Merge branch 'next' of github.com:Budibase/budibase into spectrum-bbui

.eslintignore

@@ -0,0 +1 @@
+packages/server/builder/**/*.js

.github/CONTRIBUTING.md

@@ -14,6 +14,13 @@ Budibase is a monorepo managed by [lerna](https://github.com/lerna/lerna). Lerna
 
 - **packages/server** - The budibase server. This [Koa](https://koajs.com/) app is responsible for serving the JS for the builder and budibase apps, as well as providing the API for interaction with the database and file system.
 
+## Contributor License Agreement (CLA)
+
+In order to accept your pull request, we need you to submit a CLA. You only need to do this once. If you are submitting a pull request for the first time, just submit a Pull Request and our CLA Bot will give you instructions on how to sign the CLA before merging your Pull Request.
+
+All contributors must sign an [Individual Contributor License Agreement](https://github.com/budibase/budibase/blob/next/.github/cla/individual-cla.md).
+
+If contributing on behalf of your company, your company must sign a [Corporate Contributor License Agreement](https://github.com/budibase/budibase/blob/next/.github/cla/corporate-cla.md). If so, please contact us via community@budibase.com.
 
 ## Glossary of Terms
 

.github/cla/corporate-cla.md

@@ -0,0 +1,23 @@
+# Software Grant and Corporate Contributor License Agreement ("Agreement"), v1.0
+
+You accept and agree to the following terms and conditions for Your present and future Contributions submitted to Budibase, Inc. ("Budibase"). Except for the license granted herein to Budibase and recipients of software distributed by Budibase, You reserve all right, title, and interest in and to Your Contributions.
+
+1. Definitions.
+
+"You" (or "Your") shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with Budibase. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
+
+"Contribution" shall mean the code, documentation or other original works of authorship expressly identified in Schedule B, as well as any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Budibase for inclusion in, or documentation of, any of the products owned or managed by Budibase (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Budibase or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Budibase for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
+
+2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Budibase and to recipients of software distributed by Budibase a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
+
+3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Budibase and to recipients of software distributed by Budibase a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
+
+4. You represent that You are legally entitled to grant the above license. You represent further that each employee of the Corporation designated on Schedule A below (or in a subsequent written modification to that Schedule) is authorized to submit Contributions on behalf of the Corporation.
+
+5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others).
+
+6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+
+7. Should You wish to submit work that is not Your original creation, You may submit it to Budibase separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
+
+8. It is your responsibility to notify Budibase when any change is required to the list of designated employees authorized to submit Contributions on behalf of the Corporation, or to the Corporation's Point of Contact with Budibase.

.github/cla/individual-cla.md

@@ -0,0 +1,23 @@
+
+
+# Individual Contributor License Agreement ("Agreement"), v1.0
+
+Thank you for your interest in contributing to open-source software projects (“Projects”) made available by Budibase Inc, or its affiliates (“Budibase”). This Individual Contributor License Agreement (“Agreement”) sets out the terms governing any source code, object code, bug fixes, configuration changes, tools, specifications, documentation, data, materials, feedback, information or other works of authorship that you submit or have submitted, in any form and in any manner, to Budibase in respect of any of the Projects (collectively “Contributions”). If you have any questions respecting this Agreement, please contact community@budibase.com.
+
+You accept and agree to the following terms and conditions for Your past, present, and future Contributions submitted to Budibase, Inc. ("Budibase"). Except for the license granted herein to Budibase and recipients of software distributed by Budibase, You reserve all right, title, and interest in and to Your Contributions.
+
+1. Definitions. "You" (or "Your") shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with Budibase. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Budibase for inclusion in, or documentation of, any of the products owned or managed by Budibase (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Budibase or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Budibase for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
+
+2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Budibase and to recipients of software distributed by Budibase a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
+
+3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Budibase and to recipients of software distributed by Budibase a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes a direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
+    
+4. You represent that you are legally entitled to grant the above license. If your employer(s) has rights to intellectual property that you create that includes your Contributions, you represent that you have received permission to make Contributions on behalf of that employer, that your employer has waived such rights for your Contributions to Budibase, or that your employer has executed a separate Corporate CLA with Budibase.
+    
+5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which are associated with any part of Your Contributions.
+    
+6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+
+7. Should You wish to submit work that is not Your original creation, You may submit it to Budibase separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
+
+8. You agree to notify Budibase of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.

.github/cla/signatures.json

@@ -0,0 +1,20 @@
+{
+  "signedContributors": [
+    {
+      "name": "shogunpurple",
+      "id": 11256663,
+      "comment_id": 819645107,
+      "created_at": "2021-04-14T16:20:01Z",
+      "repoId": 190729906,
+      "pullRequestNo": 1383
+    },
+    {
+      "name": "mike12345567",
+      "id": 4407001,
+      "comment_id": 819645152,
+      "created_at": "2021-04-14T16:20:04Z",
+      "repoId": 190729906,
+      "pullRequestNo": 1383
+    }
+  ]
+}

.github/workflows/cla.yml

@@ -0,0 +1,36 @@
+name: "CLA Assistant"
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened,closed,synchronize]
+
+jobs:
+  CLAssistant:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "CLA Assistant"
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        # Beta Release
+        uses: cla-assistant/github-action@v2.1.2-beta
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # the below token should have repo scope and must be manually added by you in the repository's secret
+          PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+        with:
+          path-to-signatures: '.github/cla/signatures.json'
+          path-to-document: 'https://github.com/budibase/budibase/blob/next/.github/cla/individual-cla.md' # e.g. a CLA or a DCO document
+          # branch should not be protected
+          branch: 'next'
+          allowlist: user1,bot*
+
+         #below are the optional inputs - If the optional inputs are not given, then default values will be taken
+          #remote-organization-name: enter the remote organization name where the signatures should be stored (Default is storing the signatures in the same repository)
+          #remote-repository-name:  enter the  remote repository name where the signatures should be stored (Default is storing the signatures in the same repository)
+          #create-file-commit-message: 'For example: Creating file for storing CLA Signatures'
+          #signed-commit-message: 'For example: $contributorName has signed the CLA in #$pullRequestNo'
+          custom-notsigned-prcomment: '<br/><br/>Thank you for your submission - we really appreciate it ❤️. Like many open-source projects, we ask that $you sign a [Contributor License Agreement](https://github.com/budibase/budibase/blob/next/.github/cla/individual-cla.md) before we can accept your contribution.<br/><br/>You can sign the CLA by just posting a Pull Request Comment, the same as the text below.<br/><br/>If you are contributing on behalf of a company, your company should contact us to sign a [Corporate Contributor License Agreement](https://github.com/budibase/budibase/blob/next/.github/cla/corporate-cla.md), via community@budibase.com.'
+          #custom-pr-sign-comment: 'The signature to be committed in order to sign the CLA'
+          #custom-allsigned-prcomment: 'pull request comment when all contributors has signed, defaults to **CLA Assistant Lite bot** All Contributors have signed the CLA.'
+          #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true)
+          #use-dco-flag: true - If you are using DCO instead of CLA

.github/workflows/release.yml

@@ -1,6 +1,13 @@
 name: Budibase Release
 
 on: 
+ workflow_dispatch:
+  inputs:
+      name:
+        description: 'Version'
+        required: false
+        default: '0.8'
+        
  # Trigger the workflow on push with tags,
  # but only for the master branch
  push:

README.md

@@ -31,14 +31,14 @@
     <img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/Budibase/budibase">
   </a>
   <a href="https://discord.gg/rCYayfe">
-    <img alt="Discord" src="https://img.shields.io/discord/733030666647765003">  
+    <img alt="Discord" src="https://img.shields.io/discord/733030666647765003">
   </a>
   <a href="https://twitter.com/intent/follow?screen_name=budibase">
     <img src="https://img.shields.io/twitter/follow/budibase?style=social" alt="Follow @budibase" />
   </a>
   <img src="https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg" alt="Code of conduct" />
   <a href="https://codecov.io/gh/Budibase/budibase">
-    <img src="https://codecov.io/gh/Budibase/budibase/branch/next/graph/badge.svg?token=E8W2ZFXQOH"/>
+    <img src="https://codecov.io/gh/Budibase/budibase/graph/badge.svg?token=E8W2ZFXQOH"/>
   </a>
 </p>
 
@@ -58,9 +58,9 @@
 
 
 ## ✨ Features
-When other platforms chose the closed source route, we decided to go open source. When other platforms chose cloud builders, we decided a local builder offered the better developer experience. We like to do things differently at Budibase. 
+When other platforms chose the closed source route, we decided to go open source. When other platforms chose cloud builders, we decided a local builder offered the better developer experience. We like to do things differently at Budibase.
 
-- **Build and ship real software.** Unlike other platforms, with Budibase you build and ship single page applications. Budibase applications have performance baked in and can be designed responsively, providing your users with a great experience. 
+- **Build and ship real software.** Unlike other platforms, with Budibase you build and ship single page applications. Budibase applications have performance baked in and can be designed responsively, providing your users with a great experience.
 
 - **Open source and extensable.** Budibase is open-source. The builder is licensed AGPL v3, the server is GPL v3, and the client is MPL. This should fill you with confidence that Budibase will always be around. You can also code against Budibase or fork it and make changes as you please, providing a developer-friendly experience.
 
@@ -83,7 +83,7 @@ When other platforms chose the closed source route, we decided to go open source
 - [x] Public Beta: Anyone can [sign-up and use Budibase](https://portal.budi.live/signup).
 - [ ] Official Launch
 
-Watch "releases" of this repo to get notified of major updates, and give the star button a click whilst you're there. 
+Watch "releases" of this repo to get notified of major updates, and give the star button a click whilst you're there.
 
 <p align="center">
   <img src="https://i.imgur.com/cJpgqm8.png">
@@ -93,7 +93,7 @@ Watch "releases" of this repo to get notified of major updates, and give the sta
 
 [![Stargazers over time](https://starchart.cc/Budibase/budibase.svg)](https://starchart.cc/Budibase/budibase)
 
-If you are having issues between updates of the builder, please use the guide [here](https://github.com/Budibase/budibase/blob/master/CONTRIBUTING.md#troubleshooting) to clear down your environment.
+If you are having issues between updates of the builder, please use the guide [here](https://github.com/Budibase/budibase/blob/HEAD/.github/CONTRIBUTING.md#troubleshooting) to clear down your environment.
 
 
 ## 🏁 Getting Started with Budibase
@@ -131,25 +131,25 @@ Checkout our [Public Roadmap](https://github.com/Budibase/budibase/projects/10).
 
 ## ❗ Code of Conduct
 
-Budibase is dedicated to providing a welcoming, diverse, and harrassment-free experience for everyone. We expect everyone in the Budibase community to abide by our [**Code of Conduct**](https://github.com/Budibase/budibase/blob/master/.github/CODE_OF_CONDUCT.md). Please read it. 
+Budibase is dedicated to providing a welcoming, diverse, and harrassment-free experience for everyone. We expect everyone in the Budibase community to abide by our [**Code of Conduct**](https://github.com/Budibase/budibase/blob/HEAD/.github/CODE_OF_CONDUCT.md). Please read it.
 
 ## 🙌 Contributing to Budibase
 
 From opening a bug report to creating a pull request: every contribution is appreciated and welcomed. If you're planning to implement a new feature or change the API please create an issue first. This way we can ensure your work is not in vain.
 
 ### Not Sure Where to Start?
-A good place to start contributing, is the [First time issues project](https://github.com/Budibase/budibase/projects/22). 
+A good place to start contributing, is the [First time issues project](https://github.com/Budibase/budibase/projects/22).
 
 ### How the repository is organized
 Budibase is a monorepo managed by lerna. Lerna manages the building and publishing of the budibase packages. At a high level, here are the packages that make up Budibase.
 
-- [packages/builder](https://github.com/Budibase/budibase/tree/master/packages/builder) - contains code for the budibase builder client side svelte application.
+- [packages/builder](https://github.com/Budibase/budibase/tree/HEAD/packages/builder) - contains code for the budibase builder client side svelte application.
 
-- [packages/client](https://github.com/Budibase/budibase/tree/master/packages/client) - A module that runs in the browser responsible for reading JSON definition and creating living, breathing web apps from it.
+- [packages/client](https://github.com/Budibase/budibase/tree/HEAD/packages/client) - A module that runs in the browser responsible for reading JSON definition and creating living, breathing web apps from it.
 
-- [packages/server](https://github.com/Budibase/budibase/tree/master/packages/server) - The budibase server. This Koa app is responsible for serving the JS for the builder and budibase apps, as well as providing the API for interaction with the database and file system.
+- [packages/server](https://github.com/Budibase/budibase/tree/HEAD/packages/server) - The budibase server. This Koa app is responsible for serving the JS for the builder and budibase apps, as well as providing the API for interaction with the database and file system.
 
-For more information, see [CONTRIBUTING.md](https://github.com/Budibase/budibase/blob/master/.github/CONTRIBUTING.md)
+For more information, see [CONTRIBUTING.md](https://github.com/Budibase/budibase/blob/HEAD/.github/CONTRIBUTING.md)
 
 ## 📝 License
 

hosting/docker-compose.yaml

@@ -35,9 +35,10 @@ services:
     environment:
       SELF_HOSTED: 1
       PORT: 4003
+      JWT_SECRET: ${JWT_SECRET}
       MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY}
       MINIO_SECRET_KEY: ${MINIO_SECRET_KEY}
-      RAW_MINIO_URL: http://minio-service:9000
+      MINIO_URL: http://minio-service:9000
       COUCH_DB_USERNAME: ${COUCH_DB_USER}
       COUCH_DB_PASSWORD: ${COUCH_DB_PASSWORD}
       COUCH_DB_URL: http://${COUCH_DB_USER}:${COUCH_DB_PASSWORD}@couchdb-service:5984

hosting/envoy.dev.yaml.hbs

@@ -26,6 +26,10 @@ static_resources:
                   cluster: redis-service
                   prefix_rewrite: "/"
 
+              - match: { prefix: "/api/admin/" }
+                route:
+                  cluster: worker-dev
+
               - match: { prefix: "/api/" }
                 route:
                   cluster: server-dev
@@ -42,6 +46,10 @@ static_resources:
                 route:
                   cluster: builder-dev
                   prefix_rewrite: "/builder/"
+
+              # special case in dev to redirect no path to builder
+              - match: { path: "/" } 
+                redirect: { path_redirect: "/builder/" }
  
               # minio is on the default route because this works
               # best, minio + AWS SDK doesn't handle path proxy
@@ -123,3 +131,17 @@ static_resources:
                 address: {{ address }}
                 port_value: 3000
 
+  - name: worker-dev
+    connect_timeout: 0.25s
+    type: strict_dns
+    lb_policy: round_robin
+    load_assignment:
+      cluster_name: worker-dev
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: {{ address }}
+                port_value: 4002
+

hosting/envoy.yaml

@@ -25,6 +25,11 @@ static_resources:
               - match: { path: "/" }
                 route:
                   cluster: app-service
+
+              # special case for worker admin API
+              - match: { path: "/api/admin" }
+                route:
+                  cluster: worker-service
               
               # special case for when API requests are made, can just forward, not to minio    
               - match: { prefix: "/api/" }

lerna.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.8.9",
+  "version": "0.8.16",
   "npmClient": "yarn",
   "packages": [
     "packages/*"

package.json

@@ -29,7 +29,7 @@
     "clean": "lerna clean",
     "kill-port": "kill-port 4001",
     "dev": "yarn run kill-port && lerna link && lerna run --parallel dev:builder --concurrency 1",
-    "dev:noserver": "lerna link && lerna run --parallel dev:builder --concurrency 1 --ignore @budibase/server",
+    "dev:noserver": "lerna link && lerna run dev:stack:up && lerna run --parallel dev:builder --concurrency 1 --ignore @budibase/server --ignore @budibase/worker",
     "test": "lerna run test",
     "lint": "eslint packages",
     "lint:fix": "eslint --fix packages",

packages/auth/.gitignore

@@ -0,0 +1,117 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and not Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
+

packages/auth/README.md

@@ -0,0 +1 @@
+# Budibase Authentication Library

packages/auth/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@budibase/auth",
+  "version": "0.0.1",
+  "description": "Authentication middlewares for budibase builder and apps",
+  "main": "src/index.js",
+  "author": "Budibase",
+  "license": "AGPL-3.0",
+  "dependencies": {
+    "bcryptjs": "^2.4.3",
+    "jsonwebtoken": "^8.5.1",
+    "koa-passport": "^4.1.4",
+    "passport-google-auth": "^1.0.2",
+    "passport-google-oauth": "^2.0.0",
+    "passport-jwt": "^4.0.0",
+    "passport-local": "^1.0.0",
+    "uuid": "^8.3.2"
+  }
+}

packages/auth/src/constants.js

@@ -0,0 +1,16 @@
+exports.UserStatus = {
+  ACTIVE: "active",
+  INACTIVE: "inactive",
+}
+
+exports.Cookies = {
+  CurrentApp: "budibase:currentapp",
+  Auth: "budibase:auth",
+}
+
+exports.GlobalRoles = {
+  OWNER: "owner",
+  ADMIN: "admin",
+  BUILDER: "builder",
+  GROUP_MANAGER: "group_manager",
+}

packages/auth/src/db/index.js

@@ -0,0 +1,9 @@
+let Pouch
+
+module.exports.setDB = pouch => {
+  Pouch = pouch
+}
+
+module.exports.getDB = dbName => {
+  return new Pouch(dbName)
+}

