budibase/packages/server/src/middleware/authorized.js

const {
  getUserRoleHierarchy,
  getRequiredResourceRole,
  BUILTIN_ROLE_IDS,
} = require("@budibase/backend-core/roles")
const {
  PermissionTypes,
  doesHaveBasePermission,
} = require("@budibase/backend-core/permissions")
const builderMiddleware = require("./builder")
const { isWebhookEndpoint } = require("./utils")
const { buildCsrfMiddleware } = require("@budibase/backend-core/auth")
const { getAppId } = require("@budibase/backend-core/context")

function hasResource(ctx) {
  return ctx.resourceId != null
}

const csrf = buildCsrfMiddleware()

/**
 * Apply authorization to the requested resource:
 * - If this is a builder resource the user must be a builder.
 * - Builders can access all resources.
 * - Otherwise the user must have the required role.
 */
const checkAuthorized = async (ctx, resourceRoles, permType, permLevel) => {
  // check if this is a builder api and the user is not a builder
  const isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global
  const isBuilderApi = permType === PermissionTypes.BUILDER
  if (isBuilderApi && !isBuilder) {
    return ctx.throw(403, "Not Authorized")
  }

  // check for resource authorization
  if (!isBuilder) {
    await checkAuthorizedResource(ctx, resourceRoles, permType, permLevel)
  }
}

const checkAuthorizedResource = async (
  ctx,
  resourceRoles,
  permType,
  permLevel
) => {
  // get the user's roles
  const roleId = ctx.roleId || BUILTIN_ROLE_IDS.PUBLIC
  const userRoles = await getUserRoleHierarchy(roleId, {
    idOnly: false,
  })
  const permError = "User does not have permission"
  // check if the user has the required role
  if (resourceRoles.length > 0) {
    // deny access if the user doesn't have the required resource role
    const found = userRoles.find(role => resourceRoles.indexOf(role._id) !== -1)
    if (!found) {
      ctx.throw(403, permError)
    }
    // fallback to the base permissions when no resource roles are found
  } else if (!doesHaveBasePermission(permType, permLevel, userRoles)) {
    ctx.throw(403, permError)
  }
}

module.exports =
  (permType, permLevel = null) =>
  async (ctx, next) => {
    // webhooks don't need authentication, each webhook unique
    // also internal requests (between services) don't need authorized
    if (isWebhookEndpoint(ctx) || ctx.internal) {
      return next()
    }

    if (!ctx.user) {
      return ctx.throw(403, "No user info found")
    }

    // check general builder stuff, this middleware is a good way
    // to find API endpoints which are builder focused
    await builderMiddleware(ctx, permType)

    // get the resource roles
    let resourceRoles = []
    const appId = getAppId()
    if (appId && hasResource(ctx)) {
      resourceRoles = await getRequiredResourceRole(permLevel, ctx)
    }

    // if the resource is public, proceed
    const isPublicResource = resourceRoles.includes(BUILTIN_ROLE_IDS.PUBLIC)
    if (isPublicResource) {
      return next()
    }

    // check authenticated
    if (!ctx.isAuthenticated) {
      return ctx.throw(403, "Session not authenticated")
    }

    // check authorized
    await checkAuthorized(ctx, resourceRoles, permType, permLevel)

    // csrf protection
    return csrf(ctx, next)
  }
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-16 02:48:26 +13:00			`const {`
			`getUserRoleHierarchy,`
			`getRequiredResourceRole,`
			`BUILTIN_ROLE_IDS,`
Switching out @budibase/auth to @budibase/backend-core. 2022-01-11 08:33:00 +13:00			`} = require("@budibase/backend-core/roles")`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`const {`
			`PermissionTypes,`
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`doesHaveBasePermission,`
Switching out @budibase/auth to @budibase/backend-core. 2022-01-11 08:33:00 +13:00			`} = require("@budibase/backend-core/permissions")`
Adding a debounced updated at timestamp to applications. 2021-05-22 00:07:10 +12:00			`const builderMiddleware = require("./builder")`
Fixing an issue with webhooks, couldn't use them in development (like getting schema) and making sure trigger will always use production app #3143. 2021-11-04 03:08:47 +13:00			`const { isWebhookEndpoint } = require("./utils")`
Add CSRF Token 2022-01-26 11:54:50 +13:00			`const { buildCsrfMiddleware } = require("@budibase/backend-core/auth")`
Merge branch 'develop' of github.com:Budibase/budibase into lab-day/refactor-app-db 2022-02-01 03:09:07 +13:00			`const { getAppId } = require("@budibase/backend-core/context")`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`function hasResource(ctx) {`
			`return ctx.resourceId != null`
			`}`

