From 43f9deef4dc3559ebe4fc4e97212730dbfa88cd7 Mon Sep 17 00:00:00 2001
From: mike12345567 <me@michaeldrury.co.uk>
Date: Fri, 30 Oct 2020 17:12:06 +0000
Subject: [PATCH 01/10] Getting rid of userInstanceMap, preparing for meat of
 auth update.

---
 packages/server/src/api/controllers/application.js | 1 -
 packages/server/src/api/controllers/user.js        | 7 -------
 2 files changed, 8 deletions(-)

diff --git a/packages/server/src/api/controllers/application.js b/packages/server/src/api/controllers/application.js
index 66cde54fd6..1214ad43cb 100644
--- a/packages/server/src/api/controllers/application.js
+++ b/packages/server/src/api/controllers/application.js
@@ -70,7 +70,6 @@ exports.create = async function(ctx) {
   const newApplication = {
     _id: appId,
     type: "app",
-    userInstanceMap: {},
     version: packageJson.version,
     componentLibraries: ["@budibase/standard-components"],
     name: ctx.request.body.name,
diff --git a/packages/server/src/api/controllers/user.js b/packages/server/src/api/controllers/user.js
index da0adff895..ba6adeb060 100644
--- a/packages/server/src/api/controllers/user.js
+++ b/packages/server/src/api/controllers/user.js
@@ -39,13 +39,6 @@ exports.create = async function(ctx) {
 
   const response = await db.post(user)
 
-  const app = await db.get(ctx.user.appId)
-  app.userInstanceMap = {
-    ...app.userInstanceMap,
-    [username]: ctx.user.appId,
-  }
-  await db.put(app)
-
   ctx.status = 200
   ctx.message = "User created successfully."
   ctx.userId = response._id

From 98157f076f1edb8386ab5437b14b5c1c5cdf40bd Mon Sep 17 00:00:00 2001
From: Michael Drury <me@michaeldrury.co.uk>
Date: Mon, 2 Nov 2020 15:46:08 +0000
Subject: [PATCH 02/10] Some updates, still WIP.

---
 packages/server/src/api/controllers/application.js  |  2 +-
 packages/server/src/api/controllers/auth.js         |  2 +-
 packages/server/src/api/controllers/static.js       |  2 +-
 .../server/src/api/routes/tests/couchTestUtils.js   |  2 +-
 .../server/src/utilities/builder/setBuilderToken.js | 13 ++++++++-----
 packages/server/src/utilities/index.js              |  4 ++++
 6 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/packages/server/src/api/controllers/application.js b/packages/server/src/api/controllers/application.js
index 1214ad43cb..a8596e38ac 100644
--- a/packages/server/src/api/controllers/application.js
+++ b/packages/server/src/api/controllers/application.js
@@ -61,7 +61,7 @@ exports.fetchAppPackage = async function(ctx) {
   const db = new CouchDB(ctx.params.appId)
   const application = await db.get(ctx.params.appId)
   ctx.body = await getPackageForBuilder(ctx.config, application)
-  setBuilderToken(ctx, ctx.params.appId, application.version)
+  await setBuilderToken(ctx, ctx.params.appId, application.version)
 }
 
 exports.create = async function(ctx) {
diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js
index 9576d22da1..0cdaa25a85 100644
--- a/packages/server/src/api/controllers/auth.js
+++ b/packages/server/src/api/controllers/auth.js
@@ -48,7 +48,7 @@ exports.authenticate = async ctx => {
     const expires = new Date()
     expires.setDate(expires.getDate() + 1)
 
-    ctx.cookies.set("budibase:token", token, {
+    ctx.cookies.set(`budibase:token`, token, {
       expires,
       path: "/",
       httpOnly: false,
diff --git a/packages/server/src/api/controllers/static.js b/packages/server/src/api/controllers/static.js
index 1ebe169417..40728813b8 100644
--- a/packages/server/src/api/controllers/static.js
+++ b/packages/server/src/api/controllers/static.js
@@ -21,7 +21,7 @@ const COMP_LIB_BASE_APP_VERSION = "0.2.5"
 exports.serveBuilder = async function(ctx) {
   let builderPath = resolve(__dirname, "../../../builder")
   if (ctx.file === "index.html") {
-    setBuilderToken(ctx)
+    await setBuilderToken(ctx)
   }
   await send(ctx, ctx.file, { root: ctx.devPath || builderPath })
 }
diff --git a/packages/server/src/api/routes/tests/couchTestUtils.js b/packages/server/src/api/routes/tests/couchTestUtils.js
index 83c968323d..6a4e67bfc7 100644
--- a/packages/server/src/api/routes/tests/couchTestUtils.js
+++ b/packages/server/src/api/routes/tests/couchTestUtils.js
@@ -209,7 +209,7 @@ const createUserWithPermissions = async (
 
   const loginResult = await request
     .post(`/api/authenticate`)
-    .set({ Cookie: `budibase:token=${anonToken}` })
+    .set({ Cookie: `budibase:${appId}=${anonToken}` })
     .send({ username, password })
 
   // returning necessary request headers
diff --git a/packages/server/src/utilities/builder/setBuilderToken.js b/packages/server/src/utilities/builder/setBuilderToken.js
index fca3e0724f..811f273d40 100644
--- a/packages/server/src/utilities/builder/setBuilderToken.js
+++ b/packages/server/src/utilities/builder/setBuilderToken.js
@@ -1,8 +1,9 @@
 const { BUILDER_LEVEL_ID } = require("../accessLevels")
 const env = require("../../environment")
+const CouchDB = require("../../db")
 const jwt = require("jsonwebtoken")
 
