budibase/packages/server/src/middleware/authorized.js

const { getUserPermissions } = require("@budibase/auth/roles")
const {
  PermissionTypes,
  doesHaveResourcePermission,
  doesHaveBasePermission,
} = require("@budibase/auth/permissions")
const builderMiddleware = require("./builder")

function hasResource(ctx) {
  return ctx.resourceId != null
}

const WEBHOOK_ENDPOINTS = new RegExp(
  ["webhooks/trigger", "webhooks/schema"].join("|")
)

module.exports =
  (permType, permLevel = null) =>
  async (ctx, next) => {
    // webhooks don't need authentication, each webhook unique
    if (WEBHOOK_ENDPOINTS.test(ctx.request.url)) {
      return next()
    }

    if (!ctx.user) {
      return ctx.throw(403, "No user info found")
    }

    // check general builder stuff, this middleware is a good way
    // to find API endpoints which are builder focused
    await builderMiddleware(ctx, permType)

    const isAuthed = ctx.isAuthenticated
    const { basePermissions, permissions } = await getUserPermissions(
      ctx.appId,
      ctx.roleId
    )

    // builders for now have permission to do anything
    // TODO: in future should consider separating permissions with an require("@budibase/auth").isClient check
    let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global
    const isBuilderApi = permType === PermissionTypes.BUILDER
    if (isBuilder) {
      return next()
    } else if (isBuilderApi && !isBuilder) {
      return ctx.throw(403, "Not Authorized")
    }

    if (
      hasResource(ctx) &&
      doesHaveResourcePermission(permissions, permLevel, ctx)
    ) {
      return next()
    }

    if (!isAuthed) {
      ctx.throw(403, "Session not authenticated")
    }

    if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {
      ctx.throw(403, "User does not have permission")
    }

    return next()
  }
A general re-work of some parts of the auth lib, as well as moving roles/permissions around to make it possible to build an admin API which has role knowledge. 2021-05-15 02:43:41 +12:00			`const { getUserPermissions } = require("@budibase/auth/roles")`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`const {`
			`PermissionTypes,`
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`doesHaveResourcePermission,`
			`doesHaveBasePermission,`
A general re-work of some parts of the auth lib, as well as moving roles/permissions around to make it possible to build an admin API which has role knowledge. 2021-05-15 02:43:41 +12:00			`} = require("@budibase/auth/permissions")`
Adding a debounced updated at timestamp to applications. 2021-05-22 00:07:10 +12:00			`const builderMiddleware = require("./builder")`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`function hasResource(ctx) {`
			`return ctx.resourceId != null`
			`}`

Some work towards implementing the current app cookie, removing some old dead code and re-working some of the different middlewares involved. 2021-04-13 05:31:58 +12:00			`const WEBHOOK_ENDPOINTS = new RegExp(`
			`["webhooks/trigger", "webhooks/schema"].join("\|")`
			`)`
support for external webhooks 2020-10-12 23:57:37 +13:00
Lint with prettier 2021-06-16 06:39:40 +12:00			`module.exports =`
			`(permType, permLevel = null) =>`
			`async (ctx, next) => {`
			`// webhooks don't need authentication, each webhook unique`
			`if (WEBHOOK_ENDPOINTS.test(ctx.request.url)) {`
			`return next()`
			`}`
support for external webhooks 2020-10-12 23:57:37 +13:00
Lint with prettier 2021-06-16 06:39:40 +12:00			`if (!ctx.user) {`
			`return ctx.throw(403, "No user info found")`
			`}`
instanceid removal 2020-06-19 03:59:31 +12:00
Lint with prettier 2021-06-16 06:39:40 +12:00			`// check general builder stuff, this middleware is a good way`
			`// to find API endpoints which are builder focused`
			`await builderMiddleware(ctx, permType)`
access levels 2020-05-28 04:23:01 +12:00
Lint with prettier 2021-06-16 06:39:40 +12:00			`const isAuthed = ctx.isAuthenticated`
			`const { basePermissions, permissions } = await getUserPermissions(`
			`ctx.appId,`
			`ctx.roleId`
			`)`
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00
Lint with prettier 2021-06-16 06:39:40 +12:00			`// builders for now have permission to do anything`
			`// TODO: in future should consider separating permissions with an require("@budibase/auth").isClient check`
			`let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global`
			`const isBuilderApi = permType === PermissionTypes.BUILDER`
			`if (isBuilder) {`
			`return next()`
			`} else if (isBuilderApi && !isBuilder) {`
			`return ctx.throw(403, "Not Authorized")`
			`}`
Adding basic permissions test which proves a public user can read from a table, but cannot write. 2021-02-10 06:24:36 +13:00
Lint with prettier 2021-06-16 06:39:40 +12:00			`if (`
			`hasResource(ctx) &&`
			`doesHaveResourcePermission(permissions, permLevel, ctx)`
			`) {`
			`return next()`
			`}`
access levels 2020-05-28 04:23:01 +12:00
Lint with prettier 2021-06-16 06:39:40 +12:00			`if (!isAuthed) {`
			`ctx.throw(403, "Session not authenticated")`
			`}`

			`if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {`
			`ctx.throw(403, "User does not have permission")`
			`}`

			`return next()`
			`}`