6bdc726d55
* Allow a displayName to be passed when creating admin user * Set the first and last names * Don't format handlebars files on save * Use familyName and givenName
463 lines
12 KiB
TypeScript
463 lines
12 KiB
TypeScript
import * as userSdk from "../../../sdk/users"
|
|
import env from "../../../environment"
|
|
import {
|
|
AcceptUserInviteRequest,
|
|
AcceptUserInviteResponse,
|
|
AddSSoUserRequest,
|
|
BulkUserRequest,
|
|
BulkUserResponse,
|
|
CloudAccount,
|
|
CreateAdminUserRequest,
|
|
CreateAdminUserResponse,
|
|
Ctx,
|
|
InviteUserRequest,
|
|
InviteUsersRequest,
|
|
InviteUsersResponse,
|
|
LockName,
|
|
LockType,
|
|
MigrationType,
|
|
PlatformUserByEmail,
|
|
SaveUserResponse,
|
|
SearchUsersRequest,
|
|
User,
|
|
UserCtx,
|
|
} from "@budibase/types"
|
|
import {
|
|
accounts,
|
|
cache,
|
|
ErrorCode,
|
|
events,
|
|
migrations,
|
|
platform,
|
|
tenancy,
|
|
db,
|
|
locks,
|
|
} from "@budibase/backend-core"
|
|
import { checkAnyUserExists } from "../../../utilities/users"
|
|
import { isEmailConfigured } from "../../../utilities/email"
|
|
|
|
const MAX_USERS_UPLOAD_LIMIT = 1000
|
|
|
|
export const save = async (ctx: UserCtx<User, SaveUserResponse>) => {
|
|
try {
|
|
const currentUserId = ctx.user?._id
|
|
const requestUser = ctx.request.body
|
|
|
|
const user = await userSdk.db.save(requestUser, { currentUserId })
|
|
|
|
ctx.body = {
|
|
_id: user._id!,
|
|
_rev: user._rev!,
|
|
email: user.email,
|
|
}
|
|
} catch (err: any) {
|
|
ctx.throw(err.status || 400, err)
|
|
}
|
|
}
|
|
|
|
export const addSsoSupport = async (ctx: Ctx<AddSSoUserRequest>) => {
|
|
const { email, ssoId } = ctx.request.body
|
|
try {
|
|
// Status is changed to 404 from getUserDoc if user is not found
|
|
let userByEmail = (await platform.users.getUserDoc(
|
|
email
|
|
)) as PlatformUserByEmail
|
|
await platform.users.addSsoUser(
|
|
ssoId,
|
|
email,
|
|
userByEmail.userId,
|
|
userByEmail.tenantId
|
|
)
|
|
ctx.status = 200
|
|
} catch (err: any) {
|
|
ctx.throw(err.status || 400, err)
|
|
}
|
|
}
|
|
|
|
const bulkDelete = async (userIds: string[], currentUserId: string) => {
|
|
if (userIds?.indexOf(currentUserId) !== -1) {
|
|
throw new Error("Unable to delete self.")
|
|
}
|
|
return await userSdk.db.bulkDelete(userIds)
|
|
}
|
|
|
|
const bulkCreate = async (users: User[], groupIds: string[]) => {
|
|
if (!env.SELF_HOSTED && users.length > MAX_USERS_UPLOAD_LIMIT) {
|
|
throw new Error(
|
|
"Max limit for upload is 1000 users. Please reduce file size and try again."
|
|
)
|
|
}
|
|
return await userSdk.db.bulkCreate(users, groupIds)
|
|
}
|
|
|
|
export const bulkUpdate = async (
|
|
ctx: Ctx<BulkUserRequest, BulkUserResponse>
|
|
) => {
|
|
const currentUserId = ctx.user._id
|
|
const input = ctx.request.body
|
|
let created, deleted
|
|
try {
|
|
if (input.create) {
|
|
created = await bulkCreate(input.create.users, input.create.groups)
|
|
}
|
|
if (input.delete) {
|
|
deleted = await bulkDelete(input.delete.userIds, currentUserId)
|
|
}
|
|
} catch (err: any) {
|
|
ctx.throw(err.status || 400, err?.message || err)
|
|
}
|
|
ctx.body = { created, deleted }
|
|
}
|
|
|
|
const parseBooleanParam = (param: any) => {
|
|
return !(param && param === "false")
|
|
}
|
|
|
|
export const adminUser = async (
|
|
ctx: Ctx<CreateAdminUserRequest, CreateAdminUserResponse>
|
|
) => {
|
|
const { email, password, tenantId, ssoId, givenName, familyName } =
|
|
ctx.request.body
|
|
|
|
if (await platform.tenants.exists(tenantId)) {
|
|
ctx.throw(403, "Organisation already exists.")
