Adding the invite user flow to invite a new user into the organization.
This includes multiple APIs:
1. Invite user which creates an invite token for the user and then sends it to the new user via email. This token is valid for 1 hour (for now).
2. An endpoint to verify the invite token so that the client can pre-emptively show any errors or expired token messages. This endpoint is publicly accessible and doesn't require a session.
3. An endpoint for the new user to sign up and set their password by providing their invite token. This endpoint is publicly accessible and doesn't require a session.
Also extending the redis session timeout to 1 day instead of 30 mins.
See merge request theappsmith/internal-tools-server!125
Handling duplicate email in forgotPassword flow.
Now if the user requests for the reset password token multiple times, we will override the previous token and save the new token against that user.
See merge request theappsmith/internal-tools-server!122
Correcting the HTTP methods in SecurityConfig and acl.rego to fix bug in forgotPassword and resetPassword authorization.
See merge request theappsmith/internal-tools-server!121
Adding a flag to determine if we should send emails for that particular environment
This is to prevent us from sending erroneous emails from our dev/test environments
See merge request theappsmith/internal-tools-server!120
Removing the logic to bind actions to pages when a dynamic binding happens.
This is because when an action is created, it is already bound to that page. This assumption will not change. Also, adding the pageId when searching for an action because the action name and pageId is a unique index. There may be actions with similar names across multiple pages.
See merge request theappsmith/internal-tools-server!119
This is because when an action is created, it is already bound to that page. This assumption will not change. Also, adding the pageId when searching for an action because the action name and pageId is a unique index. There may be actions with similar names across multiple pages.
OPA controls access to all endpoints and the list of authenticated resources and public URLs is defined in a single place in that file.
The url_allow function in acl.rego is an overloaded function that replicates the OR condition in Rego. Either the user is authenticated and has permissions to access those resources, or the URL is public and accessible by any user.
Now, we have an authenticationSuccessHandler & authenticationFailureHandler for OAuth & Form sign ups. This makes the whole flow much easier to handle.
Also redirecting the browser to this user profile endpoint on username password login success. This ensures that the client fetches the profile along with setting the session ID cookie in the browser
This involves overriding the default success and failure handlers for login in the SecurityConfig class. The handlers are defined in the filters package.
The default groups for an organization are created by copying over data from the groups collection with the organizationId 'default-org'. This ensures that we can update the permissions in the DB and add new permissions without any code changes. The new user is then assigned to these groups so that they have all the permissions required to administer the organization.
Also adding a display name for the groups so that the UI can show a different name than the one used internally within the DB to represent the group.
Checking if the name of the user is not null. Only then inserting it that field into analytics service.
See merge request theappsmith/internal-tools-server!97
Adding the base uri for google oauth2 redirect uri
This is required because when we host the server in a docker container, by default the baseUri picked up by Spring security is the DNS name of the appsmith server inside the docker networking bridge. These names may not be valid DNS names that Google can redirect to in the event of a successful Oauth2 login. Hence, we are overriding the base uri with our own uri for each environment.
The customer will have to provide this uri when they host it on their internal networks. This uri must be publicly accessible for Oauth2 to work.
See merge request theappsmith/internal-tools-server!90
This is required because when we host the server in a docker container, by default the baseUri picked up by Spring security is the DNS name of the appsmith server inside the docker networking bridge. These names may not be valid DNS names that Google can redirect to in the event of a successful Oauth2 login. Hence, we are overriding the base uri with our own uri for each environment.
The customer will have to provide this uri when they host it on their internal networks. This uri must be publicly accessible for Oauth2 to work.
Instead of sending complete application information, we now only send the boolean true or false value to indicate to the client the success or failure of the publish action
This is to ensure that the Action object is independent by itself and the client can derive the mustache keys by looking at the action object directly.
When we shut down the server, the redis subscription is not closed cleanly leading to the server to hang. Adding an error handler solves for this issue.
Note that we have to delete the Mongo volume for the inidtb script to take effect. Else, it will not execute. To be used only for testing right now. Will figure out a more robust solution later.
Also using Google's JIB Maven plugin to reduce our Docker image footprint. Will make container upload and download much faster
Open Policy Agent requires a bundle in the form of tar.gz in order to bootstrap itself with base policy and data. The server will serve this policy under the public domain. In the future, we will enable a Basic Authentication scheme in order to lock down this pocliy.
Currently, ACLFilter communicates with the OPA daemon to determine if the request should be validated or not based on the resource and permissions in user and group
This also fixes the logic for multiple ResponseDTOs that were being sent when the service level response was a Flux. Now we only return a single array inside a Mono ResponseDTO object.
We are moving to a multi-module structure so that different parts of the codebase can be exposed to the public while others can remain private. Using pf4j for plugin framework.
Also adding a build script `build.sh` which compiles the code and creates the `dist` folder for distribution purposes. Now we can build the code via
```
$ ./build.sh -DskipTests
```
