@budibase/backend-core 2.9.19 → 2.9.21-alpha.0

package/src/middleware/csrf.ts

@@ -1,81 +0,0 @@
-import { Header } from "../constants"
-import { buildMatcherRegex, matches } from "./matchers"
-import { BBContext, EndpointMatcher } from "@budibase/types"
-
-/**
- * GET, HEAD and OPTIONS methods are considered safe operations
- *
- * POST, PUT, PATCH, and DELETE methods, being state changing verbs,
- * should have a CSRF token attached to the request
- */
-const EXCLUDED_METHODS = ["GET", "HEAD", "OPTIONS"]
-
-/**
- * There are only three content type values that can be used in cross domain requests.
- * If any other value is used, e.g. application/json, the browser will first make a OPTIONS
- * request which will be protected by CORS.
- */
-const INCLUDED_CONTENT_TYPES = [
-  "application/x-www-form-urlencoded",
-  "multipart/form-data",
-  "text/plain",
-]
-
-/**
- * Validate the CSRF token generated aganst the user session.
- * Compare the token with the x-csrf-token header.
- *
- * If the token is not found within the request or the value provided
- * does not match the value within the user session, the request is rejected.
- *
- * CSRF protection provided using the 'Synchronizer Token Pattern'
- * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
- *
- */
-export default function (
-  opts: { noCsrfPatterns: EndpointMatcher[] } = { noCsrfPatterns: [] }
-) {
-  const noCsrfOptions = buildMatcherRegex(opts.noCsrfPatterns)
-  return async (ctx: BBContext | any, next: any) => {
-    // don't apply for excluded paths
-    const found = matches(ctx, noCsrfOptions)
-    if (found) {
-      return next()
-    }
-
-    // don't apply for the excluded http methods
-    if (EXCLUDED_METHODS.indexOf(ctx.method) !== -1) {
-      return next()
-    }
-
-    // don't apply when the content type isn't supported
-    let contentType = ctx.get("content-type")
-      ? ctx.get("content-type").toLowerCase()
-      : ""
-    if (
-      !INCLUDED_CONTENT_TYPES.filter(type => contentType.includes(type)).length
-    ) {
-      return next()
-    }
-
-    // don't apply csrf when the internal api key has been used
-    if (ctx.internal) {
-      return next()
-    }
-
-    // apply csrf when there is a token in the session (new logins)
-    // in future there should be a hard requirement that the token is present
-    const userToken = ctx.user?.csrfToken
-    if (!userToken) {
-      return next()
-    }
-
-    // reject if no token in request or mismatch
-    const requestToken = ctx.get(Header.CSRF_TOKEN)
-    if (!requestToken || requestToken !== userToken) {
-      ctx.throw(403, "Invalid CSRF token")
-    }
-
-    return next()
-  }
-}

package/src/middleware/errorHandling.ts

@@ -1,29 +0,0 @@
-import { APIError } from "@budibase/types"
-import * as errors from "../errors"
-
-export async function errorHandling(ctx: any, next: any) {
-  try {
-    await next()
-  } catch (err: any) {
-    const status = err.status || err.statusCode || 500
-    ctx.status = status
-
-    if (status >= 400 && status < 500) {
-      console.warn(err)
-    } else {
-      console.error(err)
-    }
-
-    const error = errors.getPublicError(err)
-    const body: APIError = {
-      message: err.message,
-      status: status,
-      validationErrors: err.validation,
-      error,
-    }
-
-    ctx.body = body
-  }
-}
-
-export default errorHandling

