budibase/packages/auth/src/middleware/authenticated.js

const { Cookies } = require("../constants")
const database = require("../db")
const { getCookie, clearCookie } = require("../utils")
const { StaticDatabases } = require("../db/utils")
const env = require("../environment")

const PARAM_REGEX = /\/:(.*?)\//g

function buildNoAuthRegex(patterns) {
  return patterns.map(pattern => {
    const isObj = typeof pattern === "object" && pattern.route
    const method = isObj ? pattern.method : "GET"
    let route = isObj ? pattern.route : pattern

    const matches = route.match(PARAM_REGEX)
    if (matches) {
      for (let match of matches) {
        route = route.replace(match, "/.*/")
      }
    }
    return { regex: new RegExp(route), method }
  })
}

function finalise(ctx, { authenticated, user, internal } = {}) {
  ctx.isAuthenticated = authenticated || false
  ctx.user = user
  ctx.internal = internal || false
}

module.exports = (noAuthPatterns = [], opts) => {
  const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
  return async (ctx, next) => {
    // the path is not authenticated
    const found = noAuthOptions.find(({ regex, method }) => {
      return (
        regex.test(ctx.request.url) &&
        ctx.request.method.toLowerCase() === method.toLowerCase()
      )
    })
    if (found != null) {
      return next()
    }
    try {
      // check the actual user is authenticated first
      const authCookie = getCookie(ctx, Cookies.Auth)
      let authenticated = false,
        user = null,
        internal = false
      if (authCookie) {
        try {
          const db = database.getDB(StaticDatabases.GLOBAL.name)
          user = await db.get(authCookie.userId)
          delete user.password
          authenticated = true
        } catch (err) {
          // remove the cookie as the use does not exist anymore
          clearCookie(ctx, Cookies.Auth)
        }
      }
      const apiKey = ctx.request.headers["x-budibase-api-key"]
      // this is an internal request, no user made it
      if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
        authenticated = true
        internal = true
      }
      // be explicit
      if (authenticated !== true) {
        authenticated = false
      }
      // isAuthenticated is a function, so use a variable to be able to check authed state
      finalise(ctx, { authenticated, user, internal })
      return next()
    } catch (err) {
      // allow configuring for public access
      if (opts && opts.publicAllowed) {
        finalise(ctx, { authenticated: false })
      } else {
        ctx.throw(err.status || 403, err)
      }
    }
  }
}
login page 2021-04-11 22:35:55 +12:00			`const { Cookies } = require("../constants")`
config specificity 2021-04-22 22:45:22 +12:00			`const database = require("../db")`
Updating test cases and some re-work of the email system. 2021-04-24 05:07:39 +12:00			`const { getCookie, clearCookie } = require("../utils")`
config specificity 2021-04-22 22:45:22 +12:00			`const { StaticDatabases } = require("../db/utils")`
Some updates, working towards supporting automation send smtp email also removing the styling template, adding to base. 2021-05-11 23:02:29 +12:00			`const env = require("../environment")`
login page 2021-04-11 22:35:55 +12:00
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-29 05:13:21 +12:00			`const PARAM_REGEX = /\/:(.*?)\//g`
Fixing login issue. 2021-04-29 01:28:25 +12:00
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-29 05:13:21 +12:00			`function buildNoAuthRegex(patterns) {`
			`return patterns.map(pattern => {`
			`const isObj = typeof pattern === "object" && pattern.route`
			`const method = isObj ? pattern.method : "GET"`
			`let route = isObj ? pattern.route : pattern`

			`const matches = route.match(PARAM_REGEX)`
			`if (matches) {`
			`for (let match of matches) {`
			`route = route.replace(match, "/.*/")`
			`}`
			`}`
			`return { regex: new RegExp(route), method }`
			`})`
Fixing login issue. 2021-04-29 01:28:25 +12:00			`}`

Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`function finalise(ctx, { authenticated, user, internal } = {}) {`
			`ctx.isAuthenticated = authenticated \|\| false`
			`ctx.user = user`
			`ctx.internal = internal \|\| false`
			`}`

Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-29 05:13:21 +12:00			`module.exports = (noAuthPatterns = [], opts) => {`
			`const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`return async (ctx, next) => {`
			`// the path is not authenticated`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-29 05:13:21 +12:00			`const found = noAuthOptions.find(({ regex, method }) => {`
			`return (`
			`regex.test(ctx.request.url) &&`
			`ctx.request.method.toLowerCase() === method.toLowerCase()`
			`)`
			`})`
			`if (found != null) {`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`return next()`
login page 2021-04-11 22:35:55 +12:00			`}`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`try {`
			`// check the actual user is authenticated first`
			`const authCookie = getCookie(ctx, Cookies.Auth)`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`let authenticated = false,`
			`user = null,`
			`internal = false`
			`if (authCookie) {`
Updating test cases and some re-work of the email system. 2021-04-24 05:07:39 +12:00			`try {`
			`const db = database.getDB(StaticDatabases.GLOBAL.name)`
Fixing issues discovered by cypress tests. 2021-06-22 05:37:14 +12:00			`user = await db.get(authCookie.userId)`
			`delete user.password`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`authenticated = true`
Updating test cases and some re-work of the email system. 2021-04-24 05:07:39 +12:00			`} catch (err) {`
			`// remove the cookie as the use does not exist anymore`
			`clearCookie(ctx, Cookies.Auth)`
			`}`
			`}`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`const apiKey = ctx.request.headers["x-budibase-api-key"]`
			`// this is an internal request, no user made it`
			`if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {`
			`authenticated = true`
			`internal = true`
			`}`
Updating test cases and some re-work of the email system. 2021-04-24 05:07:39 +12:00			`// be explicit`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`if (authenticated !== true) {`
			`authenticated = false`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`}`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`// isAuthenticated is a function, so use a variable to be able to check authed state`
			`finalise(ctx, { authenticated, user, internal })`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`return next()`
			`} catch (err) {`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-29 05:13:21 +12:00			`// allow configuring for public access`
			`if (opts && opts.publicAllowed) {`
Fixing authentication with API key issue. 2021-06-22 04:13:06 +12:00			`finalise(ctx, { authenticated: false })`
Updating auth middleware to accomodate public endpoints for the server properly and some refactoring. 2021-04-29 05:13:21 +12:00			`} else {`
			`ctx.throw(err.status \|\| 403, err)`
			`}`
Some re-work of the auth package, making it a bit easier to use/less likely to make a mistake. 2021-04-22 03:42:44 +12:00			`}`
login page 2021-04-11 22:35:55 +12:00			`}`
			`}`