-module.exports = (ctx, appId, version) => {
+module.exports = async (ctx, appId, version) => {
   const builderUser = {
     userId: "BUILDER",
     accessLevelId: BUILDER_LEVEL_ID,
@@ -18,14 +19,16 @@ module.exports = (ctx, appId, version) => {
 
   const expiry = new Date()
   expiry.setDate(expiry.getDate() + 30)
-  // remove the app token
-  ctx.cookies.set("budibase:token", "", {
-    overwrite: true,
-  })
   // set the builder token
   ctx.cookies.set("builder:token", token, {
     expires: expiry,
     httpOnly: false,
     overwrite: true,
   })
+  // need to clear all app tokens or else unable to use the app in the builder
+  let allDbNames = await CouchDB.allDbs()
+  allDbNames.map(dbName => {})
+  ctx.cookies.set(`budibase:${appId}`, "", {
+    overwrite: true,
+  })
 }
diff --git a/packages/server/src/utilities/index.js b/packages/server/src/utilities/index.js
index 9275659b3c..4fdc9f8b49 100644
--- a/packages/server/src/utilities/index.js
+++ b/packages/server/src/utilities/index.js
@@ -10,3 +10,7 @@ exports.isDev = () => {
     env.NODE_ENV !== "cypress"
   )
 }
+
+exports.getAppId = ctx => {
+
+}

From 0c81516662255a4759401d350898e688cd375ab3 Mon Sep 17 00:00:00 2001
From: mike12345567 <me@michaeldrury.co.uk>
Date: Mon, 2 Nov 2020 20:14:10 +0000
Subject: [PATCH 03/10] Some more re-work, more testing needed to auth stuff.

---
 packages/client/src/createApp.js              |  4 +--
 packages/client/src/index.js                  |  4 +--
 packages/client/src/render/getAppId.js        | 15 ++--------
 packages/client/src/render/screenRouter.js    |  4 +--
 packages/client/tests/testAppDef.js           |  2 +-
 packages/server/src/api/controllers/auth.js   |  5 +++-
 .../server/src/middleware/authenticated.js    | 17 ++++-------
 .../src/utilities/builder/setBuilderToken.js  | 14 +++++++---
 packages/server/src/utilities/index.js        | 28 ++++++++++++++++++-
 9 files changed, 55 insertions(+), 38 deletions(-)

diff --git a/packages/client/src/createApp.js b/packages/client/src/createApp.js
index 233abc0f58..f9d4f2bea5 100644
--- a/packages/client/src/createApp.js
+++ b/packages/client/src/createApp.js
@@ -2,7 +2,7 @@ import { attachChildren } from "./render/attachChildren"
 import { createTreeNode } from "./render/prepareRenderComponent"
 import { screenRouter } from "./render/screenRouter"
 import { createStateManager } from "./state/stateManager"
-import { parseAppIdFromCookie } from "./render/getAppId"
+import { getAppIdFromPath } from "./render/getAppId"
 
 export const createApp = ({
   componentLibraries,
@@ -38,7 +38,7 @@ export const createApp = ({
       window,
     })
     const fallbackPath = window.location.pathname.replace(
-      parseAppIdFromCookie(window.document.cookie),
+      getAppIdFromPath(),
       ""
     )
     routeTo(currentUrl || fallbackPath)
diff --git a/packages/client/src/index.js b/packages/client/src/index.js
index 6bbe2aee2b..54dbb7af9e 100644
--- a/packages/client/src/index.js
+++ b/packages/client/src/index.js
@@ -1,6 +1,6 @@
 import { createApp } from "./createApp"
 import { builtins, builtinLibName } from "./render/builtinComponents"
-import { parseAppIdFromCookie } from "./render/getAppId"
+import { getAppIdFromPath } from "./render/getAppId"
 
 /**
  * create a web application from static budibase definition files.
@@ -9,7 +9,7 @@ import { parseAppIdFromCookie } from "./render/getAppId"
 export const loadBudibase = async opts => {
   const _window = (opts && opts.window) || window
   // const _localStorage = (opts && opts.localStorage) || localStorage
-  const appId = parseAppIdFromCookie(_window.document.cookie)
+  const appId = getAppIdFromPath()
   const frontendDefinition = _window["##BUDIBASE_FRONTEND_DEFINITION##"]
 
   const user = {}
diff --git a/packages/client/src/render/getAppId.js b/packages/client/src/render/getAppId.js
index 4cbb6692b5..d476eda44c 100644
--- a/packages/client/src/render/getAppId.js
+++ b/packages/client/src/render/getAppId.js
@@ -1,14 +1,3 @@
-export const parseAppIdFromCookie = docCookie => {
-  const cookie =
-    docCookie.split(";").find(c => c.trim().startsWith("budibase:token")) ||
-    docCookie.split(";").find(c => c.trim().startsWith("builder:token"))
-
-  if (!cookie) return location.pathname.replace(/\//g, "")
-
-  const base64Token = cookie.substring(lengthOfKey)
-
-  const user = JSON.parse(atob(base64Token.split(".")[1]))
-  return user.appId
+export const getAppIdFromPath = () => {
+  return location.pathname.split("/")[1]
 }
-
-const lengthOfKey = "budibase:token=".length
diff --git a/packages/client/src/render/screenRouter.js b/packages/client/src/render/screenRouter.js
index 0c045097ed..32a12c167a 100644
--- a/packages/client/src/render/screenRouter.js
+++ b/packages/client/src/render/screenRouter.js
@@ -1,6 +1,6 @@
 import regexparam from "regexparam"
 import appStore from "../state/store"
-import { parseAppIdFromCookie } from "./getAppId"
+import { getAppIdFromPath } from "./getAppId"
 
 export const screenRouter = ({ screens, onScreenSelected, window }) => {
   function sanitize(url) {
@@ -27,7 +27,7 @@ export const screenRouter = ({ screens, onScreenSelected, window }) => {
 
