@budibase/worker 3.35.3 → 3.35.10

package/__mocks__/@budibase/pro.ts

@@ -1,6 +1,10 @@
 const actual = jest.requireActual("@budibase/pro")
 const pro = {
   ...actual,
+  scimUsers: {
+    ...actual.scimUsers,
+    handleDisable: jest.fn(),
+  },
   features: {
     ...actual.features,
     isSSOEnforced: jest.fn(),

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@budibase/worker",
   "email": "hi@budibase.com",
-  "version": "3.35.3",
+  "version": "3.35.10",
   "description": "Budibase background service",
   "main": "src/index.ts",
   "repository": {
@@ -15,7 +15,7 @@
     "prebuild": "rimraf dist/",
     "build": "node ./scripts/build.js",
     "postbuild": "copyfiles -f ../../yarn.lock ./dist/",
-    "check:types": "tsc -p tsconfig.json --noEmit --paths null",
+    "check:types": "tsc -p tsconfig.json --noEmit --incremental --paths null",
     "build:dev": "yarn prebuild && tsc --build --watch --preserveWatchOutput",
     "run:docker": "node --enable-source-maps dist/index.js",
     "debug": "yarn build && node --expose-gc --inspect=9223 dist/index.js",
@@ -55,7 +55,7 @@
     "lodash": "4.18.1",
     "marked": "^15.0.11",
     "node-fetch": "2.6.7",
-    "nodemailer": "8.0.4",
+    "nodemailer": "8.0.5",
     "pouchdb": "9.0.0",
     "scim-patch": "^0.8.1",
     "scim2-parse-filter": "^0.2.8",
@@ -79,5 +79,5 @@
     "supertest": "6.3.3",
     "timekeeper": "2.2.0"
   },
-  "gitHead": "d5b05b266b9b7726bdcd7a9e7affb3330129805c"
+  "gitHead": "e2fa586beb21f730b22350e561d21ec1e2c5c2f0"
 }

package/src/api/controllers/global/auth.ts

@@ -95,7 +95,10 @@ async function passportCallback(
   const loginResult = await authSdk.loginUser(user)
 
   // set a cookie for browser access
-  setCookie(ctx, loginResult.token, Cookie.Auth, { sign: false })
+  setCookie(ctx, loginResult.token, Cookie.Auth, {
+    sign: false,
+    httpOnly: true,
+  })
   // set the token in a header as well for APIs
   ctx.set(Header.TOKEN, loginResult.token)
 
@@ -282,14 +285,20 @@ export const datasourcePreAuth = async (
   next: Next
 ) => {
   const provider = ctx.params.provider
+  const returnPath =
+    typeof ctx.query.returnPath === "string" ? ctx.query.returnPath : undefined
   const { middleware } = require(`@budibase/backend-core`)
   const handler = middleware.datasource[provider]
+  if (!handler) {
+    ctx.throw(400, "Unsupported datasource provider")
+  }
 
   setCookie(
     ctx,
     {
       provider,
       appId: ctx.query.appId,
+      returnPath,
     },
     Cookie.DatasourceAuth
   )
@@ -308,6 +317,9 @@ export const datasourceAuth = async (ctx: UserCtx<void, void>, next: Next) => {
   const provider = authStateCookie.provider
   const { middleware } = require(`@budibase/backend-core`)
   const handler = middleware.datasource[provider]
+  if (!handler) {
+    ctx.throw(400, "Unsupported datasource provider")
+  }
   return handler.postAuth(passport, ctx, next)
 }
 

package/src/api/controllers/global/configs.ts

@@ -36,6 +36,8 @@ import {
   OIDCLogosConfig,
   PASSWORD_REPLACEMENT,
   RecaptchaInnerConfig,
+  SCIMDisableAction,
+  SCIMInnerConfig,
   SaveConfigRequest,
   SaveConfigResponse,
   SettingsBrandingConfig,
@@ -346,12 +348,26 @@ async function processTranslationsConfig(
   ctx.request.body.config = prepareTranslationsConfig(ctx, config)
 }
 
