budibase/packages/server/src/middleware/authorized.js

const {
  adminPermissions,
  ADMIN_LEVEL_ID,
  POWERUSER_LEVEL_ID,
  BUILDER_LEVEL_ID,
  BUILDER,
} = require("../utilities/accessLevels")
const environment = require("../environment")
const { apiKeyTable } = require("../db/dynamoClient")

module.exports = (permName, getItemId) => async (ctx, next) => {
  if (
    environment.CLOUD &&
    ctx.headers["x-api-key"] &&
    ctx.headers["x-instanceid"]
  ) {
    // api key header passed by external webhook
    const apiKeyInfo = await apiKeyTable.get({
      primary: ctx.headers["x-api-key"],
    })

    if (apiKeyInfo) {
      ctx.auth = {
        authenticated: true,
        external: true,
        apiKey: ctx.headers["x-api-key"],
      }
      ctx.user = {
        instanceId: ctx.headers["x-instanceid"],
      }
      return next()
    }

    ctx.throw(403, "API key invalid")
  }

  if (!ctx.auth.authenticated) {
    ctx.throw(403, "Session not authenticated")
  }

  if (!ctx.user) {
    ctx.throw(403, "User not found")
  }

  if (ctx.user.accessLevel._id === BUILDER_LEVEL_ID) {
    return next()
  }

  if (permName === BUILDER) {
    ctx.throw(403, "Not Authorized")
    return
  }

  const permissionId = ({ name, itemId }) => name + (itemId ? `-${itemId}` : "")

  if (ctx.user.accessLevel._id === ADMIN_LEVEL_ID) {
    return next()
  }

  const thisPermissionId = permissionId({
    name: permName,
    itemId: getItemId && getItemId(ctx),
  })

  // power user has everything, except the admin specific perms
  if (
    ctx.user.accessLevel._id === POWERUSER_LEVEL_ID &&
    !adminPermissions.map(permissionId).includes(thisPermissionId)
  ) {
    return next()
  }

  if (
    ctx.user.accessLevel.permissions
      .map(permissionId)
      .includes(thisPermissionId)
  ) {
    return next()
  }

  ctx.throw(403, "Not Authorized")
}
access levels 2020-05-28 04:23:01 +12:00			`const {`
			`adminPermissions,`
			`ADMIN_LEVEL_ID,`
			`POWERUSER_LEVEL_ID,`
instanceid removal 2020-06-19 03:59:31 +12:00			`BUILDER_LEVEL_ID,`
access levels 2020-05-28 04:23:01 +12:00			`BUILDER,`
			`} = require("../utilities/accessLevels")`
support for external webhooks 2020-10-12 23:57:37 +13:00			`const environment = require("../environment")`
			`const { apiKeyTable } = require("../db/dynamoClient")`
access levels 2020-05-28 04:23:01 +12:00
			`module.exports = (permName, getItemId) => async (ctx, next) => {`
support for external webhooks 2020-10-12 23:57:37 +13:00			`if (`
			`environment.CLOUD &&`
			`ctx.headers["x-api-key"] &&`
			`ctx.headers["x-instanceid"]`
			`) {`
			`// api key header passed by external webhook`
			`const apiKeyInfo = await apiKeyTable.get({`
			`primary: ctx.headers["x-api-key"],`
			`})`

			`if (apiKeyInfo) {`
adding auth object to context rather than separate booleans 2020-10-13 01:32:52 +13:00			`ctx.auth = {`
			`authenticated: true,`
			`external: true,`
			`apiKey: ctx.headers["x-api-key"],`
			`}`
support for external webhooks 2020-10-12 23:57:37 +13:00			`ctx.user = {`
			`instanceId: ctx.headers["x-instanceid"],`
			`}`
			`return next()`
			`}`

			`ctx.throw(403, "API key invalid")`
			`}`

adding auth object to context rather than separate booleans 2020-10-13 01:32:52 +13:00			`if (!ctx.auth.authenticated) {`
access levels 2020-05-28 04:23:01 +12:00			`ctx.throw(403, "Session not authenticated")`
			`}`

instanceid removal 2020-06-19 03:59:31 +12:00			`if (!ctx.user) {`
			`ctx.throw(403, "User not found")`
			`}`

			`if (ctx.user.accessLevel._id === BUILDER_LEVEL_ID) {`
Updates for API usage after testing against local Dynamo. 2020-10-09 05:34:41 +13:00			`return next()`
access levels 2020-05-28 04:23:01 +12:00			`}`

			`if (permName === BUILDER) {`
			`ctx.throw(403, "Not Authorized")`
			`return`
			`}`

			const permissionId = ({ name, itemId }) => name + (itemId ? `-${itemId}` : "")

			`if (ctx.user.accessLevel._id === ADMIN_LEVEL_ID) {`
Updates for API usage after testing against local Dynamo. 2020-10-09 05:34:41 +13:00			`return next()`
access levels 2020-05-28 04:23:01 +12:00			`}`

			`const thisPermissionId = permissionId({`
			`name: permName,`
			`itemId: getItemId && getItemId(ctx),`
			`})`

			`// power user has everything, except the admin specific perms`
			`if (`
			`ctx.user.accessLevel._id === POWERUSER_LEVEL_ID &&`
			`!adminPermissions.map(permissionId).includes(thisPermissionId)`
			`) {`
Updates for API usage after testing against local Dynamo. 2020-10-09 05:34:41 +13:00			`return next()`
access levels 2020-05-28 04:23:01 +12:00			`}`

			`if (`
			`ctx.user.accessLevel.permissions`
			`.map(permissionId)`
			`.includes(thisPermissionId)`
			`) {`
Updates for API usage after testing against local Dynamo. 2020-10-09 05:34:41 +13:00			`return next()`
access levels 2020-05-28 04:23:01 +12:00			`}`

			`ctx.throw(403, "Not Authorized")`
			`}`