   const makeRootedPath = url => {
     if (isRunningLocally()) {
-      const appId = parseAppIdFromCookie(window.document.cookie)
+      const appId = getAppIdFromPath()
       if (url) {
         url = sanitize(url)
         if (!url.startsWith("/")) {
diff --git a/packages/client/tests/testAppDef.js b/packages/client/tests/testAppDef.js
index c583d91545..90dbd2717d 100644
--- a/packages/client/tests/testAppDef.js
+++ b/packages/client/tests/testAppDef.js
@@ -9,7 +9,7 @@ export const load = async (page, screens, url, host = "test.com") => {
   const cookieJar = new jsdom.CookieJar()
   const cookie = `${btoa("{}")}.${btoa('{"appId":"TEST_APP_ID"}')}.signature`
   cookieJar.setCookie(
-    `budibase:token=${cookie};domain=${host};path=/`,
+    `budibase:local:TEST_APP_ID=${cookie};domain=${host};path=/`,
     fullUrl,
     {
       looseMode: false,
diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js
index 0cdaa25a85..2c7e43d2cc 100644
--- a/packages/server/src/api/controllers/auth.js
+++ b/packages/server/src/api/controllers/auth.js
@@ -4,6 +4,7 @@ const bcrypt = require("../../utilities/bcrypt")
 const env = require("../../environment")
 const { getAPIKey } = require("../../utilities/usageQuota")
 const { generateUserID } = require("../../db/utils")
+const { getCookieName } = require("../../utilities")
 
 exports.authenticate = async ctx => {
   const appId = ctx.user.appId
@@ -48,16 +49,18 @@ exports.authenticate = async ctx => {
     const expires = new Date()
     expires.setDate(expires.getDate() + 1)
 
-    ctx.cookies.set(`budibase:token`, token, {
+    ctx.cookies.set(getCookieName(appId), token, {
       expires,
       path: "/",
       httpOnly: false,
       overwrite: true,
     })
 
+    delete dbUser.password
     ctx.body = {
       token,
       ...dbUser,
+      appId,
     }
   } else {
     ctx.throw(401, "Invalid credentials.")
diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js
index 74f133cbde..a4bd347b75 100644
--- a/packages/server/src/middleware/authenticated.js
+++ b/packages/server/src/middleware/authenticated.js
@@ -9,6 +9,7 @@ const {
 } = require("../utilities/accessLevels")
 const env = require("../environment")
 const { AuthTypes } = require("../constants")
+const { getAppId, getCookieName } = require("../utilities")
 
 module.exports = async (ctx, next) => {
   if (ctx.path === "/_builder") {
@@ -16,8 +17,10 @@ module.exports = async (ctx, next) => {
     return
   }
 
-  const appToken = ctx.cookies.get("budibase:token")
-  const builderToken = ctx.cookies.get("builder:token")
+  const appId = getAppId(ctx)
+
+  const appToken = ctx.cookies.get(getCookieName(appId))
+  const builderToken = ctx.cookies.get(getCookieName())
 
   let token
   // if running locally in the builder itself
@@ -31,16 +34,6 @@ module.exports = async (ctx, next) => {
 
   if (!token) {
     ctx.auth.authenticated = false
-
-    let appId = env.CLOUD ? ctx.subdomains[1] : ctx.params.appId
-
-    // if appId can't be determined from path param or subdomain
-    if (!appId && ctx.request.headers.referer) {
-      const url = new URL(ctx.request.headers.referer)
-      // remove leading and trailing slashes from appId
-      appId = url.pathname.replace(/\//g, "")
-    }
-
     ctx.user = {
       appId,
     }
diff --git a/packages/server/src/utilities/builder/setBuilderToken.js b/packages/server/src/utilities/builder/setBuilderToken.js
index 811f273d40..f77bfe49a4 100644
--- a/packages/server/src/utilities/builder/setBuilderToken.js
+++ b/packages/server/src/utilities/builder/setBuilderToken.js
@@ -2,6 +2,9 @@ const { BUILDER_LEVEL_ID } = require("../accessLevels")
 const env = require("../../environment")
 const CouchDB = require("../../db")
 const jwt = require("jsonwebtoken")
+const { DocumentTypes, SEPARATOR } = require("../../db/utils")
+const { getCookieName } = require("../index")
+const APP_PREFIX = DocumentTypes.APP + SEPARATOR
 
 module.exports = async (ctx, appId, version) => {
   const builderUser = {
@@ -20,15 +23,18 @@ module.exports = async (ctx, appId, version) => {
   const expiry = new Date()
   expiry.setDate(expiry.getDate() + 30)
   // set the builder token
-  ctx.cookies.set("builder:token", token, {
+  ctx.cookies.set(getCookieName(), token, {
     expires: expiry,
     httpOnly: false,
     overwrite: true,
   })
   // need to clear all app tokens or else unable to use the app in the builder
   let allDbNames = await CouchDB.allDbs()
-  allDbNames.map(dbName => {})
-  ctx.cookies.set(`budibase:${appId}`, "", {
-    overwrite: true,
+  allDbNames.map(dbName => {
+    if (dbName.startsWith(APP_PREFIX)) {
+      ctx.cookies.set(getCookieName(dbName), "", {
+        overwrite: true,
+      })
+    }
   })
 }
diff --git a/packages/server/src/utilities/index.js b/packages/server/src/utilities/index.js
index 4fdc9f8b49..4c324cbfdf 100644
--- a/packages/server/src/utilities/index.js
+++ b/packages/server/src/utilities/index.js
@@ -11,6 +11,32 @@ exports.isDev = () => {
   )
 }
 
