@budibase/worker 3.35.3 → 3.36.1

package/__mocks__/@budibase/pro.ts

@@ -1,6 +1,10 @@
 const actual = jest.requireActual("@budibase/pro")
 const pro = {
   ...actual,
+  scimUsers: {
+    ...actual.scimUsers,
+    handleDisable: jest.fn(),
+  },
   features: {
     ...actual.features,
     isSSOEnforced: jest.fn(),

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@budibase/worker",
   "email": "hi@budibase.com",
-  "version": "3.35.3",
+  "version": "3.36.1",
   "description": "Budibase background service",
   "main": "src/index.ts",
   "repository": {
@@ -15,7 +15,7 @@
     "prebuild": "rimraf dist/",
     "build": "node ./scripts/build.js",
     "postbuild": "copyfiles -f ../../yarn.lock ./dist/",
-    "check:types": "tsc -p tsconfig.json --noEmit --paths null",
+    "check:types": "tsc -p tsconfig.json --noEmit --incremental --paths null",
     "build:dev": "yarn prebuild && tsc --build --watch --preserveWatchOutput",
     "run:docker": "node --enable-source-maps dist/index.js",
     "debug": "yarn build && node --expose-gc --inspect=9223 dist/index.js",
@@ -55,7 +55,7 @@
     "lodash": "4.18.1",
     "marked": "^15.0.11",
     "node-fetch": "2.6.7",
-    "nodemailer": "8.0.4",
+    "nodemailer": "8.0.5",
     "pouchdb": "9.0.0",
     "scim-patch": "^0.8.1",
     "scim2-parse-filter": "^0.2.8",
@@ -79,5 +79,5 @@
     "supertest": "6.3.3",
     "timekeeper": "2.2.0"
   },
-  "gitHead": "d5b05b266b9b7726bdcd7a9e7affb3330129805c"
+  "gitHead": "7a83e0e9dc810a0a6e41b006b8a6f26c749c75c0"
 }

package/src/api/controllers/global/auth.ts

@@ -95,7 +95,10 @@ async function passportCallback(
   const loginResult = await authSdk.loginUser(user)
 
   // set a cookie for browser access
-  setCookie(ctx, loginResult.token, Cookie.Auth, { sign: false })
+  setCookie(ctx, loginResult.token, Cookie.Auth, {
+    sign: false,
+    httpOnly: true,
+  })
   // set the token in a header as well for APIs
   ctx.set(Header.TOKEN, loginResult.token)
 
@@ -282,14 +285,20 @@ export const datasourcePreAuth = async (
   next: Next
 ) => {
   const provider = ctx.params.provider
+  const returnPath =
+    typeof ctx.query.returnPath === "string" ? ctx.query.returnPath : undefined
   const { middleware } = require(`@budibase/backend-core`)
   const handler = middleware.datasource[provider]
+  if (!handler) {
+    ctx.throw(400, "Unsupported datasource provider")
+  }
 
   setCookie(
     ctx,
     {
       provider,
       appId: ctx.query.appId,
+      returnPath,
     },
     Cookie.DatasourceAuth
   )
@@ -308,6 +317,9 @@ export const datasourceAuth = async (ctx: UserCtx<void, void>, next: Next) => {
   const provider = authStateCookie.provider
   const { middleware } = require(`@budibase/backend-core`)
   const handler = middleware.datasource[provider]
+  if (!handler) {
+    ctx.throw(400, "Unsupported datasource provider")
+  }
   return handler.postAuth(passport, ctx, next)
 }
 

package/src/api/controllers/global/configs.ts

@@ -36,6 +36,8 @@ import {
   OIDCLogosConfig,
   PASSWORD_REPLACEMENT,
   RecaptchaInnerConfig,
+  SCIMDisableAction,
+  SCIMInnerConfig,
   SaveConfigRequest,
   SaveConfigResponse,
   SettingsBrandingConfig,
@@ -346,12 +348,26 @@ async function processTranslationsConfig(
   ctx.request.body.config = prepareTranslationsConfig(ctx, config)
 }
 