packages/auth/src/db/utils.js

@@ -0,0 +1,162 @@
+const { newid } = require("../hashing")
+
+exports.ViewNames = {
+  USER_BY_EMAIL: "by_email",
+}
+
+exports.StaticDatabases = {
+  GLOBAL: {
+    name: "global-db",
+  },
+}
+
+const DocumentTypes = {
+  USER: "us",
+  APP: "app",
+  GROUP: "group",
+  CONFIG: "config",
+  TEMPLATE: "template",
+}
+
+exports.DocumentTypes = DocumentTypes
+
+const UNICODE_MAX = "\ufff0"
+const SEPARATOR = "_"
+
+exports.SEPARATOR = SEPARATOR
+
+/**
+ * Generates a new group ID.
+ * @returns {string} The new group ID which the group doc can be stored under.
+ */
+exports.generateGroupID = () => {
+  return `${DocumentTypes.GROUP}${SEPARATOR}${newid()}`
+}
+
+/**
+ * Gets parameters for retrieving groups.
+ */
+exports.getGroupParams = (id = "", otherProps = {}) => {
+  return {
+    ...otherProps,
+    startkey: `${DocumentTypes.GROUP}${SEPARATOR}${id}`,
+    endkey: `${DocumentTypes.GROUP}${SEPARATOR}${id}${UNICODE_MAX}`,
+  }
+}
+
+/**
+ * Generates a new global user ID.
+ * @returns {string} The new user ID which the user doc can be stored under.
+ */
+exports.generateGlobalUserID = id => {
+  return `${DocumentTypes.USER}${SEPARATOR}${id || newid()}`
+}
+
+/**
+ * Gets parameters for retrieving users.
+ */
+exports.getGlobalUserParams = (globalId, otherProps = {}) => {
+  if (!globalId) {
+    globalId = ""
+  }
+  return {
+    ...otherProps,
+    startkey: `${DocumentTypes.USER}${SEPARATOR}${globalId}`,
+    endkey: `${DocumentTypes.USER}${SEPARATOR}${globalId}${UNICODE_MAX}`,
+  }
+}
+
+/**
+ * Generates a template ID.
+ * @param ownerId The owner/user of the template, this could be global or a group level.
+ */
+exports.generateTemplateID = ownerId => {
+  return `${DocumentTypes.TEMPLATE}${SEPARATOR}${ownerId}${newid()}`
+}
+
+/**
+ * Gets parameters for retrieving templates. Owner ID must be specified, either global or a group level.
+ */
+exports.getTemplateParams = (ownerId, templateId, otherProps = {}) => {
+  if (!templateId) {
+    templateId = ""
+  }
+  let final
+  if (templateId) {
+    final = templateId
+  } else {
+    final = `${DocumentTypes.TEMPLATE}${SEPARATOR}${ownerId}${SEPARATOR}`
+  }
+  return {
+    ...otherProps,
+    startkey: final,
+    endkey: `${final}${UNICODE_MAX}`,
+  }
+}
+
+/**
+ * Generates a new configuration ID.
+ * @returns {string} The new configuration ID which the config doc can be stored under.
+ */
+const generateConfigID = ({ type, group, user }) => {
+  const scope = [type, group, user].filter(Boolean).join(SEPARATOR)
+
+  return `${DocumentTypes.CONFIG}${SEPARATOR}${scope}`
+}
+
+/**
+ * Gets parameters for retrieving configurations.
+ */
+const getConfigParams = ({ type, group, user }, otherProps = {}) => {
+  const scope = [type, group, user].filter(Boolean).join(SEPARATOR)
+
+  return {
+    ...otherProps,
+    startkey: `${DocumentTypes.CONFIG}${SEPARATOR}${scope}`,
+    endkey: `${DocumentTypes.CONFIG}${SEPARATOR}${scope}${UNICODE_MAX}`,
+  }
+}
+
+/**
+ * Returns the most granular configuration document from the DB based on the type, group and userID passed.
+ * @param {Object} db - db instance to query
+ * @param {Object} scopes - the type, group and userID scopes of the configuration.
+ * @returns The most granular configuration document based on the scope.
+ */
+const determineScopedConfig = async function(db, { type, user, group }) {
+  const response = await db.allDocs(
+    getConfigParams(
+      { type, user, group },
+      {
+        include_docs: true,
+      }
+    )
+  )
+  const configs = response.rows.map(row => {
+    const config = row.doc
+
+    // Config is specific to a user and a group
+    if (config._id.includes(generateConfigID({ type, user, group }))) {
+      config.score = 4
+    } else if (config._id.includes(generateConfigID({ type, user }))) {
+      // Config is specific to a user only
+      config.score = 3
+    } else if (config._id.includes(generateConfigID({ type, group }))) {
+      // Config is specific to a group only
+      config.score = 2
+    } else if (config._id.includes(generateConfigID({ type }))) {
+      // Config is specific to a type only
+      config.score = 1
+    }
+    return config
+  })
+
+  // Find the config with the most granular scope based on context
+  const scopedConfig = configs.sort((a, b) => b.score - a.score)[0]
+
+  return scopedConfig
+}
+
+exports.generateConfigID = generateConfigID
+exports.getConfigParams = getConfigParams
+exports.determineScopedConfig = determineScopedConfig

packages/auth/src/db/views.js

@@ -0,0 +1,35 @@
+const { DocumentTypes, ViewNames, StaticDatabases } = require("./utils")
+const { getDB } = require("./index")
+
+function DesignDoc() {
+  return {
+    _id: "_design/database",
+    // view collation information, read before writing any complex views:
+    // https://docs.couchdb.org/en/master/ddocs/views/collation.html#collation-specification
+    views: {},
+  }
+}
+
+exports.createUserEmailView = async () => {
+  const db = getDB(StaticDatabases.GLOBAL.name)
+  let designDoc
+  try {
+    designDoc = await db.get("_design/database")
+  } catch (err) {
+    // no design doc, make one
+    designDoc = DesignDoc()
+  }
+  const view = {
+    // if using variables in a map function need to inject them before use
+    map: `function(doc) {
+      if (doc._id.startsWith("${DocumentTypes.USER}")) {
+        emit(doc.email, doc._id)
+      }
+    }`,
+  }
+  designDoc.views = {
+    ...designDoc.views,
+    [ViewNames.USER_BY_EMAIL]: view,
+  }
+  await db.put(designDoc)
+}

packages/auth/src/environment.js

@@ -0,0 +1,5 @@
+module.exports = {
+  JWT_SECRET: process.env.JWT_SECRET,
+  COUCH_DB_URL: process.env.COUCH_DB_URL,
+  SALT_ROUNDS: process.env.SALT_ROUNDS,
+}

packages/auth/src/hashing.js

@@ -0,0 +1,18 @@
+const bcrypt = require("bcryptjs")
+const env = require("./environment")
+const { v4 } = require("uuid")
+
+const SALT_ROUNDS = env.SALT_ROUNDS || 10
+
+exports.hash = async data => {
+  const salt = await bcrypt.genSalt(SALT_ROUNDS)
+  return bcrypt.hash(data, salt)
+}
+
+exports.compare = async (data, encrypted) => {
+  return bcrypt.compare(data, encrypted)
+}
+
+exports.newid = function() {
+  return v4().replace(/-/g, "")
+}

packages/auth/src/index.js

@@ -0,0 +1,43 @@
+const passport = require("koa-passport")
+const LocalStrategy = require("passport-local").Strategy
+const JwtStrategy = require("passport-jwt").Strategy
+const { StaticDatabases } = require("./db/utils")
+const { jwt, local, authenticated, google } = require("./middleware")
+const { setDB, getDB } = require("./db")
+
+// Strategies
+passport.use(new LocalStrategy(local.options, local.authenticate))
+passport.use(new JwtStrategy(jwt.options, jwt.authenticate))
+
+passport.serializeUser((user, done) => done(null, user))
+
+passport.deserializeUser(async (user, done) => {
+  const db = getDB(StaticDatabases.GLOBAL.name)
+
+  try {
+    const user = await db.get(user._id)
+    return done(null, user)
+  } catch (err) {
+    console.error("User not found", err)
+    return done(null, false, { message: "User not found" })
+  }
+})
+
+module.exports = {
+  init(pouch) {
+    setDB(pouch)
+  },
+  db: require("./db/utils"),
+  utils: {
+    ...require("./utils"),
+    ...require("./hashing"),
+  },
+  auth: {
+    buildAuthMiddleware: authenticated,
+    passport,
+    google,
+    jwt: require("jsonwebtoken"),
+  },
+  StaticDatabases,
+  constants: require("./constants"),
+}

packages/auth/src/middleware/authenticated.js

@@ -0,0 +1,39 @@
+const { Cookies } = require("../constants")
+const database = require("../db")
+const { getCookie, clearCookie } = require("../utils")
+const { StaticDatabases } = require("../db/utils")
+
+module.exports = (noAuthPatterns = []) => {
+  const regex = new RegExp(noAuthPatterns.join("|"))
+  return async (ctx, next) => {
+    // the path is not authenticated
+    if (regex.test(ctx.request.url)) {
+      return next()
+    }
+    try {
+      // check the actual user is authenticated first
+      const authCookie = getCookie(ctx, Cookies.Auth)
+
+      if (authCookie) {
+        try {
+          const db = database.getDB(StaticDatabases.GLOBAL.name)
+          const user = await db.get(authCookie.userId)
+          delete user.password
+          ctx.isAuthenticated = true
+          ctx.user = user
+        } catch (err) {
+          // remove the cookie as the use does not exist anymore
+          clearCookie(ctx, Cookies.Auth)
+        }
+      }
+      // be explicit
+      if (ctx.isAuthenticated !== true) {
+        ctx.isAuthenticated = false
+      }
+
+      return next()
+    } catch (err) {
+      ctx.throw(err.status || 403, err)
+    }
+  }
+}

packages/auth/src/middleware/index.js

@@ -0,0 +1,11 @@
+const jwt = require("./passport/jwt")
+const local = require("./passport/local")
+const google = require("./passport/google")
+const authenticated = require("./authenticated")
+
+module.exports = {
+  google,
+  jwt,
+  local,
+  authenticated,
+}

packages/auth/src/middleware/passport/google.js

@@ -0,0 +1,76 @@
+const env = require("../../environment")
+const jwt = require("jsonwebtoken")
+const database = require("../../db")
+const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy
+const { StaticDatabases, generateGlobalUserID } = require("../../db/utils")
+
+async function authenticate(token, tokenSecret, profile, done) {
+  // Check the user exists in the instance DB by email
+  const db = database.getDB(StaticDatabases.GLOBAL.name)
+
+  let dbUser
+  const userId = generateGlobalUserID(profile.id)
+
+  try {
+    // use the google profile id
+    dbUser = await db.get(userId)
+  } catch (err) {
+    console.error("Google user not found. Creating..")
+    // create the user
+    const user = {
+      _id: userId,
+      provider: profile.provider,
+      roles: {},
+      builder: {
+        global: true,
+      },
+      ...profile._json,
+    }
+    const response = await db.post(user)
+
+    dbUser = user
+    dbUser._rev = response.rev
+  }
+
+  // authenticate
+  const payload = {
+    userId: dbUser._id,
+    builder: dbUser.builder,
+    email: dbUser.email,
+  }
+
+  dbUser.token = jwt.sign(payload, env.JWT_SECRET, {
+    expiresIn: "1 day",
+  })
+
+  return done(null, dbUser)
+}
+
+/**
+ * Create an instance of the google passport strategy. This wrapper fetches the configuration
+ * from couchDB rather than environment variables, using this factory is necessary for dynamically configuring passport.
+ * @returns Dynamically configured Passport Google Strategy
+ */
+exports.strategyFactory = async function(config) {
+  try {
+    const { clientID, clientSecret, callbackURL } = config
+
+    if (!clientID || !clientSecret || !callbackURL) {
+      throw new Error(
+        "Configuration invalid. Must contain google clientID, clientSecret and callbackURL"
+      )
+    }
+
+    return new GoogleStrategy(
+      {
+        clientID: config.clientID,
+        clientSecret: config.clientSecret,
+        callbackURL: config.callbackURL,
+      },
+      authenticate
+    )
+  } catch (err) {
+    console.error(err)
+    throw new Error("Error constructing google authentication strategy", err)
+  }
+}

packages/auth/src/middleware/passport/jwt.js

@@ -0,0 +1,17 @@
+const { Cookies } = require("../../constants")
+const env = require("../../environment")
+
+exports.options = {
+  secretOrKey: env.JWT_SECRET,
+  jwtFromRequest: function(ctx) {
+    return ctx.cookies.get(Cookies.Auth)
+  },
+}
+
+exports.authenticate = async function(jwt, done) {
+  try {
+    return done(null, jwt)
+  } catch (err) {
+    return done(new Error("JWT invalid."), false)
+  }
+}

packages/auth/src/middleware/passport/local.js

@@ -0,0 +1,48 @@
+const jwt = require("jsonwebtoken")
+const { UserStatus } = require("../../constants")
+const { compare } = require("../../hashing")
+const env = require("../../environment")
+const { getGlobalUserByEmail } = require("../../utils")
+
+const INVALID_ERR = "Invalid Credentials"
+
+exports.options = {}
+
+/**
+ * Passport Local Authentication Middleware.
+ * @param {*} email - username to login with
+ * @param {*} password - plain text password to log in with
+ * @param {*} done - callback from passport to return user information and errors
+ * @returns The authenticated user, or errors if they occur
+ */
+exports.authenticate = async function(email, password, done) {
+  if (!email) return done(null, false, "Email Required.")
+  if (!password) return done(null, false, "Password Required.")
+
+  const dbUser = await getGlobalUserByEmail(email)
+  if (dbUser == null) {
+    return done(null, false, { message: "User not found" })
+  }
+
+  // check that the user is currently inactive, if this is the case throw invalid
+  if (dbUser.status === UserStatus.INACTIVE) {
+    return done(null, false, { message: INVALID_ERR })
+  }
+
+  // authenticate
+  if (await compare(password, dbUser.password)) {
+    const payload = {
+      userId: dbUser._id,
+    }
+
+    dbUser.token = jwt.sign(payload, env.JWT_SECRET, {
+      expiresIn: "1 day",
+    })
+    // Remove users password in payload
+    delete dbUser.password
+
+    return done(null, dbUser)
+  } else {
+    done(new Error(INVALID_ERR), false)
+  }
+}

packages/auth/src/utils.js

@@ -0,0 +1,127 @@
+const {
+  DocumentTypes,
+  SEPARATOR,
+  ViewNames,
+  StaticDatabases,
+} = require("./db/utils")
+const jwt = require("jsonwebtoken")
+const { options } = require("./middleware/passport/jwt")
+const { createUserEmailView } = require("./db/views")
+const { getDB } = require("./db")
+
+const APP_PREFIX = DocumentTypes.APP + SEPARATOR
+
+function confirmAppId(possibleAppId) {
+  return possibleAppId && possibleAppId.startsWith(APP_PREFIX)
+    ? possibleAppId
+    : undefined
+}
+
+/**
+ * Given a request tries to find the appId, which can be located in various places
+ * @param {object} ctx The main request body to look through.
+ * @returns {string|undefined} If an appId was found it will be returned.
+ */
+exports.getAppId = ctx => {
+  const options = [ctx.headers["x-budibase-app-id"], ctx.params.appId]
+  if (ctx.subdomains) {
+    options.push(ctx.subdomains[1])
+  }
+  let appId
+  for (let option of options) {
+    appId = confirmAppId(option)
+    if (appId) {
+      break
+    }
+  }
+
+  // look in body if can't find it in subdomain
+  if (!appId && ctx.request.body && ctx.request.body.appId) {
+    appId = confirmAppId(ctx.request.body.appId)
+  }
+  let appPath =
+    ctx.request.headers.referrer ||
+    ctx.path.split("/").filter(subPath => subPath.startsWith(APP_PREFIX))
+  if (!appId && appPath.length !== 0) {
+    appId = confirmAppId(appPath[0])
+  }
+  return appId
+}
+
+/**
+ * Get a cookie from context, and decrypt if necessary.
+ * @param {object} ctx The request which is to be manipulated.
+ * @param {string} name The name of the cookie to get.
+ */
+exports.getCookie = (ctx, name) => {
+  const cookie = ctx.cookies.get(name)
+
+  if (!cookie) {
+    return cookie
+  }
+
+  return jwt.verify(cookie, options.secretOrKey)
+}
+
+/**
+ * Store a cookie for the request, has a hardcoded expiry.
+ * @param {object} ctx The request which is to be manipulated.
+ * @param {string} name The name of the cookie to set.
+ * @param {string|object} value The value of cookie which will be set.
+ */
+exports.setCookie = (ctx, value, name = "builder") => {
+  const expires = new Date()
+  expires.setDate(expires.getDate() + 1)
+
+  if (!value) {
+    ctx.cookies.set(name)
+  } else {
+    value = jwt.sign(value, options.secretOrKey, {
+      expiresIn: "1 day",
+    })
+    ctx.cookies.set(name, value, {
+      expires,
+      path: "/",
+      httpOnly: false,
+      overwrite: true,
+    })
+  }
+}
+
+/**
+ * Utility function, simply calls setCookie with an empty string for value
+ */
+exports.clearCookie = (ctx, name) => {
+  exports.setCookie(ctx, null, name)
+}
+
+/**
+ * Checks if the API call being made (based on the provided ctx object) is from the client. If
+ * the call is not from a client app then it is from the builder.
+ * @param {object} ctx The koa context object to be tested.
+ * @return {boolean} returns true if the call is from the client lib (a built app rather than the builder).
+ */
+exports.isClient = ctx => {
+  return ctx.headers["x-budibase-type"] === "client"
+}
+
+exports.getGlobalUserByEmail = async email => {
+  const db = getDB(StaticDatabases.GLOBAL.name)
+  try {
+    let users = (
+      await db.query(`database/${ViewNames.USER_BY_EMAIL}`, {
+        key: email,
+        include_docs: true,
+      })
+    ).rows
+    users = users.map(user => user.doc)
+    return users.length <= 1 ? users[0] : users
+  } catch (err) {
+    if (err != null && err.name === "not_found") {
+      await createUserEmailView()
+      return exports.getGlobalUserByEmail(email)
+    } else {
+      throw err
+    }
+  }
+}