+/**
+ * Given a request tries to find the appId, which can be located in various places
+ * @param {object} ctx The main request body to look through.
+ * @returns {string|undefined} If an appId was found it will be returned.
+ */
 exports.getAppId = ctx => {
-
+  let appId = env.CLOUD ? ctx.subdomains[1] : ctx.params.appId
+  // look in body if can't find it in subdomain
+  if (!appId && ctx.request.body && ctx.request.body.appId) {
+    appId = ctx.request.body.appId
+  }
+  // if appId can't be determined from path param or subdomain
+  if (!appId && ctx.request.headers.referer) {
+    const url = new URL(ctx.request.headers.referer)
+    // remove leading and trailing slashes from appId
+    appId = url.pathname.replace(/\//g, "")
+  }
+  return appId
+}
+
+/**
+ * Get the name of the cookie which is to be updated/retrieved
+ * @param {string|undefined|null} appId OPTIONAL can specify the specific app if previewing etc
+ * @returns {string} The name of the token trying to find
+ */
+exports.getCookieName = (appId = null) => {
+  let mid = env.CLOUD ? "cloud" : "local"
+  return `budibase:${mid}:${appId ? appId : "builder"}`
 }

From 215e1251bc36226cb35f853030baff9e71b1b16d Mon Sep 17 00:00:00 2001
From: Michael Drury <me@michaeldrury.co.uk>
Date: Mon, 2 Nov 2020 22:46:31 +0000
Subject: [PATCH 04/10] Some further work, logout and preview appear to be
 working much better now.

---
 packages/builder/cypress/support/cookies.js           |  2 +-
 .../builder/src/pages/[application]/_reset.svelte     |  3 ++-
 packages/client/tests/testAppDef.js                   |  2 +-
 .../server/src/api/routes/tests/couchTestUtils.js     |  4 ++--
 packages/server/src/utilities/index.js                |  4 ++--
 packages/standard-components/src/Navigation.svelte    | 11 ++++++++---
 6 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/packages/builder/cypress/support/cookies.js b/packages/builder/cypress/support/cookies.js
index 1c172f4d4c..1245f84960 100644
--- a/packages/builder/cypress/support/cookies.js
+++ b/packages/builder/cypress/support/cookies.js
@@ -1,3 +1,3 @@
 Cypress.Cookies.defaults({
-  preserve: "builder:token",
+  preserve: "budibase:builder:local",
 })
diff --git a/packages/builder/src/pages/[application]/_reset.svelte b/packages/builder/src/pages/[application]/_reset.svelte
index d1d682d0b9..06942e03c8 100644
--- a/packages/builder/src/pages/[application]/_reset.svelte
+++ b/packages/builder/src/pages/[application]/_reset.svelte
@@ -84,7 +84,8 @@
       <Button
         secondary
         on:click={() => {
-          document.cookie = 'budibase:token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;'
+          // reset cookies for this app
+          document.cookie = `budibase:${application}:local=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;`
           window.open(`/${application}`)
         }}>
         Preview
diff --git a/packages/client/tests/testAppDef.js b/packages/client/tests/testAppDef.js
index 90dbd2717d..803a7f770b 100644
--- a/packages/client/tests/testAppDef.js
+++ b/packages/client/tests/testAppDef.js
@@ -9,7 +9,7 @@ export const load = async (page, screens, url, host = "test.com") => {
   const cookieJar = new jsdom.CookieJar()
   const cookie = `${btoa("{}")}.${btoa('{"appId":"TEST_APP_ID"}')}.signature`
   cookieJar.setCookie(
-    `budibase:local:TEST_APP_ID=${cookie};domain=${host};path=/`,
+    `budibase:TEST_APP_ID:local=${cookie};domain=${host};path=/`,
     fullUrl,
     {
       looseMode: false,
diff --git a/packages/server/src/api/routes/tests/couchTestUtils.js b/packages/server/src/api/routes/tests/couchTestUtils.js
index 6a4e67bfc7..07ff407e3d 100644
--- a/packages/server/src/api/routes/tests/couchTestUtils.js
+++ b/packages/server/src/api/routes/tests/couchTestUtils.js
@@ -34,7 +34,7 @@ exports.defaultHeaders = appId => {
 
   return {
     Accept: "application/json",
-    Cookie: [`builder:token=${builderToken}`],
+    Cookie: [`budibase:builder=${builderToken}:local`],
   }
 }
 
@@ -209,7 +209,7 @@ const createUserWithPermissions = async (
 
   const loginResult = await request
     .post(`/api/authenticate`)
-    .set({ Cookie: `budibase:${appId}=${anonToken}` })
+    .set({ Cookie: `budibase:${appId}:local=${anonToken}` })
     .send({ username, password })
 
   // returning necessary request headers
diff --git a/packages/server/src/utilities/index.js b/packages/server/src/utilities/index.js
index 4c324cbfdf..47db3f7ec1 100644
--- a/packages/server/src/utilities/index.js
+++ b/packages/server/src/utilities/index.js
@@ -37,6 +37,6 @@ exports.getAppId = ctx => {
  * @returns {string} The name of the token trying to find
  */
 exports.getCookieName = (appId = null) => {
-  let mid = env.CLOUD ? "cloud" : "local"
-  return `budibase:${mid}:${appId ? appId : "builder"}`
+  let environment = env.CLOUD ? "cloud" : "local"
+  return `budibase:${appId ? appId : "builder"}:${environment}`
 }
diff --git a/packages/standard-components/src/Navigation.svelte b/packages/standard-components/src/Navigation.svelte
index bb0863fe2c..0ee5fc7f23 100644
--- a/packages/standard-components/src/Navigation.svelte
+++ b/packages/standard-components/src/Navigation.svelte
@@ -18,9 +18,14 @@
   }
 
   const logOut = () => {
-    document.cookie =
-      "budibase:token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;"
-    location.reload()
+    // TODO: not the best way to clear cookie, try to find better way
+    const appId = location.pathname.split("/")[1]
+    if (appId) {
+      for (let environment of ["local", "cloud"]) {
+        document.cookie = `budibase:${appId}:${environment}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;`
+      }
+    }
+    location.href=`/${appId}`
   }
 </script>
 

From a35b6a57f9fb359b2ae651a8e99176437a500756 Mon Sep 17 00:00:00 2001
From: Michael Drury <me@michaeldrury.co.uk>
Date: Tue, 3 Nov 2020 13:45:49 +0000
Subject: [PATCH 05/10] Further work towards the re-implementation of auth,
 changing how the appId is determined, now it mainly will use a header, and a
 cookie which will be written to store the current status of appId.