package/src/middleware/index.ts

@@ -1,21 +0,0 @@
-export * as local from "./passport/local"
-export * as google from "./passport/sso/google"
-export * as oidc from "./passport/sso/oidc"
-import * as datasourceGoogle from "./passport/datasource/google"
-export const datasource = {
-  google: datasourceGoogle,
-}
-export { authError, ssoCallbackUrl } from "./passport/utils"
-export { default as authenticated } from "./authenticated"
-export { default as auditLog } from "./auditLog"
-export { default as tenancy } from "./tenancy"
-export { default as internalApi } from "./internalApi"
-export { default as csrf } from "./csrf"
-export { default as adminOnly } from "./adminOnly"
-export { default as builderOrAdmin } from "./builderOrAdmin"
-export { default as builderOnly } from "./builderOnly"
-export { default as pino } from "../logging/pino/middleware"
-export { default as correlation } from "../logging/correlation/middleware"
-export { default as errorHandling } from "./errorHandling"
-export { default as querystringToBody } from "./querystringToBody"
-export * as joiValidator from "./joi-validator"

package/src/middleware/internalApi.ts

@@ -1,23 +0,0 @@
-import { Header } from "../constants"
-import { BBContext } from "@budibase/types"
-import { isValidInternalAPIKey } from "../utils"
-
-/**
- * API Key only endpoint.
- */
-export default async (ctx: BBContext, next: any) => {
-  const apiKey = ctx.request.headers[Header.API_KEY]
-  if (!apiKey) {
-    ctx.throw(403, "Unauthorized")
-  }
-
-  if (Array.isArray(apiKey)) {
-    ctx.throw(403, "Unauthorized")
-  }
-
-  if (!isValidInternalAPIKey(apiKey)) {
-    ctx.throw(403, "Unauthorized")
-  }
-
-  return next()
-}

package/src/middleware/joi-validator.ts

@@ -1,45 +0,0 @@
-import Joi, { ObjectSchema } from "joi"
-import { BBContext } from "@budibase/types"
-
-function validate(
-  schema: Joi.ObjectSchema | Joi.ArraySchema,
-  property: string
-) {
-  // Return a Koa middleware function
-  return (ctx: BBContext, next: any) => {
-    if (!schema) {
-      return next()
-    }
-    let params = null
-    // @ts-ignore
-    let reqProp = ctx.request?.[property]
-    if (ctx[property] != null) {
-      params = ctx[property]
-    } else if (reqProp != null) {
-      params = reqProp
-    }
-
-    // not all schemas have the append property e.g. array schemas
-    if ((schema as Joi.ObjectSchema).append) {
-      schema = (schema as Joi.ObjectSchema).append({
-        createdAt: Joi.any().optional(),
-        updatedAt: Joi.any().optional(),
-      })
-    }
-
-    const { error } = schema.validate(params)
-    if (error) {
-      ctx.throw(400, `Invalid ${property} - ${error.message}`)
-      return
-    }
-    return next()
-  }
-}
-
-export function body(schema: Joi.ObjectSchema | Joi.ArraySchema) {
-  return validate(schema, "body")
-}
-
-export function params(schema: Joi.ObjectSchema | Joi.ArraySchema) {
-  return validate(schema, "params")
-}

package/src/middleware/matchers.ts

@@ -1,47 +0,0 @@
-import { BBContext, EndpointMatcher, RegexMatcher } from "@budibase/types"
-
-const PARAM_REGEX = /\/:(.*?)(\/.*)?$/g
-
-export const buildMatcherRegex = (
-  patterns: EndpointMatcher[]
-): RegexMatcher[] => {
-  if (!patterns) {
-    return []
-  }
-  return patterns.map(pattern => {
-    let route = pattern.route
-    const method = pattern.method
-    const strict = pattern.strict ? pattern.strict : false
-
-    // if there is a param in the route
-    // use a wildcard pattern
-    const matches = route.match(PARAM_REGEX)
-    if (matches) {
-      for (let match of matches) {
-        const suffix = match.endsWith("/") ? "/" : ""
-        const pattern = "/.*" + suffix
-        route = route.replace(match, pattern)
-      }
-    }
-
-    return { regex: new RegExp(route), method, strict, route }
-  })
-}
-
-export const matches = (ctx: BBContext, options: RegexMatcher[]) => {
-  return options.find(({ regex, method, strict, route }) => {
-    let urlMatch
-    if (strict) {
-      urlMatch = ctx.request.url === route
-    } else {
-      urlMatch = regex.test(ctx.request.url)
-    }
-
-    const methodMatch =
-      method === "ALL"
-        ? true
-        : ctx.request.method.toLowerCase() === method.toLowerCase()
-
-    return urlMatch && methodMatch
-  })
-}

