
email as default user identifier 2020-12-05 01:22:45 +13:00			`// Check the user exists in the instance DB by email`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 23:28:27 +13:00			`const db = new CouchDB(appId)`
			`const app = await db.get(appId)`
development setup, adding data components 2020-05-06 21:33:30 +12:00
access levels 2020-05-28 04:23:01 +12:00			`let dbUser`
			`try {`
Global users now working through the server, all requests proxied. 2021-04-10 02:11:49 +12:00			`dbUser = await db.get(generateUserMetadataID(email))`
access levels 2020-05-28 04:23:01 +12:00			`} catch (_) {`
			`// do not want to throw a 404 - as this could be`
email as default user identifier 2020-12-05 01:22:45 +13:00			`// used to determine valid emails`
Adding the ability to set whether a user is active or not rather than deleting them, stops them from being able to log in to the system. 2021-02-23 00:39:58 +13:00			`ctx.throw(401, INVALID_ERR)`
			`}`

Switching user activity state to an options field rather than boolean (more extensible). 2021-02-23 01:29:49 +13:00			`// check that the user is currently inactive, if this is the case throw invalid`
			`if (dbUser.status === UserStatus.INACTIVE) {`
Adding the ability to set whether a user is active or not rather than deleting them, stops them from being able to log in to the system. 2021-02-23 00:39:58 +13:00			`ctx.throw(401, INVALID_ERR)`
access levels 2020-05-28 04:23:01 +12:00			`}`
development setup, adding data components 2020-05-06 21:33:30 +12:00
			`// authenticate`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`if (await bcrypt.compare(password, dbUser.password)) {`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const payload = {`
			`userId: dbUser._id,`
Changing the naming of access levels to be roles. 2020-12-03 02:20:56 +13:00			`roleId: dbUser.roleId,`
Linting and fixing client test case, have to mock getAppId as the location will never be set during testing. 2020-11-04 03:30:20 +13:00			`version: app.version,`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`}`
Getting rid of the CLOUD environment variable, this makes no sense anymore, now there is isDev() and isProd() which will work out the current state of the cluster. 2021-03-25 07:21:23 +13:00			`// if in prod add the user api key, unless self hosted`
Adding auth tests. 2021-03-11 01:20:07 +13:00			`/* istanbul ignore next */`
Getting rid of the CLOUD environment variable, this makes no sense anymore, now there is isDev() and isProd() which will work out the current state of the cluster. 2021-03-25 07:21:23 +13:00			`if (env.isProd() && !env.SELF_HOSTED) {`
Removing use of the , replacing to ctx.appId to make it clear appId not part of the auth. 2021-03-30 05:32:05 +13:00			`const { apiKey } = await getAPIKey(ctx.appId)`
deployment API usage complete 2020-10-10 09:42:20 +13:00			`payload.apiKey = apiKey`
First work towards implementing Dynamo usage in the server when running in the cloud; this is for tracking usage against API keys. 2020-10-07 07:13:41 +13:00			`}`
Auth working 2020-05-07 07:29:47 +12:00
			`const token = jwt.sign(payload, ctx.config.jwtSecret, {`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`expiresIn: "1 day",`
			`})`
removed core library 2020-05-07 07:49:21 +12:00
This commit includes some fixes for a few auth issues I found when I was working on this and a static page which shows the self hosting info to get the user going (if they end up there). 2021-01-29 07:30:59 +13:00			`setCookie(ctx, token, appId)`
Auth working 2020-05-07 07:29:47 +12:00
Some more re-work, more testing needed to auth stuff. 2020-11-03 09:14:10 +13:00			`delete dbUser.password`
development setup, adding data components 2020-05-06 21:33:30 +12:00			`ctx.body = {`
			`token,`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`...dbUser,`
Some more re-work, more testing needed to auth stuff. 2020-11-03 09:14:10 +13:00			`appId,`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`} else {`
Adding the ability to set whether a user is active or not rather than deleting them, stops them from being able to log in to the system. 2021-02-23 00:39:58 +13:00			`ctx.throw(401, INVALID_ERR)`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`}`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`}`
Add current user bindings, and current user relationships as data sources 2021-01-29 03:29:35 +13:00
			`exports.fetchSelf = async ctx => {`
			`const { userId, appId } = ctx.user`
Adding auth tests. 2021-03-11 01:20:07 +13:00			`/* istanbul ignore next */`
Add current user bindings, and current user relationships as data sources 2021-01-29 03:29:35 +13:00			`if (!userId \|\| !appId) {`
			`ctx.body = {}`
Updating the self auth endpoint to use the row processor. 2021-02-19 23:32:24 +13:00			`return`
			`}`
			`const db = new CouchDB(appId)`
Updating fetch self to get the global user as well as local metadata. 2021-04-13 02:54:14 +12:00			`const user = await getFullUser({ ctx, userId: userId })`
Updating some test cases to work with new system. 2021-04-10 04:33:21 +12:00			`const userTable = await db.get(InternalTables.USER_METADATA)`
Updating the self auth endpoint to use the row processor. 2021-02-19 23:32:24 +13:00			`if (user) {`
			`delete user.password`
Add current user bindings, and current user relationships as data sources 2021-01-29 03:29:35 +13:00			`}`
Updating the self auth endpoint to use the row processor. 2021-02-19 23:32:24 +13:00			`// specifically needs to make sure is enriched`
			`ctx.body = await outputProcessing(appId, userTable, user)`
Add current user bindings, and current user relationships as data sources 2021-01-29 03:29:35 +13:00			`}`