---
 packages/builder/src/builderStore/api.js      |  8 ++--
 .../src/pages/[application]/_reset.svelte     |  2 -
 packages/client/src/api/index.js              | 11 +++--
 packages/server/src/api/controllers/auth.js   | 14 ++-----
 .../server/src/middleware/authenticated.js    | 19 +++++----
 .../src/utilities/builder/setBuilderToken.js  | 14 ++-----
 packages/server/src/utilities/index.js        | 42 +++++++++++++++----
 packages/standard-components/src/api.js       |  4 ++
 8 files changed, 67 insertions(+), 47 deletions(-)

diff --git a/packages/builder/src/builderStore/api.js b/packages/builder/src/builderStore/api.js
index a33a695028..46304e1486 100644
--- a/packages/builder/src/builderStore/api.js
+++ b/packages/builder/src/builderStore/api.js
@@ -1,15 +1,17 @@
+import { store } from "./index"
+import { get as svelteGet } from "svelte/store"
+
 const apiCall = method => async (
   url,
   body,
   headers = { "Content-Type": "application/json" }
 ) => {
-  const response = await fetch(url, {
+  headers["x-budibase-app-id"] = svelteGet(store).appId
+  return await fetch(url, {
     method: method,
     body: body && JSON.stringify(body),
     headers,
   })
-
-  return response
 }
 
 export const post = apiCall("POST")
diff --git a/packages/builder/src/pages/[application]/_reset.svelte b/packages/builder/src/pages/[application]/_reset.svelte
index 06942e03c8..2dd672586f 100644
--- a/packages/builder/src/pages/[application]/_reset.svelte
+++ b/packages/builder/src/pages/[application]/_reset.svelte
@@ -84,8 +84,6 @@
       <Button
         secondary
         on:click={() => {
-          // reset cookies for this app
-          document.cookie = `budibase:${application}:local=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;`
           window.open(`/${application}`)
         }}>
         Preview
diff --git a/packages/client/src/api/index.js b/packages/client/src/api/index.js
index 7d7c9b52c0..39139197a3 100644
--- a/packages/client/src/api/index.js
+++ b/packages/client/src/api/index.js
@@ -1,11 +1,12 @@
-import { authenticate } from "./authenticate"
-// import appStore from "../state/store"
+import {authenticate} from "./authenticate"
+import {getAppIdFromPath} from "../render/getAppId";
 
 const apiCall = method => async ({ url, body }) => {
   const response = await fetch(url, {
     method: method,
     headers: {
       "Content-Type": "application/json",
+      "x-budibase-app-id": getAppIdFromPath(),
     },
     body: body && JSON.stringify(body),
     credentials: "same-origin",
@@ -36,9 +37,8 @@ const del = apiCall("DELETE")
 
 const ERROR_MEMBER = "##error"
 const error = message => {
-  const err = { [ERROR_MEMBER]: message }
   // appStore.update(s => s["##error_message"], message)
-  return err
+  return {[ERROR_MEMBER]: message}
 }
 
 const isSuccess = obj => !obj || !obj[ERROR_MEMBER]
@@ -81,6 +81,9 @@ const makeRowRequestBody = (parameters, state) => {
 
   // then override with supplied parameters
   for (let fieldName in parameters.fields) {
+    if (!parameters.fields.hasOwnProperty(fieldName)) {
+      continue
+    }
     const field = parameters.fields[fieldName]
 
     // ensure fields sent are of the correct type
diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js
index 2c7e43d2cc..b7a084480a 100644
--- a/packages/server/src/api/controllers/auth.js
+++ b/packages/server/src/api/controllers/auth.js
@@ -4,10 +4,10 @@ const bcrypt = require("../../utilities/bcrypt")
 const env = require("../../environment")
 const { getAPIKey } = require("../../utilities/usageQuota")
 const { generateUserID } = require("../../db/utils")
-const { getCookieName } = require("../../utilities")
+const { setCookie } = require("../../utilities")
 
 exports.authenticate = async ctx => {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   if (!appId) ctx.throw(400, "No appId")
 
   const { username, password } = ctx.request.body
@@ -46,15 +46,7 @@ exports.authenticate = async ctx => {
       expiresIn: "1 day",
     })
 
-    const expires = new Date()
-    expires.setDate(expires.getDate() + 1)
-
-    ctx.cookies.set(getCookieName(appId), token, {
-      expires,
-      path: "/",
-      httpOnly: false,
-      overwrite: true,
-    })
+    setCookie(ctx, appId, token)
 
     delete dbUser.password
     ctx.body = {
diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js
index a4bd347b75..5bdafa9dee 100644
--- a/packages/server/src/middleware/authenticated.js
+++ b/packages/server/src/middleware/authenticated.js
@@ -9,7 +9,7 @@ const {
 } = require("../utilities/accessLevels")
 const env = require("../environment")
 const { AuthTypes } = require("../constants")
-const { getAppId, getCookieName } = require("../utilities")
+const { getAppId, getCookieName, setCookie } = require("../utilities")
 
 module.exports = async (ctx, next) => {
   if (ctx.path === "/_builder") {
@@ -17,7 +17,14 @@ module.exports = async (ctx, next) => {
     return
   }
 
