Fix cross tenant apps with session

4 years ago · cb6103a321
11 changed files with 725 additions and 2555 deletions
--- a/hosting/nginx.dev.conf.hbs
+++ b/hosting/nginx.dev.conf.hbs
@ -52,9 +52,8 @@ http {
      proxy_pass      http://{{ address }}:4001;
    }

-    location /app/ {
+    location /app {
      proxy_pass      http://{{ address }}:4001;
-      rewrite ^/app/(.*)$ /$1 break;
    }

    location /builder {
--- a/hosting/nginx.prod.conf.hbs
+++ b/hosting/nginx.prod.conf.hbs
@ -62,7 +62,6 @@ http {

    location /app {
      proxy_pass      http://$apps:4002;
-      rewrite ^/app/(.*)$ /$1 break;
    }

    location = / {
--- a/packages/backend-core/src/utils.js
+++ b/packages/backend-core/src/utils.js
@ -3,6 +3,7 @@ const {
  SEPARATOR,
  ViewNames,
  generateGlobalUserID,
+  getAllApps,
 } = require("./db/utils")
 const jwt = require("jsonwebtoken")
 const { options } = require("./middleware/passport/jwt")
@ -20,8 +21,10 @@ const { hash } = require("./hashing")
 const userCache = require("./cache/user")
 const env = require("./environment")
 const { getUserSessions, invalidateSessions } = require("./security/sessions")
+const tenancy = require("./tenancy")

 const APP_PREFIX = DocumentTypes.APP + SEPARATOR
+const PROD_APP_PREFIX = "/app/"

 function confirmAppId(possibleAppId) {
  return possibleAppId && possibleAppId.startsWith(APP_PREFIX)
@ -29,16 +32,35 @@ function confirmAppId(possibleAppId) {
    : undefined
 }

+async function resolveAppUrl(ctx) {
+  const appUrl = ctx.path.split("/")[2]
+  let possibleAppUrl = `/${appUrl.toLowerCase()}`
+
+  let tenantId = tenancy.getTenantId()
+  if (!env.SELF_HOSTED && ctx.subdomains.length) {
+    // always use the tenant id from the url in cloud
+    tenantId = ctx.subdomains[0]
+  }
+
+  // search prod apps for a url that matches
+  const apps = await tenancy.doInTenant(tenantId, () =>
+    getAllApps({ dev: false })
+  )
+  const app = apps.filter(
+    a => a.url && a.url.toLowerCase() === possibleAppUrl
+  )[0]
+
+  return app && app.appId ? app.appId : undefined
+}
+
 /**
 * Given a request tries to find the appId, which can be located in various places
 * @param {object} ctx The main request body to look through.
 * @returns {string|undefined} If an appId was found it will be returned.
 */
-exports.getAppId = ctx => {
-  const options = [ctx.headers[Headers.APP_ID], ctx.params.appId]
-  if (ctx.subdomains) {
-    options.push(ctx.subdomains[1])
-  }
+exports.getAppIdFromCtx = async ctx => {
+  // look in headers
+  const options = [ctx.headers[Headers.APP_ID]]
  let appId
  for (let option of options) {
    appId = confirmAppId(option)
@ -47,16 +69,24 @@ exports.getAppId = ctx => {
    }
  }

-  // look in body if can't find it in subdomain
+  // look in body
  if (!appId && ctx.request.body && ctx.request.body.appId) {
    appId = confirmAppId(ctx.request.body.appId)
  }
+
+  // look in the url - dev app
  let appPath =
    ctx.request.headers.referrer ||
    ctx.path.split("/").filter(subPath => subPath.startsWith(APP_PREFIX))
-  if (!appId && appPath.length !== 0) {
+  if (!appId && appPath.length) {
    appId = confirmAppId(appPath[0])
  }
+
+  // look in the url - prod app
+  if (!appId && ctx.path.startsWith(PROD_APP_PREFIX)) {
+    appId = confirmAppId(await resolveAppUrl(ctx))
+  }
+
  return appId
 }

