Merge pull request #2802 from Budibase/develop

develop -> master (deprovisioning and auth/tenancy fixes)

lerna.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.9.145",
+  "version": "0.9.146-alpha.1",
   "npmClient": "yarn",
   "packages": [
     "packages/*"

packages/auth/deprovision.js

@@ -0,0 +1 @@
+module.exports = require("./src/tenancy/deprovision")

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@budibase/auth",
-  "version": "0.9.145",
+  "version": "0.9.146-alpha.1",
   "description": "Authentication middlewares for budibase builder and apps",
   "main": "src/index.js",
   "author": "Budibase",

packages/auth/src/tenancy/deprovision.js

@@ -0,0 +1,81 @@
+const { getGlobalUserParams, getAllApps } = require("../db/utils")
+const { getDB, getCouch } = require("../db")
+const { getGlobalDB } = require("./tenancy")
+const { StaticDatabases } = require("../db/constants")
+
+const TENANT_DOC = StaticDatabases.PLATFORM_INFO.docs.tenants
+const PLATFORM_INFO_DB = StaticDatabases.PLATFORM_INFO.name
+
+const removeTenantFromInfoDB = async tenantId => {
+  try {
+    const infoDb = getDB(PLATFORM_INFO_DB)
+    let tenants = await infoDb.get(TENANT_DOC)
+    tenants.tenantIds = tenants.tenantIds.filter(id => id !== tenantId)
+
+    await infoDb.put(tenants)
+  } catch (err) {
+    console.error(`Error removing tenant ${tenantId} from info db`, err)
+    throw err
+  }
+}
+
+const removeUsersFromInfoDB = async tenantId => {
+  try {
+    const globalDb = getGlobalDB(tenantId)
+    const infoDb = getDB(PLATFORM_INFO_DB)
+    const allUsers = await globalDb.allDocs(
+      getGlobalUserParams(null, {
+        include_docs: true,
+      })
+    )
+    const allEmails = allUsers.rows.map(row => row.doc.email)
+    // get the id docs
+    let keys = allUsers.rows.map(row => row.id)
+    // and the email docs
+    keys = keys.concat(allEmails)
+    // retrieve the docs and delete them
+    const userDocs = await infoDb.allDocs({
+      keys,
+      include_docs: true,
+    })
+    const toDelete = userDocs.rows.map(row => {
+      return {
+        ...row.doc,
+        _deleted: true,
+      }
+    })
+    await infoDb.bulkDocs(toDelete)
+  } catch (err) {
+    console.error(`Error removing tenant ${tenantId} users from info db`, err)
+    throw err
+  }
+}
+
+const removeGlobalDB = async tenantId => {
+  try {
+    const globalDb = getGlobalDB(tenantId)
+    await globalDb.destroy()
+  } catch (err) {
+    console.error(`Error removing tenant ${tenantId} users from info db`, err)
+    throw err
+  }
+}
+
+const removeTenantApps = async tenantId => {
+  try {
+    const apps = await getAllApps(getCouch(), { all: true })
+    const destroyPromises = apps.map(app => getDB(app.appId).destroy())
+    await Promise.allSettled(destroyPromises)
+  } catch (err) {
+    console.error(`Error removing tenant ${tenantId} apps`, err)
+    throw err
+  }
+}
+
+// can't live in tenancy package due to circular dependency on db/utils
+exports.deleteTenant = async tenantId => {
+  await removeTenantFromInfoDB(tenantId)
+  await removeUsersFromInfoDB(tenantId)
+  await removeGlobalDB(tenantId)
+  await removeTenantApps(tenantId)
+}

packages/bbui/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@budibase/bbui",
   "description": "A UI solution used in the different Budibase projects.",
-  "version": "0.9.145",
+  "version": "0.9.146-alpha.1",
   "license": "AGPL-3.0",
   "svelte": "src/index.js",
   "module": "dist/bbui.es.js",