-  const appId = getAppId(ctx)
+  // do everything we can to make sure the appId is held correctly
+  // we hold it in state as a
+  let appId = getAppId(ctx)
+  if (appId) {
+    setCookie(ctx, "currentapp", appId)
+  } else {
+    appId = ctx.cookies.get(getCookieName("currentapp"))
+  }
 
   const appToken = ctx.cookies.get(getCookieName(appId))
   const builderToken = ctx.cookies.get(getCookieName())
@@ -43,14 +50,12 @@ module.exports = async (ctx, next) => {
 
   try {
     const jwtPayload = jwt.verify(token, ctx.config.jwtSecret)
+    ctx.appId = appId
     ctx.auth.apiKey = jwtPayload.apiKey
     ctx.user = {
       ...jwtPayload,
-      appId: jwtPayload.appId,
-      accessLevel: await getAccessLevel(
-        jwtPayload.appId,
-        jwtPayload.accessLevelId
-      ),
+      appId: appId,
+      accessLevel: await getAccessLevel(appId, jwtPayload.accessLevelId),
     }
   } catch (err) {
     ctx.throw(err.status || STATUS_CODES.FORBIDDEN, err.text)
diff --git a/packages/server/src/utilities/builder/setBuilderToken.js b/packages/server/src/utilities/builder/setBuilderToken.js
index f77bfe49a4..38de0df939 100644
--- a/packages/server/src/utilities/builder/setBuilderToken.js
+++ b/packages/server/src/utilities/builder/setBuilderToken.js
@@ -3,7 +3,7 @@ const env = require("../../environment")
 const CouchDB = require("../../db")
 const jwt = require("jsonwebtoken")
 const { DocumentTypes, SEPARATOR } = require("../../db/utils")
-const { getCookieName } = require("../index")
+const { setCookie } = require("../index")
 const APP_PREFIX = DocumentTypes.APP + SEPARATOR
 
 module.exports = async (ctx, appId, version) => {
@@ -20,21 +20,13 @@ module.exports = async (ctx, appId, version) => {
     expiresIn: "30 days",
   })
 
-  const expiry = new Date()
-  expiry.setDate(expiry.getDate() + 30)
   // set the builder token
-  ctx.cookies.set(getCookieName(), token, {
-    expires: expiry,
-    httpOnly: false,
-    overwrite: true,
-  })
+  setCookie(ctx, "builder", token)
   // need to clear all app tokens or else unable to use the app in the builder
   let allDbNames = await CouchDB.allDbs()
   allDbNames.map(dbName => {
     if (dbName.startsWith(APP_PREFIX)) {
-      ctx.cookies.set(getCookieName(dbName), "", {
-        overwrite: true,
-      })
+      setCookie(ctx, dbName, "")
     }
   })
 }
diff --git a/packages/server/src/utilities/index.js b/packages/server/src/utilities/index.js
index 47db3f7ec1..73e11be1c9 100644
--- a/packages/server/src/utilities/index.js
+++ b/packages/server/src/utilities/index.js
@@ -1,4 +1,7 @@
 const env = require("../environment")
+const { DocumentTypes, SEPARATOR } = require("../db/utils")
+
+const APP_PREFIX = DocumentTypes.APP + SEPARATOR
 
 exports.wait = ms => new Promise(resolve => setTimeout(resolve, ms))
 
@@ -17,26 +20,47 @@ exports.isDev = () => {
  * @returns {string|undefined} If an appId was found it will be returned.
  */
 exports.getAppId = ctx => {
-  let appId = env.CLOUD ? ctx.subdomains[1] : ctx.params.appId
+  let appId = ctx.headers["x-budibase-app-id"]
+  if (!appId) {
+    appId = env.CLOUD ? ctx.subdomains[1] : ctx.params.appId
+  }
   // look in body if can't find it in subdomain
   if (!appId && ctx.request.body && ctx.request.body.appId) {
     appId = ctx.request.body.appId
   }
-  // if appId can't be determined from path param or subdomain
-  if (!appId && ctx.request.headers.referer) {
-    const url = new URL(ctx.request.headers.referer)
-    // remove leading and trailing slashes from appId
-    appId = url.pathname.replace(/\//g, "")
+  let appPath =
+    ctx.request.headers.referrer ||
+    ctx.path.split("/").filter(subPath => subPath.startsWith(APP_PREFIX))
+  if (!appId && appPath.length !== 0) {
+    appId = appPath[0]
   }
   return appId
 }
 
 /**
  * Get the name of the cookie which is to be updated/retrieved
- * @param {string|undefined|null} appId OPTIONAL can specify the specific app if previewing etc
+ * @param {string|undefined|null} name OPTIONAL can specify the specific app if previewing etc
  * @returns {string} The name of the token trying to find
  */
-exports.getCookieName = (appId = null) => {
+exports.getCookieName = (name = "builder") => {
   let environment = env.CLOUD ? "cloud" : "local"
-  return `budibase:${appId ? appId : "builder"}:${environment}`
+  return `budibase:${name}:${environment}`
+}
+
+/**
+ * Store a cookie for the request, has a hardcoded expiry.
+ * @param {object} ctx The request which is to be manipulated.
+ * @param {string} name The name of the cookie to set.
+ * @param {string|object} value The value of cookie which will be set.
+ */
+exports.setCookie = (ctx, name, value) => {
+  const expires = new Date()
+  expires.setDate(expires.getDate() + 1)
+
+  ctx.cookies.set(exports.getCookieName(name), value, {
+    expires,
+    path: "/",
+    httpOnly: false,
+    overwrite: true,
+  })
 }
diff --git a/packages/standard-components/src/api.js b/packages/standard-components/src/api.js
index 45e7a8f134..7d9be3db56 100644
--- a/packages/standard-components/src/api.js
+++ b/packages/standard-components/src/api.js
@@ -5,6 +5,10 @@ const apiCall = method => async (
     "Content-Type": "application/json",
   }
 ) => {
+  const appId = location.pathname.split("/")[1]
+  if (appId) {
+    headers["x-budibase-app-id"] = appId
+  }
   const response = await fetch(url, {
     method: method,
     body: body && JSON.stringify(body),

From 27871c1bc01bb94381015536e2780aed822a308b Mon Sep 17 00:00:00 2001
From: Michael Drury <me@michaeldrury.co.uk>
Date: Tue, 3 Nov 2020 13:58:17 +0000
Subject: [PATCH 06/10] Removing appIds from tokens to reduce confusion.