--- a/packages/client/stats.html
+++ b/packages/client/stats.html
--- a/packages/server/src/api/controllers/static/index.js
+++ b/packages/server/src/api/controllers/static/index.js
@ -5,7 +5,6 @@ const { resolve, join } = require("../../../utilities/centralPath")
 const uuid = require("uuid")
 const { ObjectStoreBuckets } = require("../../../constants")
 const { processString } = require("@budibase/string-templates")
-const { getAllApps } = require("@budibase/backend-core/db")
 const {
  loadHandlebarsFile,
  NODE_MODULES_PATH,
@ -16,7 +15,7 @@ const { clientLibraryPath } = require("../../../utilities")
 const { upload } = require("../../../utilities/fileSystem")
 const { attachmentsRelativeURL } = require("../../../utilities")
 const { DocumentTypes } = require("../../../db/utils")
-const { getAppDB, updateAppId } = require("@budibase/backend-core/context")
+const { getAppDB, getAppId } = require("@budibase/backend-core/context")
 const AWS = require("aws-sdk")
 const AWS_REGION = env.AWS_REGION ? env.AWS_REGION : "eu-west-1"

@ -39,21 +38,6 @@ async function prepareUpload({ s3Key, bucket, metadata, file }) {
  }
 }

-async function getAppIdFromUrl(ctx) {
-  // the "appId" component of the URL can be the id or the custom url
-  let possibleAppUrl = `/${encodeURI(ctx.params.appId).toLowerCase()}`
-
-  // search prod apps for a url that matches, exclude dev where id is always used
-  const apps = await getAllApps({ dev: false })
-  const app = apps.filter(
-    a => a.url && a.url.toLowerCase() === possibleAppUrl
-  )[0]
-
-  const appId = app && app.appId ? app.appId : ctx.params.appId
-  updateAppId(appId)
-  return appId
-}
-
 exports.serveBuilder = async function (ctx) {
  let builderPath = resolve(TOP_LEVEL_PATH, "builder")
  await send(ctx, ctx.file, { root: builderPath })
@ -81,10 +65,10 @@ exports.uploadFile = async function (ctx) {
 }

 exports.serveApp = async function (ctx) {
-  let appId = await getAppIdFromUrl(ctx)
  const App = require("./templates/BudibaseApp.svelte").default
  const db = getAppDB({ skip_setup: true })
  const appInfo = await db.get(DocumentTypes.APP_METADATA)
+  let appId = getAppId()

  const { head, html, css } = App.render({
    title: appInfo.name,
--- a/packages/server/src/api/routes/static.js
+++ b/packages/server/src/api/routes/static.js
@ -44,8 +44,7 @@ router
    authorized(PermissionTypes.TABLE, PermissionLevels.WRITE),
    controller.uploadFile
  )
-  // TODO: this likely needs to be secured in some way
-  .get("/:appId/:path*", controller.serveApp)
+  .get("/app/:appUrl/:path*", controller.serveApp)
  .post(
    "/api/attachments/:datasourceId/url",
    authorized(PermissionTypes.TABLE, PermissionLevels.READ),
--- a/packages/server/src/definitions/openapi.ts
+++ b/packages/server/src/definitions/openapi.ts
--- a/packages/server/src/middleware/currentapp.js
+++ b/packages/server/src/middleware/currentapp.js
@ -1,5 +1,5 @@
 const {
-  getAppId,
+  getAppIdFromCtx,
  setCookie,
  getCookie,
  clearCookie,
@ -17,7 +17,7 @@ const { doInAppContext } = require("@budibase/backend-core/context")

 module.exports = async (ctx, next) => {
  // try to get the appID from the request
-  let requestAppId = getAppId(ctx)
+  let requestAppId = await getAppIdFromCtx(ctx)
  // get app cookie if it exists
  let appCookie = null
  try {
--- a/packages/server/src/middleware/publicApi.js
+++ b/packages/server/src/middleware/publicApi.js
@ -1,9 +1,9 @@
 const { Headers } = require("@budibase/backend-core/constants")
-const { getAppId } = require("@budibase/backend-core/utils")
+const { getAppIdFromCtx } = require("@budibase/backend-core/utils")

 module.exports = function ({ requiresAppId } = {}) {
  return async (ctx, next) => {
-    const appId = getAppId(ctx)
+    const appId = await getAppIdFromCtx(ctx)
    if (requiresAppId && !appId) {
      ctx.throw(
        400,
--- a/packages/server/yarn.lock
+++ b/packages/server/yarn.lock
--- a/packages/worker/yarn.lock
+++ b/packages/worker/yarn.lock