packages/auth/yarn.lock

@@ -0,0 +1,599 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+ajv@^6.12.3:
+  version "6.12.6"
+  resolved "https://registry.yarnpkg.com/ajv/-/ajv-6.12.6.tgz#baf5a62e802b07d977034586f8c3baf5adf26df4"
+  integrity sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==
+  dependencies:
+    fast-deep-equal "^3.1.1"
+    fast-json-stable-stringify "^2.0.0"
+    json-schema-traverse "^0.4.1"
+    uri-js "^4.2.2"
+
+asn1@~0.2.3:
+  version "0.2.4"
+  resolved "https://registry.yarnpkg.com/asn1/-/asn1-0.2.4.tgz#8d2475dfab553bb33e77b54e59e880bb8ce23136"
+  integrity sha512-jxwzQpLQjSmWXgwaCZE9Nz+glAG01yF1QnWgbhGwHI5A6FRIEY6IVqtHhIepHqI7/kyEyQEagBC5mBEFlIYvdg==
+  dependencies:
+    safer-buffer "~2.1.0"
+
+assert-plus@1.0.0, assert-plus@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/assert-plus/-/assert-plus-1.0.0.tgz#f12e0f3c5d77b0b1cdd9146942e4e96c1e4dd525"
+  integrity sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=
+
+async@~2.1.4:
+  version "2.1.5"
+  resolved "https://registry.yarnpkg.com/async/-/async-2.1.5.tgz#e587c68580994ac67fc56ff86d3ac56bdbe810bc"
+  integrity sha1-5YfGhYCZSsZ/xW/4bTrFa9voELw=
+  dependencies:
+    lodash "^4.14.0"
+
+asynckit@^0.4.0:
+  version "0.4.0"
+  resolved "https://registry.yarnpkg.com/asynckit/-/asynckit-0.4.0.tgz#c79ed97f7f34cb8f2ba1bc9790bcc366474b4b79"
+  integrity sha1-x57Zf380y48robyXkLzDZkdLS3k=
+
+aws-sign2@~0.7.0:
+  version "0.7.0"
+  resolved "https://registry.yarnpkg.com/aws-sign2/-/aws-sign2-0.7.0.tgz#b46e890934a9591f2d2f6f86d7e6a9f1b3fe76a8"
+  integrity sha1-tG6JCTSpWR8tL2+G1+ap8bP+dqg=
+
+aws4@^1.8.0:
+  version "1.11.0"
+  resolved "https://registry.yarnpkg.com/aws4/-/aws4-1.11.0.tgz#d61f46d83b2519250e2784daf5b09479a8b41c59"
+  integrity sha512-xh1Rl34h6Fi1DC2WWKfxUTVqRsNnr6LsKz2+hfwDxQJWmrx8+c7ylaqBMcHfl1U1r2dsifOvKX3LQuLNZ+XSvA==
+
+base64url@3.x.x:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/base64url/-/base64url-3.0.1.tgz#6399d572e2bc3f90a9a8b22d5dbb0a32d33f788d"
+  integrity sha512-ir1UPr3dkwexU7FdV8qBBbNDRUhMmIekYMFZfi+C/sLNnRESKPl23nB9b2pltqfOQNnGzsDdId90AEtG5tCx4A==
+
+bcrypt-pbkdf@^1.0.0:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz#a4301d389b6a43f9b67ff3ca11a3f6637e360e9e"
+  integrity sha1-pDAdOJtqQ/m2f/PKEaP2Y342Dp4=
+  dependencies:
+    tweetnacl "^0.14.3"
+
+bcryptjs@^2.4.3:
+  version "2.4.3"
+  resolved "https://registry.yarnpkg.com/bcryptjs/-/bcryptjs-2.4.3.tgz#9ab5627b93e60621ff7cdac5da9733027df1d0cb"
+  integrity sha1-mrVie5PmBiH/fNrF2pczAn3x0Ms=
+
+buffer-equal-constant-time@1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz#f8e71132f7ffe6e01a5c9697a4c6f3e48d5cc819"
+  integrity sha1-+OcRMvf/5uAaXJaXpMbz5I1cyBk=
+
+caseless@~0.12.0:
+  version "0.12.0"
+  resolved "https://registry.yarnpkg.com/caseless/-/caseless-0.12.0.tgz#1b681c21ff84033c826543090689420d187151dc"
+  integrity sha1-G2gcIf+EAzyCZUMJBolCDRhxUdw=
+
+combined-stream@^1.0.6, combined-stream@~1.0.6:
+  version "1.0.8"
+  resolved "https://registry.yarnpkg.com/combined-stream/-/combined-stream-1.0.8.tgz#c3d45a8b34fd730631a110a8a2520682b31d5a7f"
+  integrity sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==
+  dependencies:
+    delayed-stream "~1.0.0"
+
+core-util-is@1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.2.tgz#b5fd54220aa2bc5ab57aab7140c940754503c1a7"
+  integrity sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=
+
+dashdash@^1.12.0:
+  version "1.14.1"
+  resolved "https://registry.yarnpkg.com/dashdash/-/dashdash-1.14.1.tgz#853cfa0f7cbe2fed5de20326b8dd581035f6e2f0"
+  integrity sha1-hTz6D3y+L+1d4gMmuN1YEDX24vA=
+  dependencies:
+    assert-plus "^1.0.0"
+
+delayed-stream@~1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/delayed-stream/-/delayed-stream-1.0.0.tgz#df3ae199acadfb7d440aaae0b29e2272b24ec619"
+  integrity sha1-3zrhmayt+31ECqrgsp4icrJOxhk=
+
+ecc-jsbn@~0.1.1:
+  version "0.1.2"
+  resolved "https://registry.yarnpkg.com/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz#3a83a904e54353287874c564b7549386849a98c9"
+  integrity sha1-OoOpBOVDUyh4dMVkt1SThoSamMk=
+  dependencies:
+    jsbn "~0.1.0"
+    safer-buffer "^2.1.0"
+
+ecdsa-sig-formatter@1.0.11:
+  version "1.0.11"
+  resolved "https://registry.yarnpkg.com/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz#ae0f0fa2d85045ef14a817daa3ce9acd0489e5bf"
+  integrity sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==
+  dependencies:
+    safe-buffer "^5.0.1"
+
+extend@~3.0.2:
+  version "3.0.2"
+  resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.2.tgz#f8b1136b4071fbd8eb140aff858b1019ec2915fa"
+  integrity sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==
+
+extsprintf@1.3.0:
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/extsprintf/-/extsprintf-1.3.0.tgz#96918440e3041a7a414f8c52e3c574eb3c3e1e05"
+  integrity sha1-lpGEQOMEGnpBT4xS48V06zw+HgU=
+
+extsprintf@^1.2.0:
+  version "1.4.0"
+  resolved "https://registry.yarnpkg.com/extsprintf/-/extsprintf-1.4.0.tgz#e2689f8f356fad62cca65a3a91c5df5f9551692f"
+  integrity sha1-4mifjzVvrWLMplo6kcXfX5VRaS8=
+
+fast-deep-equal@^3.1.1:
+  version "3.1.3"
+  resolved "https://registry.yarnpkg.com/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz#3a7d56b559d6cbc3eb512325244e619a65c6c525"
+  integrity sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==
+
+fast-json-stable-stringify@^2.0.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz#874bf69c6f404c2b5d99c481341399fd55892633"
+  integrity sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==
+
+forever-agent@~0.6.1:
+  version "0.6.1"
+  resolved "https://registry.yarnpkg.com/forever-agent/-/forever-agent-0.6.1.tgz#fbc71f0c41adeb37f96c577ad1ed42d8fdacca91"
+  integrity sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=
+
+form-data@~2.3.2:
+  version "2.3.3"
+  resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.3.3.tgz#dcce52c05f644f298c6a7ab936bd724ceffbf3a6"
+  integrity sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==
+  dependencies:
+    asynckit "^0.4.0"
+    combined-stream "^1.0.6"
+    mime-types "^2.1.12"
+
+getpass@^0.1.1:
+  version "0.1.7"
+  resolved "https://registry.yarnpkg.com/getpass/-/getpass-0.1.7.tgz#5eff8e3e684d569ae4cb2b1282604e8ba62149fa"
+  integrity sha1-Xv+OPmhNVprkyysSgmBOi6YhSfo=
+  dependencies:
+    assert-plus "^1.0.0"
+
+google-auth-library@~0.10.0:
+  version "0.10.0"
+  resolved "https://registry.yarnpkg.com/google-auth-library/-/google-auth-library-0.10.0.tgz#6e15babee85fd1dd14d8d128a295b6838d52136e"
+  integrity sha1-bhW6vuhf0d0U2NEoopW2g41SE24=
+  dependencies:
+    gtoken "^1.2.1"
+    jws "^3.1.4"
+    lodash.noop "^3.0.1"
+    request "^2.74.0"
+
+google-p12-pem@^0.1.0:
+  version "0.1.2"
+  resolved "https://registry.yarnpkg.com/google-p12-pem/-/google-p12-pem-0.1.2.tgz#33c46ab021aa734fa0332b3960a9a3ffcb2f3177"
+  integrity sha1-M8RqsCGqc0+gMys5YKmj/8svMXc=
+  dependencies:
+    node-forge "^0.7.1"
+
+googleapis@^16.0.0:
+  version "16.1.0"
+  resolved "https://registry.yarnpkg.com/googleapis/-/googleapis-16.1.0.tgz#0f19f2d70572d918881a0f626e3b1a2fa8629576"
+  integrity sha1-Dxny1wVy2RiIGg9ibjsaL6hilXY=
+  dependencies:
+    async "~2.1.4"
+    google-auth-library "~0.10.0"
+    string-template "~1.0.0"
+
+gtoken@^1.2.1:
+  version "1.2.3"
+  resolved "https://registry.yarnpkg.com/gtoken/-/gtoken-1.2.3.tgz#5509571b8afd4322e124cf66cf68115284c476d8"
+  integrity sha512-wQAJflfoqSgMWrSBk9Fg86q+sd6s7y6uJhIvvIPz++RElGlMtEqsdAR2oWwZ/WTEtp7P9xFbJRrT976oRgzJ/w==
+  dependencies:
+    google-p12-pem "^0.1.0"
+    jws "^3.0.0"
+    mime "^1.4.1"
+    request "^2.72.0"
+
+har-schema@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/har-schema/-/har-schema-2.0.0.tgz#a94c2224ebcac04782a0d9035521f24735b7ec92"
+  integrity sha1-qUwiJOvKwEeCoNkDVSHyRzW37JI=
+
+har-validator@~5.1.3:
+  version "5.1.5"
+  resolved "https://registry.yarnpkg.com/har-validator/-/har-validator-5.1.5.tgz#1f0803b9f8cb20c0fa13822df1ecddb36bde1efd"
+  integrity sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==
+  dependencies:
+    ajv "^6.12.3"
+    har-schema "^2.0.0"
+
+http-signature@~1.2.0:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/http-signature/-/http-signature-1.2.0.tgz#9aecd925114772f3d95b65a60abb8f7c18fbace1"
+  integrity sha1-muzZJRFHcvPZW2WmCruPfBj7rOE=
+  dependencies:
+    assert-plus "^1.0.0"
+    jsprim "^1.2.2"
+    sshpk "^1.7.0"
+
+is-typedarray@~1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/is-typedarray/-/is-typedarray-1.0.0.tgz#e479c80858df0c1b11ddda6940f96011fcda4a9a"
+  integrity sha1-5HnICFjfDBsR3dppQPlgEfzaSpo=
+
+isstream@~0.1.2:
+  version "0.1.2"
+  resolved "https://registry.yarnpkg.com/isstream/-/isstream-0.1.2.tgz#47e63f7af55afa6f92e1500e690eb8b8529c099a"
+  integrity sha1-R+Y/evVa+m+S4VAOaQ64uFKcCZo=
+
+jsbn@~0.1.0:
+  version "0.1.1"
+  resolved "https://registry.yarnpkg.com/jsbn/-/jsbn-0.1.1.tgz#a5e654c2e5a2deb5f201d96cefbca80c0ef2f513"
+  integrity sha1-peZUwuWi3rXyAdls77yoDA7y9RM=
+
+json-schema-traverse@^0.4.1:
+  version "0.4.1"
+  resolved "https://registry.yarnpkg.com/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz#69f6a87d9513ab8bb8fe63bdb0979c448e684660"
+  integrity sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==
+
+json-schema@0.2.3:
+  version "0.2.3"
+  resolved "https://registry.yarnpkg.com/json-schema/-/json-schema-0.2.3.tgz#b480c892e59a2f05954ce727bd3f2a4e882f9e13"
+  integrity sha1-tIDIkuWaLwWVTOcnvT8qTogvnhM=
+
+json-stringify-safe@~5.0.1:
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz#1296a2d58fd45f19a0f6ce01d65701e2c735b6eb"
+  integrity sha1-Epai1Y/UXxmg9s4B1lcB4sc1tus=
+
+jsonwebtoken@^8.2.0, jsonwebtoken@^8.5.1:
+  version "8.5.1"
+  resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz#00e71e0b8df54c2121a1f26137df2280673bcc0d"
+  integrity sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w==
+  dependencies:
+    jws "^3.2.2"
+    lodash.includes "^4.3.0"
+    lodash.isboolean "^3.0.3"
+    lodash.isinteger "^4.0.4"
+    lodash.isnumber "^3.0.3"
+    lodash.isplainobject "^4.0.6"
+    lodash.isstring "^4.0.1"
+    lodash.once "^4.0.0"
+    ms "^2.1.1"
+    semver "^5.6.0"
+
+jsprim@^1.2.2:
+  version "1.4.1"
+  resolved "https://registry.yarnpkg.com/jsprim/-/jsprim-1.4.1.tgz#313e66bc1e5cc06e438bc1b7499c2e5c56acb6a2"
+  integrity sha1-MT5mvB5cwG5Di8G3SZwuXFastqI=
+  dependencies:
+    assert-plus "1.0.0"
+    extsprintf "1.3.0"
+    json-schema "0.2.3"
+    verror "1.10.0"
+
+jwa@^1.4.1:
+  version "1.4.1"
+  resolved "https://registry.yarnpkg.com/jwa/-/jwa-1.4.1.tgz#743c32985cb9e98655530d53641b66c8645b039a"
+  integrity sha512-qiLX/xhEEFKUAJ6FiBMbes3w9ATzyk5W7Hvzpa/SLYdxNtng+gcurvrI7TbACjIXlsJyr05/S1oUhZrc63evQA==
+  dependencies:
+    buffer-equal-constant-time "1.0.1"
+    ecdsa-sig-formatter "1.0.11"
+    safe-buffer "^5.0.1"
+
+jws@^3.0.0, jws@^3.1.4, jws@^3.2.2:
+  version "3.2.2"
+  resolved "https://registry.yarnpkg.com/jws/-/jws-3.2.2.tgz#001099f3639468c9414000e99995fa52fb478304"
+  integrity sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==
+  dependencies:
+    jwa "^1.4.1"
+    safe-buffer "^5.0.1"
+
+koa-passport@^4.1.4:
+  version "4.1.4"
+  resolved "https://registry.yarnpkg.com/koa-passport/-/koa-passport-4.1.4.tgz#5f1665c1c2a37ace79af9f970b770885ca30ccfa"
+  integrity sha512-dJBCkl4X+zdYxbI2V2OtoGy0PUenpvp2ZLLWObc8UJhsId0iQpTFT8RVcuA0709AL2txGwRHnSPoT1bYNGa6Kg==
+  dependencies:
+    passport "^0.4.0"
+
+lodash.includes@^4.3.0:
+  version "4.3.0"
+  resolved "https://registry.yarnpkg.com/lodash.includes/-/lodash.includes-4.3.0.tgz#60bb98a87cb923c68ca1e51325483314849f553f"
+  integrity sha1-YLuYqHy5I8aMoeUTJUgzFISfVT8=
+
+lodash.isboolean@^3.0.3:
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz#6c2e171db2a257cd96802fd43b01b20d5f5870f6"
+  integrity sha1-bC4XHbKiV82WgC/UOwGyDV9YcPY=
+
+lodash.isinteger@^4.0.4:
+  version "4.0.4"
+  resolved "https://registry.yarnpkg.com/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz#619c0af3d03f8b04c31f5882840b77b11cd68343"
+  integrity sha1-YZwK89A/iwTDH1iChAt3sRzWg0M=
+
+lodash.isnumber@^3.0.3:
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz#3ce76810c5928d03352301ac287317f11c0b1ffc"
+  integrity sha1-POdoEMWSjQM1IwGsKHMX8RwLH/w=
+
+lodash.isplainobject@^4.0.6:
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz#7c526a52d89b45c45cc690b88163be0497f550cb"
+  integrity sha1-fFJqUtibRcRcxpC4gWO+BJf1UMs=
+
+lodash.isstring@^4.0.1:
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/lodash.isstring/-/lodash.isstring-4.0.1.tgz#d527dfb5456eca7cc9bb95d5daeaf88ba54a5451"
+  integrity sha1-1SfftUVuynzJu5XV2ur4i6VKVFE=
+
+lodash.noop@^3.0.1:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/lodash.noop/-/lodash.noop-3.0.1.tgz#38188f4d650a3a474258439b96ec45b32617133c"
+  integrity sha1-OBiPTWUKOkdCWEObluxFsyYXEzw=
+
+lodash.once@^4.0.0:
+  version "4.1.1"
+  resolved "https://registry.yarnpkg.com/lodash.once/-/lodash.once-4.1.1.tgz#0dd3971213c7c56df880977d504c88fb471a97ac"
+  integrity sha1-DdOXEhPHxW34gJd9UEyI+0cal6w=
+
+lodash@^4.14.0:
+  version "4.17.21"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
+  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+
+mime-db@1.47.0:
+  version "1.47.0"
+  resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.47.0.tgz#8cb313e59965d3c05cfbf898915a267af46a335c"
+  integrity sha512-QBmA/G2y+IfeS4oktet3qRZ+P5kPhCKRXxXnQEudYqUaEioAU1/Lq2us3D/t1Jfo4hE9REQPrbB7K5sOczJVIw==
+
+mime-types@^2.1.12, mime-types@~2.1.19:
+  version "2.1.30"
+  resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.30.tgz#6e7be8b4c479825f85ed6326695db73f9305d62d"
+  integrity sha512-crmjA4bLtR8m9qLpHvgxSChT+XoSlZi8J4n/aIdn3z92e/U47Z0V/yl+Wh9W046GgFVAmoNR/fmdbZYcSSIUeg==
+  dependencies:
+    mime-db "1.47.0"
+
+mime@^1.4.1:
+  version "1.6.0"
+  resolved "https://registry.yarnpkg.com/mime/-/mime-1.6.0.tgz#32cd9e5c64553bd58d19a568af452acff04981b1"
+  integrity sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==
+
+ms@^2.1.1:
+  version "2.1.3"
+  resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.3.tgz#574c8138ce1d2b5861f0b44579dbadd60c6615b2"
+  integrity sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==
+
+node-forge@^0.7.1:
+  version "0.7.6"
+  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.7.6.tgz#fdf3b418aee1f94f0ef642cd63486c77ca9724ac"
+  integrity sha512-sol30LUpz1jQFBjOKwbjxijiE3b6pjd74YwfD0fJOKPjF+fONKb2Yg8rYgS6+bK6VDl+/wfr4IYpC7jDzLUIfw==
+
+oauth-sign@~0.9.0:
+  version "0.9.0"
+  resolved "https://registry.yarnpkg.com/oauth-sign/-/oauth-sign-0.9.0.tgz#47a7b016baa68b5fa0ecf3dee08a85c679ac6455"
+  integrity sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==
+
+oauth@0.9.x:
+  version "0.9.15"
+  resolved "https://registry.yarnpkg.com/oauth/-/oauth-0.9.15.tgz#bd1fefaf686c96b75475aed5196412ff60cfb9c1"
+  integrity sha1-vR/vr2hslrdUda7VGWQS/2DPucE=
+
+passport-google-auth@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/passport-google-auth/-/passport-google-auth-1.0.2.tgz#8b300b5aa442ef433de1d832ed3112877d0b2938"
+  integrity sha1-izALWqRC70M94dgy7TESh30LKTg=
+  dependencies:
+    googleapis "^16.0.0"
+    passport-strategy "1.x"
+
+passport-google-oauth1@1.x.x:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/passport-google-oauth1/-/passport-google-oauth1-1.0.0.tgz#af74a803df51ec646f66a44d82282be6f108e0cc"
+  integrity sha1-r3SoA99R7GRvZqRNgigr5vEI4Mw=
+  dependencies:
+    passport-oauth1 "1.x.x"
+
+passport-google-oauth20@2.x.x:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/passport-google-oauth20/-/passport-google-oauth20-2.0.0.tgz#0d241b2d21ebd3dc7f2b60669ec4d587e3a674ef"
+  integrity sha512-KSk6IJ15RoxuGq7D1UKK/8qKhNfzbLeLrG3gkLZ7p4A6DBCcv7xpyQwuXtWdpyR0+E0mwkpjY1VfPOhxQrKzdQ==
+  dependencies:
+    passport-oauth2 "1.x.x"
+
+passport-google-oauth@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/passport-google-oauth/-/passport-google-oauth-2.0.0.tgz#f6eb4bc96dd6c16ec0ecfdf4e05ec48ca54d4dae"
+  integrity sha512-JKxZpBx6wBQXX1/a1s7VmdBgwOugohH+IxCy84aPTZNq/iIPX6u7Mqov1zY7MKRz3niFPol0KJz8zPLBoHKtYA==
+  dependencies:
+    passport-google-oauth1 "1.x.x"
+    passport-google-oauth20 "2.x.x"
+
+passport-jwt@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/passport-jwt/-/passport-jwt-4.0.0.tgz#7f0be7ba942e28b9f5d22c2ebbb8ce96ef7cf065"
+  integrity sha512-BwC0n2GP/1hMVjR4QpnvqA61TxenUMlmfNjYNgK0ZAs0HK4SOQkHcSv4L328blNTLtHq7DbmvyNJiH+bn6C5Mg==
+  dependencies:
+    jsonwebtoken "^8.2.0"
+    passport-strategy "^1.0.0"
+
+passport-local@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/passport-local/-/passport-local-1.0.0.tgz#1fe63268c92e75606626437e3b906662c15ba6ee"
+  integrity sha1-H+YyaMkudWBmJkN+O5BmYsFbpu4=
+  dependencies:
+    passport-strategy "1.x.x"
+
+passport-oauth1@1.x.x:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/passport-oauth1/-/passport-oauth1-1.1.0.tgz#a7de988a211f9cf4687377130ea74df32730c918"
+  integrity sha1-p96YiiEfnPRoc3cTDqdN8ycwyRg=
+  dependencies:
+    oauth "0.9.x"
+    passport-strategy "1.x.x"
+    utils-merge "1.x.x"
+
+passport-oauth2@1.x.x:
+  version "1.5.0"
+  resolved "https://registry.yarnpkg.com/passport-oauth2/-/passport-oauth2-1.5.0.tgz#64babbb54ac46a4dcab35e7f266ed5294e3c4108"
+  integrity sha512-kqBt6vR/5VlCK8iCx1/KpY42kQ+NEHZwsSyt4Y6STiNjU+wWICG1i8ucc1FapXDGO15C5O5VZz7+7vRzrDPXXQ==
+  dependencies:
+    base64url "3.x.x"
+    oauth "0.9.x"
+    passport-strategy "1.x.x"
+    uid2 "0.0.x"
+    utils-merge "1.x.x"
+
+passport-strategy@1.x, passport-strategy@1.x.x, passport-strategy@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/passport-strategy/-/passport-strategy-1.0.0.tgz#b5539aa8fc225a3d1ad179476ddf236b440f52e4"
+  integrity sha1-tVOaqPwiWj0a0XlHbd8ja0QPUuQ=
+
+passport@^0.4.0:
+  version "0.4.1"
+  resolved "https://registry.yarnpkg.com/passport/-/passport-0.4.1.tgz#941446a21cb92fc688d97a0861c38ce9f738f270"
+  integrity sha512-IxXgZZs8d7uFSt3eqNjM9NQ3g3uQCW5avD8mRNoXV99Yig50vjuaez6dQK2qC0kVWPRTujxY0dWgGfT09adjYg==
+  dependencies:
+    passport-strategy "1.x.x"
+    pause "0.0.1"
+
+pause@0.0.1:
+  version "0.0.1"
+  resolved "https://registry.yarnpkg.com/pause/-/pause-0.0.1.tgz#1d408b3fdb76923b9543d96fb4c9dfd535d9cb5d"
+  integrity sha1-HUCLP9t2kjuVQ9lvtMnf1TXZy10=
+
+performance-now@^2.1.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/performance-now/-/performance-now-2.1.0.tgz#6309f4e0e5fa913ec1c69307ae364b4b377c9e7b"
+  integrity sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns=
+
+psl@^1.1.28:
+  version "1.8.0"
+  resolved "https://registry.yarnpkg.com/psl/-/psl-1.8.0.tgz#9326f8bcfb013adcc005fdff056acce020e51c24"
+  integrity sha512-RIdOzyoavK+hA18OGGWDqUTsCLhtA7IcZ/6NCs4fFJaHBDab+pDDmDIByWFRQJq2Cd7r1OoQxBGKOaztq+hjIQ==
+
+punycode@^2.1.0, punycode@^2.1.1:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/punycode/-/punycode-2.1.1.tgz#b58b010ac40c22c5657616c8d2c2c02c7bf479ec"
+  integrity sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==
+
+qs@~6.5.2:
+  version "6.5.2"
+  resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.2.tgz#cb3ae806e8740444584ef154ce8ee98d403f3e36"
+  integrity sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==
+
+request@^2.72.0, request@^2.74.0:
+  version "2.88.2"
+  resolved "https://registry.yarnpkg.com/request/-/request-2.88.2.tgz#d73c918731cb5a87da047e207234146f664d12b3"
+  integrity sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==
+  dependencies:
+    aws-sign2 "~0.7.0"
+    aws4 "^1.8.0"
+    caseless "~0.12.0"
+    combined-stream "~1.0.6"
+    extend "~3.0.2"
+    forever-agent "~0.6.1"
+    form-data "~2.3.2"
+    har-validator "~5.1.3"
+    http-signature "~1.2.0"
+    is-typedarray "~1.0.0"
+    isstream "~0.1.2"
+    json-stringify-safe "~5.0.1"
+    mime-types "~2.1.19"
+    oauth-sign "~0.9.0"
+    performance-now "^2.1.0"
+    qs "~6.5.2"
+    safe-buffer "^5.1.2"
+    tough-cookie "~2.5.0"
+    tunnel-agent "^0.6.0"
+    uuid "^3.3.2"
+
+safe-buffer@^5.0.1, safe-buffer@^5.1.2:
+  version "5.2.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.2.1.tgz#1eaf9fa9bdb1fdd4ec75f58f9cdb4e6b7827eec6"
+  integrity sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==
+
+safer-buffer@^2.0.2, safer-buffer@^2.1.0, safer-buffer@~2.1.0:
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
+  integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==
+
+semver@^5.6.0:
+  version "5.7.1"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.1.tgz#a954f931aeba508d307bbf069eff0c01c96116f7"
+  integrity sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==
+
+sshpk@^1.7.0:
+  version "1.16.1"
+  resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.16.1.tgz#fb661c0bef29b39db40769ee39fa70093d6f6877"
+  integrity sha512-HXXqVUq7+pcKeLqqZj6mHFUMvXtOJt1uoUx09pFW6011inTMxqI8BA8PM95myrIyyKwdnzjdFjLiE6KBPVtJIg==
+  dependencies:
+    asn1 "~0.2.3"
+    assert-plus "^1.0.0"
+    bcrypt-pbkdf "^1.0.0"
+    dashdash "^1.12.0"
+    ecc-jsbn "~0.1.1"
+    getpass "^0.1.1"
+    jsbn "~0.1.0"
+    safer-buffer "^2.0.2"
+    tweetnacl "~0.14.0"
+
+string-template@~1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/string-template/-/string-template-1.0.0.tgz#9e9f2233dc00f218718ec379a28a5673ecca8b96"
+  integrity sha1-np8iM9wA8hhxjsN5oopWc+zKi5Y=
+
+tough-cookie@~2.5.0:
+  version "2.5.0"
+  resolved "https://registry.yarnpkg.com/tough-cookie/-/tough-cookie-2.5.0.tgz#cd9fb2a0aa1d5a12b473bd9fb96fa3dcff65ade2"
+  integrity sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==
+  dependencies:
+    psl "^1.1.28"
+    punycode "^2.1.1"
+
+tunnel-agent@^0.6.0:
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/tunnel-agent/-/tunnel-agent-0.6.0.tgz#27a5dea06b36b04a0a9966774b290868f0fc40fd"
+  integrity sha1-J6XeoGs2sEoKmWZ3SykIaPD8QP0=
+  dependencies:
+    safe-buffer "^5.0.1"
+
+tweetnacl@^0.14.3, tweetnacl@~0.14.0:
+  version "0.14.5"
+  resolved "https://registry.yarnpkg.com/tweetnacl/-/tweetnacl-0.14.5.tgz#5ae68177f192d4456269d108afa93ff8743f4f64"
+  integrity sha1-WuaBd/GS1EViadEIr6k/+HQ/T2Q=
+
+uid2@0.0.x:
+  version "0.0.3"
+  resolved "https://registry.yarnpkg.com/uid2/-/uid2-0.0.3.tgz#483126e11774df2f71b8b639dcd799c376162b82"
+  integrity sha1-SDEm4Rd03y9xuLY53NeZw3YWK4I=
+
+uri-js@^4.2.2:
+  version "4.4.1"
+  resolved "https://registry.yarnpkg.com/uri-js/-/uri-js-4.4.1.tgz#9b1a52595225859e55f669d928f88c6c57f2a77e"
+  integrity sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==
+  dependencies:
+    punycode "^2.1.0"
+
+utils-merge@1.x.x:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.1.tgz#9f95710f50a267947b2ccc124741c1028427e713"
+  integrity sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM=
+
+uuid@^3.3.2:
+  version "3.4.0"
+  resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.4.0.tgz#b23e4358afa8a202fe7a100af1f5f883f02007ee"
+  integrity sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==
+
+uuid@^8.3.2:
+  version "8.3.2"
+  resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2"
+  integrity sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==
+
+verror@1.10.0:
+  version "1.10.0"
+  resolved "https://registry.yarnpkg.com/verror/-/verror-1.10.0.tgz#3a105ca17053af55d6e270c1f8288682e18da400"
+  integrity sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=
+  dependencies:
+    assert-plus "^1.0.0"
+    core-util-is "1.0.2"
+    extsprintf "^1.2.0"