---
 packages/server/src/api/controllers/auth.js              | 3 +--
 packages/server/src/utilities/builder/setBuilderToken.js | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js
index b7a084480a..017a938a6a 100644
--- a/packages/server/src/api/controllers/auth.js
+++ b/packages/server/src/api/controllers/auth.js
@@ -33,8 +33,7 @@ exports.authenticate = async ctx => {
     const payload = {
       userId: dbUser._id,
       accessLevelId: dbUser.accessLevelId,
-      version: app.version,
-      appId,
+      version: app.version
     }
     // if in cloud add the user api key
     if (env.CLOUD) {
diff --git a/packages/server/src/utilities/builder/setBuilderToken.js b/packages/server/src/utilities/builder/setBuilderToken.js
index 38de0df939..2986a805a9 100644
--- a/packages/server/src/utilities/builder/setBuilderToken.js
+++ b/packages/server/src/utilities/builder/setBuilderToken.js
@@ -10,7 +10,6 @@ module.exports = async (ctx, appId, version) => {
   const builderUser = {
     userId: "BUILDER",
     accessLevelId: BUILDER_LEVEL_ID,
-    appId,
     version,
   }
   if (env.BUDIBASE_API_KEY) {

From 957706fc9119b138f8d1edf7517097f1084f2586 Mon Sep 17 00:00:00 2001
From: Michael Drury <me@michaeldrury.co.uk>
Date: Tue, 3 Nov 2020 14:30:20 +0000
Subject: [PATCH 07/10] Linting and fixing client test case, have to mock
 getAppId as the location will never be set during testing.

---
 packages/client/src/api/index.js                   | 6 +++---
 packages/client/tests/screenRouting.spec.js        | 3 +++
 packages/client/tests/testAppDef.js                | 6 ++++--
 packages/server/src/api/controllers/auth.js        | 2 +-
 packages/standard-components/src/Navigation.svelte | 2 +-
 5 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/packages/client/src/api/index.js b/packages/client/src/api/index.js
index 39139197a3..1279ebcb89 100644
--- a/packages/client/src/api/index.js
+++ b/packages/client/src/api/index.js
@@ -1,5 +1,5 @@
-import {authenticate} from "./authenticate"
-import {getAppIdFromPath} from "../render/getAppId";
+import { authenticate } from "./authenticate"
+import { getAppIdFromPath } from "../render/getAppId"
 
 const apiCall = method => async ({ url, body }) => {
   const response = await fetch(url, {
@@ -38,7 +38,7 @@ const del = apiCall("DELETE")
 const ERROR_MEMBER = "##error"
 const error = message => {
   // appStore.update(s => s["##error_message"], message)
-  return {[ERROR_MEMBER]: message}
+  return { [ERROR_MEMBER]: message }
 }
 
 const isSuccess = obj => !obj || !obj[ERROR_MEMBER]
diff --git a/packages/client/tests/screenRouting.spec.js b/packages/client/tests/screenRouting.spec.js
index 3e4818961d..10f251f032 100644
--- a/packages/client/tests/screenRouting.spec.js
+++ b/packages/client/tests/screenRouting.spec.js
@@ -1,5 +1,8 @@
 import { load, makePage, makeScreen, walkComponentTree } from "./testAppDef"
 import { isScreenSlot } from "../src/render/builtinComponents"
+jest.mock("../src/render/getAppId", () => ({
+  getAppIdFromPath: () => "TEST_APP_ID"
+}))
 
 describe("screenRouting", () => {
   it("should load correct screen, for initial URL", async () => {
diff --git a/packages/client/tests/testAppDef.js b/packages/client/tests/testAppDef.js
index 803a7f770b..c9a5bb1cc0 100644
--- a/packages/client/tests/testAppDef.js
+++ b/packages/client/tests/testAppDef.js
@@ -1,15 +1,17 @@
 import jsdom, { JSDOM } from "jsdom"
 import { loadBudibase } from "../src/index"
 
+export const APP_ID = "TEST_APP_ID"
+
 export const load = async (page, screens, url, host = "test.com") => {
   screens = screens || []
   url = url || "/"
 
   const fullUrl = `http://${host}${url}`
   const cookieJar = new jsdom.CookieJar()
-  const cookie = `${btoa("{}")}.${btoa('{"appId":"TEST_APP_ID"}')}.signature`
+  const cookie = `${btoa("{}")}.${btoa(`{"appId":"${APP_ID}"}`)}.signature`
   cookieJar.setCookie(
-    `budibase:TEST_APP_ID:local=${cookie};domain=${host};path=/`,
+    `budibase:${APP_ID}:local=${cookie};domain=${host};path=/`,
     fullUrl,
     {
       looseMode: false,
diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js
index 017a938a6a..2c162587b3 100644
--- a/packages/server/src/api/controllers/auth.js
+++ b/packages/server/src/api/controllers/auth.js
@@ -33,7 +33,7 @@ exports.authenticate = async ctx => {
     const payload = {
       userId: dbUser._id,
       accessLevelId: dbUser.accessLevelId,
-      version: app.version
+      version: app.version,
     }
     // if in cloud add the user api key
     if (env.CLOUD) {
diff --git a/packages/standard-components/src/Navigation.svelte b/packages/standard-components/src/Navigation.svelte
index 0ee5fc7f23..dda860414d 100644
--- a/packages/standard-components/src/Navigation.svelte
+++ b/packages/standard-components/src/Navigation.svelte
@@ -25,7 +25,7 @@
         document.cookie = `budibase:${appId}:${environment}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;`
       }
     }
-    location.href=`/${appId}`
+    location.href = `/${appId}`
   }
 </script>
 

