budibase/packages/worker/src/api/controllers/admin/users.js

const CouchDB = require("../../../db")
const { generateGlobalUserID, getGlobalUserParams, StaticDatabases } =
  require("@budibase/auth").db
const { hash, getGlobalUserByEmail } = require("@budibase/auth").utils
const { UserStatus, EmailTemplatePurpose } = require("../../../constants")
const { checkInviteCode } = require("../../../utilities/redis")
const { sendEmail } = require("../../../utilities/email")
const { user: userCache } = require("@budibase/auth/cache")
const { invalidateSessions } = require("@budibase/auth/sessions")

const GLOBAL_DB = StaticDatabases.GLOBAL.name

async function allUsers() {
  const db = new CouchDB(GLOBAL_DB)
  const response = await db.allDocs(
    getGlobalUserParams(null, {
      include_docs: true,
    })
  )
  return response.rows.map(row => row.doc)
}

exports.save = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const { email, password, _id } = ctx.request.body

  // make sure another user isn't using the same email
  let dbUser
  if (email) {
    dbUser = await getGlobalUserByEmail(email)
    if (dbUser != null && (dbUser._id !== _id || Array.isArray(dbUser))) {
      ctx.throw(400, "Email address already in use.")
    }
  } else {
    dbUser = await db.get(_id)
  }

  // get the password, make sure one is defined
  let hashedPassword
  if (password) {
    hashedPassword = await hash(password)
  } else if (dbUser) {
    hashedPassword = dbUser.password
  } else {
    ctx.throw(400, "Password must be specified.")
  }

  let user = {
    ...dbUser,
    ...ctx.request.body,
    _id: _id || generateGlobalUserID(),
    password: hashedPassword,
  }
  // make sure the roles object is always present
  if (!user.roles) {
    user.roles = {}
  }
  // add the active status to a user if its not provided
  if (user.status == null) {
    user.status = UserStatus.ACTIVE
  }
  try {
    const response = await db.put({
      password: hashedPassword,
      ...user,
    })
    await userCache.invalidateUser(response.id)
    ctx.body = {
      _id: response.id,
      _rev: response.rev,
      email,
    }
  } catch (err) {
    if (err.status === 409) {
      ctx.throw(400, "User exists already")
    } else {
      ctx.throw(err.status, err)
    }
  }
}

exports.adminUser = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const response = await db.allDocs(
    getGlobalUserParams(null, {
      include_docs: true,
    })
  )

  if (response.rows.some(row => row.doc.admin)) {
    ctx.throw(403, "You cannot initialise once an admin user has been created.")
  }

  const { email, password } = ctx.request.body
  ctx.request.body = {
    email: email,
    password: password,
    roles: {},
    builder: {
      global: true,
    },
    admin: {
      global: true,
    },
  }
  await exports.save(ctx)
}

exports.destroy = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const dbUser = await db.get(ctx.params.id)
  await db.remove(dbUser._id, dbUser._rev)
  await userCache.invalidateUser(dbUser._id)
  await invalidateSessions(dbUser._id)
  ctx.body = {
    message: `User ${ctx.params.id} deleted.`,
  }
}

exports.removeAppRole = async ctx => {
  const { appId } = ctx.params
  const db = new CouchDB(GLOBAL_DB)
  const users = await allUsers()
  const bulk = []
  const cacheInvalidations = []
  for (let user of users) {
    if (user.roles[appId]) {
      cacheInvalidations.push(userCache.invalidateUser(user._id))
      delete user.roles[appId]
      bulk.push(user)
    }
  }
  await db.bulkDocs(bulk)
  await Promise.all(cacheInvalidations)
  ctx.body = {
    message: "App role removed from all users",
  }
}

exports.getSelf = async ctx => {
  if (!ctx.user) {
    ctx.throw(403, "User not logged in")
  }
  ctx.params = {
    id: ctx.user._id,
  }
  // this will set the body
  await exports.find(ctx)
}

exports.updateSelf = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const user = await db.get(ctx.user._id)
  if (ctx.request.body.password) {
    ctx.request.body.password = await hash(ctx.request.body.password)
  }
  // don't allow sending up an ID/Rev, always use the existing one
  delete ctx.request.body._id
  delete ctx.request.body._rev
  const response = await db.put({
    ...user,
    ...ctx.request.body,
  })
  await userCache.invalidateUser(user._id)
  ctx.body = {
    _id: response.id,
    _rev: response.rev,
  }
}

// called internally by app server user fetch
exports.fetch = async ctx => {
  const users = await allUsers()
  // user hashed password shouldn't ever be returned
  for (let user of users) {
    if (user) {
      delete user.password
    }
  }
  ctx.body = users
}

