From 8a936e09271e8c7d15e0389417daf588ca50cadf Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martin@shogunsystems.co.uk>
Date: Thu, 15 Oct 2020 14:26:33 +0100
Subject: [PATCH] more auth bugfixes

---
 packages/client/src/render/getAppId.js          | 2 ++
 packages/server/src/middleware/authenticated.js | 8 +++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/packages/client/src/render/getAppId.js b/packages/client/src/render/getAppId.js
index e6216e7be5..5525c67358 100644
--- a/packages/client/src/render/getAppId.js
+++ b/packages/client/src/render/getAppId.js
@@ -3,6 +3,8 @@ export const parseAppIdFromCookie = docCookie => {
     docCookie.split(";").find(c => c.trim().startsWith("budibase:token")) ||
     docCookie.split(";").find(c => c.trim().startsWith("builder:token"))
 
+  if (!cookie) return location.pathname.replace("/")
+
   const base64Token = cookie.substring(lengthOfKey)
 
   const user = JSON.parse(atob(base64Token.split(".")[1]))
diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js
index 8a046f4327..1a2eba3fd8 100644
--- a/packages/server/src/middleware/authenticated.js
+++ b/packages/server/src/middleware/authenticated.js
@@ -34,12 +34,14 @@ module.exports = async (ctx, next) => {
 
     let appId = process.env.CLOUD ? ctx.subdomains[1] : ctx.params.appId
 
-    if (!appId) {
-      appId = ctx.referer && ctx.referer.split("/").pop()
+    // if appId can't be determined from path param or subdomain
+    if (!appId && ctx.request.headers.referer) {
+      const url = new URL(ctx.request.headers.referer)
+      // remove leading and trailing slashes from appId
+      appId = url.pathname.replace(/\//g, "")
     }
 
     ctx.user = {
-      // if appId can't be determined from path param or subdomain
       appId,
     }
     await next()