+async function processSCIMConfig(
+  newConfig: SCIMInnerConfig,
+  existingConfig: SCIMInnerConfig | undefined
+): Promise<SCIMDisableAction | undefined> {
+  const { disableAction } = newConfig
+  delete newConfig.disableAction
+
+  const isBeingDisabled = existingConfig?.enabled && !newConfig.enabled
+  if (isBeingDisabled && disableAction) {
+    return disableAction
+  }
+}
+
 export async function save(
   ctx: UserCtx<SaveConfigRequest, SaveConfigResponse>
 ) {
   const body = ctx.request.body
   const type = body.type
   const config = body.config
+  let scimDisableAction: SCIMDisableAction | undefined
 
   const existingConfig = await configs.getConfig(type)
   let eventFns = await getEventFns(ctx.request.body, existingConfig)
@@ -380,6 +396,12 @@ export async function save(
       case ConfigType.TRANSLATIONS:
         await processTranslationsConfig(ctx, config)
         break
+      case ConfigType.SCIM:
+        scimDisableAction = await processSCIMConfig(
+          config,
+          existingConfig?.config
+        )
+        break
     }
   } catch (err: any) {
     ctx.throw(400, err?.message || err)
@@ -425,6 +447,19 @@ export async function save(
       await fn()
     }
 
+    if (scimDisableAction) {
+      const tenantId = tenancy.getTenantId()
+      setImmediate(async () => {
+        try {
+          await tenancy.doInTenant(tenantId, () =>
+            pro.scimUsers.handleDisable(scimDisableAction!)
+          )
+        } catch (e) {
+          console.error("Error processing SCIM users on disable:", e)
+        }
+      })
+    }
+
     ctx.body = {
       type,
       _id: response.id,

package/src/api/controllers/global/scim/users.ts

@@ -107,7 +107,7 @@ export const update = async (ctx: Ctx<ScimUpdateRequest, ScimUserResponse>) => {
     ctx.throw(500)
   }
 
-  const userToUpdate = mappers.user.fromScimUser(patchedScimUser)
+  const userToUpdate = mappers.user.fromScimUser(patchedScimUser, user.roles)
   await scimUsers.update(userToUpdate, { allowChangingEmail: true })
 
   ctx.body = mappers.user.toScimUserResponse(userToUpdate)

package/src/api/routes/global/license.ts

@@ -1,7 +1,11 @@
 import * as controller from "../../controllers/global/license"
 import { middleware } from "@budibase/backend-core"
 import Joi from "joi"
-import { loggedInRoutes } from "../endpointGroups"
+import {
+  adminRoutes,
+  builderOrAdminRoutes,
+  loggedInRoutes,
+} from "../endpointGroups"
 
 const activateLicenseKeyValidator = middleware.joiValidator.body(
   Joi.object({
@@ -15,9 +19,12 @@ const activateOfflineLicenseValidator = middleware.joiValidator.body(
   }).required()
 )
 
-loggedInRoutes
+loggedInRoutes.get("/api/global/license/usage", controller.getQuotaUsage)
+
+builderOrAdminRoutes.get("/api/global/license/key", controller.getLicenseKey)
+
+adminRoutes
   .post("/api/global/license/refresh", controller.refresh)
-  .get("/api/global/license/usage", controller.getQuotaUsage)
   .get("/api/global/install", controller.getInstallInfo)
   // LICENSE KEY
   .post(
@@ -25,7 +32,6 @@ loggedInRoutes
     activateLicenseKeyValidator,
     controller.activateLicenseKey
   )
-  .get("/api/global/license/key", controller.getLicenseKey)
   .delete("/api/global/license/key", controller.deleteLicenseKey)
   // OFFLINE LICENSE
   .post(

package/src/api/routes/global/tests/configs.spec.ts

@@ -5,6 +5,7 @@ import {
   ConfigType,
   GetPublicSettingsResponse,
   PKCEMethod,
+  SCIMConfig,
   TranslationsConfig,
 } from "@budibase/types"
 import { TestConfiguration, mocks, structures } from "../../../../tests"
@@ -402,6 +403,71 @@ describe("configs", () => {
     })
   })
 
