@budibase/backend-core 2.7.18 → 2.7.20-alpha.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/package.json +3 -3
- package/dist/src/middleware/passport/datasource/google.d.ts +3 -3
- package/dist/src/middleware/passport/datasource/google.js +12 -25
- package/dist/src/middleware/passport/datasource/google.js.map +1 -1
- package/dist/src/security/encryption.d.ts +8 -0
- package/dist/src/security/encryption.js +107 -5
- package/dist/src/security/encryption.js.map +1 -1
- package/dist/src/security/roles.d.ts +4 -1
- package/dist/src/security/roles.js +5 -1
- package/dist/src/security/roles.js.map +1 -1
- package/dist/tsconfig.build.tsbuildinfo +1 -1
- package/package.json +3 -3
- package/src/middleware/passport/datasource/google.ts +20 -26
- package/src/security/encryption.ts +121 -4
- package/src/security/roles.ts +8 -1
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@budibase/backend-core",
|
|
3
|
-
"version": "2.7.
|
|
3
|
+
"version": "2.7.20-alpha.0",
|
|
4
4
|
"description": "Budibase backend core libraries used in server and worker",
|
|
5
5
|
"main": "dist/src/index.js",
|
|
6
6
|
"types": "dist/src/index.d.ts",
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
"dependencies": {
|
|
23
23
|
"@budibase/nano": "10.1.2",
|
|
24
24
|
"@budibase/pouchdb-replication-stream": "1.2.10",
|
|
25
|
-
"@budibase/types": "2.7.
|
|
25
|
+
"@budibase/types": "2.7.20-alpha.0",
|
|
26
26
|
"@shopify/jest-koa-mocks": "5.0.1",
|
|
27
27
|
"@techpass/passport-openidconnect": "0.3.2",
|
|
28
28
|
"aws-cloudfront-sign": "2.2.0",
|
|
@@ -101,5 +101,5 @@
|
|
|
101
101
|
}
|
|
102
102
|
}
|
|
103
103
|
},
|
|
104
|
-
"gitHead": "
|
|
104
|
+
"gitHead": "eada128a9811982b6f276a447c593dd2943ddc43"
|
|
105
105
|
}
|
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
import * as google from "../sso/google"
|
|
2
2
|
import { Cookie } from "../../../constants"
|
|
3
|
-
import { clearCookie, getCookie } from "../../../utils"
|
|
4
|
-
import { doWithDB } from "../../../db"
|
|
5
3
|
import * as configs from "../../../configs"
|
|
6
|
-
import
|
|
4
|
+
import * as cache from "../../../cache"
|
|
5
|
+
import * as utils from "../../../utils"
|
|
6
|
+
import { UserCtx, SSOProfile } from "@budibase/types"
|
|
7
7
|
import { ssoSaveUserNoOp } from "../sso/sso"
|
|
8
|
+
|
|
8
9
|
const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy
|
|
9
10
|
|
|
10
11
|
type Passport = {
|
|
@@ -22,7 +23,7 @@ async function fetchGoogleCreds() {
|
|
|
22
23
|
|
|
23
24
|
export async function preAuth(
|
|
24
25
|
passport: Passport,
|
|
25
|
-
ctx:
|
|
26
|
+
ctx: UserCtx,
|
|
26
27
|
next: Function
|
|
27
28
|
) {
|
|
28
29
|
// get the relevant config
|
|
@@ -36,8 +37,8 @@ export async function preAuth(
|
|
|
36
37
|
ssoSaveUserNoOp
|
|
37
38
|
)
|
|
38
39
|
|
|
39
|
-
if (!ctx.query.appId
|
|
40
|
-
ctx.throw(400, "appId
|
|
40
|
+
if (!ctx.query.appId) {
|
|
41
|
+
ctx.throw(400, "appId query param not present.")
