1
0
Fork 0
mirror of synced 2024-06-17 01:44:53 +12:00

Fixing authentication with API key issue.

This commit is contained in:
mike12345567 2021-06-21 17:13:06 +01:00
parent 1f65427e90
commit ed5dd08c66
3 changed files with 29 additions and 16 deletions

View file

@ -22,6 +22,12 @@ function buildNoAuthRegex(patterns) {
})
}
function finalise(ctx, { authenticated, user, internal } = {}) {
ctx.isAuthenticated = authenticated || false
ctx.user = user
ctx.internal = internal || false
}
module.exports = (noAuthPatterns = [], opts) => {
const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
return async (ctx, next) => {
@ -36,35 +42,40 @@ module.exports = (noAuthPatterns = [], opts) => {
return next()
}
try {
const apiKey = ctx.request.headers["x-budibase-api-key"]
// check the actual user is authenticated first
const authCookie = getCookie(ctx, Cookies.Auth)
// this is an internal request, no user made it
if (apiKey && apiKey === env.INTERNAL_API_KEY) {
ctx.isAuthenticated = true
ctx.internal = true
} else if (authCookie) {
let authenticated = false,
user = null,
internal = false
if (authCookie) {
try {
const db = database.getDB(StaticDatabases.GLOBAL.name)
const user = await db.get(authCookie.userId)
delete user.password
ctx.isAuthenticated = true
ctx.user = user
const foundUser = await db.get(authCookie.userId)
delete foundUser.password
authenticated = true
user = foundUser
} catch (err) {
// remove the cookie as the use does not exist anymore
clearCookie(ctx, Cookies.Auth)
}
}
// be explicit
if (ctx.isAuthenticated !== true) {
ctx.isAuthenticated = false
const apiKey = ctx.request.headers["x-budibase-api-key"]
// this is an internal request, no user made it
if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
authenticated = true
internal = true
}
// be explicit
if (authenticated !== true) {
authenticated = false
}
// isAuthenticated is a function, so use a variable to be able to check authed state
finalise(ctx, { authenticated, user, internal })
return next()
} catch (err) {
// allow configuring for public access
if (opts && opts.publicAllowed) {
ctx.isAuthenticated = false
finalise(ctx, { authenticated: false })
} else {
ctx.throw(err.status || 403, err)
}

View file

@ -20,6 +20,7 @@ process.env.MINIO_ACCESS_KEY = "budibase"
process.env.MINIO_SECRET_KEY = "budibase"
process.env.COUCH_DB_USER = "budibase"
process.env.COUCH_DB_PASSWORD = "budibase"
process.env.INTERNAL_API_KEY = "budibase"
// Stop info logs polluting test outputs
process.env.LOG_LEVEL = "error"

View file

@ -90,7 +90,8 @@ exports.find = async function (ctx) {
if (scopedConfig) {
ctx.body = scopedConfig
} else {
ctx.throw(400, "No configuration exists.")
// don't throw an error, there simply is nothing to return
ctx.body = {}
}
} catch (err) {
ctx.throw(err.status, err)