@budibase/backend-core 2.9.19 → 2.9.20

package/src/middleware/passport/sso/sso.ts

@@ -1,165 +0,0 @@
-import { generateGlobalUserID } from "../../../db"
-import { authError } from "../utils"
-import * as users from "../../../users"
-import * as context from "../../../context"
-import fetch from "node-fetch"
-import {
-  SaveSSOUserFunction,
-  SaveUserOpts,
-  SSOAuthDetails,
-  SSOUser,
-  User,
-} from "@budibase/types"
-
-// no-op function for user save
-// - this allows datasource auth and access token refresh to work correctly
-// - prefer no-op over an optional argument to ensure function is provided to login flows
-export const ssoSaveUserNoOp: SaveSSOUserFunction = (
-  user: SSOUser,
-  opts: SaveUserOpts
-) => Promise.resolve(user)
-
-/**
- * Common authentication logic for third parties. e.g. OAuth, OIDC.
- */
-export async function authenticate(
-  details: SSOAuthDetails,
-  requireLocalAccount: boolean = true,
-  done: any,
-  saveUserFn: SaveSSOUserFunction
-) {
-  if (!saveUserFn) {
-    throw new Error("Save user function must be provided")
-  }
-  if (!details.userId) {
-    return authError(done, "sso user id required")
-  }
-  if (!details.email) {
-    return authError(done, "sso user email required")
-  }
-
-  // use the third party id
-  const userId = generateGlobalUserID(details.userId)
-
-  let dbUser: User | undefined
-
-  // try to load by id
-  try {
-    dbUser = await users.getById(userId)
-  } catch (err: any) {
-    // abort when not 404 error
-    if (!err.status || err.status !== 404) {
-      return authError(
-        done,
-        "Unexpected error when retrieving existing user",
-        err
-      )
-    }
-  }
-
-  // fallback to loading by email
-  if (!dbUser) {
-    dbUser = await users.getGlobalUserByEmail(details.email)
-  }
-
-  // exit early if there is still no user and auto creation is disabled
-  if (!dbUser && requireLocalAccount) {
-    return authError(
-      done,
-      "Email does not yet exist. You must set up your local budibase account first."
-    )
-  }
-
-  // first time creation
-  if (!dbUser) {
-    // setup a blank user using the third party id
-    dbUser = {
-      _id: userId,
-      email: details.email,
-      roles: {},
-      tenantId: context.getTenantId(),
-    }
-  }
-
-  let ssoUser = await syncUser(dbUser, details)
-  // never prompt for password reset
-  ssoUser.forceResetPassword = false
-
-  try {
-    // don't try to re-save any existing password
-    delete ssoUser.password
-    // create or sync the user
-    ssoUser = (await saveUserFn(ssoUser, {
-      hashPassword: false,
-      requirePassword: false,
-    })) as SSOUser
-  } catch (err: any) {
-    return authError(done, "Error saving user", err)
-  }
-
-  return done(null, ssoUser)
-}
-
-async function getProfilePictureUrl(user: User, details: SSOAuthDetails) {
-  const pictureUrl = details.profile?._json.picture
-  if (pictureUrl) {
-    const response = await fetch(pictureUrl)
-    if (response.status === 200) {
-      const type = response.headers.get("content-type") as string
-      if (type.startsWith("image/")) {
-        return pictureUrl
-      }
-    }
-  }
-}
-
-/**
- * @returns a user that has been sync'd with third party information
- */
-async function syncUser(user: User, details: SSOAuthDetails): Promise<SSOUser> {
-  let firstName
-  let lastName
-  let pictureUrl
-  let oauth2
-  let thirdPartyProfile
-
-  if (details.profile) {
-    const profile = details.profile
-
-    if (profile.name) {
-      const name = profile.name
-      // first name
-      if (name.givenName) {
-        firstName = name.givenName
-      }
-      // last name
-      if (name.familyName) {
-        lastName = name.familyName
-      }
-    }
-
-    pictureUrl = await getProfilePictureUrl(user, details)
-
-    thirdPartyProfile = {
-      ...profile._json,
-    }
-  }
-
-  // oauth tokens for future use
-  if (details.oauth2) {
-    oauth2 = {
-      ...details.oauth2,
-    }
-  }
-
-  return {
-    ...user,
-    provider: details.provider,
-    providerType: details.providerType,
-    firstName,
-    lastName,
-    thirdPartyProfile,
-    pictureUrl,
-    oauth2,
-  }
-}