|
|
41
42
|
}
|
|
42
43
|
|
|
43
44
|
return passport.authenticate(strategy, {
|
|
@@ -49,7 +50,7 @@ export async function preAuth(
|
|
|
49
50
|
|
|
50
51
|
export async function postAuth(
|
|
51
52
|
passport: Passport,
|
|
52
|
-
ctx:
|
|
53
|
+
ctx: UserCtx,
|
|
53
54
|
next: Function
|
|
54
55
|
) {
|
|
55
56
|
// get the relevant config
|
|
@@ -57,7 +58,7 @@ export async function postAuth(
|
|
|
57
58
|
const platformUrl = await configs.getPlatformUrl({ tenantAware: false })
|
|
58
59
|
|
|
59
60
|
let callbackUrl = `${platformUrl}/api/global/auth/datasource/google/callback`
|
|
60
|
-
const authStateCookie = getCookie(ctx, Cookie.DatasourceAuth)
|
|
61
|
+
const authStateCookie = utils.getCookie(ctx, Cookie.DatasourceAuth)
|
|
61
62
|
|
|
62
63
|
return passport.authenticate(
|
|
63
64
|
new GoogleStrategy(
|
|
@@ -69,33 +70,26 @@ export async function postAuth(
|
|
|
69
70
|
(
|
|
70
71
|
accessToken: string,
|
|
71
72
|
refreshToken: string,
|
|
72
|
-
|
|
73
|
+
_profile: SSOProfile,
|
|
73
74
|
done: Function
|
|
74
75
|
) => {
|
|
75
|
-
clearCookie(ctx, Cookie.DatasourceAuth)
|
|
76
|
+
utils.clearCookie(ctx, Cookie.DatasourceAuth)
|
|
76
77
|
done(null, { accessToken, refreshToken })
|
|
77
78
|
}
|
|
78
79
|
),
|
|
79
80
|
{ successRedirect: "/", failureRedirect: "/error" },
|
|
80
81
|
async (err: any, tokens: string[]) => {
|
|
81
82
|
const baseUrl = `/builder/app/${authStateCookie.appId}/data`
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
if (err.status === 404) {
|
|
89
|
-
ctx.redirect(baseUrl)
|
|
90
|
-
}
|
|
91
|
-
}
|
|
92
|
-
if (!datasource.config) {
|
|
93
|
-
datasource.config = {}
|
|
83
|
+
|
|
84
|
+
const id = utils.newid()
|
|
85
|
+
await cache.store(
|
|
86
|
+
`datasource:creation:${authStateCookie.appId}:google:${id}`,
|
|
87
|
+
{
|
|
88
|
+
tokens,
|
|
94
89
|
}
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
})
|
|
90
|
+
)
|
|
91
|
+
|
|
92
|
+
ctx.redirect(`${baseUrl}/new?continue_google_setup=${id}`)
|
|
99
93
|
}
|
|
100
94
|
)(ctx, next)
|
|
101
95
|
}
|
|
@@ -1,12 +1,17 @@
|
|
|
1
1
|
import crypto from "crypto"
|
|
2
|
+
import fs from "fs"
|
|
3
|
+
import zlib from "zlib"
|
|
2
4
|
import env from "../environment"
|
|
5
|
+
import { join } from "path"
|
|
3
6
|
|
|
4
7
|
const ALGO = "aes-256-ctr"
|
|
5
8
|
const SEPARATOR = "-"
|
|
6
9
|
const ITERATIONS = 10000
|
|
7
|
-
const RANDOM_BYTES = 16
|
|
8
10
|
const STRETCH_LENGTH = 32
|
|
9
11
|
|
|
12
|
+
const SALT_LENGTH = 16
|
|
13
|
+
const IV_LENGTH = 16
|
|
14
|
+
|
|
10
15
|
export enum SecretOption {
|
|
11
16
|
API = "api",
|
|
12
17
|
ENCRYPTION = "encryption",
|
|
@@ -31,15 +36,15 @@ export function getSecret(secretOption: SecretOption): string {
|
|
|
31
36
|
return secret
|
|
32
37
|
}
|
|
33
38
|
|
|
34
|
-
function stretchString(
|
|
35
|
-
return crypto.pbkdf2Sync(
|
|
39
|
+