packages/builder/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@budibase/builder",
-  "version": "0.9.145",
+  "version": "0.9.146-alpha.1",
   "license": "AGPL-3.0",
   "private": true,
   "scripts": {
@@ -65,10 +65,10 @@
     }
   },
   "dependencies": {
-    "@budibase/bbui": "^0.9.145",
-    "@budibase/client": "^0.9.145",
+    "@budibase/bbui": "^0.9.146-alpha.1",
+    "@budibase/client": "^0.9.146-alpha.1",
     "@budibase/colorpicker": "1.1.2",
-    "@budibase/string-templates": "^0.9.145",
+    "@budibase/string-templates": "^0.9.146-alpha.1",
     "@sentry/browser": "5.19.1",
     "@spectrum-css/page": "^3.0.1",
     "@spectrum-css/vars": "^3.0.1",

packages/builder/src/components/upgrade/UpgradeModal.svelte

@@ -4,7 +4,7 @@
   let upgradeModal
 
   const onConfirm = () => {
-    window.open("https://accounts.budibase.com/install", "_blank")
+    window.open("https://account.budibase.app/portal/install", "_blank")
   }
 </script>
 

packages/builder/src/pages/builder/_layout.svelte

@@ -9,10 +9,31 @@
   $: hasAdminUser = $admin?.checklist?.adminUser?.checked
   $: tenantSet = $auth.tenantSet
   $: cloud = $admin.cloud
+  $: user = $auth.user
+
+  const validateTenantId = async () => {
+    // set the tenant from the url in the cloud
+    const tenantId = window.location.host.split(".")[0]
+
+    if (!tenantId.includes("localhost:")) {
+      // user doesn't have permission to access this tenant - kick them out
+      if (user?.tenantId !== tenantId) {
+        await auth.logout()
+        await auth.setOrganisation(null)
+      } else {
+        await auth.setOrganisation(tenantId)
+      }
+    }
+  }
 
   onMount(async () => {
     await auth.checkAuth()
     await admin.init()
+
+    if (cloud && multiTenancyEnabled) {
+      await validateTenantId()
+    }
+
     loaded = true
   })
 

packages/builder/src/pages/builder/auth/_layout.svelte

@@ -1,26 +1,23 @@
 <script>
   import { auth, admin } from "stores/portal"
-  import { onMount } from "svelte"
   import { redirect } from "@roxi/routify"
 
   // If already authenticated, redirect away from the auth section.
   // Check this onMount rather than a reactive statement to avoid trumping
   // the login return URL functionality.
-  onMount(() => {
-    if ($auth.user && !$auth.user.forceResetPassword) {
-      $redirect("../")
-    }
+  if ($auth.user && !$auth.user.forceResetPassword) {
+    $redirect("../")
+  }
 
-    // redirect to account portal for authentication in the cloud
-    if (
-      !$auth.user &&
-      $admin.cloud &&
-      $admin.accountPortalUrl &&
-      !$admin?.checklist?.sso?.checked
-    ) {
-      window.location.href = $admin.accountPortalUrl
-    }
-  })
+  // redirect to account portal for authentication in the cloud
+  if (
+    !$auth.user &&
+    $admin.cloud &&
+    $admin.accountPortalUrl &&
+    !$admin?.checklist?.sso?.checked
+  ) {
+    window.location.href = $admin.accountPortalUrl
+  }
 </script>
 
 {#if !$auth.user || $auth.user.forceResetPassword}

packages/builder/src/stores/portal/auth.js

@@ -80,6 +80,7 @@ export function createAuthStore() {
 
   return {
     subscribe: store.subscribe,
+    setOrganisation: setOrganisation,
     checkQueryString: async () => {
       const urlParams = new URLSearchParams(window.location.search)
       if (urlParams.has("tenantId")) {

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@budibase/cli",
-  "version": "0.9.145",
+  "version": "0.9.146-alpha.1",
   "description": "Budibase CLI, for developers, self hosting and migrations.",
   "main": "src/index.js",
   "bin": {

packages/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@budibase/client",
-  "version": "0.9.145",
+  "version": "0.9.146-alpha.1",
   "license": "MPL-2.0",
   "module": "dist/budibase-client.js",
   "main": "dist/budibase-client.js",
@@ -19,9 +19,9 @@
     "dev:builder": "rollup -cw"
   },
   "dependencies": {
-    "@budibase/bbui": "^0.9.145",
+    "@budibase/bbui": "^0.9.146-alpha.1",
     "@budibase/standard-components": "^0.9.139",
-    "@budibase/string-templates": "^0.9.145",
+    "@budibase/string-templates": "^0.9.146-alpha.1",
     "regexparam": "^1.3.0",
     "shortid": "^2.2.15",
     "svelte-spa-router": "^3.0.5"