|
|
}
|
|
|
|
if (env.MULTI_TENANCY) {
|
|
// store the new tenant record in the platform db
|
|
await platform.tenants.addTenant(tenantId)
|
|
await migrations.backPopulateMigrations({
|
|
type: MigrationType.GLOBAL,
|
|
tenantId,
|
|
})
|
|
}
|
|
|
|
await tenancy.doInTenant(tenantId, async () => {
|
|
// account portal sends a pre-hashed password - honour param to prevent double hashing
|
|
const hashPassword = parseBooleanParam(ctx.request.query.hashPassword)
|
|
// account portal sends no password for SSO users
|
|
const requirePassword = parseBooleanParam(ctx.request.query.requirePassword)
|
|
|
|
const userExists = await checkAnyUserExists()
|
|
if (userExists) {
|
|
ctx.throw(
|
|
403,
|
|
"You cannot initialise once an global user has been created."
|
|
)
|
|
}
|
|
|
|
try {
|
|
const finalUser = await userSdk.db.createAdminUser(email, tenantId, {
|
|
password,
|
|
ssoId,
|
|
hashPassword,
|
|
requirePassword,
|
|
firstName: givenName,
|
|
lastName: familyName,
|
|
})
|
|
|
|
// events
|
|
let account: CloudAccount | undefined
|
|
if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
|
|
account = await accounts.getAccountByTenantId(tenantId)
|
|
}
|
|
await events.identification.identifyTenantGroup(tenantId, account)
|
|
|
|
ctx.body = {
|
|
_id: finalUser._id!,
|
|
_rev: finalUser._rev!,
|
|
email: finalUser.email,
|
|
}
|
|
} catch (err: any) {
|
|
ctx.throw(err.status || 400, err)
|
|
}
|
|
})
|
|
}
|
|
|
|
export const countByApp = async (ctx: any) => {
|
|
const appId = ctx.params.appId
|
|
try {
|
|
ctx.body = await userSdk.db.countUsersByApp(appId)
|
|
} catch (err: any) {
|
|
ctx.throw(err.status || 400, err)
|
|
}
|
|
}
|
|
|
|
export const destroy = async (ctx: any) => {
|
|
const id = ctx.params.id
|
|
if (id === ctx.user._id) {
|
|
ctx.throw(400, "Unable to delete self.")