+async function processSCIMConfig(
+  newConfig: SCIMInnerConfig,
+  existingConfig: SCIMInnerConfig | undefined
+): Promise<SCIMDisableAction | undefined> {
+  const { disableAction } = newConfig
+  delete newConfig.disableAction
+
+  const isBeingDisabled = existingConfig?.enabled && !newConfig.enabled
+  if (isBeingDisabled && disableAction) {
+    return disableAction
+  }
+}
+
 export async function save(
   ctx: UserCtx<SaveConfigRequest, SaveConfigResponse>
 ) {
   const body = ctx.request.body
   const type = body.type
   const config = body.config
+  let scimDisableAction: SCIMDisableAction | undefined
 
   const existingConfig = await configs.getConfig(type)
   let eventFns = await getEventFns(ctx.request.body, existingConfig)
@@ -380,6 +396,12 @@ export async function save(
       case ConfigType.TRANSLATIONS:
         await processTranslationsConfig(ctx, config)
         break
+      case ConfigType.SCIM:
+        scimDisableAction = await processSCIMConfig(
+          config,
+          existingConfig?.config
+        )
+        break
     }
   } catch (err: any) {
     ctx.throw(400, err?.message || err)
@@ -425,6 +447,19 @@ export async function save(
       await fn()
     }
 
+    if (scimDisableAction) {
+      const tenantId = tenancy.getTenantId()
+      setImmediate(async () => {
+        try {
+          await tenancy.doInTenant(tenantId, () =>
+            pro.scimUsers.handleDisable(scimDisableAction!)
+          )
+        } catch (e) {
+          console.error("Error processing SCIM users on disable:", e)
+        }
+      })
+    }
+
     ctx.body = {
       type,
       _id: response.id,

package/src/api/controllers/global/scim/users.ts

@@ -107,7 +107,7 @@ export const update = async (ctx: Ctx<ScimUpdateRequest, ScimUserResponse>) => {
     ctx.throw(500)
   }
 
-  const userToUpdate = mappers.user.fromScimUser(patchedScimUser)
+  const userToUpdate = mappers.user.fromScimUser(patchedScimUser, user.roles)
   await scimUsers.update(userToUpdate, { allowChangingEmail: true })
 
   ctx.body = mappers.user.toScimUserResponse(userToUpdate)

package/src/api/routes/global/tests/configs.spec.ts

@@ -5,6 +5,7 @@ import {
   ConfigType,
   GetPublicSettingsResponse,
   PKCEMethod,
+  SCIMConfig,
   TranslationsConfig,
 } from "@budibase/types"
 import { TestConfiguration, mocks, structures } from "../../../../tests"
@@ -402,6 +403,71 @@ describe("configs", () => {
     })
   })
 
+  describe("scim", () => {
+    const scimConfig = (enabled: boolean, disableAction?: string): SCIMConfig =>
+      ({
+        type: ConfigType.SCIM,
+        config: { enabled, ...(disableAction ? { disableAction } : {}) },
+      }) as SCIMConfig
+
+    beforeEach(async () => {
+      await config.deleteConfig(ConfigType.SCIM)
+      jest.clearAllMocks()
+      mocks.pro.scimUsers.handleDisable.mockResolvedValue(undefined)
+    })
+
+    afterEach(async () => {
+      await config.deleteConfig(ConfigType.SCIM)
+    })
+
+    it("calls handleDisable with 'remove' when SCIM is disabled with remove action", async () => {
+      await config.api.configs.saveConfig(scimConfig(true))
+      jest.clearAllMocks()
+
+      await config.api.configs.saveConfig(scimConfig(false, "remove"))
+      await new Promise<void>(resolve => setImmediate(resolve))
+
+      expect(mocks.pro.scimUsers.handleDisable).toHaveBeenCalledTimes(1)
+      expect(mocks.pro.scimUsers.handleDisable).toHaveBeenCalledWith("remove")
+    })
+
+    it("calls handleDisable with 'convert' when SCIM is disabled with convert action", async () => {
+      await config.api.configs.saveConfig(scimConfig(true))
+      jest.clearAllMocks()
+
+      await config.api.configs.saveConfig(scimConfig(false, "convert"))
+      await new Promise<void>(resolve => setImmediate(resolve))
+
+      expect(mocks.pro.scimUsers.handleDisable).toHaveBeenCalledTimes(1)
+      expect(mocks.pro.scimUsers.handleDisable).toHaveBeenCalledWith("convert")
+    })
+
+    it("does not call handleDisable when SCIM is disabled without a disableAction", async () => {
+      await config.api.configs.saveConfig(scimConfig(true))
+      jest.clearAllMocks()
+
+      await config.api.configs.saveConfig(scimConfig(false))
+      await new Promise<void>(resolve => setImmediate(resolve))
+
+      expect(mocks.pro.scimUsers.handleDisable).not.toHaveBeenCalled()
+    })
+
+    it("does not call handleDisable when SCIM is being enabled", async () => {
+      await config.api.configs.saveConfig(scimConfig(true, "remove"))
+      await new Promise<void>(resolve => setImmediate(resolve))
+
+      expect(mocks.pro.scimUsers.handleDisable).not.toHaveBeenCalled()
+    })
+
+    it("does not persist disableAction to the saved config", async () => {
+      await config.api.configs.saveConfig(scimConfig(true))
+      await config.api.configs.saveConfig(scimConfig(false, "remove"))
+
+      const saved = await config.api.configs.getConfig(ConfigType.SCIM)
+      expect(saved.config).not.toHaveProperty("disableAction")
+    })
+  })
+
   describe("GET /api/global/configs/checklist", () => {
     it("should return the correct checklist", async () => {
       await config.saveSmtpConfig()