package/src/middleware/passport/datasource/google.ts

@@ -1,95 +0,0 @@
-import * as google from "../sso/google"
-import { Cookie } from "../../../constants"
-import * as configs from "../../../configs"
-import * as cache from "../../../cache"
-import * as utils from "../../../utils"
-import { UserCtx, SSOProfile } from "@budibase/types"
-import { ssoSaveUserNoOp } from "../sso/sso"
-
-const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy
-
-type Passport = {
-  authenticate: any
-}
-
-async function fetchGoogleCreds() {
-  let config = await configs.getGoogleDatasourceConfig()
-
-  if (!config) {
-    throw new Error("No google configuration found")
-  }
-  return config
-}
-
-export async function preAuth(
-  passport: Passport,
-  ctx: UserCtx,
-  next: Function
-) {
-  // get the relevant config
-  const googleConfig = await fetchGoogleCreds()
-  const platformUrl = await configs.getPlatformUrl({ tenantAware: false })
-
-  let callbackUrl = `${platformUrl}/api/global/auth/datasource/google/callback`
-  const strategy = await google.strategyFactory(
-    googleConfig,
-    callbackUrl,
-    ssoSaveUserNoOp
-  )
-
-  if (!ctx.query.appId) {
-    ctx.throw(400, "appId query param not present.")
-  }
-
-  return passport.authenticate(strategy, {
-    scope: ["profile", "email", "https://www.googleapis.com/auth/spreadsheets"],
-    accessType: "offline",
-    prompt: "consent",
-  })(ctx, next)
-}
-
-export async function postAuth(
-  passport: Passport,
-  ctx: UserCtx,
-  next: Function
-) {
-  // get the relevant config
-  const config = await fetchGoogleCreds()
-  const platformUrl = await configs.getPlatformUrl({ tenantAware: false })
-
-  let callbackUrl = `${platformUrl}/api/global/auth/datasource/google/callback`
-  const authStateCookie = utils.getCookie(ctx, Cookie.DatasourceAuth)
-
-  return passport.authenticate(
-    new GoogleStrategy(
-      {
-        clientID: config.clientID,
-        clientSecret: config.clientSecret,
-        callbackURL: callbackUrl,
-      },
-      (
-        accessToken: string,
-        refreshToken: string,
-        _profile: SSOProfile,
-        done: Function
-      ) => {
-        utils.clearCookie(ctx, Cookie.DatasourceAuth)
-        done(null, { accessToken, refreshToken })
-      }
-    ),
-    { successRedirect: "/", failureRedirect: "/error" },
-    async (err: any, tokens: string[]) => {
-      const baseUrl = `/builder/app/${authStateCookie.appId}/data`
-
-      const id = utils.newid()
-      await cache.store(
-        `datasource:creation:${authStateCookie.appId}:google:${id}`,
-        {
-          tokens,
-        }
-      )
-
-      ctx.redirect(`${baseUrl}/new?continue_google_setup=${id}`)
-    }
-  )(ctx, next)
-}