From 0cc837b220f248cd6bbc34faf81b93d95f3ee18a Mon Sep 17 00:00:00 2001
From: Michael Drury <me@michaeldrury.co.uk>
Date: Tue, 3 Nov 2020 15:00:39 +0000
Subject: [PATCH 08/10] Updating server test cases with the header for appId.

---
 packages/client/src/render/getAppId.js            |  3 ++-
 .../server/src/api/routes/tests/couchTestUtils.js | 15 +++++++++++----
 packages/server/src/middleware/authenticated.js   |  7 ++++---
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/packages/client/src/render/getAppId.js b/packages/client/src/render/getAppId.js
index d476eda44c..7da86a802d 100644
--- a/packages/client/src/render/getAppId.js
+++ b/packages/client/src/render/getAppId.js
@@ -1,3 +1,4 @@
 export const getAppIdFromPath = () => {
-  return location.pathname.split("/")[1]
+  let appId = location.pathname.split("/")[1]
+  return appId.startsWith("app_") ? appId : undefined
 }
diff --git a/packages/server/src/api/routes/tests/couchTestUtils.js b/packages/server/src/api/routes/tests/couchTestUtils.js
index 07ff407e3d..02a75d77fd 100644
--- a/packages/server/src/api/routes/tests/couchTestUtils.js
+++ b/packages/server/src/api/routes/tests/couchTestUtils.js
@@ -27,15 +27,19 @@ exports.defaultHeaders = appId => {
   const builderUser = {
     userId: "BUILDER",
     accessLevelId: BUILDER_LEVEL_ID,
-    appId,
   }
 
   const builderToken = jwt.sign(builderUser, env.JWT_SECRET)
 
-  return {
+  const headers = {
     Accept: "application/json",
-    Cookie: [`budibase:builder=${builderToken}:local`],
+    Cookie: [`budibase:builder:local=${builderToken}`],
   }
+  if (appId) {
+    headers["x-budibase-app-id"] = appId
+  }
+
+  return headers
 }
 
 exports.createTable = async (request, appId, table) => {
@@ -209,7 +213,10 @@ const createUserWithPermissions = async (
 
   const loginResult = await request
     .post(`/api/authenticate`)
-    .set({ Cookie: `budibase:${appId}:local=${anonToken}` })
+    .set({
+      Cookie: `budibase:${appId}:local=${anonToken}`,
+      "x-budibase-app-id": appId,
+    })
     .send({ username, password })
 
   // returning necessary request headers
diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js
index 5bdafa9dee..a29fa9f51c 100644
--- a/packages/server/src/middleware/authenticated.js
+++ b/packages/server/src/middleware/authenticated.js
@@ -20,10 +20,11 @@ module.exports = async (ctx, next) => {
   // do everything we can to make sure the appId is held correctly
   // we hold it in state as a
   let appId = getAppId(ctx)
-  if (appId) {
+  const cookieAppId = ctx.cookies.get(getCookieName("currentapp"))
+  if (appId && cookieAppId !== appId) {
     setCookie(ctx, "currentapp", appId)
-  } else {
-    appId = ctx.cookies.get(getCookieName("currentapp"))
+  } else if (cookieAppId) {
+    appId = cookieAppId
   }
 
   const appToken = ctx.cookies.get(getCookieName(appId))

From 42b16069a6539c8664f52537c2f5f59510131e4b Mon Sep 17 00:00:00 2001
From: Michael Drury <me@michaeldrury.co.uk>
Date: Tue, 3 Nov 2020 15:35:27 +0000
Subject: [PATCH 09/10] Fixing issue that was breaking linting.

---
 packages/client/src/api/index.js | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/packages/client/src/api/index.js b/packages/client/src/api/index.js
index 1279ebcb89..249c8731fa 100644
--- a/packages/client/src/api/index.js
+++ b/packages/client/src/api/index.js
@@ -80,10 +80,7 @@ const makeRowRequestBody = (parameters, state) => {
   if (body._table) delete body._table
 
   // then override with supplied parameters
-  for (let fieldName in parameters.fields) {
-    if (!parameters.fields.hasOwnProperty(fieldName)) {
-      continue
-    }
+  for (let fieldName of Object.keys(parameters.fields)) {
     const field = parameters.fields[fieldName]
 
     // ensure fields sent are of the correct type

From b3fbffdfdcb30505df54296616d57adeedf85b4d Mon Sep 17 00:00:00 2001
From: Michael Drury <me@michaeldrury.co.uk>
Date: Tue, 3 Nov 2020 16:23:28 +0000
Subject: [PATCH 10/10] Fixing issue with appId being checked when undefined.

---
 packages/client/src/render/getAppId.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/client/src/render/getAppId.js b/packages/client/src/render/getAppId.js
index 7da86a802d..8356f7b25c 100644
--- a/packages/client/src/render/getAppId.js
+++ b/packages/client/src/render/getAppId.js
@@ -1,4 +1,4 @@
 export const getAppIdFromPath = () => {
   let appId = location.pathname.split("/")[1]
-  return appId.startsWith("app_") ? appId : undefined
+  return appId && appId.startsWith("app_") ? appId : undefined
 }