package/src/api/routes/global/tests/scim.spec.ts

@@ -364,9 +364,12 @@ describe("scim", () => {
       })
 
       it("creating an external user that conflicts an internal one syncs the existing user", async () => {
-        const { body: internalUser } = await config.api.users.saveUser(
-          structures.users.user()
-        )
+        const workspaceId = "app_scim_sync_roles"
+        const explicitRoles = { [workspaceId]: "BASIC" }
+        const { body: internalUser } = await config.api.users.saveUser({
+          ...structures.users.user(),
+          roles: explicitRoles,
+        })
 
         const scimUserData = {
           externalId: structures.uuid(),
@@ -410,6 +413,14 @@ describe("scim", () => {
         }
 
         expect(res).toEqual(expectedScimUser)
+
+        expect(
+          (await config.api.users.getUser(internalUser._id!)).body
+        ).toEqual(
+          expect.objectContaining({
+            roles: explicitRoles,
+          })
+        )
       })
 
       it("a user cannot be SCIM synchronised with another SCIM user", async () => {
@@ -516,6 +527,46 @@ describe("scim", () => {
         expect(persistedUser).toEqual(expectedScimUser)
       })
 
+      it("preserves explicit roles when updating an existing SCIM user", async () => {
+        const workspaceId = "app_scim_patch_roles"
+        const explicitRoles = { [workspaceId]: "BASIC" }
+        const { body: internalUser } = await config.api.users.saveUser({
+          ...structures.users.user(),
+          roles: explicitRoles,
+        })
+
+        const syncedUser = await config.api.scimUsersAPI.post(
+          {
+            body: structures.scim.createUserRequest({
+              email: internalUser.email,
+            }),
+          },
+          { expect: 200 }
+        )
+
+        const newFamilyName = structures.generator.last()
+        const body: ScimUpdateRequest = {
+          schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+          Operations: [
+            {
+              op: "Replace",
+              path: "name.familyName",
+              value: newFamilyName,
+            },
+          ],
+        }
+
+        await patchScimUser({ id: syncedUser.id, body })
+
+        expect((await config.api.users.getUser(syncedUser.id)).body).toEqual(
+          expect.objectContaining({
+            _id: syncedUser.id,
+            lastName: newFamilyName,
+            roles: explicitRoles,
+          })
+        )
+      })
+
       it.each([false, "false", "False"])(
         "deactivating an active user (sending %s) will delete it",
         async activeValue => {

package/src/api/routes/global/tests/users.spec.ts

@@ -1138,6 +1138,14 @@ describe("/api/global/users", () => {
       await config.api.users.searchUsers({}, { status: 403, noHeaders: true })
     })
 
+    it("should throw an error if a public route is injected in the query string", async () => {
+      await config.request
+        .post("/api/global/users/search?x=/api/system/status")
+        .send({})
+        .expect("Content-Type", /json/)
+        .expect(403)
+    })
+
     it("should be able to search using logical conditions", async () => {
       const user = await config.createUser()
       const response = await config.api.users.searchUsers({