package/src/middleware/passport/local.ts

@@ -1,54 +0,0 @@
-import { UserStatus } from "../../constants"
-import { compare } from "../../utils"
-import * as users from "../../users"
-import { authError } from "./utils"
-import { BBContext } from "@budibase/types"
-
-const INVALID_ERR = "Invalid credentials"
-const EXPIRED = "This account has expired. Please reset your password"
-
-export const options = {
-  passReqToCallback: true,
-}
-
-/**
- * Passport Local Authentication Middleware.
- * @param {*} ctx the request structure
- * @param {*} email username to login with
- * @param {*} password plain text password to log in with
- * @param {*} done callback from passport to return user information and errors
- * @returns The authenticated user, or errors if they occur
- */
-export async function authenticate(
-  ctx: BBContext,
-  email: string,
-  password: string,
-  done: Function
-) {
-  if (!email) return authError(done, "Email Required")
-  if (!password) return authError(done, "Password Required")
-
-  const dbUser = await users.getGlobalUserByEmail(email)
-  if (dbUser == null) {
-    console.info(`user=${email} could not be found`)
-    return authError(done, INVALID_ERR)
-  }
-
-  if (dbUser.status === UserStatus.INACTIVE) {
-    console.info(`user=${email} is inactive`, dbUser)
-    return authError(done, INVALID_ERR)
-  }
-
-  if (!dbUser.password) {
-    console.info(`user=${email} has no password set`, dbUser)
-    return authError(done, EXPIRED)
-  }
-
-  if (!(await compare(password, dbUser.password))) {
-    return authError(done, INVALID_ERR)
-  }
-
-  // intentionally remove the users password in payload
-  delete dbUser.password
-  return done(null, dbUser)
-}

package/src/middleware/passport/sso/google.ts

@@ -1,77 +0,0 @@
-import { ssoCallbackUrl } from "../utils"
-import * as sso from "./sso"
-import {
-  ConfigType,
-  SSOProfile,
-  SSOAuthDetails,
-  SSOProviderType,
-  SaveSSOUserFunction,
-  GoogleInnerConfig,
-} from "@budibase/types"
-const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy
-
-export function buildVerifyFn(saveUserFn: SaveSSOUserFunction) {
-  return (
-    accessToken: string,
-    refreshToken: string,
-    profile: SSOProfile,
-    done: Function
-  ) => {
-    const details: SSOAuthDetails = {
-      provider: "google",
-      providerType: SSOProviderType.GOOGLE,
-      userId: profile.id,
-      profile: profile,
-      email: profile._json.email,
-      oauth2: {
-        accessToken,
-        refreshToken,
-      },
-    }
-
-    return sso.authenticate(
-      details,
-      true, // require local accounts to exist
-      done,
-      saveUserFn
-    )
-  }
-}
-
-/**
- * Create an instance of the google passport strategy. This wrapper fetches the configuration
- * from couchDB rather than environment variables, using this factory is necessary for dynamically configuring passport.
- * @returns Dynamically configured Passport Google Strategy
- */
-export async function strategyFactory(
-  config: GoogleInnerConfig,
-  callbackUrl: string,
-  saveUserFn: SaveSSOUserFunction
-) {
-  try {
-    const { clientID, clientSecret } = config
-
-    if (!clientID || !clientSecret) {
-      throw new Error(
-        "Configuration invalid. Must contain google clientID and clientSecret"
-      )
-    }
-
-    const verify = buildVerifyFn(saveUserFn)
-    return new GoogleStrategy(
-      {
-        clientID: config.clientID,
-        clientSecret: config.clientSecret,
-        callbackURL: callbackUrl,
-      },
-      verify
-    )
-  } catch (err: any) {
-    console.error(err)
-    throw new Error(`Error constructing google authentication strategy: ${err}`)
-  }
-}
-
-export async function getCallbackUrl(config: GoogleInnerConfig) {
-  return ssoCallbackUrl(ConfigType.GOOGLE, config)
-}