packages/server/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@budibase/server",
   "email": "hi@budibase.com",
-  "version": "0.9.145",
+  "version": "0.9.146-alpha.1",
   "description": "Budibase Web Server",
   "main": "src/index.js",
   "repository": {
@@ -64,9 +64,9 @@
   "author": "Budibase",
   "license": "AGPL-3.0-or-later",
   "dependencies": {
-    "@budibase/auth": "^0.9.145",
-    "@budibase/client": "^0.9.145",
-    "@budibase/string-templates": "^0.9.145",
+    "@budibase/auth": "^0.9.146-alpha.1",
+    "@budibase/client": "^0.9.146-alpha.1",
+    "@budibase/string-templates": "^0.9.146-alpha.1",
     "@elastic/elasticsearch": "7.10.0",
     "@koa/router": "8.0.0",
     "@sendgrid/mail": "7.1.1",

packages/string-templates/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@budibase/string-templates",
-  "version": "0.9.145",
+  "version": "0.9.146-alpha.1",
   "description": "Handlebars wrapper for Budibase templating.",
   "main": "src/index.cjs",
   "module": "dist/bundle.mjs",

packages/worker/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@budibase/worker",
   "email": "hi@budibase.com",
-  "version": "0.9.145",
+  "version": "0.9.146-alpha.1",
   "description": "Budibase background service",
   "main": "src/index.js",
   "repository": {
@@ -25,8 +25,8 @@
   "author": "Budibase",
   "license": "AGPL-3.0-or-later",
   "dependencies": {
-    "@budibase/auth": "^0.9.145",
-    "@budibase/string-templates": "^0.9.145",
+    "@budibase/auth": "^0.9.146-alpha.1",
+    "@budibase/string-templates": "^0.9.146-alpha.1",
     "@koa/router": "^8.0.0",
     "@techpass/passport-openidconnect": "^0.3.0",
     "aws-sdk": "^2.811.0",

packages/worker/src/api/controllers/global/users.js

@@ -53,22 +53,22 @@ async function saveUser(
     // check budibase users inside the tenant
     dbUser = await getGlobalUserByEmail(email)
     if (dbUser != null && (dbUser._id !== _id || Array.isArray(dbUser))) {
-      throw "Email address already in use."
+      throw `Email address ${email} already in use.`
     }
 
     // check budibase users in other tenants
     if (env.MULTI_TENANCY) {
       dbUser = await getTenantUser(email)
       if (dbUser != null) {
-        throw "Email address already in use."
+        throw `Email address ${email} already in use.`
       }
     }
 
     // check root account users in account portal
     if (!env.SELF_HOSTED) {
       const account = await accounts.getAccount(email)
-      if (account) {
-        throw "Email address already in use."
+      if (account && account.verified) {
+        throw `Email address ${email} already in use.`
       }
     }
   } else {

packages/worker/src/api/controllers/system/tenants.js

@@ -1,5 +1,7 @@
 const CouchDB = require("../../../db")
 const { StaticDatabases } = require("@budibase/auth/db")
+const { getTenantId } = require("@budibase/auth/tenancy")
+const { deleteTenant } = require("@budibase/auth/deprovision")
 
 exports.exists = async ctx => {
   const tenantId = ctx.request.params
@@ -31,3 +33,19 @@ exports.fetch = async ctx => {
   }
   ctx.body = tenants
 }
+
+exports.delete = async ctx => {
+  const tenantId = getTenantId()
+
+  if (ctx.params.tenantId !== tenantId) {
+    ctx.throw(403, "Unauthorized")
+  }
+
+  try {
+    await deleteTenant(tenantId)
+    ctx.status = 204
+  } catch (err) {
+    ctx.log.error(err)
+    throw err
+  }
+}

packages/worker/src/api/routes/system/tenants.js

@@ -7,5 +7,6 @@ const router = Router()
 router
   .get("/api/system/tenants/:tenantId/exists", controller.exists)
   .get("/api/system/tenants", adminOnly, controller.fetch)
+  .delete("/api/system/tenants/:tenantId", adminOnly, controller.delete)
 
 module.exports = router