function stretchString(secret: string, salt: Buffer) {
|
|
40
|
+
return crypto.pbkdf2Sync(secret, salt, ITERATIONS, STRETCH_LENGTH, "sha512")
|
|
36
41
|
}
|
|
37
42
|
|
|
38
43
|
export function encrypt(
|
|
39
44
|
input: string,
|
|
40
45
|
secretOption: SecretOption = SecretOption.API
|
|
41
46
|
) {
|
|
42
|
-
const salt = crypto.randomBytes(
|
|
47
|
+
const salt = crypto.randomBytes(SALT_LENGTH)
|
|
43
48
|
const stretched = stretchString(getSecret(secretOption), salt)
|
|
44
49
|
const cipher = crypto.createCipheriv(ALGO, stretched, salt)
|
|
45
50
|
const base = cipher.update(input)
|
|
@@ -60,3 +65,115 @@ export function decrypt(
|
|
|
60
65
|
const final = decipher.final()
|
|
61
66
|
return Buffer.concat([base, final]).toString()
|
|
62
67
|
}
|
|
68
|
+
|
|
69
|
+
export async function encryptFile(
|
|
70
|
+
{ dir, filename }: { dir: string; filename: string },
|
|
71
|
+
secret: string
|
|
72
|
+
) {
|
|
73
|
+
const outputFileName = `${filename}.enc`
|
|
74
|
+
|
|
75
|
+
const filePath = join(dir, filename)
|
|
76
|
+
const inputFile = fs.createReadStream(filePath)
|
|
77
|
+
const outputFile = fs.createWriteStream(join(dir, outputFileName))
|
|
78
|
+
|
|
79
|
+
const salt = crypto.randomBytes(SALT_LENGTH)
|
|
80
|
+
const iv = crypto.randomBytes(IV_LENGTH)
|
|
81
|
+
const stretched = stretchString(secret, salt)
|
|
82
|
+
const cipher = crypto.createCipheriv(ALGO, stretched, iv)
|
|
83
|
+
|
|
84
|
+
outputFile.write(salt)
|
|
85
|
+
outputFile.write(iv)
|
|
86
|
+
|
|
87
|
+
inputFile.pipe(zlib.createGzip()).pipe(cipher).pipe(outputFile)
|
|
88
|
+
|
|
89
|
+
return new Promise<{ filename: string; dir: string }>(r => {
|
|
90
|
+
outputFile.on("finish", () => {
|
|
91
|
+
r({
|
|
92
|
+
filename: outputFileName,
|
|
93
|
+
dir,
|
|
94
|
+
})
|
|
95
|
+
})
|
|
96
|
+
})
|
|
97
|
+
}
|
|
98
|
+
|
|
99
|
+
async function getSaltAndIV(path: string) {
|
|
100
|
+
const fileStream = fs.createReadStream(path)
|
|
101
|
+
|
|
102
|
+
const salt = await readBytes(fileStream, SALT_LENGTH)
|
|
103
|
+
const iv = await readBytes(fileStream, IV_LENGTH)
|
|
104
|
+
fileStream.close()
|
|
105
|
+
return { salt, iv }
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
export async function decryptFile(
|
|
109
|
+
inputPath: string,
|
|
110
|
+
outputPath: string,
|
|
111
|
+
secret: string
|
|
112
|
+
) {
|
|
113
|
+
const { salt, iv } = await getSaltAndIV(inputPath)
|
|
114
|
+
const inputFile = fs.createReadStream(inputPath, {
|
|
115
|
+
start: SALT_LENGTH + IV_LENGTH,
|
|
116
|
+
})
|
|
117
|
+
|
|
118
|
+
const outputFile = fs.createWriteStream(outputPath)
|
|
119
|
+
|
|
120
|
+
const stretched = stretchString(secret, salt)
|
|
121
|
+
const decipher = crypto.createDecipheriv(ALGO, stretched, iv)
|
|
122
|
+
|
|
123
|
+
const unzip = zlib.createGunzip()
|
|
124
|
+
|
|
125
|
+
inputFile.pipe(decipher).pipe(unzip).pipe(outputFile)
