Merge pull request #2560 from Budibase/fix/multi-tenancy-prod

Fixing issues with multi-tenancy breaking various server endpoints in prod
2024-10-03 02:27:06 +13:00 · 2021-09-06 16:36:43 +01:00 · 2021-09-06 16:36:43 +01:00 · df5f738451
commit df5f738451
parent 6668e994b2 f7718ecae9
4 changed files with 47 additions and 38 deletions
--- a/packages/auth/src/middleware/tenancy.js
+++ b/packages/auth/src/middleware/tenancy.js
@ -2,12 +2,13 @@ const { setTenantId } = require("../tenancy")
 const ContextFactory = require("../tenancy/FunctionContext")
 const { buildMatcherRegex, matches } = require("./matchers")

-module.exports = (allowQueryStringPatterns, noTenancyPatterns) => {
+module.exports = (allowQueryStringPatterns, noTenancyPatterns, opts = {}) => {
  const allowQsOptions = buildMatcherRegex(allowQueryStringPatterns)
  const noTenancyOptions = buildMatcherRegex(noTenancyPatterns)

  return ContextFactory.getMiddleware(ctx => {
-    const allowNoTenant = !!matches(ctx, noTenancyOptions)
+    const allowNoTenant =
+      opts.noTenancyRequired || !!matches(ctx, noTenancyOptions)
    const allowQs = !!matches(ctx, allowQsOptions)
    setTenantId(ctx, { allowQs, allowNoTenant })
  })
--- a/packages/server/src/api/controllers/row/ExternalRequest.ts
+++ b/packages/server/src/api/controllers/row/ExternalRequest.ts
@ -6,8 +6,16 @@ import {
  SearchFilters,
  SortJson,
 } from "../../../definitions/datasource"
-import {Datasource, FieldSchema, Row, Table} from "../../../definitions/common"
-import {breakRowIdField, generateRowIdField} from "../../../integrations/utils"
+import {
+  Datasource,
+  FieldSchema,
+  Row,
+  Table,
+} from "../../../definitions/common"
+import {
+  breakRowIdField,
+  generateRowIdField,
+} from "../../../integrations/utils"
 import { RelationshipTypes } from "../../../constants"

 interface ManyRelationship {
@ -348,7 +356,7 @@ module External {
     * information.
     */
    async lookupRelations(tableId: string, row: Row) {
-      const related: {[key: string]: any} = {}
+      const related: { [key: string]: any } = {}
      const { tableName } = breakExternalTableId(tableId)
      const table = this.tables[tableName]
      // @ts-ignore
@ -387,7 +395,11 @@ module External {
     * isn't supposed to exist anymore and delete those. This is better than the usual method of delete them
     * all and then re-create, as theres no chance of losing data (e.g. delete succeed, but write fail).
     */
-    async handleManyRelationships(mainTableId: string, row: Row, relationships: ManyRelationship[]) {
+    async handleManyRelationships(
+      mainTableId: string,
+      row: Row,
+      relationships: ManyRelationship[]
+    ) {
      const { appId } = this
      // if we're creating (in a through table) need to wipe the existing ones first
      const promises = []
@ -399,8 +411,10 @@ module External {
        // @ts-ignore
        const linkPrimary = linkTable.primary[0]
        const rows = related[key].rows || []
-        const found = rows.find((row: { [key: string]: any }) =>
-          row[linkPrimary] === relationship.id || row[linkPrimary] === body[linkPrimary]
+        const found = rows.find(
+          (row: { [key: string]: any }) =>
+            row[linkPrimary] === relationship.id ||
+            row[linkPrimary] === body[linkPrimary]
        )
        const operation = isUpdate
          ? DataSourceOperation.UPDATE
@ -420,13 +434,17 @@ module External {
        }
      }
      // finally cleanup anything that needs to be removed
-      for (let [colName, {isMany, rows, tableId}] of Object.entries(related)) {
+      for (let [colName, { isMany, rows, tableId }] of Object.entries(
+        related
+      )) {
        const table = this.getTable(tableId)
        for (let row of rows) {
          const filters = buildFilters(generateIdForRow(row, table), {}, table)
          // safety check, if there are no filters on deletion bad things happen
          if (Object.keys(filters).length !== 0) {
-            const op = isMany ? DataSourceOperation.DELETE : DataSourceOperation.UPDATE
+            const op = isMany
+              ? DataSourceOperation.DELETE
+              : DataSourceOperation.UPDATE
            const body = isMany ? null : { [colName]: null }
            promises.push(
              makeExternalQuery(this.appId, {
@ -448,7 +466,10 @@ module External {
     * Creating the specific list of fields that we desire, and excluding the ones that are no use to us
     * is more performant and has the added benefit of protecting against this scenario.
     */
-    buildFields(table: Table, includeRelations: IncludeRelationships = IncludeRelationships.INCLUDE) {
+    buildFields(
+      table: Table,
+      includeRelations: IncludeRelationships = IncludeRelationships.INCLUDE
+    ) {
      function extractNonLinkFieldNames(table: Table, existing: string[] = []) {
        return Object.entries(table.schema)
          .filter(
@ -523,7 +544,10 @@ module External {
      // can't really use response right now
      const response = await makeExternalQuery(appId, json)
      // handle many to many relationships now if we know the ID (could be auto increment)
-      if (operation !== DataSourceOperation.READ && processed.manyRelationships) {
+      if (
+        operation !== DataSourceOperation.READ &&
+        processed.manyRelationships
+      ) {
        await this.handleManyRelationships(
          table._id || "",
          response[0],
--- a/packages/server/src/api/index.js
+++ b/packages/server/src/api/index.js
@ -10,27 +10,6 @@ const env = require("../environment")

 const router = new Router()

-const NO_TENANCY_ENDPOINTS = [
-  {
-    route: "/api/analytics",
-    method: "GET",
-  },
-  {
-    route: "/builder",
-    method: "GET",
-  },
-  // when using this locally there can be pass through, need
-  // to allow all pass through endpoints to go without tenancy
-  {
-    route: "/api/global",
-    method: "ALL",
-  },
-  {
-    route: "/api/system",
-    method: "ALL",
-  },
-]
-
 router
  .use(
    compress({
@ -53,13 +32,21 @@ router
  })
  .use("/health", ctx => (ctx.status = 200))
  .use("/version", ctx => (ctx.body = pkg.version))
+  // re-direct before any middlewares occur
+  .redirect("/", "/builder")
  .use(
    buildAuthMiddleware(null, {
      publicAllowed: true,
    })
  )
  // nothing in the server should allow query string tenants
-  .use(buildTenancyMiddleware(null, NO_TENANCY_ENDPOINTS))
+  // the server can be public anywhere, so nowhere should throw errors
+  // if the tenancy has not been set, it'll have to be discovered at application layer
+  .use(
+    buildTenancyMiddleware(null, null, {
+      noTenancyRequired: true,
+    })
+  )
  .use(currentApp)
  .use(auditLog)

@ -93,7 +80,4 @@ for (let route of mainRoutes) {
 router.use(staticRoutes.routes())
 router.use(staticRoutes.allowedMethods())

-// add a redirect for when hitting server directly
-router.redirect("/", "/builder")
-
 module.exports = router
--- a/packages/server/src/definitions/datasource.ts
+++ b/packages/server/src/definitions/datasource.ts
@ -42,7 +42,7 @@ export enum SourceNames {

 export enum IncludeRelationships {
  INCLUDE = 1,
-  EXCLUDE = 0
+  EXCLUDE = 0,
 }

 export interface QueryDefinition {