packages/bbui/src/Form/Core/RadioGroup.svelte

@@ -19,6 +19,7 @@
   {#if options && Array.isArray(options)}
     {#each options as option}
       <div
+        title={getOptionLabel(option)}
         class="spectrum-Radio spectrum-FieldGroup-item spectrum-Radio--emphasized"
         class:is-invalid={!!error}>
         <input

packages/builder/cypress/integration/createApp.spec.js

@@ -1,5 +1,6 @@
 context("Create an Application", () => {
   it("should create a new application", () => {
+    cy.login()
     cy.createTestApp()
     cy.visit(`localhost:${Cypress.env("PORT")}/builder`)
     cy.contains("Cypress Tests").should("exist")

packages/builder/cypress/integration/createAutomation.spec.js

@@ -1,5 +1,6 @@
 context("Create a automation", () => {
   before(() => {
+    cy.login()
     cy.createTestApp()
   })
 

packages/builder/cypress/integration/createBinding.spec.js

@@ -1,16 +1,13 @@
 context("Create Bindings", () => {
   before(() => {
+    cy.login()
     cy.createTestApp()
     cy.navigateToFrontend()
   })
 
   it("should add a current user binding", () => {
-    cy.addComponent("Elements", "Paragraph").then(componentId => {
+    cy.addComponent("Elements", "Paragraph").then(() => {
       addSettingBinding("text", "Current User._id")
-      cy.getComponent(componentId).should(
-        "have.text",
-        `ro_ta_users_us_test@test.com`
-      )
     })
   })
 

packages/builder/cypress/integration/createComponents.spec.js

@@ -2,6 +2,7 @@ context("Create Components", () => {
   let headlineId
 
   before(() => {
+    cy.login()
     cy.createTestApp()
     cy.createTable("dog")
     cy.addColumn("dog", "name", "string")

packages/builder/cypress/integration/createScreen.js

@@ -1,5 +1,6 @@
 context("Screen Tests", () => {
   before(() => {
+    cy.login()
     cy.createTestApp()
     cy.navigateToFrontend()
   })

packages/builder/cypress/integration/createTable.spec.js

@@ -1,5 +1,6 @@
 context("Create a Table", () => {
   before(() => {
+    cy.login()
     cy.createTestApp()
   })
 

packages/builder/cypress/integration/createUser.spec.js

@@ -1,5 +1,6 @@
 context("Create a User", () => {
   before(() => {
+    cy.login()
     cy.createTestApp()
   })
 

packages/builder/cypress/integration/createView.spec.js

@@ -1,5 +1,6 @@
 context("Create a View", () => {
   before(() => {
+    cy.login()
     cy.createTestApp()
     cy.createTable("data")
     cy.addColumn("data", "group", "Text")

packages/builder/cypress/setup.js

@@ -3,13 +3,16 @@ const path = require("path")
 
 const tmpdir = path.join(require("os").tmpdir(), ".budibase")
 
+const WORKER_PORT = "4002"
+const MAIN_PORT = cypressConfig.env.PORT
 process.env.BUDIBASE_API_KEY = "6BE826CB-6B30-4AEC-8777-2E90464633DE"
 process.env.NODE_ENV = "cypress"
 process.env.ENABLE_ANALYTICS = "false"
-process.env.PORT = cypressConfig.env.PORT
+process.env.PORT = MAIN_PORT
 process.env.JWT_SECRET = cypressConfig.env.JWT_SECRET
 process.env.COUCH_URL = `leveldb://${tmpdir}/.data/`
 process.env.SELF_HOSTED = 1
+process.env.WORKER_URL = "http://localhost:4002/"
 process.env.MINIO_URL = "http://localhost:10000/"
 process.env.MINIO_ACCESS_KEY = "budibase"
 process.env.MINIO_SECRET_KEY = "budibase"
@@ -25,18 +28,12 @@ async function run() {
   // dont make this a variable or top level require
   // it will cause environment module to be loaded prematurely
   const server = require("../../server/src/app")
+  process.env.PORT = WORKER_PORT
+  const worker = require("../../worker/src/index")
+  // reload main port for rest of system
+  process.env.PORT = MAIN_PORT
   server.on("close", () => console.log("Server Closed"))
+  worker.on("close", () => console.log("Worker Closed"))
 }
 
 run()
-
-// TODO: ensure that this still works
-// initialiseBudibase({ dir: homedir, clientId: "cypress-test" })
-// .then(() => {
-//   delete require.cache[require.resolve("../../server/src/environment")]
-//   const xPlatHomeDir = homedir.startsWith("~")
-//     ? join(homedir(), homedir.substring(1))
-//     : homedir
-//   run(xPlatHomeDir)
-// })
-// .catch(e => console.error(e))

packages/builder/cypress/support/commands.js

@@ -1,28 +1,26 @@
 // ***********************************************
-// This example commands.js shows you how to
-// create various custom commands and overwrite
-// existing commands.
-//
 // For more comprehensive examples of custom
 // commands please read more here:
 // https://on.cypress.io/custom-commands
 // ***********************************************
 //
-//
-// -- This is a parent command --
-// Cypress.Commands.add("login", (email, password) => { ... })
-//
-//
-// -- This is a child command --
-// Cypress.Commands.add("drag", { prevSubject: 'element'}, (subject, options) => { ... })
-//
-//
-// -- This is a dual command --
-// Cypress.Commands.add("dismiss", { prevSubject: 'optional'}, (subject, options) => { ... })
-//
-//
-// -- This will overwrite an existing command --
-// Cypress.Commands.overwrite("visit", (originalFn, url, options) => { ... })
+
+Cypress.Commands.add("login", () => {
+  cy.getCookie("budibase:auth").then(cookie => {
+    // Already logged in
+    if (cookie) return
+
+    cy.visit(`localhost:${Cypress.env("PORT")}/builder`)
+    cy.contains("Create Test User").click()
+    cy.get("input")
+      .first()
+      .type("test@test.com")
+
+    cy.get('input[type="password"]').type("test")
+
+    cy.contains("Login").click()
+  })
+})
 
 Cypress.Commands.add("createApp", name => {
   cy.visit(`localhost:${Cypress.env("PORT")}/builder`)

packages/builder/cypress/support/cookies.js

@@ -1,3 +1,3 @@
 Cypress.Cookies.defaults({
-  preserve: "budibase:builder:local",
+  preserve: "budibase:auth",
 })

packages/builder/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@budibase/builder",
-  "version": "0.8.9",
+  "version": "0.8.16",
   "license": "AGPL-3.0",
   "private": true,
   "scripts": {
@@ -14,9 +14,10 @@
     "cy:setup": "node ./cypress/setup.js",
     "cy:run": "cypress run",
     "cy:open": "cypress open",
-    "cy:run:ci": "cypress run --browser electron --record --key f308590b-6070-41af-b970-794a3823d451",
+    "cy:run:ci": "cypress run --record --key f308590b-6070-41af-b970-794a3823d451",
     "cy:test": "start-server-and-test cy:setup http://localhost:10000/builder cy:run",
-    "cy:ci": "start-server-and-test cy:setup http://localhost:10000/builder cy:run:ci"
+    "cy:ci": "start-server-and-test cy:setup http://localhost:10000/builder cy:run:ci",
+    "cy:debug": "start-server-and-test cy:setup http://localhost:10000/builder cy:open"
   },
   "jest": {
     "globals": {
@@ -65,9 +66,9 @@
   },
   "dependencies": {
     "@budibase/bbui": "^1.58.13",
-    "@budibase/client": "^0.8.9",
+    "@budibase/client": "^0.8.16",
     "@budibase/colorpicker": "1.1.2",
-    "@budibase/string-templates": "^0.8.9",
+    "@budibase/string-templates": "^0.8.16",
     "@sentry/browser": "5.19.1",
     "@spectrum-css/page": "^3.0.1",
     "@spectrum-css/vars": "^3.0.1",

packages/builder/src/builderStore/api.js

@@ -1,5 +1,6 @@
 import { store } from "./index"
 import { get as svelteGet } from "svelte/store"
+import { removeCookie, Cookies } from "./cookies"
 
 const apiCall = method => async (
   url,
@@ -8,11 +9,15 @@ const apiCall = method => async (
 ) => {
   headers["x-budibase-app-id"] = svelteGet(store).appId
   const json = headers["Content-Type"] === "application/json"
-  return await fetch(url, {
+  const resp = await fetch(url, {
     method: method,
     body: json ? JSON.stringify(body) : body,
     headers,
   })
+  if (resp.status === 403) {
+    removeCookie(Cookies.Auth)
+  }
+  return resp
 }
 
 export const post = apiCall("POST")
@@ -20,9 +25,6 @@ export const get = apiCall("GET")
 export const patch = apiCall("PATCH")
 export const del = apiCall("DELETE")
 export const put = apiCall("PUT")
-export const getBuilderCookie = async () => {
-  await post("/api/builder/login", {})
-}
 
 export default {
   post: apiCall("POST"),
@@ -30,5 +32,4 @@ export default {
   patch: apiCall("PATCH"),
   delete: apiCall("DELETE"),
   put: apiCall("PUT"),
-  getBuilderCookie,
 }

packages/builder/src/builderStore/cookies.js

@@ -0,0 +1,16 @@
+export const Cookies = {
+  Auth: "budibase:auth",
+  CurrentApp: "budibase:currentapp",
+}
+
+export function getCookie(cookieName) {
+  return document.cookie.split(";").some(cookie => {
+    return cookie.trim().startsWith(`${cookieName}=`)
+  })
+}
+
+export function removeCookie(cookieName) {
+  if (getCookie(cookieName)) {
+    document.cookie = `${cookieName}=; Max-Age=-99999999;`
+  }
+}

packages/builder/src/builderStore/dataBinding.js

@@ -2,10 +2,7 @@ import { cloneDeep } from "lodash/fp"
 import { get } from "svelte/store"
 import { findComponent, findComponentPath } from "./storeUtils"
 import { store } from "builderStore"
-import {
-  tables as tablesStore,
-  queries as queriesStores,
-} from "stores/backend/"
+import { tables as tablesStore, queries as queriesStores } from "stores/backend"
 import { makePropSafe } from "@budibase/string-templates"
 import { TableNames } from "../constants"
 

packages/builder/src/builderStore/index.js

@@ -6,7 +6,6 @@ import { derived, writable } from "svelte/store"
 import analytics from "analytics"
 import { FrontendTypes, LAYOUT_NAMES } from "../constants"
 import { findComponent } from "./storeUtils"
-import { getBuilderCookie } from "./api"
 
 export const store = getFrontendStore()
 export const automationStore = getAutomationStore()
@@ -58,8 +57,6 @@ export const selectedAccessRole = writable("BASIC")
 
 export const initialise = async () => {
   try {
-    // TODO this needs to be replaced by a real login
-    await getBuilderCookie()
     await analytics.activate()
     analytics.captureEvent("Builder Started")
   } catch (err) {

packages/builder/src/components/backend/DataTable/api.js

@@ -1,7 +1,7 @@
 import api from "builderStore/api"
 
 export async function createUser(user) {
-  const CREATE_USER_URL = `/api/users`
+  const CREATE_USER_URL = `/api/users/metadata`
   const response = await api.post(CREATE_USER_URL, user)
   return await response.json()
 }
@@ -15,8 +15,7 @@ export async function saveRow(row, tableId) {
 
 export async function deleteRow(row) {
   const DELETE_ROWS_URL = `/api/${row.tableId}/rows/${row._id}/${row._rev}`
-  const response = await api.delete(DELETE_ROWS_URL)
-  return response
+  return api.delete(DELETE_ROWS_URL)
 }
 