|
|
126
|
+
|
|
127
|
+
return new Promise<void>((res, rej) => {
|
|
128
|
+
outputFile.on("finish", () => {
|
|
129
|
+
outputFile.close()
|
|
130
|
+
res()
|
|
131
|
+
})
|
|
132
|
+
|
|
133
|
+
inputFile.on("error", e => {
|
|
134
|
+
outputFile.close()
|
|
135
|
+
rej(e)
|
|
136
|
+
})
|
|
137
|
+
|
|
138
|
+
decipher.on("error", e => {
|
|
139
|
+
outputFile.close()
|
|
140
|
+
rej(e)
|
|
141
|
+
})
|
|
142
|
+
|
|
143
|
+
unzip.on("error", e => {
|
|
144
|
+
outputFile.close()
|
|
145
|
+
rej(e)
|
|
146
|
+
})
|
|
147
|
+
|
|
148
|
+
outputFile.on("error", e => {
|
|
149
|
+
outputFile.close()
|
|
150
|
+
rej(e)
|
|
151
|
+
})
|
|
152
|
+
})
|
|
153
|
+
}
|
|
154
|
+
|
|
155
|
+
function readBytes(stream: fs.ReadStream, length: number) {
|
|
156
|
+
return new Promise<Buffer>((resolve, reject) => {
|
|
157
|
+
let bytesRead = 0
|
|
158
|
+
const data: Buffer[] = []
|
|
159
|
+
|
|
160
|
+
stream.on("readable", () => {
|
|
161
|
+
let chunk
|
|
162
|
+
|
|
163
|
+
while ((chunk = stream.read(length - bytesRead)) !== null) {
|
|
164
|
+
data.push(chunk)
|
|
165
|
+
bytesRead += chunk.length
|
|
166
|
+
}
|
|
167
|
+
|
|
168
|
+
resolve(Buffer.concat(data))
|
|
169
|
+
})
|
|
170
|
+
|
|
171
|
+
stream.on("end", () => {
|
|
172
|
+
reject(new Error("Insufficient data in the stream."))
|
|
173
|
+
})
|
|
174
|
+
|
|
175
|
+
stream.on("error", error => {
|
|
176
|
+
reject(error)
|
|
177
|
+
})
|
|
178
|
+
})
|
|
179
|
+
}
|
package/src/security/roles.ts
CHANGED
|
@@ -140,9 +140,13 @@ export function lowerBuiltinRoleID(roleId1?: string, roleId2?: string): string {
|
|
|
140
140
|
* Gets the role object, this is mainly useful for two purposes, to check if the level exists and
|
|
141
141
|
* to check if the role inherits any others.
|
|
142
142
|
* @param {string|null} roleId The level ID to lookup.
|
|
143
|
+
* @param {object|null} opts options for the function, like whether to halt errors, instead return public.
|
|
143
144
|
* @returns {Promise<Role|object|null>} The role object, which may contain an "inherits" property.
|
|
144
145
|
*/
|
|
145
|
-
export async function getRole(
|
|
146
|
+
export async function getRole(
|
|
147
|
+
roleId?: string,
|
|
148
|
+
opts?: { defaultPublic?: boolean }
|
|
149
|
+
): Promise<RoleDoc | undefined> {
|
|
146
150
|
if (!roleId) {
|
|
147
151
|
return undefined
|
|
148
152
|
}
|
|
@@ -161,6 +165,9 @@ export async function getRole(roleId?: string): Promise<RoleDoc | undefined> {
|
|
|
161
165
|
// finalise the ID
|
|
162
166
|
role._id = getExternalRoleID(role._id)
|
|
163
167
|
} catch (err) {
|
|
168
|
+
if (!isBuiltin(roleId) && opts?.defaultPublic) {
|
|
169
|
+
return cloneDeep(BUILTIN_ROLES.PUBLIC)
|
|
170
|
+
}
|
|
164
171
|
// only throw an error if there is no role at all
|
|
165
172
|
if (Object.keys(role).length === 0) {
|
|
166
173
|
throw err
|