// called internally by app server user find
exports.find = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  let user
  try {
    user = await db.get(ctx.params.id)
  } catch (err) {
    // no user found, just return nothing
    user = {}
  }
  if (user) {
    delete user.password
  }
  ctx.body = user
}

exports.invite = async ctx => {
  const { email, userInfo } = ctx.request.body
  const existing = await getGlobalUserByEmail(email)
  if (existing) {
    ctx.throw(400, "Email address already in use.")
  }
  await sendEmail(email, EmailTemplatePurpose.INVITATION, {
    subject: "{{ company }} platform invitation",
    info: userInfo,
  })
  ctx.body = {
    message: "Invitation has been sent.",
  }
}

exports.inviteAccept = async ctx => {
  const { inviteCode, password, firstName, lastName } = ctx.request.body
  try {
    // info is an extension of the user object that was stored by admin
    const { email, info } = await checkInviteCode(inviteCode)
    // only pass through certain props for accepting
    ctx.request.body = {
      firstName,
      lastName,
      password,
      email,
      ...info,
    }
    // this will flesh out the body response
    await exports.save(ctx)
  } catch (err) {
    ctx.throw(400, "Unable to create new user, invitation invalid.")
  }
}
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const CouchDB = require("../../../db")`
			`const { generateGlobalUserID, getGlobalUserParams, StaticDatabases } =`
			`require("@budibase/auth").db`
Adding organisation page. 2021-07-17 05:24:32 +12:00			`const { hash, getGlobalUserByEmail } = require("@budibase/auth").utils`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`const { UserStatus, EmailTemplatePurpose } = require("../../../constants")`
			`const { checkInviteCode } = require("../../../utilities/redis")`
			`const { sendEmail } = require("../../../utilities/email")`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`const { user: userCache } = require("@budibase/auth/cache")`
			`const { invalidateSessions } = require("@budibase/auth/sessions")`
basic group apis 2021-04-19 22:34:07 +12:00
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const GLOBAL_DB = StaticDatabases.GLOBAL.name`
Fixing some tenancy issues. 2021-07-19 23:57:52 +12:00
re-write, to use the ideas that Rory put in place, still WIP, un-tested but all implemented. 2021-08-03 05:34:43 +12:00			`async function allUsers() {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const db = new CouchDB(GLOBAL_DB)`
Fixing issue with roles not being added correctly to global users and cleaning up roles when an app is deleted. 2021-06-02 02:58:40 +12:00			`const response = await db.allDocs(`
			`getGlobalUserParams(null, {`
			`include_docs: true,`
			`})`
			`)`
			`return response.rows.map(row => row.doc)`
			`}`

Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`exports.save = async ctx => {`
			`const db = new CouchDB(GLOBAL_DB)`
			`const { email, password, _id } = ctx.request.body`

Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`// make sure another user isn't using the same email`
Fixing issues with the user table within the apps. 2021-05-20 02:55:00 +12:00			`let dbUser`
			`if (email) {`
re-write, to use the ideas that Rory put in place, still WIP, un-tested but all implemented. 2021-08-03 05:34:43 +12:00			`dbUser = await getGlobalUserByEmail(email)`
Fixing issues with the user table within the apps. 2021-05-20 02:55:00 +12:00			`if (dbUser != null && (dbUser._id !== _id \|\| Array.isArray(dbUser))) {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`ctx.throw(400, "Email address already in use.")`
Fixing issues with the user table within the apps. 2021-05-20 02:55:00 +12:00			`}`
			`} else {`
			`dbUser = await db.get(_id)`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`}`

			`// get the password, make sure one is defined`
			`let hashedPassword`
			`if (password) {`
			`hashedPassword = await hash(password)`
			`} else if (dbUser) {`
			`hashedPassword = dbUser.password`
			`} else {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`ctx.throw(400, "Password must be specified.")`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`}`

Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`let user = {`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`...dbUser,`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`...ctx.request.body,`
			`_id: _id \|\| generateGlobalUserID(),`
basic group apis 2021-04-19 22:34:07 +12:00			`password: hashedPassword,`
			`}`
Making sure roles object is always present, issue #1529. 2021-05-22 01:56:06 +12:00			`// make sure the roles object is always present`
			`if (!user.roles) {`
			`user.roles = {}`
			`}`
basic group apis 2021-04-19 22:34:07 +12:00			`// add the active status to a user if its not provided`
			`if (user.status == null) {`
			`user.status = UserStatus.ACTIVE`
			`}`
			`try {`
Finalising the usage of redis in the password reset and invitation systems. 2021-05-06 02:10:28 +12:00			`const response = await db.put({`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`password: hashedPassword,`
basic group apis 2021-04-19 22:34:07 +12:00			`...user,`
			`})`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`await userCache.invalidateUser(response.id)`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`ctx.body = {`
basic group apis 2021-04-19 22:34:07 +12:00			`_id: response.id,`
			`_rev: response.rev,`
			`email,`
			`}`
			`} catch (err) {`
			`if (err.status === 409) {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`ctx.throw(400, "User exists already")`
basic group apis 2021-04-19 22:34:07 +12:00			`} else {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`ctx.throw(err.status, err)`
basic group apis 2021-04-19 22:34:07 +12:00			`}`
			`}`
			`}`