 export async function fetchDataForView(view) {

packages/builder/src/components/backend/DataTable/modals/CreateEditColumn.svelte

@@ -53,8 +53,9 @@
   )
   $: required = !!field?.constraints?.presence || primaryDisplay
   $: uneditable =
-    $tables.selected?._id === TableNames.USERS &&
-    UNEDITABLE_USER_FIELDS.includes(field.name)
+    ($tables.selected?._id === TableNames.USERS &&
+      UNEDITABLE_USER_FIELDS.includes(field.name)) ||
+    (originalName && field.type === LINK_TYPE)
   $: invalid =
     !field.name ||
     (field.type === LINK_TYPE && !field.tableId) ||
@@ -157,19 +158,22 @@
     if (!linkTable) {
       return null
     }
-    const thisName = truncate(table.name, { length: 15 }),
-      linkName = truncate(linkTable.name, { length: 15 })
+    const thisName = truncate(table.name, { length: 14 }),
+      linkName = truncate(linkTable.name, { length: 14 })
     return [
       {
         name: `Many ${thisName} rows → many ${linkName} rows`,
+        alt: `Many ${table.name} rows → many ${linkTable.name} rows`,
         value: RelationshipTypes.MANY_TO_MANY,
       },
       {
         name: `One ${linkName} row → many ${thisName} rows`,
+        alt: `One ${linkTable.name} rows → many ${table.name} rows`,
         value: RelationshipTypes.ONE_TO_MANY,
       },
       {
         name: `One ${thisName} row → many ${linkName} rows`,
+        alt: `One ${table.name} rows → many ${linkTable.name} rows`,
         value: RelationshipTypes.MANY_TO_ONE,
       },
     ]

packages/builder/src/components/common/DrawerBindableInput.svelte

@@ -80,6 +80,7 @@
       border-color var(--spectrum-global-animation-duration-100, 130ms);
     height: calc(var(--spectrum-alias-item-height-m) - 2px);
   }
+
   .icon:hover {
     cursor: pointer;
     color: var(--spectrum-alias-text-color-hover);

packages/builder/src/components/login/LoginForm.svelte

@@ -0,0 +1,50 @@
+<script>
+  import { Button, Label, Input, Spacer } from "@budibase/bbui"
+  import { notifier } from "builderStore/store/notifications"
+  import { auth } from "stores/backend"
+
+  let username = ""
+  let password = ""
+
+  async function login() {
+    try {
+      await auth.login({
+        username,
+        password,
+      })
+      notifier.success("Logged in successfully.")
+    } catch (err) {
+      console.error(err)
+      notifier.danger("Invalid credentials")
+    }
+  }
+
+  async function createTestUser() {
+    try {
+      await auth.firstUser()
+      notifier.success("Test user created")
+    } catch (err) {
+      console.error(err)
+      notifier.danger("Could not create test user")
+    }
+  }
+</script>
+
+<form on:submit|preventDefault data-cy="login-form">
+  <Spacer large />
+  <Label small>Email</Label>
+  <Input outline bind:value={username} />
+  <Spacer large />
+  <Label small>Password</Label>
+  <Input outline type="password" on:change bind:value={password} />
+  <Spacer large />
+  <Button primary on:click={login}>Login</Button>
+  <a target="_blank" href="/api/admin/auth/google">Sign In With Google</a>
+  <Button secondary on:click={createTestUser}>Create Test User</Button>
+</form>
+
+<style>
+  form {
+    width: 60%;
+  }
+</style>

packages/builder/src/components/login/index.js

@@ -0,0 +1 @@
+export { LoginForm } from "./LoginForm.svelte"

packages/builder/src/components/start/CreateAppModal.svelte

@@ -27,12 +27,6 @@
       applicationName: string().required("Your application must have a name"),
     },
     {
-      email: string()
-        .email()
-        .required("Your application needs a first user"),
-      password: string().required(
-        "Please enter a password for your first user"
-      ),
       roleId: string()
         .nullable()
         .required("You need to select a role for your user"),
@@ -114,11 +108,9 @@
 
       // Create user
       const user = {
-        email: $values.email,
-        password: $values.password,
         roleId: $values.roleId,
       }
-      const userResp = await api.post(`/api/users`, user)
+      const userResp = await api.post(`/api/users/metadata/self`, user)
       await userResp.json()
       $goto(`./${appJson._id}`)
     } catch (error) {

packages/builder/src/components/start/LogoutButton.svelte

@@ -0,0 +1,28 @@
+<script>
+  import { TextButton as Button, Modal } from "@budibase/bbui"
+  import { auth } from "stores/backend"
+</script>
+
+<div>
+  <Button text on:click={auth.logout}>
+    <i class="ri-logout-box-line" />
+    <p>Logout</p>
+  </Button>
+</div>
+
+<style>
+  div i {
+    font-size: 26px;
+    color: var(--grey-7);
+    margin-left: 12px;
+    margin-top: 10px;
+  }
+
+  div p {
+    font-family: var(--font-sans);
+    font-size: var(--font-size-s);
+    color: var(--ink);
+    font-weight: 400;
+    margin: 0 0 0 12px;
+  }
+</style>

packages/builder/src/components/start/Steps/User.svelte

@@ -1,5 +1,5 @@
 <script>
-  import { Input, Select, Heading } from "@budibase/bbui"
+  import { Select, Heading } from "@budibase/bbui"
 
   export let values
   export let errors
@@ -7,21 +7,7 @@
 </script>
 
 <div class="container">
-  <Heading l h2>Create your first User</Heading>
-  <Input
-    bind:value={$values.email}
-    on:change={() => ($touched.email = true)}
-    label="Email"
-    placeholder="Email"
-    type="email"
-    error={$touched.email && $errors.email} />
-  <Input
-    bind:value={$values.password}
-    on:change={() => ($touched.password = true)}
-    label="Password"
-    placeholder="Password"
-    type="password"
-    error={$touched.password && $errors.password} />
+  <Heading l h2>What's your role for this app?</Heading>
   <Select
     bind:value={$values.roleId}
     label="Role"

packages/builder/src/pages/builder/[application]/data/datasource/index.svelte

@@ -9,7 +9,7 @@
   })
 </script>
 
-{#if $tables.list.length === 0}
+{#if $datasources.list.length === 0}
   <i>Connect your first datasource to start building.</i>
 {:else}<i>Select a datasource to edit</i>{/if}
 

packages/builder/src/pages/builder/_layout.svelte

@@ -3,48 +3,60 @@
     SideNavigation as Navigation,
     SideNavigationItem as Item,
   } from "@budibase/bbui"
+  import { auth } from "stores/backend"
+  import LoginForm from "components/login/LoginForm.svelte"
   import BuilderSettingsButton from "components/start/BuilderSettingsButton.svelte"
+  import LogoutButton from "components/start/LogoutButton.svelte"
   import Logo from "/assets/budibase-logo.svg"
+
+  let modal
 </script>
 
-<div class="root">
-  <div class="ui-nav">
-    <div class="home-logo"><img src={Logo} alt="Budibase icon" /></div>
-    <div class="nav-section">
-      <div class="nav-top">
-        <Navigation>
-          <Item href="/builder/" icon="Apps" selected>Apps</Item>
-          <Item external href="https://portal.budi.live/" icon="Servers">
-            Hosting
-          </Item>
-          <Item external href="https://docs.budibase.com/" icon="Book">
-            Documentation
-          </Item>
-          <Item
-            external
-            href="https://github.com/Budibase/budibase/discussions"
-            icon="PeopleGroup"
-          >
-            Community
-          </Item>
-          <Item
-            external
-            href="https://github.com/Budibase/budibase/issues/new/choose"
-            icon="Bug"
-          >
-            Raise an issue
-          </Item>
-        </Navigation>
+{#if $auth}
+  {#if $auth.user}
+    <div class="root">
+      <div class="ui-nav">
+        <div class="home-logo"><img src={Logo} alt="Budibase icon" /></div>
+        <div class="nav-section">
+          <div class="nav-top">
+            <Navigation>
+              <Item href="/builder/" icon="Apps" selected>Apps</Item>
+              <Item external href="https://portal.budi.live/" icon="Servers">
+                Hosting
+              </Item>
+              <Item external href="https://docs.budibase.com/" icon="Book">
+                Documentation
+              </Item>
+              <Item
+                external
+                href="https://github.com/Budibase/budibase/discussions"
+                icon="PeopleGroup">
+                Community
+              </Item>
+              <Item
+                external
+                href="https://github.com/Budibase/budibase/issues/new/choose"
+                icon="Bug">
+                Raise an issue
+              </Item>
+            </Navigation>
+          </div>
+          <div class="nav-bottom">
+            <BuilderSettingsButton />
+            <LogoutButton />
+          </div>
+        </div>
       </div>
-      <div class="nav-bottom">
-        <BuilderSettingsButton />
+      <div class="main">
+        <slot />
       </div>
     </div>
-  </div>
-  <div class="main">
-    <slot />
-  </div>
-</div>
+  {:else}
+    <section class="login">
+      <LoginForm />
+    </section>
+  {/if}
+{/if}
 
 <style>
   .root {
@@ -54,6 +66,14 @@
     width: 100%;
   }
 
+  .login {
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    height: 100%;
+    width: 100%;
+  }
+
   .main {
     grid-column: 2;
     overflow: auto;

packages/builder/src/stores/backend/auth.js

@@ -0,0 +1,56 @@
+import { writable } from "svelte/store"
+import api from "../../builderStore/api"
+
+async function checkAuth() {
+  const response = await api.get("/api/self")
+  const user = await response.json()
+  if (response.status === 200) return user
+
+  return null
+}
+
+export function createAuthStore() {
+  const { subscribe, set } = writable(null)
+
+  checkAuth()
+    .then(user => set({ user }))
+    .catch(() => set({ user: null }))
+
+  return {
+    subscribe,
+    login: async creds => {
+      const response = await api.post(`/api/admin/auth`, creds)
+      const json = await response.json()
+      if (response.status === 200) {
+        set({ user: json.user })
+      } else {
+        throw "Invalid credentials"
+      }
+      return json
+    },
+    logout: async () => {
+      const response = await api.post(`/api/admin/auth/logout`)
+      if (response.status !== 200) {
+        throw "Unable to create logout"
+      }
+      await response.json()
+      set({ user: null })
+    },
+    createUser: async user => {
+      const response = await api.post(`/api/admin/users`, user)
+      if (response.status !== 200) {
+        throw "Unable to create user"
+      }
+      await response.json()
+    },
+    firstUser: async () => {
+      const response = await api.post(`/api/admin/users/first`)
+      if (response.status !== 200) {
+        throw "Unable to create test user"
+      }
+      await response.json()
+    },
+  }
+}
+
+export const auth = createAuthStore()

packages/builder/src/stores/backend/index.js

@@ -7,3 +7,4 @@ export { roles } from "./roles"
 export { datasources } from "./datasources"
 export { integrations } from "./integrations"
 export { queries } from "./queries"
+export { auth } from "./auth"

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
-  "name": "@budibase/cli",
-  "version": "0.8.10",
+  "name": "cli",
+  "version": "0.8.15",
   "description": "Budibase CLI, for developers, self hosting and migrations.",
   "main": "src/index.js",
   "bin": {

packages/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@budibase/client",
-  "version": "0.8.9",
+  "version": "0.8.16",
   "license": "MPL-2.0",
   "module": "dist/budibase-client.js",
   "main": "dist/budibase-client.js",
@@ -18,8 +18,7 @@
     "dev:builder": "rollup -cw"
   },
   "dependencies": {
-    "@budibase/standard-components": "^0.8.9",
-    "@budibase/string-templates": "^0.8.9",
+    "@budibase/string-templates": "^0.8.16",
     "regexparam": "^1.3.0",
     "shortid": "^2.2.15",
     "svelte-spa-router": "^3.0.5"
@@ -27,6 +26,7 @@
   "devDependencies": {
     "@rollup/plugin-commonjs": "^18.0.0",
     "@rollup/plugin-node-resolve": "^11.2.1",
+    "@budibase/standard-components": "^0.8.16",
     "fs-extra": "^8.1.0",
     "jsdom": "^16.0.1",
     "postcss": "^8.2.9",
@@ -40,5 +40,5 @@
     "rollup-plugin-terser": "^7.0.2",
     "svelte": "^3.35.0"
   },
-  "gitHead": "1b95326b20d1352d36305910259228b96a683dc7"
+  "gitHead": "4b6efc42ed3273595c7a129411f4d883733d3321"
 }

packages/client/src/api/auth.js

@@ -13,8 +13,8 @@ export const logIn = async ({ email, password }) => {
     return API.error("Please enter your password")
   }
   return await API.post({
-    url: "/api/authenticate",
-    body: { email, password },
+    url: "/api/admin/auth",
+    body: { username: email, password },
   })
 }
 

packages/client/src/store/auth.js

@@ -19,8 +19,8 @@ const createAuthStore = () => {
 
   // Logs a user in
   const logIn = async ({ email, password }) => {
-    const user = await API.logIn({ email, password })
-    if (!user.error) {
+    const auth = await API.logIn({ email, password })
+    if (auth.success) {
       await fetchUser()
       await initialise()
       goToDefaultRoute()
@@ -30,12 +30,7 @@ const createAuthStore = () => {
   // Logs a user out
   const logOut = async () => {
     store.set(null)
-    const appId = get(builderStore).appId
-    if (appId) {
-      for (let environment of ["local", "cloud"]) {
-        window.document.cookie = `budibase:${appId}:${environment}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;`
-      }
-    }
+    window.document.cookie = `budibase:auth=; budibase:currentapp=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;`
     await initialise()
     goToDefaultRoute()
   }

packages/server/__mocks__/node-fetch.js

@@ -10,8 +10,15 @@ module.exports = async (url, opts) => {
     }
   }
 
+  if (url.includes("/api/admin")) {
+    return json({
+      email: "test@test.com",
+      _id: "us_test@test.com",
+      status: "active",
+    })
+  }
   // mocked data based on url
-  if (url.includes("api/apps")) {
+  else if (url.includes("api/apps")) {
     return json({
       app1: {
         url: "/app1",

packages/server/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@budibase/server",
   "email": "hi@budibase.com",
-  "version": "0.8.9",
+  "version": "0.8.16",
   "description": "Budibase Web Server",
   "main": "src/electron.js",
   "repository": {
@@ -43,7 +43,6 @@
     "electron": "electron src/electron.js",
     "build:electron": "electron-builder --dir",
     "publish:electron": "electron-builder -mwl --publish always",
-    "postinstall": "electron-builder install-app-deps",
     "lint": "eslint --fix src/",
     "initialise": "node scripts/initialise.js"
   },
@@ -80,8 +79,9 @@
   "author": "Budibase",
   "license": "AGPL-3.0-or-later",
   "dependencies": {
-    "@budibase/client": "^0.8.9",
-    "@budibase/string-templates": "^0.8.9",
+    "@budibase/auth": "^0.0.1",
+    "@budibase/client": "^0.8.16",
+    "@budibase/string-templates": "^0.8.16",
     "@elastic/elasticsearch": "7.10.0",
     "@koa/router": "8.0.0",
     "@sendgrid/mail": "7.1.1",
@@ -103,7 +103,6 @@
     "jimp": "0.16.1",
     "joi": "17.2.1",
     "jsonschema": "1.4.0",
-    "jsonwebtoken": "8.5.1",
     "koa": "2.7.0",
     "koa-body": "4.2.0",
     "koa-compress": "4.0.1",
@@ -135,7 +134,7 @@
     "zlib": "1.0.5"
   },
   "devDependencies": {
-    "@budibase/standard-components": "^0.8.9",
+    "@budibase/standard-components": "^0.8.16",
     "@jest/test-sequencer": "^24.8.0",
     "docker-compose": "^0.23.6",
     "electron": "10.1.3",
@@ -147,5 +146,5 @@
     "pouchdb-adapter-memory": "^7.2.1",
     "supertest": "^4.0.2"
   },
-  "gitHead": "1b95326b20d1352d36305910259228b96a683dc7"
+  "gitHead": "4b6efc42ed3273595c7a129411f4d883733d3321"
 }

packages/server/scripts/dev/manage.js

@@ -33,9 +33,6 @@ async function init() {
   fs.writeFileSync(envoyOutputPath, processStringSync(contents, config))
 
   const envFilePath = path.join(process.cwd(), ".env")
-  if (fs.existsSync(envFilePath)) {
-    return
-  }
   const envFileJson = {
     PORT: 4001,
     MINIO_URL: "http://localhost:10000/",
@@ -70,7 +67,11 @@ async function nuke() {
   console.log(
     "Clearing down your budibase dev environment, including all containers and volumes... 💥"
   )
-  await compose.down(CONFIG)
+  await compose.down({
+    ...CONFIG,
+    // stop containers, delete volumes
+    commandOptions: ["-v", "--remove-orphans"],
+  })
 }
 
 const managementCommand = process.argv.slice(2)[0]

packages/server/src/api/controllers/application.js

@@ -1,6 +1,5 @@
 const CouchDB = require("../../db")
 const env = require("../../environment")
-const setBuilderToken = require("../../utilities/builder/setBuilderToken")
 const packageJson = require("../../../package.json")
 const {
   createLinkView,
@@ -74,7 +73,7 @@ async function getAppUrlIfNotInUse(ctx) {
   if (!env.SELF_HOSTED) {
     return url
   }
-  const deployedApps = await getDeployedApps()
+  const deployedApps = await getDeployedApps(ctx)
   if (
     deployedApps[url] != null &&
     deployedApps[url].appId !== ctx.params.appId
@@ -145,7 +144,6 @@ exports.fetchAppPackage = async function(ctx) {
     layouts,
     clientLibPath: clientLibraryPath(ctx.params.appId),
   }
-  await setBuilderToken(ctx, ctx.params.appId, application.version)
 }
 
 exports.create = async function(ctx) {
@@ -161,7 +159,6 @@ exports.create = async function(ctx) {
 
   const url = await getAppUrlIfNotInUse(ctx)
   const appId = instance._id
-  const version = packageJson.version
   const newApplication = {
     _id: appId,
     type: "app",
@@ -184,7 +181,6 @@ exports.create = async function(ctx) {
     await createApp(appId)
   }
 