+  describe("scim", () => {
+    const scimConfig = (enabled: boolean, disableAction?: string): SCIMConfig =>
+      ({
+        type: ConfigType.SCIM,
+        config: { enabled, ...(disableAction ? { disableAction } : {}) },
+      }) as SCIMConfig
+
+    beforeEach(async () => {
+      await config.deleteConfig(ConfigType.SCIM)
+      jest.clearAllMocks()
+      mocks.pro.scimUsers.handleDisable.mockResolvedValue(undefined)
+    })
+
+    afterEach(async () => {
+      await config.deleteConfig(ConfigType.SCIM)
+    })
+
+    it("calls handleDisable with 'remove' when SCIM is disabled with remove action", async () => {
+      await config.api.configs.saveConfig(scimConfig(true))
+      jest.clearAllMocks()
+
+      await config.api.configs.saveConfig(scimConfig(false, "remove"))
+      await new Promise<void>(resolve => setImmediate(resolve))
+
+      expect(mocks.pro.scimUsers.handleDisable).toHaveBeenCalledTimes(1)
+      expect(mocks.pro.scimUsers.handleDisable).toHaveBeenCalledWith("remove")
+    })
+
+    it("calls handleDisable with 'convert' when SCIM is disabled with convert action", async () => {
+      await config.api.configs.saveConfig(scimConfig(true))
+      jest.clearAllMocks()
+
+      await config.api.configs.saveConfig(scimConfig(false, "convert"))
+      await new Promise<void>(resolve => setImmediate(resolve))
+
+      expect(mocks.pro.scimUsers.handleDisable).toHaveBeenCalledTimes(1)
+      expect(mocks.pro.scimUsers.handleDisable).toHaveBeenCalledWith("convert")
+    })
+
+    it("does not call handleDisable when SCIM is disabled without a disableAction", async () => {
+      await config.api.configs.saveConfig(scimConfig(true))
+      jest.clearAllMocks()
+
+      await config.api.configs.saveConfig(scimConfig(false))
+      await new Promise<void>(resolve => setImmediate(resolve))
+
+      expect(mocks.pro.scimUsers.handleDisable).not.toHaveBeenCalled()
+    })
+
+    it("does not call handleDisable when SCIM is being enabled", async () => {
+      await config.api.configs.saveConfig(scimConfig(true, "remove"))
+      await new Promise<void>(resolve => setImmediate(resolve))
+
+      expect(mocks.pro.scimUsers.handleDisable).not.toHaveBeenCalled()
+    })
+
+    it("does not persist disableAction to the saved config", async () => {
+      await config.api.configs.saveConfig(scimConfig(true))
+      await config.api.configs.saveConfig(scimConfig(false, "remove"))
+
+      const saved = await config.api.configs.getConfig(ConfigType.SCIM)
+      expect(saved.config).not.toHaveProperty("disableAction")
+    })
+  })
+
   describe("GET /api/global/configs/checklist", () => {
     it("should return the correct checklist", async () => {
       await config.saveSmtpConfig()

package/src/api/routes/global/tests/license.spec.ts

@@ -6,6 +6,26 @@ const quotas = mocks.pro.quotas
 describe("/api/global/license", () => {
   const config = new TestConfiguration()
 
+  async function createNonAdminUser() {
+    const user = await config.createUser()
+    await config.login(user)
+    return user
+  }
+
+  async function createBuilderUser() {
+    const user = await config.createUser(structures.users.builderUser())
+    await config.login(user)
+    return user
+  }
+
+  async function createCreatorUser() {
+    const user = await config.createUser(
+      structures.users.user({ builder: { creator: true } })
+    )
+    await config.login(user)
+    return user
+  }
+
   beforeAll(async () => {
     await config.beforeAll()
   })
@@ -14,6 +34,10 @@ describe("/api/global/license", () => {
     await config.afterAll()
   })
 
