Adding the invite user flow to invite a new user into the organization.
This includes multiple APIs:
1. Invite user which creates an invite token for the user and then sends it to the new user via email. This token is valid for 1 hour (for now).
2. An endpoint to verify the invite token so that the client can pre-emptively show any errors or expired token messages. This endpoint is publicly accessible and doesn't require a session.
3. An endpoint for the new user to sign up and set their password by providing their invite token. This endpoint is publicly accessible and doesn't require a session.
Also extending the redis session timeout to 1 day instead of 30 mins.
See merge request theappsmith/internal-tools-server!125
On user signup install the default plugins in the user's personal organization
When a user signs up, a personal organization is created for that user. There are a bunch of plugins marked in the DB as with field `defaultInstall` as true. These plugins must be installed for the new organization. This ensures that the user is able to run basic actions such as executing an API, DB query etc.
Also, adding a condition in the `getPlugins` API to return only the plugins installed by the user's organization.
See merge request theappsmith/internal-tools-server!124
Handling duplicate email in forgotPassword flow.
Now if the user requests for the reset password token multiple times, we will override the previous token and save the new token against that user.
See merge request theappsmith/internal-tools-server!122
Correcting the HTTP methods in SecurityConfig and acl.rego to fix bug in forgotPassword and resetPassword authorization.
See merge request theappsmith/internal-tools-server!121
Adding a flag to determine if we should send emails for that particular environment
This is to prevent us from sending erroneous emails from our dev/test environments
See merge request theappsmith/internal-tools-server!120
Removing the logic to bind actions to pages when a dynamic binding happens.
This is because when an action is created, it is already bound to that page. This assumption will not change. Also, adding the pageId when searching for an action because the action name and pageId is a unique index. There may be actions with similar names across multiple pages.
See merge request theappsmith/internal-tools-server!119
This is because when an action is created, it is already bound to that page. This assumption will not change. Also, adding the pageId when searching for an action because the action name and pageId is a unique index. There may be actions with similar names across multiple pages.
Creating a list of public endpoints that anonymous users can access.
OPA controls access to all endpoints and the list of authenticated resources and public URLs is defined in a single place in that file.
The url_allow function in acl.rego is an overloaded function that replicates the OR condition in Rego. Either the user is authenticated and has permissions to access those resources, or the URL is public and accessible by any user.
See merge request theappsmith/internal-tools-server!117
OPA controls access to all endpoints and the list of authenticated resources and public URLs is defined in a single place in that file.
The url_allow function in acl.rego is an overloaded function that replicates the OR condition in Rego. Either the user is authenticated and has permissions to access those resources, or the URL is public and accessible by any user.
Upgrading to Spring boot 2.2.2 for features in Spring security
Now, we have an authenticationSuccessHandler & authenticationFailureHandler for OAuth & Form sign ups. This makes the whole flow much cleaner & easier to handle.
See merge request theappsmith/internal-tools-server!115
Now, we have an authenticationSuccessHandler & authenticationFailureHandler for OAuth & Form sign ups. This makes the whole flow much easier to handle.
Adding endpoint to fetch current user's profile.
Also redirecting the browser to this user profile endpoint on username password login success. This ensures that the client fetches the profile along with setting the session ID cookie in the browser
See merge request theappsmith/internal-tools-server!113
Also redirecting the browser to this user profile endpoint on username password login success. This ensures that the client fetches the profile along with setting the session ID cookie in the browser
Redirect to the client's homepage on success of username password login
This has been done with the express purpose of ensuring that the session ID is set correctly in the browser by the client. This can only happen when there is a 302 redirect by the browser.
See merge request theappsmith/internal-tools-server!112
This involves overriding the default success and failure handlers for login in the SecurityConfig class. The handlers are defined in the filters package.
Fixed : Unbinding action from page during DSL update leads to unbinding of all actions.
Removed unbinding of actions from the page if not present in the DSL.
See merge request theappsmith/internal-tools-server!110
Moving the annotation @EnableMongoAuditing to the CommonConfig class because it wasn't being acknowledged by Spring
This now ensures that Spring JPA inserts the createdAt and updatedAt timestamps to the MongoDB along with the document itself.
See merge request theappsmith/internal-tools-server!109
Removes pageId from actions no longer in DSL in action collection
Removes pageId from actions no longer in DSL and adds pageIds for actions in DSL in actions collection.
All of these operations are now happening in bulk to improve performance
See merge request theappsmith/internal-tools-server!107
Assigning groups & permissions to new user signups
When a new user signs up, a new personal organization is created for that user. Default permission groups are created for this personal organization based on the database that contains this information in the `groups` collection with organization name `default-org`. These default groups should NEVER be deleted from the DB.
The user is then assigned to these default groups which allows him/her to administer their personal organization as org admins
would.
Also, the `User` domain object now returns the email ID as the username of the user.
See merge request theappsmith/internal-tools-server!108
The default groups for an organization are created by copying over data from the groups collection with the organizationId 'default-org'. This ensures that we can update the permissions in the DB and add new permissions without any code changes. The new user is then assigned to these groups so that they have all the permissions required to administer the organization.
Also adding a display name for the groups so that the UI can show a different name than the one used internally within the DB to represent the group.
Create personal workspace/organization on user create
Create user now also leads to creation of personal organization for the user. It also gets assigned as the default (current) workspace (or currentOrganizationId)
See merge request theappsmith/internal-tools-server!105
Published page has layout on load actions and layout load actions now.
LayoutOnLoadActions are now being copied to the published version. Now viewing the published page would give all three published datastructures : DSL, Layout Actions, and Layout Load Actions
See merge request theappsmith/internal-tools-server!104
Adding email sending capability when the user resets their password
At the moment, the email sending is sent in the same thread that slows down the API request. Future changes should include:
1. Publish the request to send an email to Redis and actually send the email on subscribe event.
2. Disable the email sending in local environments.
See merge request theappsmith/internal-tools-server!102
