budibase/packages/server/src/api/controllers/auth.js

const jwt = require("jsonwebtoken")
const CouchDB = require("../../db")
const bcrypt = require("../../utilities/bcrypt")
const env = require("../../environment")
const { getAPIKey } = require("../../utilities/usageQuota")
const { generateUserID } = require("../../db/utils")
const { setCookie } = require("../../utilities")

exports.authenticate = async ctx => {
  const appId = ctx.appId
  if (!appId) ctx.throw(400, "No appId")

  const { email, password } = ctx.request.body

  if (!email) ctx.throw(400, "Email Required.")
  if (!password) ctx.throw(400, "Password Required.")

  // Check the user exists in the instance DB by email
  const db = new CouchDB(appId)
  const app = await db.get(appId)

  let dbUser
  try {
    dbUser = await db.get(generateUserID(email))
  } catch (_) {
    // do not want to throw a 404 - as this could be
    // used to determine valid emails
    ctx.throw(401, "Invalid Credentials")
  }

  // authenticate
  if (await bcrypt.compare(password, dbUser.password)) {
    const payload = {
      userId: dbUser._id,
      roleId: dbUser.roleId,
      version: app.version,
    }
    // if in cloud add the user api key, unless self hosted
    if (env.CLOUD && !env.SELF_HOSTED) {
      const { apiKey } = await getAPIKey(ctx.user.appId)
      payload.apiKey = apiKey
    }

    const token = jwt.sign(payload, ctx.config.jwtSecret, {
      expiresIn: "1 day",
    })

    setCookie(ctx, appId, token)

    delete dbUser.password
    ctx.body = {
      token,
      ...dbUser,
      appId,
    }
  } else {
    ctx.throw(401, "Invalid credentials.")
  }
}
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const jwt = require("jsonwebtoken")`
			`const CouchDB = require("../../db")`
			`const bcrypt = require("../../utilities/bcrypt")`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-29 09:35:06 +13:00			`const env = require("../../environment")`
Fixing up middleware to handle uploads, views, records, automation runs and users. 2020-10-08 05:56:47 +13:00			`const { getAPIKey } = require("../../utilities/usageQuota")`
Fix for an issue detected by user test case. 2020-10-03 00:52:15 +13:00			`const { generateUserID } = require("../../db/utils")`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-04 02:45:49 +13:00			`const { setCookie } = require("../../utilities")`
correct resource paths 2020-04-08 07:34:21 +12:00
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`exports.authenticate = async ctx => {`
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-04 02:45:49 +13:00			`const appId = ctx.appId`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 23:28:27 +13:00			`if (!appId) ctx.throw(400, "No appId")`
removal of appRoot - appId comes in cookie 2020-06-13 07:42:55 +12:00
email as default user identifier 2020-12-05 01:22:45 +13:00			`const { email, password } = ctx.request.body`
backend allowing creation of models, records and databases 2020-04-21 03:17:11 +12:00
email as default user identifier 2020-12-05 01:22:45 +13:00			`if (!email) ctx.throw(400, "Email Required.")`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-29 09:35:06 +13:00			`if (!password) ctx.throw(400, "Password Required.")`
development setup, adding data components 2020-05-06 21:33:30 +12:00
email as default user identifier 2020-12-05 01:22:45 +13:00			`// Check the user exists in the instance DB by email`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 23:28:27 +13:00			`const db = new CouchDB(appId)`
			`const app = await db.get(appId)`
development setup, adding data components 2020-05-06 21:33:30 +12:00
access levels 2020-05-28 04:23:01 +12:00			`let dbUser`
			`try {`
email as default user identifier 2020-12-05 01:22:45 +13:00			`dbUser = await db.get(generateUserID(email))`
access levels 2020-05-28 04:23:01 +12:00			`} catch (_) {`
			`// do not want to throw a 404 - as this could be`
email as default user identifier 2020-12-05 01:22:45 +13:00			`// used to determine valid emails`
access levels 2020-05-28 04:23:01 +12:00			`ctx.throw(401, "Invalid Credentials")`
			`}`
development setup, adding data components 2020-05-06 21:33:30 +12:00
			`// authenticate`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`if (await bcrypt.compare(password, dbUser.password)) {`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`const payload = {`
			`userId: dbUser._id,`
Changing the naming of access levels to be roles. 2020-12-03 02:20:56 +13:00			`roleId: dbUser.roleId,`
Linting and fixing client test case, have to mock getAppId as the location will never be set during testing. 2020-11-04 03:30:20 +13:00			`version: app.version,`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`}`
Update after testing, it is now possible to make a deployment to a self hosted environment. Some work still required, better authentication around MINIO deployment, currently the bucket is set to public read and there is no signing/verification to the upload process, also right now four different URLs are needed for the builder to connect correctly, ideally this shouldn't be the case. 2020-12-19 01:54:20 +13:00			`// if in cloud add the user api key, unless self hosted`
			`if (env.CLOUD && !env.SELF_HOSTED) {`
deployment API usage complete 2020-10-10 09:42:20 +13:00			`const { apiKey } = await getAPIKey(ctx.user.appId)`
			`payload.apiKey = apiKey`
First work towards implementing Dynamo usage in the server when running in the cloud; this is for tracking usage against API keys. 2020-10-07 07:13:41 +13:00			`}`
Auth working 2020-05-07 07:29:47 +12:00
			`const token = jwt.sign(payload, ctx.config.jwtSecret, {`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`expiresIn: "1 day",`
			`})`
removed core library 2020-05-07 07:49:21 +12:00
Further work towards the re-implementation of auth, changing how the appId is determined, now it mainly will use a header, and a cookie which will be written to store the current status of appId. 2020-11-04 02:45:49 +13:00			`setCookie(ctx, appId, token)`
Auth working 2020-05-07 07:29:47 +12:00
Some more re-work, more testing needed to auth stuff. 2020-11-03 09:14:10 +13:00			`delete dbUser.password`
development setup, adding data components 2020-05-06 21:33:30 +12:00			`ctx.body = {`
			`token,`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`...dbUser,`
Some more re-work, more testing needed to auth stuff. 2020-11-03 09:14:10 +13:00			`appId,`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`}`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`} else {`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`ctx.throw(401, "Invalid credentials.")`
pouchDB integration, use app id instead of app name for keying app packages 2020-04-24 01:37:08 +12:00			`}`
formatting + fixing builder tests 2020-05-07 21:53:34 +12:00			`}`