package/src/middleware/passport/sso/oidc.ts

@@ -1,154 +0,0 @@
-import fetch from "node-fetch"
-import * as sso from "./sso"
-import { ssoCallbackUrl } from "../utils"
-import { validEmail } from "../../../utils"
-import {
-  ConfigType,
-  OIDCInnerConfig,
-  SSOProfile,
-  OIDCStrategyConfiguration,
-  SSOAuthDetails,
-  SSOProviderType,
-  JwtClaims,
-  SaveSSOUserFunction,
-} from "@budibase/types"
-
-const OIDCStrategy = require("@techpass/passport-openidconnect").Strategy
-
-export function buildVerifyFn(saveUserFn: SaveSSOUserFunction) {
-  /**
-   * @param {*} issuer The identity provider base URL
-   * @param {*} sub The user ID
-   * @param {*} profile The user profile information. Created by passport from the /userinfo response
-   * @param {*} jwtClaims The parsed id_token claims
-   * @param {*} accessToken The access_token for contacting the identity provider - may or may not be a JWT
-   * @param {*} refreshToken The refresh_token for obtaining a new access_token - usually not a JWT
-   * @param {*} idToken The id_token - always a JWT
-   * @param {*} params The response body from requesting an access_token
-   * @param {*} done The passport callback: err, user, info
-   */
-  return async (
-    issuer: string,
-    sub: string,
-    profile: SSOProfile,
-    jwtClaims: JwtClaims,
-    accessToken: string,
-    refreshToken: string,
-    idToken: string,
-    params: any,
-    done: Function
-  ) => {
-    const details: SSOAuthDetails = {
-      // store the issuer info to enable sync in future
-      provider: issuer,
-      providerType: SSOProviderType.OIDC,
-      userId: profile.id,
-      profile: profile,
-      email: getEmail(profile, jwtClaims),
-      oauth2: {
-        accessToken: accessToken,
-        refreshToken: refreshToken,
-      },
-    }
-
-    return sso.authenticate(
-      details,
-      false, // don't require local accounts to exist
-      done,
-      saveUserFn
-    )
-  }
-}
-
-/**
- * @param {*} profile The structured profile created by passport using the user info endpoint
- * @param {*} jwtClaims The claims returned in the id token
- */
-function getEmail(profile: SSOProfile, jwtClaims: JwtClaims) {
-  // profile not guaranteed to contain email e.g. github connected azure ad account
-  if (profile._json.email) {
-    return profile._json.email
-  }
-
-  // fallback to id token email
-  if (jwtClaims.email) {
-    return jwtClaims.email
-  }
-
-  // fallback to id token preferred username
-  const username = jwtClaims.preferred_username
-  if (username && validEmail(username)) {
-    return username
-  }
-
-  throw new Error(
-    `Could not determine user email from profile ${JSON.stringify(
-      profile
-    )} and claims ${JSON.stringify(jwtClaims)}`
-  )
-}
-
-/**
- * Create an instance of the oidc passport strategy. This wrapper fetches the configuration
- * from couchDB rather than environment variables, using this factory is necessary for dynamically configuring passport.
- * @returns Dynamically configured Passport OIDC Strategy
- */
-export async function strategyFactory(
-  config: OIDCStrategyConfiguration,
-  saveUserFn: SaveSSOUserFunction
-) {
-  try {
-    const verify = buildVerifyFn(saveUserFn)
-    const strategy = new OIDCStrategy(config, verify)
-    strategy.name = "oidc"
-    return strategy
-  } catch (err: any) {
-    console.error(err)
-    throw new Error(`Error constructing OIDC authentication strategy - ${err}`)
-  }
-}
-
-export async function fetchStrategyConfig(
-  oidcConfig: OIDCInnerConfig,
-  callbackUrl?: string
-): Promise<OIDCStrategyConfiguration> {
-  try {
-    const { clientID, clientSecret, configUrl } = oidcConfig
-
-    if (!clientID || !clientSecret || !callbackUrl || !configUrl) {
-      // check for remote config and all required elements
-      throw new Error(
-        "Configuration invalid. Must contain clientID, clientSecret, callbackUrl and configUrl"
-      )
-    }
-
-    const response = await fetch(configUrl)
-
-    if (!response.ok) {
-      throw new Error(
-        `Unexpected response when fetching openid-configuration: ${response.statusText}`
-      )
-    }
-
-    const body = await response.json()
-
-    return {
-      issuer: body.issuer,
-      authorizationURL: body.authorization_endpoint,
-      tokenURL: body.token_endpoint,
-      userInfoURL: body.userinfo_endpoint,
-      clientID: clientID,
-      clientSecret: clientSecret,
-      callbackURL: callbackUrl,
-    }
-  } catch (err) {
-    console.error(err)
-    throw new Error(
-      `Error constructing OIDC authentication configuration - ${err}`
-    )
-  }
-}
-
-export async function getCallbackUrl() {
-  return ssoCallbackUrl(ConfigType.OIDC)
-}