From ed5dd08c66b82ddd32c4715ab9d288bead9ffc5a Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Mon, 21 Jun 2021 17:13:06 +0100
Subject: [PATCH] Fixing authentication with API key issue.

---
 packages/auth/src/middleware/authenticated.js | 41 ++++++++++++-------
 packages/builder/cypress/setup.js | 1 +
 .../src/api/controllers/admin/configs.js | 3 +-
 3 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/packages/auth/src/middleware/authenticated.js b/packages/auth/src/middleware/authenticated.js
index 5d9056b19a..b40e86e364 100644
--- a/packages/auth/src/middleware/authenticated.js
+++ b/packages/auth/src/middleware/authenticated.js
@@ -22,6 +22,12 @@ function buildNoAuthRegex(patterns) {
 })
 }
 
+function finalise(ctx, { authenticated, user, internal } = {}) {
+  ctx.isAuthenticated = authenticated || false
+  ctx.user = user
+  ctx.internal = internal || false
+}
+
 module.exports = (noAuthPatterns = [], opts) => {
 const noAuthOptions = noAuthPatterns ? buildNoAuthRegex(noAuthPatterns) : []
 return async (ctx, next) => {
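Review bot: `finalise` has no doc comment although it is the one place the new code writes the authentication outcome to the context, and it silently resets `ctx.user` to `undefined` whenever `user` is omitted; add a JSDoc such as `/** Write the outcome of authentication to the koa context; any field not supplied is reset (false / undefined). */` with `@param {object} ctx` and `@param {{authenticated?: boolean, user?: object, internal?: boolean}} [result]`. As a style point, `authenticated || false` and `internal || false` could be written `Boolean(authenticated)` and `Boolean(internal)` so the normalisation to a boolean is explicit rather than implied by `||`.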
@@ -36,35 +42,40 @@ module.exports = (noAuthPatterns = [], opts) => {
 return next()
 }
 try {
- const apiKey = ctx.request.headers["x-budibase-api-key"]
 // check the actual user is authenticated first
 const authCookie = getCookie(ctx, Cookies.Auth)
-
- // this is an internal request, no user made it
- if (apiKey && apiKey === env.INTERNAL_API_KEY) {
- ctx.isAuthenticated = true
- ctx.internal = true
- } else if (authCookie) {
+ let authenticated = false,
+ user = null,
+ internal = false
+ if (authCookie) {
 try {
 const db = database.getDB(StaticDatabases.GLOBAL.name)
- const user = await db.get(authCookie.userId)
- delete user.password
- ctx.isAuthenticated = true
- ctx.user = user
+ const foundUser = await db.get(authCookie.userId)
+ delete foundUser.password
+ authenticated = true
+ user = foundUser
 } catch (err) {
 // remove the cookie as the use does not exist anymore
 clearCookie(ctx, Cookies.Auth)
 }
 }
- // be explicit
- if (ctx.isAuthenticated !== true) {
- ctx.isAuthenticated = false
+ const apiKey = ctx.request.headers["x-budibase-api-key"]
+ // this is an internal request, no user made it
+ if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
+ authenticated = true
+ internal = true
 }
+ // be explicit
+ if (authenticated !== true) {
+ authenticated = false
+ }
+ // isAuthenticated is a function, so use a variable to be able to check authed state
+ finalise(ctx, { authenticated, user, internal })
 return next()
 } catch (err) {
 // allow configuring for public access
 if (opts && opts.publicAllowed) {
- ctx.isAuthenticated = false
+ finalise(ctx, { authenticated: false })
 } else {
 ctx.throw(err.status || 403, err)
diff --git a/packages/builder/cypress/setup.js b/packages/builder/cypress/setup.js
index c55cef2afe..0aa43308af 100644
--- a/packages/builder/cypress/setup.js
+++ b/packages/builder/cypress/setup.js
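Review bot: The internal-key check `if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY)` compares a shared secret with `===`, which is not constant-time, so the comparison should go through `crypto.timingSafeEqual` on equal-length buffers while keeping the non-empty guard so that an unset or empty `INTERNAL_API_KEY` can never match; the excerpt below does that and needs a `crypto` require at the top of the file, outside this hunk. The "be explicit" block `if (authenticated !== true) { authenticated = false }` is dead code, since `authenticated` is only ever assigned `true` or `false` within this hunk, and can be dropped. The comment `// isAuthenticated is a function, so use a variable to be able to check authed state` reads as if `ctx.isAuthenticated` were callable, yet `finalise` assigns it a boolean; if it refers to another middleware's `ctx.isAuthenticated()` that should be named, otherwise `// collect the outcome first, then write it to ctx in one place` says what the code does. The enclosing `async (ctx, next)` handler starts and ends outside this hunk.
```javascript
      // … unchanged: cookie lookup into authenticated / user …
      const apiKey = ctx.request.headers["x-budibase-api-key"]
      const expectedKey = env.INTERNAL_API_KEY
      // this is an internal request, no user made it; compare the secret in constant time
      const isInternalKey =
        typeof apiKey === "string" &&
        apiKey !== "" &&
        typeof expectedKey === "string" &&
        expectedKey !== "" &&
        Buffer.byteLength(apiKey) === Buffer.byteLength(expectedKey) &&
        crypto.timingSafeEqual(Buffer.from(apiKey), Buffer.from(expectedKey))
      if (!authenticated && isInternalKey) {
        authenticated = true
        internal = true
      }
      // … unchanged: finalise(ctx, { authenticated, user, internal }) and return next() …
```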
@@ -20,6 +20,7 @@ process.env.MINIO_ACCESS_KEY = "budibase" process.env.MINIO_SECRET_KEY = "budibase" process.env.COUCH_DB_USER = "budibase" process.env.COUCH_DB_PASSWORD = "budibase" +process.env.INTERNAL_API_KEY = "budibase" // Stop info logs polluting test outputs process.env.LOG_LEVEL = "error" diff --git a/packages/worker/src/api/controllers/admin/configs.js b/packages/worker/src/api/controllers/admin/configs.js index e1bd385384..27ba636bc8 100644 --- a/packages/worker/src/api/controllers/admin/configs.js +++ b/packages/worker/src/api/controllers/admin/configs.js @@ -90,7 +90,8 @@ exports.find = async function (ctx) { if (scopedConfig) { ctx.body = scopedConfig } else { - ctx.throw(400, "No configuration exists.") + // don't throw an error, there simply is nothing to return + ctx.body = {} } } catch (err) { ctx.throw(err.status, err)
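Review bot: Returning `ctx.body = {}` when no scoped config exists makes "not configured" indistinguishable from a configuration whose document is empty, and any caller that used the former 400 to detect absence now takes the success path with an empty object. If that is the intended contract, document it on `exports.find`, e.g. `// resolves to {} when no config matches the requested type and scope; callers must treat an empty object as "unset"`, and check that callers do so rather than reading fields off the result unguarded. `exports.find` starts and ends outside this hunk.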