budibase/packages/server/src/middleware/authorized.js

const {
  BUILTIN_ROLE_IDS,
  getUserPermissions,
} = require("../utilities/security/roles")
const {
  PermissionTypes,
  doesHaveResourcePermission,
  doesHaveBasePermission,
} = require("../utilities/security/permissions")
const env = require("../environment")
const { isAPIKeyValid } = require("../utilities/security/apikey")
const { AuthTypes } = require("../constants")

const ADMIN_ROLES = [BUILTIN_ROLE_IDS.ADMIN, BUILTIN_ROLE_IDS.BUILDER]

function hasResource(ctx) {
  return ctx.resourceId != null
}

module.exports = (permType, permLevel = null) => async (ctx, next) => {
  if (env.isProd() && ctx.headers["x-api-key"] && ctx.headers["x-instanceid"]) {
    // api key header passed by external webhook
    if (await isAPIKeyValid(ctx.headers["x-api-key"])) {
      ctx.auth = {
        authenticated: AuthTypes.EXTERNAL,
        apiKey: ctx.headers["x-api-key"],
      }
      ctx.user = {
        appId: ctx.headers["x-instanceid"],
      }
      return next()
    }

    return ctx.throw(403, "API key invalid")
  }

  if (!ctx.user) {
    return ctx.throw(403, "No user info found")
  }

  const role = ctx.user.role
  const isAdmin = ADMIN_ROLES.includes(role._id)
  // const isAuthed = ctx.auth.authenticated
  const isAuthed = ctx.isAuthenticated

  const { basePermissions, permissions } = await getUserPermissions(
    ctx.appId,
    role._id
  )

  // this may need to change in the future, right now only admins
  // can have access to builder features, this is hard coded into
  // our rules
  // if (isAdmin && isAuthed) {
  //   return next()
  // } else if (permType === PermissionTypes.BUILDER) {
  //   return ctx.throw(403, "Not Authorized")
  // }

  if (
    hasResource(ctx) &&
    doesHaveResourcePermission(permissions, permLevel, ctx)
  ) {
    return next()
  }

  if (!isAuthed) {
    ctx.throw(403, "Session not authenticated")
  }

  if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {
    ctx.throw(403, "User does not have permission")
  }

  return next()
}
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00			`const {`
			`BUILTIN_ROLE_IDS,`
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`getUserPermissions,`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00			`} = require("../utilities/security/roles")`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`const {`
			`PermissionTypes,`
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`doesHaveResourcePermission,`
			`doesHaveBasePermission,`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`} = require("../utilities/security/permissions")`
Initial work into multi-tenancy removal, experiencing issues with test cases at this point. 2020-10-29 09:35:06 +13:00			`const env = require("../environment")`
Updating API key controller in self-host mode to return self host API key. 2020-12-10 06:10:53 +13:00			`const { isAPIKeyValid } = require("../utilities/security/apikey")`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-14 09:33:56 +13:00			`const { AuthTypes } = require("../constants")`
access levels 2020-05-28 04:23:01 +12:00
Changing the naming of access levels to be roles. 2020-12-03 02:20:56 +13:00			`const ADMIN_ROLES = [BUILTIN_ROLE_IDS.ADMIN, BUILTIN_ROLE_IDS.BUILDER]`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`function hasResource(ctx) {`
			`return ctx.resourceId != null`
			`}`

WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`module.exports = (permType, permLevel = null) => async (ctx, next) => {`
Getting rid of the CLOUD environment variable, this makes no sense anymore, now there is isDev() and isProd() which will work out the current state of the cluster. 2021-03-25 07:21:23 +13:00			`if (env.isProd() && ctx.headers["x-api-key"] && ctx.headers["x-instanceid"]) {`
support for external webhooks 2020-10-12 23:57:37 +13:00			`// api key header passed by external webhook`
Updating API key controller in self-host mode to return self host API key. 2020-12-10 06:10:53 +13:00			`if (await isAPIKeyValid(ctx.headers["x-api-key"])) {`
adding auth object to context rather than separate booleans 2020-10-13 01:32:52 +13:00			`ctx.auth = {`
simplify user authentication, remove anon user, fix login cookie issues 2020-10-14 09:33:56 +13:00			`authenticated: AuthTypes.EXTERNAL,`
adding auth object to context rather than separate booleans 2020-10-13 01:32:52 +13:00			`apiKey: ctx.headers["x-api-key"],`
			`}`
support for external webhooks 2020-10-12 23:57:37 +13:00			`ctx.user = {`
Renaming instanceId -> appId to reduce confusion through the system, there only is one ID now. 2020-10-29 23:28:27 +13:00			`appId: ctx.headers["x-instanceid"],`
support for external webhooks 2020-10-12 23:57:37 +13:00			`}`
			`return next()`
			`}`

tests for authorized middleware 2021-03-10 00:27:12 +13:00			`return ctx.throw(403, "API key invalid")`
support for external webhooks 2020-10-12 23:57:37 +13:00			`}`

instanceid removal 2020-06-19 03:59:31 +12:00			`if (!ctx.user) {`
tests for authorized middleware 2021-03-10 00:27:12 +13:00			`return ctx.throw(403, "No user info found")`
instanceid removal 2020-06-19 03:59:31 +12:00			`}`

Changing the naming of access levels to be roles. 2020-12-03 02:20:56 +13:00			`const role = ctx.user.role`
Updating API keys and changing over system to allow use of builder endpoints when running in cloud. 2021-03-23 05:39:11 +13:00			`const isAdmin = ADMIN_ROLES.includes(role._id)`
login page 2021-04-11 22:35:55 +12:00			`// const isAuthed = ctx.auth.authenticated`
			`const isAuthed = ctx.isAuthenticated`
Updating API keys and changing over system to allow use of builder endpoints when running in cloud. 2021-03-23 05:39:11 +13:00
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`const { basePermissions, permissions } = await getUserPermissions(`
			`ctx.appId,`
			`role._id`
			`)`
access levels 2020-05-28 04:23:01 +12:00
Adding basic permissions test which proves a public user can read from a table, but cannot write. 2021-02-10 06:24:36 +13:00			`// this may need to change in the future, right now only admins`
			`// can have access to builder features, this is hard coded into`
			`// our rules`
login page 2021-04-11 22:35:55 +12:00			`// if (isAdmin && isAuthed) {`
			`// return next()`
			`// } else if (permType === PermissionTypes.BUILDER) {`
			`// return ctx.throw(403, "Not Authorized")`
			`// }`
access levels 2020-05-28 04:23:01 +12:00
Some more fixes after testing permissions a bit further. 2021-02-10 05:01:02 +13:00			`if (`
			`hasResource(ctx) &&`
			`doesHaveResourcePermission(permissions, permLevel, ctx)`
			`) {`
			`return next()`
			`}`
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00
Adding basic permissions test which proves a public user can read from a table, but cannot write. 2021-02-10 06:24:36 +13:00			`if (!isAuthed) {`
			`ctx.throw(403, "Session not authenticated")`
			`}`

Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`ctx.throw(403, "User does not have permission")`
			`}`
access levels 2020-05-28 04:23:01 +12:00
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`return next()`
access levels 2020-05-28 04:23:01 +12:00			`}`