|
|
}
|
|
|
|
await userSdk.db.destroy(id)
|
|
|
|
ctx.body = {
|
|
message: `User ${id} deleted.`,
|
|
}
|
|
}
|
|
|
|
export const getAppUsers = async (ctx: Ctx<SearchUsersRequest>) => {
|
|
const body = ctx.request.body
|
|
const users = await userSdk.db.getUsersByAppAccess({
|
|
appId: body.appId,
|
|
limit: body.limit,
|
|
})
|
|
|
|
ctx.body = { data: users }
|
|
}
|
|
|
|
export const search = async (ctx: Ctx<SearchUsersRequest>) => {
|
|
const body = ctx.request.body
|
|
|
|
// TODO: for now only two supported search keys; string.email and equal._id
|
|
if (body?.query) {
|
|
// Clean numeric prefixing. This will overwrite duplicate search fields,
|
|
// but this is fine because we only support a single custom search on
|
|
// email and id
|
|
for (let filters of Object.values(body.query)) {
|
|
if (filters && typeof filters === "object") {
|
|
for (let [field, value] of Object.entries(filters)) {
|
|
delete filters[field]
|
|
const cleanedField = db.removeKeyNumbering(field)
|
|
if (filters[cleanedField] !== undefined) {
|
|
ctx.throw(400, "Only 1 filter per field is supported")
|
|
}
|
|
filters[cleanedField] = value
|
|
}
|
|
}
|
|
}
|
|
// Validate we aren't trying to search on any illegal fields
|
|
if (!userSdk.core.isSupportedUserSearch(body.query)) {
|
|
ctx.throw(400, "Can only search by string.email, equal._id or oneOf._id")
|
|
}
|
|
}
|
|
|
|
if (body.paginate === false) {
|
|
await getAppUsers(ctx)
|
|
} else {
|
|
const paginated = await userSdk.core.paginatedUsers(body)
|
|
// user hashed password shouldn't ever be returned
|
|
for (let user of paginated.data) {
|
|
if (user) {
|
|
delete user.password
|
|
}
|
|
}
|
|
ctx.body = paginated
|
|
}
|
|
}
|
|
|
|
// called internally by app server user fetch
|
|
export const fetch = async (ctx: any) => {
|
|
const all = await userSdk.db.allUsers()
|
|
// user hashed password shouldn't ever be returned
|
|
for (let user of all) {
|
|
if (user) {
|
|
delete user.password
|
|
}
|
|
}
|
|
ctx.body = all
|
|
}
|
|
|
|
// called internally by app server user find
|
|
export const find = async (ctx: any) => {
|
|
ctx.body = await userSdk.db.getUser(ctx.params.id)
|
|
}
|
|
|
|
export const tenantUserLookup = async (ctx: any) => {
|
|
const id = ctx.params.id
|
|
const user = await userSdk.core.getPlatformUser(id)
|
|
if (user) {
|
|
ctx.body = user
|
|
} else {
|
|
ctx.throw(400, "No tenant user found.")
|
|
}
|
|
}
|
|
|
|
/*
|
|
Encapsulate the app user onboarding flows here.
|
|
*/
|
|
export const onboardUsers = async (
|
|
ctx: Ctx<InviteUsersRequest, InviteUsersResponse>
|
|
) => {
|
|
if (await isEmailConfigured()) {
|
|
await inviteMultiple(ctx)
|
|
return
|
|
}
|
|
|
|
let createdPasswords: Record<string, string> = {}
|
|
const users: User[] = ctx.request.body.map(invite => {
|
|
let password = Math.random().toString(36).substring(2, 22)
|
|
createdPasswords[invite.email] = password
|
|
|
|
return {
|
|
email: invite.email,
|
|
password,
|
|
forceResetPassword: true,
|
|
roles: invite.userInfo.apps,
|
|
admin: invite.userInfo.admin,
|
|
builder: invite.userInfo.builder,
|
|
tenantId: tenancy.getTenantId(),
|
|
}
|
|
})
|
|
|
|
let resp = await userSdk.db.bulkCreate(users)
|
|
for (const user of resp.successful) {
|
|
user.password = createdPasswords[user.email]
|
|
}
|
|
ctx.body = { ...resp, created: true }
|
|
}
|
|
|
|
export const invite = async (ctx: Ctx<InviteUserRequest>) => {
|
|
const request = ctx.request.body
|
|
|
|
let multiRequest = [request]
|
|
const response = await userSdk.invite(multiRequest)
|
|
|
|
// explicitly throw for single user invite
|
|
if (response.unsuccessful.length) {
