Fixing authentication with API key issue.

2024-06-17 01:44:53 +12:00 · 2021-06-21 17:13:06 +01:00 · 2021-06-21 17:13:06 +01:00 · ed5dd08c66
parent 1f65427e90
commit ed5dd08c66
3 changed files with 29 additions and 16 deletions
--- a/packages/auth/src/middleware/authenticated.js
+++ b/packages/auth/src/middleware/authenticated.js
@ -22,6 +22,12 @@ function buildNoAuthRegex(patterns) {
  })
 }

+function finalise(ctx, { authenticated, user, internal } = {}) {
+  ctx.isAuthenticated = authenticated || false
+  ctx.user = user
+  ctx.internal = internal || false
+}
+
 module.exports = (noAuthPatterns = [], opts) => {
  const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
  return async (ctx, next) => {
@ -36,35 +42,40 @@ module.exports = (noAuthPatterns = [], opts) => {
      return next()
    }
    try {
-      const apiKey = ctx.request.headers["x-budibase-api-key"]
      // check the actual user is authenticated first
      const authCookie = getCookie(ctx, Cookies.Auth)
-
-      // this is an internal request, no user made it
-      if (apiKey && apiKey === env.INTERNAL_API_KEY) {
-        ctx.isAuthenticated = true
-        ctx.internal = true
-      } else if (authCookie) {
+      let authenticated = false,
+        user = null,
+        internal = false
+      if (authCookie) {
        try {
          const db = database.getDB(StaticDatabases.GLOBAL.name)
-          const user = await db.get(authCookie.userId)
-          delete user.password
-          ctx.isAuthenticated = true
-          ctx.user = user
+          const foundUser = await db.get(authCookie.userId)
+          delete foundUser.password
+          authenticated = true
+          user = foundUser
        } catch (err) {
          // remove the cookie as the use does not exist anymore
          clearCookie(ctx, Cookies.Auth)
        }
      }
-      // be explicit
-      if (ctx.isAuthenticated !== true) {
-        ctx.isAuthenticated = false
+      const apiKey = ctx.request.headers["x-budibase-api-key"]
+      // this is an internal request, no user made it
+      if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
+        authenticated = true
+        internal = true
      }
+      // be explicit
+      if (authenticated !== true) {
+        authenticated = false
+      }
+      // isAuthenticated is a function, so use a variable to be able to check authed state
+      finalise(ctx, { authenticated, user, internal })
      return next()
    } catch (err) {
      // allow configuring for public access
      if (opts && opts.publicAllowed) {
-        ctx.isAuthenticated = false
+        finalise(ctx, { authenticated: false })
      } else {
        ctx.throw(err.status || 403, err)
      }
--- a/packages/builder/cypress/setup.js
+++ b/packages/builder/cypress/setup.js
@ -20,6 +20,7 @@ process.env.MINIO_ACCESS_KEY = "budibase"
 process.env.MINIO_SECRET_KEY = "budibase"
 process.env.COUCH_DB_USER = "budibase"
 process.env.COUCH_DB_PASSWORD = "budibase"
+process.env.INTERNAL_API_KEY = "budibase"

 // Stop info logs polluting test outputs
 process.env.LOG_LEVEL = "error"
--- a/packages/worker/src/api/controllers/admin/configs.js
+++ b/packages/worker/src/api/controllers/admin/configs.js
@ -90,7 +90,8 @@ exports.find = async function (ctx) {
    if (scopedConfig) {
      ctx.body = scopedConfig
    } else {
-      ctx.throw(400, "No configuration exists.")
+      // don't throw an error, there simply is nothing to return
+      ctx.body = {}
    }
  } catch (err) {
    ctx.throw(err.status, err)