Add CSRF Token 2022-01-26 11:54:50 +13:00			`const csrf = buildCsrfMiddleware()`

			`/**`
			`* Apply authorization to the requested resource:`
			`* - If this is a builder resource the user must be a builder.`
			`* - Builders can access all resources.`
			`* - Otherwise the user must have the required role.`
			`*/`
			`const checkAuthorized = async (ctx, resourceRoles, permType, permLevel) => {`
			`// check if this is a builder api and the user is not a builder`
			`const isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global`
			`const isBuilderApi = permType === PermissionTypes.BUILDER`
			`if (isBuilderApi && !isBuilder) {`
			`return ctx.throw(403, "Not Authorized")`
			`}`

			`// check for resource authorization`
			`if (!isBuilder) {`
			`await checkAuthorizedResource(ctx, resourceRoles, permType, permLevel)`
			`}`
			`}`

			`const checkAuthorizedResource = async (`
			`ctx,`
			`resourceRoles,`
			`permType,`
			`permLevel`
			`) => {`
			`// get the user's roles`
			`const roleId = ctx.roleId \|\| BUILTIN_ROLE_IDS.PUBLIC`
Merge branch 'develop' of github.com:Budibase/budibase into lab-day/refactor-app-db 2022-02-01 03:09:07 +13:00			`const userRoles = await getUserRoleHierarchy(roleId, {`
Add CSRF Token 2022-01-26 11:54:50 +13:00			`idOnly: false,`
			`})`
			`const permError = "User does not have permission"`
			`// check if the user has the required role`
			`if (resourceRoles.length > 0) {`
			`// deny access if the user doesn't have the required resource role`
			`const found = userRoles.find(role => resourceRoles.indexOf(role._id) !== -1)`
			`if (!found) {`
			`ctx.throw(403, permError)`
			`}`
			`// fallback to the base permissions when no resource roles are found`
			`} else if (!doesHaveBasePermission(permType, permLevel, userRoles)) {`
			`ctx.throw(403, permError)`
			`}`
			`}`

Lint with prettier 2021-06-16 06:39:40 +12:00			`module.exports =`
			`(permType, permLevel = null) =>`
			`async (ctx, next) => {`
			`// webhooks don't need authentication, each webhook unique`
Adding the sync call from the worker for creation, updating and deletion of users. Making sure that production and development apps are always up to date with user metadata. 2021-11-05 03:53:03 +13:00			`// also internal requests (between services) don't need authorized`
Merge branch 'develop' of github.com:Budibase/budibase into fix/user-metadata 2021-11-09 06:28:32 +13:00			`if (isWebhookEndpoint(ctx) \|\| ctx.internal) {`
Lint with prettier 2021-06-16 06:39:40 +12:00			`return next()`
			`}`
support for external webhooks 2020-10-12 23:57:37 +13:00
Lint with prettier 2021-06-16 06:39:40 +12:00			`if (!ctx.user) {`
			`return ctx.throw(403, "No user info found")`
			`}`
instanceid removal 2020-06-19 03:59:31 +12:00
Lint with prettier 2021-06-16 06:39:40 +12:00			`// check general builder stuff, this middleware is a good way`
			`// to find API endpoints which are builder focused`
			`await builderMiddleware(ctx, permType)`
access levels 2020-05-28 04:23:01 +12:00
Add CSRF Token 2022-01-26 11:54:50 +13:00			`// get the resource roles`
			`let resourceRoles = []`
Merge branch 'develop' of github.com:Budibase/budibase into lab-day/refactor-app-db 2022-02-01 03:09:07 +13:00			`const appId = getAppId()`
			`if (appId && hasResource(ctx)) {`
			`resourceRoles = await getRequiredResourceRole(permLevel, ctx)`
Lint with prettier 2021-06-16 06:39:40 +12:00			`}`
Adding basic permissions test which proves a public user can read from a table, but cannot write. 2021-02-10 06:24:36 +13:00
Add CSRF Token 2022-01-26 11:54:50 +13:00			`// if the resource is public, proceed`
			`const isPublicResource = resourceRoles.includes(BUILTIN_ROLE_IDS.PUBLIC)`
			`if (isPublicResource) {`
			`return next()`
Lint with prettier 2021-06-16 06:39:40 +12:00			`}`
access levels 2020-05-28 04:23:01 +12:00
Add CSRF Token 2022-01-26 11:54:50 +13:00			`// check authenticated`
			`if (!ctx.isAuthenticated) {`
			`return ctx.throw(403, "Session not authenticated")`
Lint with prettier 2021-06-16 06:39:40 +12:00			`}`

Add CSRF Token 2022-01-26 11:54:50 +13:00			`// check authorized`
			`await checkAuthorized(ctx, resourceRoles, permType, permLevel)`

			`// csrf protection`
			`return csrf(ctx, next)`
Lint with prettier 2021-06-16 06:39:40 +12:00			`}`