package/src/middleware/passport/sso/tests/google.spec.ts

@@ -1,67 +0,0 @@
-import { generator, structures } from "../../../../../tests"
-import { SSOProviderType } from "@budibase/types"
-
-jest.mock("passport-google-oauth")
-const mockStrategy = require("passport-google-oauth").OAuth2Strategy
-
-jest.mock("../sso")
-import * as _sso from "../sso"
-const sso = jest.mocked(_sso)
-
-const mockSaveUserFn = jest.fn()
-const mockDone = jest.fn()
-
-import * as google from "../google"
-
-describe("google", () => {
-  describe("strategyFactory", () => {
-    const googleConfig = structures.sso.googleConfig()
-    const callbackUrl = generator.url()
-
-    it("should create successfully create a google strategy", async () => {
-      await google.strategyFactory(googleConfig, callbackUrl, mockSaveUserFn)
-
-      const expectedOptions = {
-        clientID: googleConfig.clientID,
-        clientSecret: googleConfig.clientSecret,
-        callbackURL: callbackUrl,
-      }
-
-      expect(mockStrategy).toHaveBeenCalledWith(
-        expectedOptions,
-        expect.anything()
-      )
-    })
-  })
-
-  describe("authenticate", () => {
-    const details = structures.sso.authDetails()
-    details.provider = "google"
-    details.providerType = SSOProviderType.GOOGLE
-
-    const profile = details.profile!
-    profile.provider = "google"
-
-    beforeEach(() => {
-      jest.clearAllMocks()
-    })
-
-    it("delegates authentication to third party common", async () => {
-      const authenticate = await google.buildVerifyFn(mockSaveUserFn)
-
-      await authenticate(
-        details.oauth2.accessToken,
-        details.oauth2.refreshToken!,
-        profile,
-        mockDone
-      )
-
-      expect(sso.authenticate).toHaveBeenCalledWith(
-        details,
-        true,
-        mockDone,
-        mockSaveUserFn
-      )
-    })
-  })
-})