|
|
const reason = response.unsuccessful[0].reason
|
|
if (reason === "Unavailable") {
|
|
ctx.throw(400, reason)
|
|
} else {
|
|
ctx.throw(500, reason)
|
|
}
|
|
}
|
|
|
|
ctx.body = {
|
|
message: "Invitation has been sent.",
|
|
successful: response.successful,
|
|
unsuccessful: response.unsuccessful,
|
|
}
|
|
}
|
|
|
|
export const inviteMultiple = async (ctx: Ctx<InviteUsersRequest>) => {
|
|
ctx.body = await userSdk.invite(ctx.request.body)
|
|
}
|
|
|
|
export const checkInvite = async (ctx: any) => {
|
|
const { code } = ctx.params
|
|
let invite
|
|
try {
|
|
invite = await cache.invite.getCode(code)
|
|
} catch (e) {
|
|
console.warn("Error getting invite from code", e)
|
|
ctx.throw(400, "There was a problem with the invite")
|
|
return
|
|
}
|
|
ctx.body = {
|
|
email: invite.email,
|
|
}
|
|
}
|
|
|
|
export const getUserInvites = async (ctx: any) => {
|
|
try {
|
|
// Restricted to the currently authenticated tenant
|
|
ctx.body = await cache.invite.getInviteCodes()
|
|
} catch (e) {
|
|
ctx.throw(400, "There was a problem fetching invites")
|
|
}
|
|
}
|
|
|
|
export const updateInvite = async (ctx: any) => {
|
|
const { code } = ctx.params
|
|
let updateBody = { ...ctx.request.body }
|
|
|
|
delete updateBody.email
|
|
|
|
let invite
|
|
try {
|
|
invite = await cache.invite.getCode(code)
|
|
} catch (e) {
|
|
ctx.throw(400, "There was a problem with the invite")
|
|
return
|
|
}
|
|
|
|
let updated = {
|
|
...invite,
|
|
}
|
|
|
|
if (!updateBody?.builder?.apps && updated.info?.builder?.apps) {
|
|
updated.info.builder.apps = []
|
|
} else if (updateBody?.builder) {
|
|
updated.info.builder = updateBody.builder
|
|
}
|
|
|
|
if (!updateBody?.apps || !Object.keys(updateBody?.apps).length) {
|
|
updated.info.apps = []
|
|
} else {
|
|
updated.info = {
|
|
...invite.info,
|
|
apps: {
|
|
...invite.info.apps,
|
|
...updateBody.apps,
|
|
},
|
|
}
|
|
}
|
|
|
|
await cache.invite.updateCode(code, updated)
|
|
ctx.body = { ...invite }
|
|
}
|
|
|
|
export const inviteAccept = async (
|
|
ctx: Ctx<AcceptUserInviteRequest, AcceptUserInviteResponse>
|
|
) => {
|
|
const { inviteCode, password, firstName, lastName } = ctx.request.body
|
|
try {
|
|
await locks.doWithLock(
|
|
{
|
|
type: LockType.AUTO_EXTEND,
|
|
name: LockName.PROCESS_USER_INVITE,
|
|
resource: inviteCode,
|
|
systemLock: true,
|
|
},
|
|
async () => {
|
|
// info is an extension of the user object that was stored by global
|
|
const { email, info } = await cache.invite.getCode(inviteCode)
|
|
const user = await tenancy.doInTenant(info.tenantId, async () => {
|
|
let request: any = {
|
|
firstName,
|
|
lastName,
|
|
password,
|
|
email,
|
|
admin: { global: info?.admin?.global || false },
|
|
roles: info.apps,
|
|
tenantId: info.tenantId,
|
|
}
|
|
const builder: { global: boolean; apps?: string[] } = {
|
|
global: info?.builder?.global || false,
|
|
}
|
|
|
|
if (info?.builder?.apps) {
|
|
builder.apps = info.builder.apps
|
|
request.builder = builder
|
|
}
|
|
delete info.apps
|
|
request = {
|
|
...request,
|
|
...info,
|
|
}
|
|
|
|
const saved = await userSdk.db.save(request)
|
|
await events.user.inviteAccepted(saved)
|
|
return saved
|
|
})
|
|
|
|
await cache.invite.deleteCode(inviteCode)
|
|
|
|
ctx.body = {
|
|
_id: user._id!,
|
|
_rev: user._rev!,
|
|
email: user.email,
|
|
}
|
|
}
|
|
)
|
|
} catch (err: any) {
|
|
if (err.code === ErrorCode.USAGE_LIMIT_EXCEEDED) {
|
|
// explicitly re-throw limit exceeded errors
|
|
ctx.throw(400, err)
|
|
}
|
|
console.warn("Error inviting user", err)
|
|
ctx.throw(400, err || "Unable to create new user, invitation invalid.")
|
|
}
|
|
}
|