From 29787032f02fe63dec2102a20b0a592c623b86b8 Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Wed, 7 Apr 2021 16:08:29 +0100 Subject: [PATCH] Fixing an issue with builder auth, adding a temporary endpoint which the server can set builder token on. --- packages/builder/src/builderStore/api.js | 4 ++++ packages/builder/src/builderStore/index.js | 3 +++ packages/server/src/api/controllers/auth.js | 6 ++++++ packages/server/src/api/routes/auth.js | 4 ++++ packages/server/src/middleware/authorized.js | 5 ----- packages/server/src/middleware/tests/authorized.spec.js | 5 ++--- 6 files changed, 19 insertions(+), 8 deletions(-) diff --git a/packages/builder/src/builderStore/api.js b/packages/builder/src/builderStore/api.js index 0202c5e8ab..8b5206da93 100644 --- a/packages/builder/src/builderStore/api.js +++ b/packages/builder/src/builderStore/api.js @@ -20,6 +20,9 @@ export const get = apiCall("GET") export const patch = apiCall("PATCH") export const del = apiCall("DELETE") export const put = apiCall("PUT") +export const getBuilderCookie = async () => { + await post("/api/builder/login", {}) +} export default { post: apiCall("POST"), @@ -27,4 +30,5 @@ export default { patch: apiCall("PATCH"), delete: apiCall("DELETE"), put: apiCall("PUT"), + getBuilderCookie, } diff --git a/packages/builder/src/builderStore/index.js b/packages/builder/src/builderStore/index.js index 6fecda84c0..48f466169b 100644 --- a/packages/builder/src/builderStore/index.js +++ b/packages/builder/src/builderStore/index.js @@ -6,6 +6,7 @@ import { derived, writable } from "svelte/store" import analytics from "analytics" import { FrontendTypes, LAYOUT_NAMES } from "../constants" import { findComponent } from "./storeUtils" +import { getBuilderCookie } from "./api" export const store = getFrontendStore() export const automationStore = getAutomationStore() @@ -57,6 +58,8 @@ export const selectedAccessRole = writable("BASIC") export const initialise = async () => { try { + // TODO this needs to be replaced by a real login + await getBuilderCookie() await analytics.activate() analytics.captureEvent("Builder Started") } catch (err) { diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js index fc486bcb50..b35b7f1cda 100644 --- a/packages/server/src/api/controllers/auth.js +++ b/packages/server/src/api/controllers/auth.js @@ -8,6 +8,7 @@ const { setCookie } = require("../../utilities") const { outputProcessing } = require("../../utilities/rowProcessor") const { ViewNames } = require("../../db/utils") const { UserStatus } = require("../../constants") +const setBuilderToken = require("../../utilities/builder/setBuilderToken") const INVALID_ERR = "Invalid Credentials" @@ -69,6 +70,11 @@ exports.authenticate = async ctx => { } } +exports.builderLogin = async ctx => { + await setBuilderToken(ctx) + ctx.status = 200 +} + exports.fetchSelf = async ctx => { const { userId, appId } = ctx.user /* istanbul ignore next */ diff --git a/packages/server/src/api/routes/auth.js b/packages/server/src/api/routes/auth.js index ae640952ed..0661672968 100644 --- a/packages/server/src/api/routes/auth.js +++ b/packages/server/src/api/routes/auth.js @@ -1,9 +1,13 @@ const Router = require("@koa/router") const controller = require("../controllers/auth") +const authorized = require("../../middleware/authorized") +const { BUILDER } = require("../../utilities/security/permissions") const router = Router() router.post("/api/authenticate", controller.authenticate) +// TODO: this is a hack simply to make sure builder has a cookie until auth reworked +router.post("/api/builder/login", authorized(BUILDER), controller.builderLogin) // doesn't need authorization as can only fetch info about self router.get("/api/self", controller.fetchSelf) diff --git a/packages/server/src/middleware/authorized.js b/packages/server/src/middleware/authorized.js index dcd91bfdb4..554f281d8c 100644 --- a/packages/server/src/middleware/authorized.js +++ b/packages/server/src/middleware/authorized.js @@ -42,11 +42,6 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => { const isAdmin = ADMIN_ROLES.includes(role._id) const isAuthed = ctx.auth.authenticated - // TODO: this was added while we work towards a better auth method - if (permType === PermissionTypes.BUILDER) { - return next() - } - const { basePermissions, permissions } = await getUserPermissions( ctx.appId, role._id diff --git a/packages/server/src/middleware/tests/authorized.spec.js b/packages/server/src/middleware/tests/authorized.spec.js index e4f34381a0..234db96d78 100644 --- a/packages/server/src/middleware/tests/authorized.spec.js +++ b/packages/server/src/middleware/tests/authorized.spec.js @@ -143,9 +143,8 @@ describe("Authorization middleware", () => { expect(config.next).toHaveBeenCalled() }) - - // TODO: this has been skipped while auth is still in flux - xit("throws if the user has only builder permissions", async () => { + + it("throws if the user has only builder permissions", async () => { config.setEnvironment(false) config.setMiddlewareRequiredPermission(PermissionTypes.BUILDER) config.setUser({