package/src/middleware/passport/sso/tests/oidc.spec.ts

@@ -1,152 +0,0 @@
-import { generator, mocks, structures } from "../../../../../tests"
-import {
-  JwtClaims,
-  OIDCInnerConfig,
-  SSOAuthDetails,
-  SSOProviderType,
-} from "@budibase/types"
-import * as _sso from "../sso"
-import * as oidc from "../oidc"
-
-jest.mock("@techpass/passport-openidconnect")
-const mockStrategy = require("@techpass/passport-openidconnect").Strategy
-
-jest.mock("../sso")
-const sso = jest.mocked(_sso)
-
-const mockSaveUser = jest.fn()
-const mockDone = jest.fn()
-
-describe("oidc", () => {
-  const callbackUrl = generator.url()
-  const oidcConfig: OIDCInnerConfig = structures.sso.oidcConfig()
-  const wellKnownConfig = structures.sso.oidcWellKnownConfig()
-
-  function mockRetrieveWellKnownConfig() {
-    // mock the request to retrieve the oidc configuration
-    mocks.fetch.mockReturnValue({
-      ok: true,
-      json: () => wellKnownConfig,
-    })
-  }
-
-  beforeEach(() => {
-    mockRetrieveWellKnownConfig()
-  })
-
-  describe("strategyFactory", () => {
-    it("should create successfully create an oidc strategy", async () => {
-      const strategyConfiguration = await oidc.fetchStrategyConfig(
-        oidcConfig,
-        callbackUrl
-      )
-      await oidc.strategyFactory(strategyConfiguration, mockSaveUser)
-
-      expect(mocks.fetch).toHaveBeenCalledWith(oidcConfig.configUrl)
-
-      const expectedOptions = {
-        issuer: wellKnownConfig.issuer,
-        authorizationURL: wellKnownConfig.authorization_endpoint,
-        tokenURL: wellKnownConfig.token_endpoint,
-        userInfoURL: wellKnownConfig.userinfo_endpoint,
-        clientID: oidcConfig.clientID,
-        clientSecret: oidcConfig.clientSecret,
-        callbackURL: callbackUrl,
-      }
-      expect(mockStrategy).toHaveBeenCalledWith(
-        expectedOptions,
-        expect.anything()
-      )
-    })
-  })
-
-  describe("authenticate", () => {
-    const details: SSOAuthDetails = structures.sso.authDetails()
-    details.providerType = SSOProviderType.OIDC
-    const profile = details.profile!
-    const issuer = profile.provider
-
-    const sub = generator.string()
-    const idToken = generator.string()
-    const params = {}
-
-    let authenticateFn: any
-    let jwtClaims: JwtClaims
-
-    beforeEach(async () => {
-      jest.clearAllMocks()
-      authenticateFn = await oidc.buildVerifyFn(mockSaveUser)
-    })
-
-    async function authenticate() {
-      await authenticateFn(
-        issuer,
-        sub,
-        profile,
-        jwtClaims,
-        details.oauth2.accessToken,
-        details.oauth2.refreshToken,
-        idToken,
-        params,
-        mockDone
-      )
-    }
-
-    it("passes auth details to sso module", async () => {
-      await authenticate()
-
-      expect(sso.authenticate).toHaveBeenCalledWith(
-        details,
-        false,
-        mockDone,
-        mockSaveUser
-      )
-    })
-
-    it("uses JWT email to get email", async () => {
-      delete profile._json.email
-
-      jwtClaims = {
-        email: details.email,
-      }
-
-      await authenticate()
-
-      expect(sso.authenticate).toHaveBeenCalledWith(
-        details,
-        false,
-        mockDone,
-        mockSaveUser
-      )
-    })
-
-    it("uses JWT username to get email", async () => {
-      delete profile._json.email
-
-      jwtClaims = {
-        email: details.email,
-      }
-
-      await authenticate()
-
-      expect(sso.authenticate).toHaveBeenCalledWith(
-        details,
-        false,
-        mockDone,
-        mockSaveUser
-      )
-    })
-
-    it("uses JWT invalid username to get email", async () => {
-      delete profile._json.email
-
-      jwtClaims = {
-        preferred_username: "invalidUsername",
-      }
-
-      await expect(authenticate()).rejects.toThrow(
-        "Could not determine user email from profile"
-      )
-    })
-  })
-})