-  await setBuilderToken(ctx, appId, version)
   ctx.status = 200
   ctx.body = newApplication
   ctx.message = `Application ${ctx.request.body.name} created successfully`

packages/server/src/api/controllers/auth.js

@@ -1,93 +1,38 @@
-const jwt = require("jsonwebtoken")
 const CouchDB = require("../../db")
-const bcrypt = require("../../utilities/bcrypt")
-const env = require("../../environment")
-const { getAPIKey } = require("../../utilities/usageQuota")
-const { generateUserID } = require("../../db/utils")
-const { setCookie } = require("../../utilities")
 const { outputProcessing } = require("../../utilities/rowProcessor")
-const { ViewNames } = require("../../db/utils")
-const { UserStatus } = require("../../constants")
-const setBuilderToken = require("../../utilities/builder/setBuilderToken")
-
-const INVALID_ERR = "Invalid Credentials"
-
-exports.authenticate = async ctx => {
-  const appId = ctx.appId
-  if (!appId) ctx.throw(400, "No appId")
-
-  const { email, password } = ctx.request.body
-
-  if (!email) ctx.throw(400, "Email Required.")
-  if (!password) ctx.throw(400, "Password Required.")
-
-  // Check the user exists in the instance DB by email
-  const db = new CouchDB(appId)
-  const app = await db.get(appId)
-
-  let dbUser
-  try {
-    dbUser = await db.get(generateUserID(email))
-  } catch (_) {
-    // do not want to throw a 404 - as this could be
-    // used to determine valid emails
-    ctx.throw(401, INVALID_ERR)
-  }
-
-  // check that the user is currently inactive, if this is the case throw invalid
-  if (dbUser.status === UserStatus.INACTIVE) {
-    ctx.throw(401, INVALID_ERR)
-  }
-
-  // authenticate
-  if (await bcrypt.compare(password, dbUser.password)) {
-    const payload = {
-      userId: dbUser._id,
-      roleId: dbUser.roleId,
-      version: app.version,
-    }
-    // if in prod add the user api key, unless self hosted
-    /* istanbul ignore next */
-    if (env.isProd() && !env.SELF_HOSTED) {
-      const { apiKey } = await getAPIKey(ctx.user.appId)
-      payload.apiKey = apiKey
-    }
-
-    const token = jwt.sign(payload, ctx.config.jwtSecret, {
-      expiresIn: "1 day",
-    })
-
-    setCookie(ctx, token, appId)
-
-    delete dbUser.password
-    ctx.body = {
-      token,
-      ...dbUser,
-      appId,
-    }
-  } else {
-    ctx.throw(401, INVALID_ERR)
-  }
-}
-
-exports.builderLogin = async ctx => {
-  await setBuilderToken(ctx)
-  ctx.status = 200
-}
+const { InternalTables } = require("../../db/utils")
+const { getFullUser } = require("../../utilities/users")
 
 exports.fetchSelf = async ctx => {
-  const { userId, appId } = ctx.user
+  if (!ctx.user) {
+    ctx.throw(403, "No user logged in")
+  }
+  const appId = ctx.appId
+  const { userId } = ctx.user
   /* istanbul ignore next */
-  if (!userId || !appId) {
+  if (!userId) {
     ctx.body = {}
     return
   }
-  const db = new CouchDB(appId)
-  const user = await db.get(userId)
-  const userTable = await db.get(ViewNames.USERS)
-  if (user) {
-    delete user.password
+
+  const user = await getFullUser(ctx, userId)
+
+  if (appId) {
+    const db = new CouchDB(appId)
+    // remove the full roles structure
+    delete user.roles
+    try {
+      const userTable = await db.get(InternalTables.USER_METADATA)
+      const metadata = await db.get(userId)
+      // specifically needs to make sure is enriched
+      ctx.body = await outputProcessing(appId, userTable, {
+        ...user,
+        ...metadata,
+      })
+    } catch (err) {
+      ctx.body = user
+    }
+  } else {
+    ctx.body = user
   }
-  // specifically needs to make sure is enriched
-  ctx.body = await outputProcessing(appId, userTable, user)
 }

packages/server/src/api/controllers/automation.js

@@ -34,13 +34,13 @@ function cleanAutomationInputs(automation) {
 
 /**
  * This function handles checking if any webhooks need to be created or deleted for automations.
- * @param {object} user The user object, including all auth info
+ * @param {string} appId The ID of the app in which we are checking for webhooks
  * @param {object|undefined} oldAuto The old automation object if updating/deleting
  * @param {object|undefined} newAuto The new automation object if creating/updating
  * @returns {Promise<object|undefined>} After this is complete the new automation object may have been updated and should be
  * written to DB (this does not write to DB as it would be wasteful to repeat).
  */
-async function checkForWebhooks({ user, oldAuto, newAuto }) {
+async function checkForWebhooks({ appId, oldAuto, newAuto }) {
   const oldTrigger = oldAuto ? oldAuto.definition.trigger : null
   const newTrigger = newAuto ? newAuto.definition.trigger : null
   function isWebhookTrigger(auto) {
@@ -56,11 +56,11 @@ async function checkForWebhooks({ user, oldAuto, newAuto }) {
     !isWebhookTrigger(newAuto) &&
     oldTrigger.webhookId
   ) {
-    let db = new CouchDB(user.appId)
+    let db = new CouchDB(appId)
     // need to get the webhook to get the rev
     const webhook = await db.get(oldTrigger.webhookId)
     const ctx = {
-      user,
+      appId,
       params: { id: webhook._id, rev: webhook._rev },
     }
     // might be updating - reset the inputs to remove the URLs
@@ -73,7 +73,7 @@ async function checkForWebhooks({ user, oldAuto, newAuto }) {
   // need to create webhook
   else if (!isWebhookTrigger(oldAuto) && isWebhookTrigger(newAuto)) {
     const ctx = {
-      user,
+      appId,
       request: {
         body: new webhooks.Webhook(
           "Automation webhook",
@@ -86,17 +86,17 @@ async function checkForWebhooks({ user, oldAuto, newAuto }) {
     const id = ctx.body.webhook._id
     newTrigger.webhookId = id
     newTrigger.inputs = {
-      schemaUrl: `api/webhooks/schema/${user.appId}/${id}`,
-      triggerUrl: `api/webhooks/trigger/${user.appId}/${id}`,
+      schemaUrl: `api/webhooks/schema/${appId}/${id}`,
+      triggerUrl: `api/webhooks/trigger/${appId}/${id}`,
     }
   }
   return newAuto
 }
 
 exports.create = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   let automation = ctx.request.body
-  automation.appId = ctx.user.appId
+  automation.appId = ctx.appId
 
   // call through to update if already exists
   if (automation._id && automation._rev) {
@@ -107,7 +107,10 @@ exports.create = async function(ctx) {
 
   automation.type = "automation"
   automation = cleanAutomationInputs(automation)
-  automation = await checkForWebhooks({ user: ctx.user, newAuto: automation })
+  automation = await checkForWebhooks({
+    appId: ctx.appId,
+    newAuto: automation,
+  })
   const response = await db.put(automation)
   automation._rev = response.rev
 
@@ -122,13 +125,13 @@ exports.create = async function(ctx) {
 }
 
 exports.update = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   let automation = ctx.request.body
-  automation.appId = ctx.user.appId
+  automation.appId = ctx.appId
   const oldAutomation = await db.get(automation._id)
   automation = cleanAutomationInputs(automation)
   automation = await checkForWebhooks({
-    user: ctx.user,
+    appId: ctx.appId,
     oldAuto: oldAutomation,
     newAuto: automation,
   })
@@ -147,7 +150,7 @@ exports.update = async function(ctx) {
 }
 
 exports.fetch = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const response = await db.allDocs(
     getAutomationParams(null, {
       include_docs: true,
@@ -157,14 +160,17 @@ exports.fetch = async function(ctx) {
 }
 
 exports.find = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   ctx.body = await db.get(ctx.params.id)
 }
 
 exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const oldAutomation = await db.get(ctx.params.id)
-  await checkForWebhooks({ user: ctx.user, oldAuto: oldAutomation })
+  await checkForWebhooks({
+    appId: ctx.appId,
+    oldAuto: oldAutomation,
+  })
   ctx.body = await db.remove(ctx.params.id, ctx.params.rev)
 }
 
@@ -195,11 +201,11 @@ module.exports.getDefinitionList = async function(ctx) {
  *********************/
 
 exports.trigger = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   let automation = await db.get(ctx.params.id)
   await triggers.externalTrigger(automation, {
     ...ctx.request.body,
-    appId: ctx.user.appId,
+    appId: ctx.appId,
   })
   ctx.status = 200
   ctx.body = {

packages/server/src/api/controllers/datasource.js

@@ -6,7 +6,7 @@ const {
 } = require("../../db/utils")
 
 exports.fetch = async function(ctx) {
-  const database = new CouchDB(ctx.user.appId)
+  const database = new CouchDB(ctx.appId)
   ctx.body = (
     await database.allDocs(
       getDatasourceParams(null, {
@@ -17,7 +17,7 @@ exports.fetch = async function(ctx) {
 }
 
 exports.save = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
 
   const datasource = {
     _id: generateDatasourceID(),
@@ -34,7 +34,7 @@ exports.save = async function(ctx) {
 }
 
 exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
 
   // Delete all queries for the datasource
   const rows = await db.allDocs(getQueryParams(ctx.params.datasourceId, null))
@@ -48,6 +48,6 @@ exports.destroy = async function(ctx) {
 }
 
 exports.find = async function(ctx) {
-  const database = new CouchDB(ctx.user.appId)
+  const database = new CouchDB(ctx.appId)
   ctx.body = await database.get(ctx.params.datasourceId)
 }

packages/server/src/api/controllers/deploy/index.js

@@ -93,7 +93,7 @@ async function deployApp(deployment) {
 
 exports.fetchDeployments = async function(ctx) {
   try {
-    const db = new PouchDB(ctx.user.appId)
+    const db = new PouchDB(ctx.appId)
     const deploymentDoc = await db.get("_local/deployments")
     const { updated, deployments } = await checkAllDeployments(
       deploymentDoc,
@@ -110,7 +110,7 @@ exports.fetchDeployments = async function(ctx) {
 
 exports.deploymentProgress = async function(ctx) {
   try {
-    const db = new PouchDB(ctx.user.appId)
+    const db = new PouchDB(ctx.appId)
     const deploymentDoc = await db.get("_local/deployments")
     ctx.body = deploymentDoc[ctx.params.deploymentId]
   } catch (err) {
@@ -128,7 +128,7 @@ exports.deployApp = async function(ctx) {
     hostingInfo.type === HostingTypes.CLOUD
       ? require("./awsDeploy")
       : require("./selfDeploy")
-  let deployment = new Deployment(ctx.user.appId)
+  let deployment = new Deployment(ctx.appId)
   deployment.setStatus(DeploymentStatus.PENDING)
   deployment = await storeLocalDeploymentHistory(deployment)
 

packages/server/src/api/controllers/dev.js

@@ -0,0 +1,34 @@
+const fetch = require("node-fetch")
+const env = require("../../environment")
+const { checkSlashesInUrl } = require("../../utilities")
+const { request } = require("../../utilities/workerRequests")
+
+async function redirect(ctx, method) {
+  const { devPath } = ctx.params
+  const response = await fetch(
+    checkSlashesInUrl(`${env.WORKER_URL}/api/admin/${devPath}`),
+    request(ctx, {
+      method,
+      body: ctx.request.body,
+    })
+  )
+  ctx.body = await response.json()
+  const cookie = response.headers.get("set-cookie")
+  if (cookie) {
+    ctx.set("set-cookie", cookie)
+  }
+  ctx.status = response.status
+  ctx.cookies
+}
+
+exports.redirectGet = async ctx => {
+  await redirect(ctx, "GET")
+}
+
+exports.redirectPost = async ctx => {
+  await redirect(ctx, "POST")
+}
+
+exports.redirectDelete = async ctx => {
+  await redirect(ctx, "DELETE")
+}

packages/server/src/api/controllers/hosting.js

@@ -40,5 +40,5 @@ exports.fetchUrls = async ctx => {
 }
 
 exports.getDeployedApps = async ctx => {
-  ctx.body = await getDeployedApps()
+  ctx.body = await getDeployedApps(ctx)
 }

packages/server/src/api/controllers/layout.js

@@ -3,7 +3,7 @@ const CouchDB = require("../../db")
 const { generateLayoutID, getScreenParams } = require("../../db/utils")
 
 exports.save = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   let layout = ctx.request.body
 
   if (!layout.props) {
@@ -22,7 +22,7 @@ exports.save = async function(ctx) {
 }
 
 exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const layoutId = ctx.params.layoutId,
     layoutRev = ctx.params.layoutRev
 

packages/server/src/api/controllers/query.js

@@ -28,7 +28,7 @@ function formatResponse(resp) {
 }
 
 exports.fetch = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
 
   const body = await db.allDocs(
     getQueryParams(null, {
@@ -39,7 +39,7 @@ exports.fetch = async function(ctx) {
 }
 
 exports.save = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const query = ctx.request.body
 
   if (!query._id) {
@@ -90,7 +90,7 @@ async function enrichQueryFields(fields, parameters) {
 }
 
 exports.find = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const query = enrichQueries(await db.get(ctx.params.queryId))
   // remove properties that could be dangerous in real app
   if (env.isProd()) {
@@ -102,7 +102,7 @@ exports.find = async function(ctx) {
 }
 
 exports.preview = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
 
   const datasource = await db.get(ctx.request.body.datasourceId)
 
@@ -130,7 +130,7 @@ exports.preview = async function(ctx) {
 }
 
 exports.execute = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
 
   const query = await db.get(ctx.params.queryId)
   const datasource = await db.get(query.datasourceId)
@@ -153,7 +153,7 @@ exports.execute = async function(ctx) {
 }
 
 exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   await db.remove(ctx.params.queryId, ctx.params.revId)
   ctx.message = `Query deleted.`
   ctx.status = 200

packages/server/src/api/controllers/role.js

@@ -10,8 +10,8 @@ const {
 const {
   generateRoleID,
   getRoleParams,
-  getUserParams,
-  ViewNames,
+  getUserMetadataParams,
+  InternalTables,
 } = require("../../db/utils")
 
 const UpdateRolesOptions = {
@@ -28,7 +28,7 @@ const EXTERNAL_BUILTIN_ROLE_IDS = [
 ]
 
 async function updateRolesOnUserTable(db, roleId, updateOption) {
-  const table = await db.get(ViewNames.USERS)
+  const table = await db.get(InternalTables.USER_METADATA)
   const schema = table.schema
   const remove = updateOption === UpdateRolesOptions.REMOVED
   let updated = false
@@ -51,7 +51,7 @@ async function updateRolesOnUserTable(db, roleId, updateOption) {
 }
 
 exports.fetch = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const body = await db.allDocs(
     getRoleParams(null, {
       include_docs: true,
@@ -79,11 +79,11 @@ exports.fetch = async function(ctx) {
 }
 
 exports.find = async function(ctx) {
-  ctx.body = await getRole(ctx.user.appId, ctx.params.roleId)
+  ctx.body = await getRole(ctx.appId, ctx.params.roleId)
 }
 
 exports.save = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   let { _id, name, inherits, permissionId } = ctx.request.body
   if (!_id) {
     _id = generateRoleID()
@@ -104,7 +104,7 @@ exports.save = async function(ctx) {
 }
 
 exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const roleId = ctx.params.roleId
   if (isBuiltin(roleId)) {
     ctx.throw(400, "Cannot delete builtin role.")
@@ -112,7 +112,7 @@ exports.destroy = async function(ctx) {
   // first check no users actively attached to role
   const users = (
     await db.allDocs(
-      getUserParams(null, {
+      getUserMetadataParams(null, {
         include_docs: true,
       })
     )

packages/server/src/api/controllers/row.js

@@ -6,10 +6,9 @@ const {
   generateRowID,
   DocumentTypes,
   SEPARATOR,
-  ViewNames,
-  generateUserID,
+  InternalTables,
 } = require("../../db/utils")
-const usersController = require("./user")
+const userController = require("./user")
 const {
   inputProcessing,
   outputProcessing,
@@ -37,18 +36,14 @@ validateJs.extend(validateJs.validators.datetime, {
   },
 })
 
-async function findRow(db, appId, tableId, rowId) {
+async function findRow(ctx, db, tableId, rowId) {
   let row
-  if (tableId === ViewNames.USERS) {
-    let ctx = {
-      params: {
-        userId: rowId,
-      },
-      user: {
-        appId,
-      },
+  // TODO remove special user case in future
+  if (tableId === InternalTables.USER_METADATA) {
+    ctx.params = {
+      id: rowId,
     }
-    await usersController.find(ctx)
+    await userController.findMetadata(ctx)
     row = ctx.body
   } else {
     row = await db.get(rowId)
@@ -60,7 +55,7 @@ async function findRow(db, appId, tableId, rowId) {
 }
 
 exports.patch = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
   let dbRow = await db.get(ctx.params.rowId)
   let dbTable = await db.get(dbRow.tableId)
@@ -96,14 +91,14 @@ exports.patch = async function(ctx) {
     table,
   })
 
-  // Creation of a new user goes to the user controller
-  if (row.tableId === ViewNames.USERS) {
+  // TODO remove special user case in future
+  if (row.tableId === InternalTables.USER_METADATA) {
     // the row has been updated, need to put it into the ctx
     ctx.request.body = {
       ...row,
       password: ctx.request.body.password,
     }
-    await usersController.update(ctx)
+    await userController.updateMetadata(ctx)
     return
   }
 
@@ -121,7 +116,7 @@ exports.patch = async function(ctx) {
 }
 
 exports.save = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
   let inputs = ctx.request.body
   inputs.tableId = ctx.params.tableId
@@ -134,19 +129,17 @@ exports.save = async function(ctx) {
   }
 
   // if the row obj had an _id then it will have been retrieved
-  const existingRow = ctx.preExisting
-  if (existingRow) {
-    ctx.params.rowId = inputs._id
-    await exports.patch(ctx)
-    return
+  if (inputs._id && inputs._rev) {
+    const existingRow = await db.get(inputs._id)
+    if (existingRow) {
+      ctx.params.rowId = inputs._id
+      await exports.patch(ctx)
+      return
+    }
   }
 
   if (!inputs._rev && !inputs._id) {
-    if (inputs.tableId === ViewNames.USERS) {
-      inputs._id = generateUserID(inputs.email)
-    } else {
-      inputs._id = generateRowID(inputs.tableId)
-    }
+    inputs._id = generateRowID(inputs.tableId)
   }
 
   // this returns the table and row incase they have been updated
@@ -175,11 +168,11 @@ exports.save = async function(ctx) {
     table,
   })
 
-  // Creation of a new user goes to the user controller
-  if (row.tableId === ViewNames.USERS) {
+  // TODO remove special user case in future
+  if (row.tableId === InternalTables.USER_METADATA) {
     // the row has been updated, need to put it into the ctx
     ctx.request.body = row
-    await usersController.create(ctx)
+    await userController.createMetadata(ctx)
     return
   }
 
@@ -197,7 +190,7 @@ exports.save = async function(ctx) {
 }
 
 exports.fetchView = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const viewName = ctx.params.viewName
 
   // if this is a table view being looked for just transfer to that
@@ -256,7 +249,7 @@ exports.fetchView = async function(ctx) {
 }
 
 exports.search = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
   const {
     query,
@@ -287,14 +280,6 @@ exports.search = async function(ctx) {
   }
 
   const response = await search(searchString)
-
-  // delete passwords from users
-  if (tableId === ViewNames.USERS) {
-    for (let row of response.rows) {
-      delete row.password
-    }
-  }
-
   const table = await db.get(tableId)
   ctx.body = {
     rows: await outputProcessing(appId, table, response.rows),
@@ -303,14 +288,14 @@ exports.search = async function(ctx) {
 }
 
 exports.fetchTableRows = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
 
-  // special case for users, fetch through the user controller
+  // TODO remove special user case in future
   let rows,
     table = await db.get(ctx.params.tableId)
-  if (ctx.params.tableId === ViewNames.USERS) {
-    await usersController.fetch(ctx)
+  if (ctx.params.tableId === InternalTables.USER_METADATA) {
+    await userController.fetchMetadata(ctx)
     rows = ctx.body
   } else {
     const response = await db.allDocs(
@@ -324,11 +309,11 @@ exports.fetchTableRows = async function(ctx) {
 }
 
 exports.find = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
   try {
     const table = await db.get(ctx.params.tableId)
-    const row = await findRow(db, appId, ctx.params.tableId, ctx.params.rowId)
+    const row = await findRow(ctx, db, ctx.params.tableId, ctx.params.rowId)
     ctx.body = await outputProcessing(appId, table, row)
   } catch (err) {
     ctx.throw(400, err)
@@ -336,7 +321,7 @@ exports.find = async function(ctx) {
 }
 
 exports.destroy = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
   const row = await db.get(ctx.params.rowId)
   if (row.tableId !== ctx.params.tableId) {
@@ -348,17 +333,25 @@ exports.destroy = async function(ctx) {
     row,
     tableId: row.tableId,
   })
-  ctx.body = await db.remove(ctx.params.rowId, ctx.params.revId)
-  ctx.status = 200
+  // TODO remove special user case in future
+  if (ctx.params.tableId === InternalTables.USER_METADATA) {
+    ctx.params = {
+      id: ctx.params.rowId,
+    }
+    await userController.destroyMetadata(ctx)
+  } else {
+    ctx.body = await db.remove(ctx.params.rowId, ctx.params.revId)
+  }
 