First version of multi-tenancy, work still to be done. 2021-07-16 04:57:02 +12:00			`exports.adminUser = async ctx => {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const db = new CouchDB(GLOBAL_DB)`
Further work, tenancy now working but some more work to be done. 2021-07-17 05:04:49 +12:00			`const response = await db.allDocs(`
			`getGlobalUserParams(null, {`
			`include_docs: true,`
			`})`
			`)`

			`if (response.rows.some(row => row.doc.admin)) {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`ctx.throw(403, "You cannot initialise once an admin user has been created.")`
do not allow users to initialise again once an admin has been created 2021-05-06 09:06:31 +12:00			`}`

Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const { email, password } = ctx.request.body`
			`ctx.request.body = {`
first time setup E2E 2021-05-06 08:56:43 +12:00			`email: email,`
			`password: password,`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`roles: {},`
			`builder: {`
first time setup E2E 2021-05-06 08:56:43 +12:00			`global: true,`
			`},`
			`admin: {`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`global: true,`
			`},`
First version of multi-tenancy, work still to be done. 2021-07-16 04:57:02 +12:00			`}`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`await exports.save(ctx)`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`}`

Add explicit prettier options 2021-05-04 22:32:22 +12:00			`exports.destroy = async ctx => {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const db = new CouchDB(GLOBAL_DB)`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`const dbUser = await db.get(ctx.params.id)`
basic group apis 2021-04-19 22:34:07 +12:00			`await db.remove(dbUser._id, dbUser._rev)`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`await userCache.invalidateUser(dbUser._id)`
			`await invalidateSessions(dbUser._id)`
basic group apis 2021-04-19 22:34:07 +12:00			`ctx.body = {`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			message: `User ${ctx.params.id} deleted.`,
basic group apis 2021-04-19 22:34:07 +12:00			`}`
			`}`

Fixing issue with roles not being added correctly to global users and cleaning up roles when an app is deleted. 2021-06-02 02:58:40 +12:00			`exports.removeAppRole = async ctx => {`
			`const { appId } = ctx.params`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const db = new CouchDB(GLOBAL_DB)`
			`const users = await allUsers()`
Fixing issue with roles not being added correctly to global users and cleaning up roles when an app is deleted. 2021-06-02 02:58:40 +12:00			`const bulk = []`
Adding sessions API. 2021-07-08 10:29:19 +12:00			`const cacheInvalidations = []`
Fixing issue with roles not being added correctly to global users and cleaning up roles when an app is deleted. 2021-06-02 02:58:40 +12:00			`for (let user of users) {`
			`if (user.roles[appId]) {`
Adding sessions API. 2021-07-08 10:29:19 +12:00			`cacheInvalidations.push(userCache.invalidateUser(user._id))`
Fixing issue with roles not being added correctly to global users and cleaning up roles when an app is deleted. 2021-06-02 02:58:40 +12:00			`delete user.roles[appId]`
			`bulk.push(user)`
			`}`
			`}`
			`await db.bulkDocs(bulk)`
Adding sessions API. 2021-07-08 10:29:19 +12:00			`await Promise.all(cacheInvalidations)`
Fixing issue with roles not being added correctly to global users and cleaning up roles when an app is deleted. 2021-06-02 02:58:40 +12:00			`ctx.body = {`
			`message: "App role removed from all users",`
			`}`
			`}`

Adding a get self endpoint in the global users. 2021-05-20 00:37:59 +12:00			`exports.getSelf = async ctx => {`
Fixing issues discovered by cypress tests. 2021-06-22 05:37:14 +12:00			`if (!ctx.user) {`
			`ctx.throw(403, "User not logged in")`
			`}`
Adding a get self endpoint in the global users. 2021-05-20 00:37:59 +12:00			`ctx.params = {`
Adding the ability to get all apps, with the status attached. 2021-05-20 02:09:57 +12:00			`id: ctx.user._id,`
Adding a get self endpoint in the global users. 2021-05-20 00:37:59 +12:00			`}`
			`// this will set the body`
			`await exports.find(ctx)`
			`}`