+  beforeEach(() => {
+    mocks.licenses.useUnlimited()
+  })
+
   afterEach(() => {
     jest.resetAllMocks()
   })
@@ -34,6 +58,19 @@ describe("/api/global/license", () => {
       expect(res.status).toBe(200)
       expect(res.body).toEqual(usage)
     })
+
+    it("allows non-admin access", async () => {
+      const user = await createNonAdminUser()
+      const usage = structures.quotas.usage()
+      quotas.getQuotaUsage.mockResolvedValue(usage)
+
+      const res = await config.withUser(user, () =>
+        config.api.license.getUsage()
+      )
+
+      expect(res.status).toBe(200)
+      expect(res.body).toEqual(usage)
+    })
   })
 
   describe("POST /api/global/license/key", () => {
@@ -53,6 +90,35 @@ describe("/api/global/license", () => {
       const res = await config.api.license.getLicenseKey()
       expect(res.status).toBe(404)
     })
+
+    it("allows builder access", async () => {
+      const user = await createBuilderUser()
+      licensing.keys.getLicenseKey.mockResolvedValue("licenseKey")
+
+      const res = await config.withUser(user, () =>
+        config.api.license.getLicenseKey()
+      )
+
+      expect(res.status).toBe(200)
+      expect(res.body).toEqual({
+        licenseKey: "*",
+      })
+    })
+
+    it("allows creator access", async () => {
+      const user = await createCreatorUser()
+      licensing.keys.getLicenseKey.mockResolvedValue("licenseKey")
+
+      const res = await config.withUser(user, () =>
+        config.api.license.getLicenseKey()
+      )
+
+      expect(res.status).toBe(200)
+      expect(res.body).toEqual({
+        licenseKey: "*",
+      })
+    })
+
     it("returns 200 + license key", async () => {
       licensing.keys.getLicenseKey.mockResolvedValue("licenseKey")
       const res = await config.api.license.getLicenseKey()
@@ -120,4 +186,70 @@ describe("/api/global/license", () => {
       })
     })
   })
+
+  describe("authorisation", () => {
+    it.each([
+      [
+        "GET /api/global/license/key",
+        () => config.api.license.getLicenseKey(),
+        { message: "Admin/Builder user only endpoint.", status: 403 },
+      ],
+      [
+        "POST /api/global/license/refresh",
+        () => config.api.license.refresh(),
+        config.adminOnlyResponse(),
+      ],
+      [
+        "GET /api/global/install",
+        () => config.api.license.getInstallInfo(),
+        config.adminOnlyResponse(),
+      ],
+      [
+        "POST /api/global/license/key",
+        () =>
+          config.api.license.activateLicenseKey({
+            licenseKey: "licenseKey",
+          }),
+        config.adminOnlyResponse(),
+      ],
+      [
+        "DELETE /api/global/license/key",
+        () => config.api.license.deleteLicenseKey(),
+        config.adminOnlyResponse(),
+      ],
+      [
+        "POST /api/global/license/offline",
+        () =>
+          config.api.license.activateOfflineLicense({
+            offlineLicenseToken: "offlineLicenseToken",
+          }),
+        config.adminOnlyResponse(),
+      ],
+      [
+        "GET /api/global/license/offline",
+        () => config.api.license.getOfflineLicense(),
+        config.adminOnlyResponse(),
+      ],
+      [
+        "DELETE /api/global/license/offline",
+        () => config.api.license.deleteOfflineLicense(),
+        config.adminOnlyResponse(),
+      ],
+      [
+        "GET /api/global/license/offline/identifier",
+        () => config.api.license.getOfflineLicenseIdentifier(),
+        config.adminOnlyResponse(),
+      ],
+    ])(
+      "returns 403 for non-admin access to %s",
+      async (_path, request, expectedBody) => {
+        const user = await createNonAdminUser()
+
+        const res = await config.withUser(user, () => request())
+
+        expect(res.status).toBe(403)
+        expect(res.body).toEqual(expectedBody)
+      }
+    )
+  })
 })