   // for automations include the row that was deleted
   ctx.row = row
+  ctx.status = 200
   ctx.eventEmitter && ctx.eventEmitter.emitRow(`row:delete`, appId, row)
 }
 
 exports.validate = async function(ctx) {
   const errors = await validate({
-    appId: ctx.user.appId,
+    appId: ctx.appId,
     tableId: ctx.params.tableId,
     row: ctx.request.body,
   })
@@ -388,14 +381,14 @@ async function validate({ appId, tableId, row, table }) {
 }
 
 exports.fetchEnrichedRow = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
   const tableId = ctx.params.tableId
   const rowId = ctx.params.rowId
   // need table to work out where links go in row
   let [table, row] = await Promise.all([
     db.get(tableId),
-    findRow(db, appId, tableId, rowId),
+    findRow(ctx, db, tableId, rowId),
   ])
   // get the link docs
   const linkVals = await linkRows.getLinkDocuments({
@@ -433,11 +426,11 @@ exports.fetchEnrichedRow = async function(ctx) {
 }
 
 async function bulkDelete(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const { rows } = ctx.request.body
   const db = new CouchDB(appId)
 
-  const linkUpdates = rows.map(row =>
+  let updates = rows.map(row =>
     linkRows.updateLinks({
       appId,
       eventType: linkRows.EventType.ROW_DELETE,
@@ -445,9 +438,20 @@ async function bulkDelete(ctx) {
       tableId: row.tableId,
     })
   )
-
-  await db.bulkDocs(rows.map(row => ({ ...row, _deleted: true })))
-  await Promise.all(linkUpdates)
+  // TODO remove special user case in future
+  if (ctx.params.tableId === InternalTables.USER_METADATA) {
+    updates = updates.concat(
+      rows.map(row => {
+        ctx.params = {
+          id: row._id,
+        }
+        return userController.destroyMetadata(ctx)
+      })
+    )
+  } else {
+    await db.bulkDocs(rows.map(row => ({ ...row, _deleted: true })))
+  }
+  await Promise.all(updates)
 
   rows.forEach(row => {
     ctx.eventEmitter && ctx.eventEmitter.emitRow(`row:delete`, appId, row)

packages/server/src/api/controllers/screen.js

@@ -3,7 +3,7 @@ const { getScreenParams, generateScreenID } = require("../../db/utils")
 const { AccessController } = require("../../utilities/security/roles")
 
 exports.fetch = async ctx => {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
 
   const screens = (
@@ -21,7 +21,7 @@ exports.fetch = async ctx => {
 }
 
 exports.save = async ctx => {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
   let screen = ctx.request.body
 
@@ -39,7 +39,7 @@ exports.save = async ctx => {
 }
 
 exports.destroy = async ctx => {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   await db.remove(ctx.params.screenId, ctx.params.screenRev)
   ctx.body = {
     message: "Screen deleted successfully",

packages/server/src/api/controllers/search/index.js

@@ -1,8 +1,7 @@
 const { QueryBuilder, buildSearchUrl, search } = require("./utils")
 
 exports.rowSearch = async ctx => {
-  // this can't be done through pouch, have to reach for trusty node-fetch
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const { tableId } = ctx.params
   const { bookmark, query, raw } = ctx.request.body
   let url

packages/server/src/api/controllers/static/index.js

@@ -9,7 +9,6 @@ const { processString } = require("@budibase/string-templates")
 const { budibaseTempDir } = require("../../../utilities/budibaseDir")
 const { getDeployedApps } = require("../../../utilities/builder/hosting")
 const CouchDB = require("../../../db")
-const setBuilderToken = require("../../../utilities/builder/setBuilderToken")
 const {
   loadHandlebarsFile,
   NODE_MODULES_PATH,
@@ -22,7 +21,7 @@ const { objectStoreUrl, clientLibraryPath } = require("../../../utilities")
 async function checkForSelfHostedURL(ctx) {
   // the "appId" component of the URL may actually be a specific self hosted URL
   let possibleAppUrl = `/${encodeURI(ctx.params.appId).toLowerCase()}`
-  const apps = await getDeployedApps()
+  const apps = await getDeployedApps(ctx)
   if (apps[possibleAppUrl] && apps[possibleAppUrl].appId) {
     return apps[possibleAppUrl].appId
   } else {
@@ -35,9 +34,6 @@ const COMP_LIB_BASE_APP_VERSION = "0.2.5"
 
 exports.serveBuilder = async function(ctx) {
   let builderPath = resolve(TOP_LEVEL_PATH, "builder")
-  if (ctx.file === "index.html") {
-    await setBuilderToken(ctx)
-  }
   await send(ctx, ctx.file, { root: builderPath })
 }
 
@@ -61,7 +57,7 @@ exports.uploadFile = async function(ctx) {
 
     return prepareUpload({
       file,
-      s3Key: `assets/${ctx.user.appId}/attachments/${processedFileName}`,
+      s3Key: `assets/${ctx.appId}/attachments/${processedFileName}`,
       bucket: "prod-budi-app-assets",
     })
   })
@@ -111,20 +107,17 @@ exports.serveComponentLibrary = async function(ctx) {
     )
     return send(ctx, "/awsDeploy.js", { root: componentLibraryPath })
   }
+  const db = new CouchDB(appId)
+  const appInfo = await db.get(appId)
+
   let componentLib = "componentlibrary"
-  if (ctx.user.version) {
-    componentLib += `-${ctx.user.version}`
+  if (appInfo && appInfo.version) {
+    componentLib += `-${appInfo.version}`
   } else {
     componentLib += `-${COMP_LIB_BASE_APP_VERSION}`
   }
   const S3_URL = encodeURI(
-    join(
-      objectStoreUrl(appId),
-      componentLib,
-      ctx.query.library,
-      "dist",
-      "index.js"
-    )
+    join(objectStoreUrl(), componentLib, ctx.query.library, "dist", "index.js")
   )
   const response = await fetch(S3_URL)
   const body = await response.text()

packages/server/src/api/controllers/table/index.js

@@ -10,7 +10,7 @@ const { FieldTypes } = require("../../../constants")
 const { TableSaveFunctions } = require("./utils")
 
 exports.fetch = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const body = await db.allDocs(
     getTableParams(null, {
       include_docs: true,
@@ -20,12 +20,12 @@ exports.fetch = async function(ctx) {
 }
 
 exports.find = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   ctx.body = await db.get(ctx.params.id)
 }
 
 exports.save = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
   const { dataImport, ...rest } = ctx.request.body
   let tableToSave = {
@@ -127,7 +127,7 @@ exports.save = async function(ctx) {
 }
 
 exports.destroy = async function(ctx) {
-  const appId = ctx.user.appId
+  const appId = ctx.appId
   const db = new CouchDB(appId)
   const tableToDelete = await db.get(ctx.params.tableId)
 

packages/server/src/api/controllers/table/utils.js

@@ -1,6 +1,10 @@
 const CouchDB = require("../../../db")
 const csvParser = require("../../../utilities/csvParser")
-const { getRowParams, generateRowID, ViewNames } = require("../../../db/utils")
+const {
+  getRowParams,
+  generateRowID,
+  InternalTables,
+} = require("../../../db/utils")
 const { isEqual } = require("lodash/fp")
 const { AutoFieldSubTypes } = require("../../../constants")
 const { inputProcessing } = require("../../../utilities/rowProcessor")
@@ -57,8 +61,8 @@ exports.makeSureTableUpToDate = (table, tableToSave) => {
   return tableToSave
 }
 
-exports.handleDataImport = async (user, table, dataImport) => {
-  const db = new CouchDB(user.appId)
+exports.handleDataImport = async (appId, user, table, dataImport) => {
+  const db = new CouchDB(appId)
   if (dataImport && dataImport.csvString) {
     // Populate the table with rows imported from CSV in a bulk update
     const data = await csvParser.transform(dataImport)
@@ -136,7 +140,7 @@ exports.handleSearchIndexes = async (appId, table) => {
 
 exports.checkStaticTables = table => {
   // check user schema has all required elements
-  if (table._id === ViewNames.USERS) {
+  if (table._id === InternalTables.USER_METADATA) {
     for (let [key, schema] of Object.entries(USERS_TABLE_SCHEMA.schema)) {
       // check if the schema exists on the table to be created/updated
       if (table.schema[key] == null) {
@@ -152,7 +156,7 @@ class TableSaveFunctions {
     this.db = db
     this.ctx = ctx
     if (this.ctx && this.ctx.user) {
-      this.appId = this.ctx.user.appId
+      this.appId = this.ctx.appId
     }
     this.oldTable = oldTable
     this.dataImport = dataImport
@@ -184,6 +188,7 @@ class TableSaveFunctions {
   async after(table) {
     table = await exports.handleSearchIndexes(this.appId, table)
     table = await exports.handleDataImport(
+      this.appId,
       this.ctx.user,
       table,
       this.dataImport

packages/server/src/api/controllers/user.js

@@ -1,115 +1,113 @@
 const CouchDB = require("../../db")
-const bcrypt = require("../../utilities/bcrypt")
-const { generateUserID, getUserParams, ViewNames } = require("../../db/utils")
+const {
+  generateUserMetadataID,
+  getUserMetadataParams,
+  getGlobalIDFromUserMetadataID,
+} = require("../../db/utils")
+const { InternalTables } = require("../../db/utils")
 const { getRole } = require("../../utilities/security/roles")
-const { UserStatus } = require("../../constants")
+const {
+  getGlobalUsers,
+  saveGlobalUser,
+  deleteGlobalUser,
+} = require("../../utilities/workerRequests")
+const { getFullUser } = require("../../utilities/users")
 
-exports.fetch = async function(ctx) {
-  const database = new CouchDB(ctx.user.appId)
-  const users = (
+exports.fetchMetadata = async function(ctx) {
+  const database = new CouchDB(ctx.appId)
+  const global = await getGlobalUsers(ctx, ctx.appId)
+  const metadata = (
     await database.allDocs(
-      getUserParams(null, {
+      getUserMetadataParams(null, {
         include_docs: true,
       })
     )
   ).rows.map(row => row.doc)
-  // user hashed password shouldn't ever be returned
-  for (let user of users) {
-    delete user.password
+  const users = []
+  for (let user of global) {
+    // find the metadata that matches up to the global ID
+    const info = metadata.find(meta => meta._id.includes(user._id))
+    // remove these props, not for the correct DB
+    users.push({
+      ...user,
+      ...info,
+      // make sure the ID is always a local ID, not a global one
+      _id: generateUserMetadataID(user._id),
+    })
   }
   ctx.body = users
 }
 
-exports.create = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
-  const { email, password, roleId } = ctx.request.body
+exports.createMetadata = async function(ctx) {
+  const appId = ctx.appId
+  const db = new CouchDB(appId)
+  const { roleId } = ctx.request.body
 
-  if (!email || !password) {
-    ctx.throw(400, "email and Password Required.")
+  if (ctx.request.body._id) {
+    return exports.updateMetadata(ctx)
   }
 
-  const role = await getRole(ctx.user.appId, roleId)
-
+  // check role valid
+  const role = await getRole(appId, roleId)
   if (!role) ctx.throw(400, "Invalid Role")
 
-  const hashedPassword = await bcrypt.hash(password)
+  const globalUser = await saveGlobalUser(ctx, appId, ctx.request.body)
+
   const user = {
-    ...ctx.request.body,
-    // these must all be after the object spread, make sure
-    // any values are overwritten, generateUserID will always
-    // generate the same ID for the user as it is not UUID based
-    _id: generateUserID(email),
+    ...globalUser,
+    _id: generateUserMetadataID(globalUser._id),
     type: "user",
-    password: hashedPassword,
-    tableId: ViewNames.USERS,
-  }
-  // add the active status to a user if its not provided
-  if (user.status == null) {
-    user.status = UserStatus.ACTIVE
+    tableId: InternalTables.USER_METADATA,
   }
 
-  try {
-    const response = await db.post(user)
-    ctx.status = 200
-    ctx.message = "User created successfully."
-    ctx.userId = response.id
-    ctx.body = {
-      _rev: response.rev,
-      email,
-    }
-  } catch (err) {
-    if (err.status === 409) {
-      ctx.throw(400, "User exists already")
-    } else {
-      ctx.throw(err.status, err)
-    }
+  const response = await db.post(user)
+  // for automations to make it obvious was successful
+  ctx.status = 200
+  ctx.body = {
+    _id: response.id,
+    _rev: response.rev,
+    email: ctx.request.body.email,
   }
 }
 
-exports.update = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
-  const user = ctx.request.body
-  let dbUser
-  if (user.email && !user._id) {
-    user._id = generateUserID(user.email)
-  }
-  // get user incase password removed
-  if (user._id) {
-    dbUser = await db.get(user._id)
-  }
-  if (user.password) {
-    user.password = await bcrypt.hash(user.password)
-  } else {
-    delete user.password
-  }
+exports.updateSelfMetadata = async function(ctx) {
+  // overwrite the ID with current users
+  ctx.request.body._id = ctx.user._id
+  // make sure no stale rev
+  delete ctx.request.body._rev
+  await exports.updateMetadata(ctx)
+}
 
-  const response = await db.put({
-    password: dbUser.password,
+exports.updateMetadata = async function(ctx) {
+  const appId = ctx.appId
+  const db = new CouchDB(appId)
+  const user = ctx.request.body
+  const globalUser = await saveGlobalUser(ctx, appId, {
     ...user,
+    _id: getGlobalIDFromUserMetadataID(user._id),
   })
-  user._rev = response.rev
-
-  ctx.status = 200
-  ctx.body = response
+  const metadata = {
+    ...globalUser,
+    _id: user._id || generateUserMetadataID(globalUser._id),
+    _rev: user._rev,
+  }
+  ctx.body = await db.put(metadata)
 }
 
-exports.destroy = async function(ctx) {
-  const database = new CouchDB(ctx.user.appId)
-  await database.destroy(generateUserID(ctx.params.email))
+exports.destroyMetadata = async function(ctx) {
+  const db = new CouchDB(ctx.appId)
+  await deleteGlobalUser(ctx, getGlobalIDFromUserMetadataID(ctx.params.id))
+  try {
+    const dbUser = await db.get(ctx.params.id)
+    await db.remove(dbUser._id, dbUser._rev)
+  } catch (err) {
+    // error just means the global user has no config in this app
+  }
   ctx.body = {
-    message: `User ${ctx.params.email} deleted.`,
+    message: `User ${ctx.params.id} deleted.`,
   }
-  ctx.status = 200
 }
 
-exports.find = async function(ctx) {
-  const database = new CouchDB(ctx.user.appId)
-  let lookup = ctx.params.email
-    ? generateUserID(ctx.params.email)
-    : ctx.params.userId
-  const user = await database.get(lookup)
-  if (user) {
-    delete user.password
-  }
-  ctx.body = user
+exports.findMetadata = async function(ctx) {
+  ctx.body = await getFullUser(ctx, ctx.params.id)
 }

packages/server/src/api/controllers/view/index.js

@@ -7,7 +7,7 @@ const { ViewNames } = require("../../../db/utils")
 
 const controller = {
   fetch: async ctx => {
-    const db = new CouchDB(ctx.user.appId)
+    const db = new CouchDB(ctx.appId)
     const designDoc = await db.get("_design/database")
     const response = []
 
@@ -25,7 +25,7 @@ const controller = {
     ctx.body = response
   },
   save: async ctx => {
-    const db = new CouchDB(ctx.user.appId)
+    const db = new CouchDB(ctx.appId)
     const { originalName, ...viewToSave } = ctx.request.body
     const designDoc = await db.get("_design/database")
     const view = viewTemplate(viewToSave)
@@ -66,7 +66,7 @@ const controller = {
     }
   },
   destroy: async ctx => {
-    const db = new CouchDB(ctx.user.appId)
+    const db = new CouchDB(ctx.appId)
     const designDoc = await db.get("_design/database")
     const viewName = decodeURI(ctx.params.viewName)
     const view = designDoc.views[viewName]
@@ -81,7 +81,7 @@ const controller = {
     ctx.body = view
   },
   exportView: async ctx => {
-    const db = new CouchDB(ctx.user.appId)
+    const db = new CouchDB(ctx.appId)
     const designDoc = await db.get("_design/database")
     const viewName = decodeURI(ctx.query.view)
 

packages/server/src/api/controllers/webhook.js

@@ -22,7 +22,7 @@ exports.WebhookType = {
 }
 
 exports.fetch = async ctx => {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const response = await db.allDocs(
     getWebhookParams(null, {
       include_docs: true,
@@ -32,9 +32,9 @@ exports.fetch = async ctx => {
 }
 
 exports.save = async ctx => {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   const webhook = ctx.request.body
-  webhook.appId = ctx.user.appId
+  webhook.appId = ctx.appId
 
   // check that the webhook exists
   if (webhook._id) {
@@ -51,7 +51,7 @@ exports.save = async ctx => {
 }
 
 exports.destroy = async ctx => {
-  const db = new CouchDB(ctx.user.appId)
+  const db = new CouchDB(ctx.appId)
   ctx.body = await db.remove(ctx.params.id, ctx.params.rev)
 }
 

packages/server/src/api/index.js

@@ -1,22 +1,30 @@
 const Router = require("@koa/router")
-const authenticated = require("../middleware/authenticated")
+const { buildAuthMiddleware } = require("@budibase/auth").auth
+const currentApp = require("../middleware/currentapp")
 const compress = require("koa-compress")
 const zlib = require("zlib")
-const { mainRoutes, authRoutes, staticRoutes } = require("./routes")
+const { mainRoutes, staticRoutes } = require("./routes")
 const pkg = require("../../package.json")
 
 const router = new Router()
 const env = require("../environment")
 
+const NO_AUTH_ENDPOINTS = [
+  "/health",
+  "/version",
+  "webhooks/trigger",
+  "webhooks/schema",
+]
+
 router
   .use(
     compress({
       threshold: 2048,
       gzip: {
-        flush: zlib.Z_SYNC_FLUSH,
+        flush: zlib.constants.Z_SYNC_FLUSH,
       },
       deflate: {
-        flush: zlib.Z_SYNC_FLUSH,
+        flush: zlib.constants.Z_SYNC_FLUSH,
       },
       br: false,
     })
@@ -30,7 +38,8 @@ router
   })
   .use("/health", ctx => (ctx.status = 200))
   .use("/version", ctx => (ctx.body = pkg.version))
-  .use(authenticated)
+  .use(buildAuthMiddleware(NO_AUTH_ENDPOINTS))
+  .use(currentApp)
 
 // error handling middleware
 router.use(async (ctx, next) => {
@@ -51,9 +60,6 @@ router.use(async (ctx, next) => {
 
 router.get("/health", ctx => (ctx.status = 200))
 
-router.use(authRoutes.routes())
-router.use(authRoutes.allowedMethods())
-
 // authenticated routes
 for (let route of mainRoutes) {
   router.use(route.routes())

packages/server/src/api/routes/auth.js

@@ -1,14 +1,8 @@
 const Router = require("@koa/router")
 const controller = require("../controllers/auth")
-const authorized = require("../../middleware/authorized")
-const { BUILDER } = require("../../utilities/security/permissions")
 
 const router = Router()
 