package/src/middleware/passport/sso/tests/sso.spec.ts

@@ -1,197 +0,0 @@
-import { structures, mocks } from "../../../../../tests"
-import { testEnv } from "../../../../../tests/extra"
-import { SSOAuthDetails, User } from "@budibase/types"
-
-import { HTTPError } from "../../../../errors"
-import * as sso from "../sso"
-import * as context from "../../../../context"
-
-const mockDone = jest.fn()
-const mockSaveUser = jest.fn()
-
-jest.mock("../../../../users")
-import * as _users from "../../../../users"
-const users = jest.mocked(_users)
-
-const getErrorMessage = () => {
-  return mockDone.mock.calls[0][2].message
-}
-
-describe("sso", () => {
-  describe("authenticate", () => {
-    beforeEach(() => {
-      jest.clearAllMocks()
-      testEnv.singleTenant()
-    })
-
-    describe("validation", () => {
-      const testValidation = async (
-        details: SSOAuthDetails,
-        message: string
-      ) => {
-        await sso.authenticate(details, false, mockDone, mockSaveUser)
-
-        expect(mockDone.mock.calls.length).toBe(1)
-        expect(getErrorMessage()).toContain(message)
-      }
-
-      it("user id fails", async () => {
-        const details = structures.sso.authDetails()
-        details.userId = undefined!
-
-        await testValidation(details, "sso user id required")
-      })
-
-      it("email fails", async () => {
-        const details = structures.sso.authDetails()
-        details.email = undefined!
-
-        await testValidation(details, "sso user email required")
-      })
-    })
-
-    function mockGetProfilePicture() {
-      mocks.fetch.mockReturnValueOnce(
-        Promise.resolve({
-          status: 200,
-          headers: { get: () => "image/" },
-        })
-      )
-    }
-
-    describe("when the user doesn't exist", () => {
-      let user: User
-      let details: SSOAuthDetails
-
-      beforeEach(() => {
-        users.getById.mockImplementationOnce(() => {
-          throw new HTTPError("", 404)
-        })
-        mockGetProfilePicture()
-
-        user = structures.users.user()
-        delete user._rev
-        delete user._id
-
-        details = structures.sso.authDetails(user)
-        details.userId = structures.uuid()
-      })
-
-      describe("when a local account is required", () => {
-        it("returns an error message", async () => {
-          const details = structures.sso.authDetails()
-
-          await sso.authenticate(details, true, mockDone, mockSaveUser)
-
-          expect(mockDone.mock.calls.length).toBe(1)
-          expect(getErrorMessage()).toContain(
-            "Email does not yet exist. You must set up your local budibase account first."
-          )
-        })
-      })
-
-      describe("when a local account isn't required", () => {
-        it("creates and authenticates the user", async () => {
-          const ssoUser = structures.users.ssoUser({ user, details })
-          mockSaveUser.mockReturnValueOnce(ssoUser)
-
-          await sso.authenticate(details, false, mockDone, mockSaveUser)
-
-          // default roles for new user
-          ssoUser.roles = {}
-
-          // modified external id to match user format
-          ssoUser._id = "us_" + details.userId
-
-          // new sso user won't have a password
-          delete ssoUser.password
-
-          // new user isn't saved with rev
-          delete ssoUser._rev
-
-          // tenant id added
-          ssoUser.tenantId = context.getTenantId()
-
-          expect(mockSaveUser).toBeCalledWith(ssoUser, {
-            hashPassword: false,
-            requirePassword: false,
-          })
-          expect(mockDone).toBeCalledWith(null, ssoUser)
-        })
-      })
-    })
-
-    describe("when the user exists", () => {
-      let existingUser: User
-      let details: SSOAuthDetails
-
-      beforeEach(() => {
-        existingUser = structures.users.user()
-        existingUser._id = structures.uuid()
-        details = structures.sso.authDetails(existingUser)
-        mockGetProfilePicture()
-      })
-
-      describe("exists by email", () => {
-        beforeEach(() => {
-          users.getById.mockImplementationOnce(() => {
-            throw new HTTPError("", 404)
-          })
-          users.getGlobalUserByEmail.mockReturnValueOnce(
-            Promise.resolve(existingUser)
-          )
-        })
-
-        it("syncs and authenticates the user", async () => {
-          const ssoUser = structures.users.ssoUser({
-            user: existingUser,
-            details,
-          })
-          mockSaveUser.mockReturnValueOnce(ssoUser)
-
-          await sso.authenticate(details, true, mockDone, mockSaveUser)
-
-          // roles preserved
-          ssoUser.roles = existingUser.roles
-
-          // existing id preserved
-          ssoUser._id = existingUser._id
-
-          expect(mockSaveUser).toBeCalledWith(ssoUser, {
-            hashPassword: false,
-            requirePassword: false,
-          })
-          expect(mockDone).toBeCalledWith(null, ssoUser)
-        })
-      })
-
-      describe("exists by id", () => {
-        beforeEach(() => {
-          users.getById.mockReturnValueOnce(Promise.resolve(existingUser))
-        })
-
-        it("syncs and authenticates the user", async () => {
-          const ssoUser = structures.users.ssoUser({
-            user: existingUser,
-            details,
-          })
-          mockSaveUser.mockReturnValueOnce(ssoUser)
-
-          await sso.authenticate(details, true, mockDone, mockSaveUser)
-
-          // roles preserved
-          ssoUser.roles = existingUser.roles
-
-          // existing id preserved
-          ssoUser._id = existingUser._id
-
-          expect(mockSaveUser).toBeCalledWith(ssoUser, {
-            hashPassword: false,
-            requirePassword: false,
-          })
-          expect(mockDone).toBeCalledWith(null, ssoUser)
-        })
-      })
-    })
-  })
-})

