diff --git a/packages/server/src/api/controllers/static.js b/packages/server/src/api/controllers/static.js index f14b794210..5aaa9ab125 100644 --- a/packages/server/src/api/controllers/static.js +++ b/packages/server/src/api/controllers/static.js @@ -136,7 +136,7 @@ exports.performLocalFileProcessing = async function(ctx) { } exports.serveApp = async function(ctx) { - const mainOrAuth = ctx.isAuthenticated ? "main" : "unauthenticated" + const mainOrAuth = ctx.auth.authenticated ? "main" : "unauthenticated" // default to homedir const appPath = resolve( @@ -154,7 +154,7 @@ exports.serveApp = async function(ctx) { // only set the appId cookie for /appId .. we COULD check for valid appIds // but would like to avoid that DB hit const looksLikeAppId = /^(app_)?[0-9a-f]{32}$/.test(appId) - if (looksLikeAppId && !ctx.isAuthenticated) { + if (looksLikeAppId && !ctx.auth.authenticated) { const anonUser = { userId: "ANON", accessLevelId: ANON_LEVEL_ID, @@ -200,7 +200,7 @@ exports.serveAttachment = async function(ctx) { exports.serveAppAsset = async function(ctx) { // default to homedir - const mainOrAuth = ctx.isAuthenticated ? "main" : "unauthenticated" + const mainOrAuth = ctx.auth.authenticated ? "main" : "unauthenticated" const appPath = resolve( budibaseAppsDir(), diff --git a/packages/server/src/app.js b/packages/server/src/app.js index 7560c9cfa4..4157534365 100644 --- a/packages/server/src/app.js +++ b/packages/server/src/app.js @@ -24,6 +24,7 @@ app.use( ) app.context.eventEmitter = eventEmitter +app.context.auth = {} // api routes app.use(api.routes()) diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js index 93ee66b6d4..1203ea0033 100644 --- a/packages/server/src/middleware/authenticated.js +++ b/packages/server/src/middleware/authenticated.js 
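Review bot: `app.context.auth = {}` puts a single shared object on the Koa context prototype, so every request whose middleware never assigns an own `ctx.auth` reads, and can write, the same instance; in this very diff `authenticated.js` does exactly that with `ctx.auth.authenticated = false`, which turns a per-request flag into process-wide state. Today the only such in-place write stores `false`, so the effect is fail-closed, but any future in-place write of `authenticated: true` or of `apiKey` would leak across requests. A default that cannot be mutated and that documents the contract is safer, e.g. `app.context.auth = Object.freeze({ authenticated: false }) // per-request default: middleware must replace ctx.auth, never mutate it`. Note that in sloppy-mode CommonJS a stray mutation of a frozen object is a silent no-op rather than a TypeError, so the comment carries as much weight as the freeze.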
@@ -20,8 +20,10 @@ module.exports = async (ctx, next) => { if (builderToken) { try { const jwtPayload = jwt.verify(builderToken, ctx.config.jwtSecret) - ctx.apiKey = jwtPayload.apiKey - ctx.isAuthenticated = jwtPayload.accessLevelId === BUILDER_LEVEL_ID + ctx.auth = { + apiKey: jwtPayload.apiKey, + authenticated: jwtPayload.accessLevelId === BUILDER_LEVEL_ID, + } ctx.user = { ...jwtPayload, accessLevel: await getAccessLevel( @@ -38,14 +40,13 @@ module.exports = async (ctx, next) => { } if (!appToken) { - ctx.isAuthenticated = false + ctx.auth.authenticated = false await next() return } try { const jwtPayload = jwt.verify(appToken, ctx.config.jwtSecret) - ctx.apiKey = jwtPayload.apiKey ctx.user = { ...jwtPayload, accessLevel: await getAccessLevel( @@ -53,7 +54,10 @@ module.exports = async (ctx, next) => { jwtPayload.accessLevelId ), } - ctx.isAuthenticated = ctx.user.accessLevelId !== ANON_LEVEL_ID + ctx.auth = { + authenticated: ctx.user.accessLevelId !== ANON_LEVEL_ID, + apiKey: jwtPayload.apiKey, + } } catch (err) { ctx.throw(err.status || STATUS_CODES.FORBIDDEN, err.text) } diff --git a/packages/server/src/middleware/authorized.js b/packages/server/src/middleware/authorized.js index 093e9b5bf5..bd09029471 100644 --- a/packages/server/src/middleware/authorized.js +++ b/packages/server/src/middleware/authorized.js @@ -20,9 +20,11 @@ module.exports = (permName, getItemId) => async (ctx, next) => { }) if (apiKeyInfo) { - ctx.isAuthenticated = true - ctx.externalWebhook = true - ctx.apiKey = ctx.headers["x-api-key"] + ctx.auth = { + authenticated: true, + external: true, + apiKey: ctx.headers["x-api-key"], + } ctx.user = { instanceId: ctx.headers["x-instanceid"], } @@ -32,7 +34,7 @@ module.exports = (permName, getItemId) => async (ctx, next) => { ctx.throw(403, "API key invalid") } - if (!ctx.isAuthenticated) { + if (!ctx.auth.authenticated) { ctx.throw(403, "Session not authenticated") } 
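Review bot: `ctx.auth.authenticated = false` in the no-appToken branch mutates whichever object `ctx.auth` resolves to, and on a request where nothing has yet assigned an own `ctx.auth` that is the shared `app.context.auth` default from app.js, so the write is visible to every other request in the process. Every other branch in this middleware and in authorized.js replaces the object wholesale (`ctx.auth = { ... }`), so this line is the one inconsistency; change it to `ctx.auth = { authenticated: false }`. The enclosing middleware function starts outside the hunk, so I cannot see whether the builder-token branch returns before reaching this point; the fix is correct either way since it no longer depends on what `ctx.auth` held before.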
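Review bot: `ctx.externalWebhook = true` becomes `ctx.auth.external = true`, but no file in this diff updates a reader of `ctx.externalWebhook`; if one exists elsewhere it will now see `undefined` and treat API-key requests as ordinary sessions, a silent behaviour change rather than an error. A repository-wide search for `externalWebhook` before merging, or keeping `ctx.externalWebhook = true` alongside the new field for one release, would close that gap. Separately, this path still takes `instanceId` straight from the client-supplied `x-instanceid` header with no visible check that `apiKeyInfo` authorises that instance; if the lookup does not bind a key to an instance, a valid key for one instance can be replayed against another. That is pre-existing, but the new `external: true` record is the natural place to carry the instance the key is scoped to.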
diff --git a/packages/server/src/middleware/usageQuota.js b/packages/server/src/middleware/usageQuota.js index e82305dc12..778f51f9d8 100644 --- a/packages/server/src/middleware/usageQuota.js +++ b/packages/server/src/middleware/usageQuota.js @@ -55,7 +55,7 @@ module.exports = async (ctx, next) => { return next() } try { - await usageQuota.update(ctx.apiKey, property, usage) + await usageQuota.update(ctx.auth.apiKey, property, usage) return next() } catch (err) { ctx.throw(403, err)
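Review bot: `ctx.auth.apiKey` is read with no presence check, so a request that reaches this middleware without an own `ctx.auth` (the app.js default carries no `apiKey`) calls `usageQuota.update(undefined, ...)`; unless `update` rejects a missing key, the usage is attributed to no one and the quota is effectively bypassed. The authorized middleware's `ctx.throw(403, "Session not authenticated")` probably prevents that ordering, but this middleware should not depend on it: `if (!ctx.auth.apiKey) ctx.throw(403, "No API key on request")` before the update keeps it fail-closed. On the adjacent context line, passing the caught error object straight into `ctx.throw(403, err)` marks it exposable (status below 500), so a datastore error message can reach the client; a fixed string with the original logged server-side is safer. The enclosing middleware function begins outside the hunk, so the `return next()` branch above may already cover some of these cases; confirm before adding the guard.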