-router.post("/api/authenticate", controller.authenticate)
-// TODO: this is a hack simply to make sure builder has a cookie until auth reworked
-router.post("/api/builder/login", authorized(BUILDER), controller.builderLogin)
-// doesn't need authorization as can only fetch info about self
 router.get("/api/self", controller.fetchSelf)
 
 module.exports = router

packages/server/src/api/routes/dev.js

@@ -0,0 +1,14 @@
+const Router = require("@koa/router")
+const controller = require("../controllers/dev")
+const env = require("../../environment")
+
+const router = Router()
+
+if (env.isDev() || env.isTest()) {
+  router
+    .get("/api/admin/:devPath(.*)", controller.redirectGet)
+    .post("/api/admin/:devPath(.*)", controller.redirectPost)
+    .delete("/api/admin/:devPath(.*)", controller.redirectDelete)
+}
+
+module.exports = router

packages/server/src/api/routes/index.js

@@ -22,8 +22,10 @@ const datasourceRoutes = require("./datasource")
 const queryRoutes = require("./query")
 const hostingRoutes = require("./hosting")
 const backupRoutes = require("./backup")
+const devRoutes = require("./dev")
 
 exports.mainRoutes = [
+  authRoutes,
   deployRoutes,
   layoutRoutes,
   screenRoutes,
@@ -44,11 +46,11 @@ exports.mainRoutes = [
   queryRoutes,
   hostingRoutes,
   backupRoutes,
+  devRoutes,
   // these need to be handled last as they still use /api/:tableId
   // this could be breaking as koa may recognise other routes as this
   tableRoutes,
   rowRoutes,
 ]
 
-exports.authRoutes = authRoutes
 exports.staticRoutes = staticRoutes

packages/server/src/api/routes/tests/auth.spec.js

@@ -1,4 +1,19 @@
 const setup = require("./utilities")
+const { generateUserMetadataID } = require("../../../db/utils")
+
+require("../../../utilities/workerRequests")
+jest.mock("../../../utilities/workerRequests", () => ({
+  getGlobalUsers: jest.fn(() => {
+    return {
+      _id: "us_uuid1",
+    }
+  }),
+  saveGlobalUser: jest.fn(() => {
+    return {
+      _id: "us_uuid1",
+    }
+  }),
+}))
 
 describe("/authenticate", () => {
   let request = setup.getRequest()
@@ -10,96 +25,16 @@ describe("/authenticate", () => {
     await config.init()
   })
 
-  describe("authenticate", () => {
-    it("should be able to create a layout", async () => {
-      await config.createUser("test@test.com", "p4ssw0rd")
-      const res = await request
-        .post(`/api/authenticate`)
-        .send({
-          email: "test@test.com",
-          password: "p4ssw0rd",
-        })
-        .set(config.publicHeaders())
-        .expect("Content-Type", /json/)
-        .expect(200)
-      expect(res.body.token).toBeDefined()
-      expect(res.body.email).toEqual("test@test.com")
-      expect(res.body.password).toBeUndefined()
-    })
-
-    it("should error if no app specified", async () => {
-      await request
-        .post(`/api/authenticate`)
-        .expect(400)
-    })
-
-    it("should error if no email specified", async () => {
-      await request
-        .post(`/api/authenticate`)
-        .send({
-          password: "test",
-        })
-        .set(config.publicHeaders())
-        .expect(400)
-    })
-
-    it("should error if no password specified", async () => {
-      await request
-        .post(`/api/authenticate`)
-        .send({
-          email: "test",
-        })
-        .set(config.publicHeaders())
-        .expect(400)
-    })
-
-    it("should error if invalid user specified", async () => {
-      await request
-        .post(`/api/authenticate`)
-        .send({
-          email: "test",
-          password: "test",
-        })
-        .set(config.publicHeaders())
-        .expect(401)
-    })
-
-    it("should throw same error if wrong password specified", async () => {
-      await config.createUser("test@test.com", "password")
-      await request
-        .post(`/api/authenticate`)
-        .send({
-          email: "test@test.com",
-          password: "test",
-        })
-        .set(config.publicHeaders())
-        .expect(401)
-    })
-
-    it("should throw an error for inactive users", async () => {
-      await config.createUser("test@test.com", "password")
-      await config.makeUserInactive("test@test.com")
-      await request
-        .post(`/api/authenticate`)
-        .send({
-          email: "test@test.com",
-          password: "password",
-        })
-        .set(config.publicHeaders())
-        .expect(401)
-    })
-  })
-
   describe("fetch self", () => {
-    it("should be able to delete the layout", async () => {
-      await config.createUser("test@test.com", "p4ssw0rd")
-      const headers = await config.login("test@test.com", "p4ssw0rd")
+    it("should be able to fetch self", async () => {
+      const user = await config.createUser("test@test.com", "p4ssw0rd")
+      const headers = await config.login("test@test.com", "p4ssw0rd", { userId: "us_uuid1" })
       const res = await request
         .get(`/api/self`)
         .set(headers)
         .expect("Content-Type", /json/)
         .expect(200)
-      expect(res.body.email).toEqual("test@test.com")
+      expect(res.body._id).toEqual(generateUserMetadataID("us_uuid1"))
     })
   })
 })

packages/server/src/api/routes/tests/misc.spec.js

@@ -41,10 +41,12 @@ describe("run misc tests", () => {
       const dataImport = {
         csvString: "a,b,c,d\n1,2,3,4"
       }
-      await tableUtils.handleDataImport({
-        appId: config.getAppId(),
-        userId: "test",
-      }, table, dataImport)
+      await tableUtils.handleDataImport(
+        config.getAppId(),
+        { userId: "test" },
+        table,
+        dataImport
+      )
       const rows = await config.getRows()
       expect(rows[0].a).toEqual("1")
       expect(rows[0].b).toEqual("2")

packages/server/src/api/routes/tests/query.spec.js

@@ -93,7 +93,7 @@ describe("/queries", () => {
         const query = await config.createQuery()
         const res = await request
           .get(`/api/queries/${query._id}`)
-          .set(await config.roleHeaders())
+          .set(await config.roleHeaders({}))
           .expect("Content-Type", /json/)
           .expect(200)
         expect(res.body.fields).toBeUndefined()

packages/server/src/api/routes/tests/routing.spec.js

@@ -2,6 +2,7 @@ const setup = require("./utilities")
 const { basicScreen } = setup.structures
 const { checkBuilderEndpoint } = require("./utilities/TestFunctions")
 const { BUILTIN_ROLE_IDS } = require("../../../utilities/security/roles")
+const workerRequests = require("../../../utilities/workerRequests")
 
 const route = "/test"
 
@@ -25,9 +26,20 @@ describe("/routing", () => {
 
   describe("fetch", () => {
     it("returns the correct routing for basic user", async () => {
+      workerRequests.getGlobalUsers.mockImplementationOnce((ctx, appId) => {
+        return {
+          roles: {
+            [appId]: BUILTIN_ROLE_IDS.BASIC,
+          }
+        }
+      })
       const res = await request
         .get(`/api/routing/client`)
-        .set(await config.roleHeaders("basic@test.com", BUILTIN_ROLE_IDS.BASIC))
+        .set(await config.roleHeaders({
+          email: "basic@test.com",
+          roleId: BUILTIN_ROLE_IDS.BASIC,
+          builder: false
+        }))
         .expect("Content-Type", /json/)
         .expect(200)
       expect(res.body.routes).toBeDefined()
@@ -42,9 +54,20 @@ describe("/routing", () => {
     })
 
     it("returns the correct routing for power user", async () => {
+      workerRequests.getGlobalUsers.mockImplementationOnce((ctx, appId) => {
+        return {
+          roles: {
+            [appId]: BUILTIN_ROLE_IDS.POWER,
+          }
+        }
+      })
       const res = await request
         .get(`/api/routing/client`)
-        .set(await config.roleHeaders("basic@test.com", BUILTIN_ROLE_IDS.POWER))
+        .set(await config.roleHeaders({
+          email: "basic@test.com",
+          roleId: BUILTIN_ROLE_IDS.POWER,
+          builder: false,
+        }))
         .expect("Content-Type", /json/)
         .expect(200)
       expect(res.body.routes).toBeDefined()

packages/server/src/api/routes/tests/user.spec.js

@@ -2,6 +2,20 @@ const { BUILTIN_ROLE_IDS } = require("../../../utilities/security/roles")
 const { checkPermissionsEndpoint } = require("./utilities/TestFunctions")
 const setup = require("./utilities")
 const { basicUser } = setup.structures
+const workerRequests = require("../../../utilities/workerRequests")
+
+jest.mock("../../../utilities/workerRequests", () => ({
+  getGlobalUsers: jest.fn(() => {
+    return {}
+  }),
+  saveGlobalUser: jest.fn(() => {
+    const uuid = require("uuid/v4")
+    return {
+      _id: `us_${uuid()}`
+    }
+  }),
+  deleteGlobalUser: jest.fn(),
+}))
 
 describe("/users", () => {
   let request = setup.getRequest()
@@ -14,18 +28,30 @@ describe("/users", () => {
   })
 
   describe("fetch", () => {
+    beforeEach(() => {
+      workerRequests.getGlobalUsers.mockImplementationOnce(() => ([
+          {
+            _id: "us_uuid1",
+          },
+          {
+            _id: "us_uuid2",
+          }
+        ]
+      ))
+    })
+
     it("returns a list of users from an instance db", async () => {
       await config.createUser("brenda@brenda.com", "brendas_password")
       await config.createUser("pam@pam.com", "pam_password")
       const res = await request
-        .get(`/api/users`)
+        .get(`/api/users/metadata`)
         .set(config.defaultHeaders())
         .expect("Content-Type", /json/)
         .expect(200)
 
       expect(res.body.length).toBe(2)
-      expect(res.body.find(u => u.email === "brenda@brenda.com")).toBeDefined()
-      expect(res.body.find(u => u.email === "pam@pam.com")).toBeDefined()
+      expect(res.body.find(u => u._id === `ro_ta_users_us_uuid1`)).toBeDefined()
+      expect(res.body.find(u => u._id === `ro_ta_users_us_uuid2`)).toBeDefined()
     })
 
     it("should apply authorization to endpoint", async () => {
@@ -34,7 +60,7 @@ describe("/users", () => {
         config,
         request,
         method: "GET",
-        url: `/api/users`,
+        url: `/api/users/metadata`,
         passRole: BUILTIN_ROLE_IDS.ADMIN,
         failRole: BUILTIN_ROLE_IDS.PUBLIC,
       })
@@ -42,9 +68,21 @@ describe("/users", () => {
   })
 
   describe("create", () => {
+    beforeEach(() => {
+      workerRequests.getGlobalUsers.mockImplementationOnce(() => ([
+          {
+            _id: "us_uuid1",
+          },
+          {
+            _id: "us_uuid2",
+          }
+        ]
+      ))
+    })
+
     async function create(user, status = 200) {
       return request
-        .post(`/api/users`)
+        .post(`/api/users/metadata`)
         .set(config.defaultHeaders())
         .send(user)
         .expect(status)
@@ -53,51 +91,42 @@ describe("/users", () => {
 
     it("returns a success message when a user is successfully created", async () => {
       const body = basicUser(BUILTIN_ROLE_IDS.POWER)
-      body.email = "bill@budibase.com"
       const res = await create(body)
 
-      expect(res.res.statusMessage).toEqual("User created successfully.")
-      expect(res.body._id).toBeUndefined()
+      expect(res.res.statusMessage).toEqual("OK")
+      expect(res.body._id).toBeDefined()
     })
 
     it("should apply authorization to endpoint", async () => {
       const body = basicUser(BUILTIN_ROLE_IDS.POWER)
-      body.email = "brandNewUser@user.com"
       await checkPermissionsEndpoint({
         config,
         method: "POST",
         body,
-        url: `/api/users`,
+        url: `/api/users/metadata`,
         passRole: BUILTIN_ROLE_IDS.ADMIN,
         failRole: BUILTIN_ROLE_IDS.PUBLIC,
       })
     })
-
-    it("should error if no email provided", async () => {
-      const user = basicUser(BUILTIN_ROLE_IDS.POWER)
-      delete user.email
-      await create(user, 400)
-    })
-
+    
     it("should error if no role provided", async () => {
       const user = basicUser(null)
       await create(user, 400)
     })
-
-    it("should throw error if user exists already", async () => {
-      await config.createUser("test@test.com")
-      const user = basicUser(BUILTIN_ROLE_IDS.POWER)
-      user.email = "test@test.com"
-      await create(user, 400)
-    })
   })
 
   describe("update", () => {
+    beforeEach(() => {
+      workerRequests.saveGlobalUser.mockImplementationOnce(() => ({
+        _id: "us_test@test.com"
+      }))
+    })
+
     it("should be able to update the user", async () => {
       const user = await config.createUser()
       user.roleId = BUILTIN_ROLE_IDS.BASIC
       const res = await request
-        .put(`/api/users`)
+        .put(`/api/users/metadata`)
         .set(config.defaultHeaders())
         .send(user)
         .expect(200)
@@ -108,27 +137,37 @@ describe("/users", () => {
 
   describe("destroy", () => {
     it("should be able to delete the user", async () => {
-      const email = "test@test.com"
-      await config.createUser(email)
+      const user = await config.createUser()
       const res = await request
-        .delete(`/api/users/${email}`)
+        .delete(`/api/users/metadata/${user._id}`)
         .set(config.defaultHeaders())
         .expect(200)
         .expect("Content-Type", /json/)
       expect(res.body.message).toBeDefined()
+      expect(workerRequests.deleteGlobalUser).toHaveBeenCalled()
     })
   })
 
   describe("find", () => {
+    beforeEach(() => {
+      jest.resetAllMocks()
+      workerRequests.saveGlobalUser.mockImplementationOnce(() => ({
+        _id: "us_uuid1",
+      }))
+      workerRequests.getGlobalUsers.mockImplementationOnce(() => ({
+        _id: "us_uuid1",
+        roleId: BUILTIN_ROLE_IDS.POWER,
+      }))
+    })
+
     it("should be able to find the user", async () => {
-      const email = "test@test.com"
-      await config.createUser(email)
+      const user = await config.createUser()
       const res = await request
-        .get(`/api/users/${email}`)
+        .get(`/api/users/metadata/${user._id}`)
         .set(config.defaultHeaders())
         .expect(200)
         .expect("Content-Type", /json/)
-      expect(res.body.email).toEqual(email)
+      expect(res.body._id).toEqual(user._id)
       expect(res.body.roleId).toEqual(BUILTIN_ROLE_IDS.POWER)
       expect(res.body.tableId).toBeDefined()
     })

packages/server/src/api/routes/tests/utilities/TestFunctions.js

@@ -3,7 +3,7 @@ const appController = require("../../../controllers/application")
 const CouchDB = require("../../../../db")
 
 function Request(appId, params) {
-  this.user = { appId }
+  this.appId = appId
   this.params = params
 }
 
@@ -46,7 +46,10 @@ exports.createRequest = (request, method, url, body) => {
 }
 
 exports.checkBuilderEndpoint = async ({ config, method, url, body }) => {
-  const headers = await config.login()
+  const headers = await config.login("test@test.com", "test", {
+    userId: "us_fail",
+    builder: false,
+  })
   await exports
     .createRequest(config.request, method, url, body)
     .set(headers)
@@ -62,16 +65,22 @@ exports.checkPermissionsEndpoint = async ({
   failRole,
 }) => {
   const password = "PASSWORD"
-  await config.createUser("passUser@budibase.com", password, passRole)
-  const passHeader = await config.login("passUser@budibase.com", password)
+  let user = await config.createUser("pass@budibase.com", password, passRole)
+  const passHeader = await config.login("pass@budibase.com", password, {
+    roleId: passRole,
+    userId: user.globalId,
+  })
 
   await exports
     .createRequest(config.request, method, url, body)
     .set(passHeader)
     .expect(200)
 
-  await config.createUser("failUser@budibase.com", password, failRole)
-  const failHeader = await config.login("failUser@budibase.com", password)
+  user = await config.createUser("fail@budibase.com", password, failRole)
+  const failHeader = await config.login("fail@budibase.com", password, {
+    roleId: failRole,
+    userId: user.globalId,
+  })
 
   await exports
     .createRequest(config.request, method, url, body)

packages/server/src/api/routes/tests/utilities/index.js

@@ -2,6 +2,15 @@ const TestConfig = require("../../../../tests/utilities/TestConfiguration")
 const structures = require("../../../../tests/utilities/structures")
 const env = require("../../../../environment")
 
+jest.mock("../../../../utilities/workerRequests", () => ({
+  getGlobalUsers: jest.fn(),
+  saveGlobalUser: jest.fn(() => {
+    return {
+      _id: "us_uuid1",
+    }
+  }),
+}))
+
 exports.delay = ms => new Promise(resolve => setTimeout(resolve, ms))
 
 let request, config

packages/server/src/api/routes/tests/webhook.spec.js

@@ -108,14 +108,6 @@ describe("/webhooks", () => {
         type: "object",
       })
     })
-
-    it("should apply authorization to endpoint", async () => {
-      await checkBuilderEndpoint({
-        config,
-        method: "POST",
-        url: `/api/webhooks/schema/${config.getAppId()}/${webhook._id}`,
-      })
-    })
   })
 
   describe("trigger", () => {

packages/server/src/api/routes/user.js

@@ -11,31 +11,37 @@ const router = Router()
 
 router
   .get(
-    "/api/users",
+    "/api/users/metadata",
     authorized(PermissionTypes.USER, PermissionLevels.READ),
-    controller.fetch
+    controller.fetchMetadata
   )
   .get(
-    "/api/users/:email",
+    "/api/users/metadata/:id",
     authorized(PermissionTypes.USER, PermissionLevels.READ),
-    controller.find
+    controller.findMetadata
   )
   .put(
-    "/api/users",
+    "/api/users/metadata",
     authorized(PermissionTypes.USER, PermissionLevels.WRITE),
-    controller.update
+    controller.updateMetadata
   )
   .post(
-    "/api/users",
+    "/api/users/metadata",
     authorized(PermissionTypes.USER, PermissionLevels.WRITE),
     usage,
-    controller.create
+    controller.createMetadata
+  )
+  .post(
+    "/api/users/metadata/self",
+    authorized(PermissionTypes.USER, PermissionLevels.WRITE),
+    usage,
+    controller.updateSelfMetadata
   )
   .delete(
-    "/api/users/:email",
+    "/api/users/metadata/:id",
     authorized(PermissionTypes.USER, PermissionLevels.WRITE),
     usage,
-    controller.destroy
+    controller.destroyMetadata
   )
 
 module.exports = router

packages/server/src/app.js

@@ -1,3 +1,7 @@
+// need to load environment first
+const env = require("./environment")
+const CouchDB = require("./db")
+require("@budibase/auth").init(CouchDB)
 const Koa = require("koa")
 const destroyable = require("server-destroy")
 const electron = require("electron")
@@ -5,7 +9,6 @@ const koaBody = require("koa-body")
 const logger = require("koa-pino-logger")
 const http = require("http")
 const api = require("./api")
-const env = require("./environment")
 const eventEmitter = require("./events")
 const automations = require("./automations/index")
 const Sentry = require("@sentry/node")

packages/server/src/automations/steps/createRow.js

@@ -75,7 +75,7 @@ module.exports.run = async function({ inputs, appId, apiKey, emitter }) {
     request: {
       body: inputs.row,
     },
-    user: { appId },
+    appId,
     eventEmitter: emitter,
   }