package/src/middleware/passport/utils.ts

@@ -1,38 +0,0 @@
-import { getTenantId, isMultiTenant } from "../../context"
-import * as configs from "../../configs"
-import { ConfigType, GoogleInnerConfig } from "@budibase/types"
-
-/**
- * Utility to handle authentication errors.
- *
- * @param {*} done The passport callback.
- * @param {*} message Message that will be returned in the response body
- * @param {*} err (Optional) error that will be logged
- */
-
-export function authError(done: Function, message: string, err?: any) {
-  return done(
-    err,
-    null, // never return a user
-    { message: message }
-  )
-}
-
-export async function ssoCallbackUrl(
-  type: ConfigType,
-  config?: GoogleInnerConfig
-) {
-  // incase there is a callback URL from before
-  if (config && (config as GoogleInnerConfig).callbackURL) {
-    return (config as GoogleInnerConfig).callbackURL as string
-  }
-  const settingsConfig = await configs.getSettingsConfig()
-
-  let callbackUrl = `/api/global/auth`
-  if (isMultiTenant()) {
-    callbackUrl += `/${getTenantId()}`
-  }
-  callbackUrl += `/${type}/callback`
-
-  return `${settingsConfig.platformUrl}${callbackUrl}`
-}

package/src/middleware/querystringToBody.ts

@@ -1,28 +0,0 @@
-import { Ctx } from "@budibase/types"
-
-/**
- * Expects a standard "query" query string property which is the JSON body
- * of the request, which has to be sent via query string due to the requirement
- * of making an endpoint a GET request e.g. downloading a file stream.
- */
-export default function (ctx: Ctx, next: any) {
-  const queryString = ctx.request.query?.query as string | undefined
-  if (ctx.request.method.toLowerCase() !== "get") {
-    ctx.throw(
-      500,
-      "Query to download middleware can only be used for get requests."
-    )
-  }
-  if (!queryString) {
-    return next()
-  }
-  const decoded = decodeURIComponent(queryString)
-  let json
-  try {
-    json = JSON.parse(decoded)
-  } catch (err) {
-    return next()
-  }
-  ctx.request.body = json
-  return next()
-}

package/src/middleware/tenancy.ts

@@ -1,36 +0,0 @@
-import { doInTenant } from "../context"
-import { getTenantIDFromCtx } from "../tenancy"
-import { buildMatcherRegex, matches } from "./matchers"
-import { Header } from "../constants"
-import {
-  BBContext,
-  EndpointMatcher,
-  GetTenantIdOptions,
-  TenantResolutionStrategy,
-} from "@budibase/types"
-
-export default function (
-  allowQueryStringPatterns: EndpointMatcher[],
-  noTenancyPatterns: EndpointMatcher[],
-  opts: { noTenancyRequired?: boolean } = { noTenancyRequired: false }
-) {
-  const allowQsOptions = buildMatcherRegex(allowQueryStringPatterns)
-  const noTenancyOptions = buildMatcherRegex(noTenancyPatterns)
-
-  return async function (ctx: BBContext | any, next: any) {
-    const allowNoTenant =
-      opts.noTenancyRequired || !!matches(ctx, noTenancyOptions)
-    const tenantOpts: GetTenantIdOptions = {
-      allowNoTenant,
-    }
-
-    const allowQs = !!matches(ctx, allowQsOptions)
-    if (!allowQs) {
-      tenantOpts.excludeStrategies = [TenantResolutionStrategy.QUERY]
-    }
-
-    const tenantId = getTenantIDFromCtx(ctx, tenantOpts)
-    ctx.set(Header.TENANT_ID, tenantId as string)
-    return doInTenant(tenantId, next)
-  }
-}