			`exports.updateSelf = async ctx => {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const db = new CouchDB(GLOBAL_DB)`
Adding admin only endpoint, removing the ability to create/delete global users from the app server and adding a global self user update. 2021-05-20 00:17:50 +12:00			`const user = await db.get(ctx.user._id)`
			`if (ctx.request.body.password) {`
			`ctx.request.body.password = await hash(ctx.request.body.password)`
			`}`
Allowing null for global user endpoint properties. 2021-05-20 00:30:55 +12:00			`// don't allow sending up an ID/Rev, always use the existing one`
			`delete ctx.request.body._id`
			`delete ctx.request.body._rev`
Adding admin only endpoint, removing the ability to create/delete global users from the app server and adding a global self user update. 2021-05-20 00:17:50 +12:00			`const response = await db.put({`
			`...user,`
			`...ctx.request.body,`
			`})`
Adding sessions API. 2021-07-08 10:29:19 +12:00			`await userCache.invalidateUser(user._id)`
Adding admin only endpoint, removing the ability to create/delete global users from the app server and adding a global self user update. 2021-05-20 00:17:50 +12:00			`ctx.body = {`
			`_id: response.id,`
			`_rev: response.rev,`
			`}`
			`}`

basic group apis 2021-04-19 22:34:07 +12:00			`// called internally by app server user fetch`
Add explicit prettier options 2021-05-04 22:32:22 +12:00			`exports.fetch = async ctx => {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const users = await allUsers()`
basic group apis 2021-04-19 22:34:07 +12:00			`// user hashed password shouldn't ever be returned`
			`for (let user of users) {`
			`if (user) {`
			`delete user.password`
			`}`
			`}`
			`ctx.body = users`
			`}`

			`// called internally by app server user find`
Add explicit prettier options 2021-05-04 22:32:22 +12:00			`exports.find = async ctx => {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const db = new CouchDB(GLOBAL_DB)`
basic group apis 2021-04-19 22:34:07 +12:00			`let user`
			`try {`
Swapping over everything to use the new user ID and updating everything after some end to end testing. 2021-04-21 04:17:44 +12:00			`user = await db.get(ctx.params.id)`
basic group apis 2021-04-19 22:34:07 +12:00			`} catch (err) {`
			`// no user found, just return nothing`
			`user = {}`
			`}`
			`if (user) {`
			`delete user.password`
			`}`
			`ctx.body = user`
			`}`
Finalising the usage of redis in the password reset and invitation systems. 2021-05-06 02:10:28 +12:00
			`exports.invite = async ctx => {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`const { email, userInfo } = ctx.request.body`
re-write, to use the ideas that Rory put in place, still WIP, un-tested but all implemented. 2021-08-03 05:34:43 +12:00			`const existing = await getGlobalUserByEmail(email)`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`if (existing) {`
			`ctx.throw(400, "Email address already in use.")`
			`}`
re-write, to use the ideas that Rory put in place, still WIP, un-tested but all implemented. 2021-08-03 05:34:43 +12:00			`await sendEmail(email, EmailTemplatePurpose.INVITATION, {`
Formatting. 2021-05-12 02:24:17 +12:00			`subject: "{{ company }} platform invitation",`
Updating system to allow setting builder/admin as a toggle during the invitation phase of a user. 2021-05-25 05:45:43 +12:00			`info: userInfo,`
Formatting. 2021-05-12 02:24:17 +12:00			`})`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`ctx.body = {`
Formatting. 2021-05-06 02:19:44 +12:00			`message: "Invitation has been sent.",`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`}`
Finalising the usage of redis in the password reset and invitation systems. 2021-05-06 02:10:28 +12:00			`}`

			`exports.inviteAccept = async ctx => {`
Adding the ability to get all apps, with the status attached. 2021-05-20 02:09:57 +12:00			`const { inviteCode, password, firstName, lastName } = ctx.request.body`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`try {`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`// info is an extension of the user object that was stored by admin`
Updating system to allow setting builder/admin as a toggle during the invitation phase of a user. 2021-05-25 05:45:43 +12:00			`const { email, info } = await checkInviteCode(inviteCode)`
Revert "Multi-tenancy/organisations" 2021-08-04 21:02:24 +12:00			`// only pass through certain props for accepting`
			`ctx.request.body = {`
			`firstName,`
			`lastName,`
			`password,`
			`email,`
			`...info,`
			`}`
			`// this will flesh out the body response`
			`await exports.save(ctx)`
Finishing invite send email. 2021-05-06 02:17:15 +12:00			`} catch (err) {`
			`ctx.throw(400, "Unable to create new user, invitation invalid.")`
Finalising the usage of redis in the password reset and invitation systems. 2021-05-06 02:10:28 +12:00			`}`
			`}`