package/src/api/routes/global/tests/scim.spec.ts

@@ -364,9 +364,12 @@ describe("scim", () => {
       })
 
       it("creating an external user that conflicts an internal one syncs the existing user", async () => {
-        const { body: internalUser } = await config.api.users.saveUser(
-          structures.users.user()
-        )
+        const workspaceId = "app_scim_sync_roles"
+        const explicitRoles = { [workspaceId]: "BASIC" }
+        const { body: internalUser } = await config.api.users.saveUser({
+          ...structures.users.user(),
+          roles: explicitRoles,
+        })
 
         const scimUserData = {
           externalId: structures.uuid(),
@@ -410,6 +413,14 @@ describe("scim", () => {
         }
 
         expect(res).toEqual(expectedScimUser)
+
+        expect(
+          (await config.api.users.getUser(internalUser._id!)).body
+        ).toEqual(
+          expect.objectContaining({
+            roles: explicitRoles,
+          })
+        )
       })
 
       it("a user cannot be SCIM synchronised with another SCIM user", async () => {
@@ -516,6 +527,46 @@ describe("scim", () => {
         expect(persistedUser).toEqual(expectedScimUser)
       })
 
+      it("preserves explicit roles when updating an existing SCIM user", async () => {
+        const workspaceId = "app_scim_patch_roles"
+        const explicitRoles = { [workspaceId]: "BASIC" }
+        const { body: internalUser } = await config.api.users.saveUser({
+          ...structures.users.user(),
+          roles: explicitRoles,
+        })
+
+        const syncedUser = await config.api.scimUsersAPI.post(
+          {
+            body: structures.scim.createUserRequest({
+              email: internalUser.email,
+            }),
+          },
+          { expect: 200 }
+        )
+
+        const newFamilyName = structures.generator.last()
+        const body: ScimUpdateRequest = {
+          schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+          Operations: [
+            {
+              op: "Replace",
+              path: "name.familyName",
+              value: newFamilyName,
+            },
+          ],
+        }
+
+        await patchScimUser({ id: syncedUser.id, body })
+
+        expect((await config.api.users.getUser(syncedUser.id)).body).toEqual(
+          expect.objectContaining({
+            _id: syncedUser.id,
+            lastName: newFamilyName,
+            roles: explicitRoles,
+          })
+        )
+      })
+
       it.each([false, "false", "False"])(
         "deactivating an active user (sending %s) will delete it",
         async activeValue => {

package/src/api/routes/global/tests/users.spec.ts

@@ -1138,6 +1138,14 @@ describe("/api/global/users", () => {
       await config.api.users.searchUsers({}, { status: 403, noHeaders: true })
     })
 
+    it("should throw an error if a public route is injected in the query string", async () => {
+      await config.request
+        .post("/api/global/users/search?x=/api/system/status")
+        .send({})
+        .expect("Content-Type", /json/)
+        .expect(403)
+    })
+
     it("should be able to search using logical conditions", async () => {
       const user = await config.createUser()
       const response = await config.api.users.searchUsers({

package/src/tests/api/license.ts

@@ -10,12 +10,17 @@ export class LicenseAPI extends TestAPI {
       .post("/api/global/license/refresh")
       .set(this.config.defaultHeaders())
   }
-  getUsage = async () => {
+  getUsage = async (status = 200) => {
     return this.request
       .get("/api/global/license/usage")
       .set(this.config.defaultHeaders())
       .expect("Content-Type", /json/)
-      .expect(200)
+      .expect(status)
+  }
+  getInstallInfo = async () => {
+    return this.request
+      .get("/api/global/install")
+      .set(this.config.defaultHeaders())
   }
   activateLicenseKey = async (body: ActivateLicenseKeyRequest) => {
     return this.request