Merge pull request appwrite#1479 from TorstenDittmann/release-0-9-4

prepare: release 0.9.4

Author: TorstenDittmann

.gitignore

@@ -6,4 +6,5 @@
 .DS_Store
 .php_cs.cache
 debug/
-app/sdks
+app/sdks
+dev/yasd_init.php

CHANGES.md

@@ -1,3 +1,31 @@
+# Version 0.9.4
+
+## Security
+
+- Fixed security vulnerability that exposes project ID's from other admin users (#1453)
+
+# Version 0.9.3
+
+## Bugs
+
+- Fixed Abuse Limit keys for JWT and E-Mail confirmation (#1434)
+
+# Version 0.9.2
+
+## Bugs
+
+- Fixed JWT session validation (#1408)
+- Fixed passing valid JWT session to Cloud Functions (#1421)
+- Fixed race condition when uploading and extracting bigger Cloud Functions (#1419)
+
+# Version 0.9.1
+
+## Bugs
+
+- Fixed PDO Connection timeout (#1385)
+- Removed unnecessary `app` resource and replace with `utopia` (#1384)
+- Fixed missing quote in Functions Worker logs (#1375)
+
 # Version 0.9.0
 
 ## Features

CONTRIBUTING.md

@@ -123,6 +123,10 @@ Learn more at our [Technology Stack](## Technology Stack) section.
 
 Appwrite's current structure is a combination of both [Monolithic](https://en.wikipedia.org/wiki/Monolithic_application) and [Microservice](https://en.wikipedia.org/wiki/Microservices) architectures, but our final goal, as we grow, is to be using only microservices.
 
+---
+![Appwrite](docs/specs/overview.drawio.svg)
+---
+
 ### File Structure
 
 ```bash
@@ -174,10 +178,6 @@ Appwrite's current structure is a combination of both [Monolithic](https://en.wi
     └── unit
 ```
 
----
-![Appwrite](docs/specs/overview.drawio.svg)
----
-
 ### The Monolithic Part
 
 Appwrite's main API container is designed as a monolithic app. This is a decision we made to allow us to develop the project faster while still being a very small team.
@@ -282,6 +282,30 @@ docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
 
 The Runtimes for all supported cloud functions (multicore builds) can be found at the [appwrite/php-runtimes](https://github.com/appwrite/php-runtimes) repository.
 
+## Debug
+
+Appwrite uses [yasd](https://github.com/swoole/yasd) debugger, which can be made available during build of Appwrite. You can connect to the debugger using VS Code [PHP Debug](https://marketplace.visualstudio.com/items?itemName=felixfbecker.php-debug) extension or if you are in PHP Storm you don't need any plugin. Below are the settings required for remote debugger connection.
+
+First, you need to create an init file. Duplicate **dev/yasd_init.php.stub** file and name it **dev/yasd_init.php** and there change the IP address to your development machine's IP. Without the proper IP address debugger wont connect. And you also need to set **DEBUG** build arg in **appwrite** service in **docker-compose.yml** file.
+
+### VS Code Launch Configuration
+
+```json
+{
+    "name": "Listen for Xdebug",
+    "type": "php",
+    "request": "launch",
+    "port": 9005,
+    "pathMappings": {
+        "/usr/src/code": "${workspaceRoot}"
+    },
+}
+```
+
+### PHPStorm Setup
+
+In settings, go to **Languages & Frameworks** > **PHP** > **Debug**, there under **Xdebug** set the debug port to **9005** and enable **can accept external connections** checkbox.
+
 ## Tests
 
 To run all tests manually, use the Appwrite Docker CLI from your terminal:

Dockerfile

@@ -14,6 +14,9 @@ RUN composer update --ignore-platform-reqs --optimize-autoloader \
 
 FROM php:8.0-cli-alpine as step1
 
+ARG DEBUG=false
+ENV DEBUG=$DEBUG
+
 ENV PHP_REDIS_VERSION=5.3.4 \
     PHP_SWOOLE_VERSION=v4.6.7 \
     PHP_IMAGICK_VERSION=3.5.0 \
@@ -75,11 +78,25 @@ RUN \
   make && make install && \
   cd ../..
 
+## Swoole Debugger setup
+RUN if [ "$DEBUG" == "true" ]; then \
+    cd /tmp && \
+    apk add boost-dev && \
+    git clone --depth 1 https://github.com/swoole/yasd && \
+    cd yasd && \
+    phpize && \
+    ./configure && \
+    make && make install && \
+    cd ..;\
+  fi
+
 FROM php:8.0-cli-alpine as final
 
 LABEL maintainer="team@appwrite.io"
 
 ARG VERSION=dev
+ARG DEBUG=false
+ENV DEBUG=$DEBUG
 
 ENV _APP_SERVER=swoole \
     _APP_ENV=production \
@@ -160,10 +177,15 @@ RUN \
   && apk del .deps \
   && rm -rf /var/cache/apk/*
 
+RUN \
+  if [ "$DEBUG" == "true" ]; then \
+    apk add boost boost-dev; \
+  fi
+
 WORKDIR /usr/src/code
 
 COPY --from=step0 /usr/local/src/vendor /usr/src/code/vendor
-COPY --from=step1 /usr/local/lib/php/extensions/no-debug-non-zts-20200930/swoole.so /usr/local/lib/php/extensions/no-debug-non-zts-20200930/
+COPY --from=step1 /usr/local/lib/php/extensions/no-debug-non-zts-20200930/swoole.so /usr/local/lib/php/extensions/no-debug-non-zts-20200930/yasd.so* /usr/local/lib/php/extensions/no-debug-non-zts-20200930/
 COPY --from=step1 /usr/local/lib/php/extensions/no-debug-non-zts-20200930/redis.so /usr/local/lib/php/extensions/no-debug-non-zts-20200930/
 COPY --from=step1 /usr/local/lib/php/extensions/no-debug-non-zts-20200930/imagick.so /usr/local/lib/php/extensions/no-debug-non-zts-20200930/
 COPY --from=step1 /usr/local/lib/php/extensions/no-debug-non-zts-20200930/yaml.so /usr/local/lib/php/extensions/no-debug-non-zts-20200930/
@@ -218,7 +240,9 @@ RUN echo extension=redis.so >> /usr/local/etc/php/conf.d/redis.ini
 RUN echo extension=imagick.so >> /usr/local/etc/php/conf.d/imagick.ini
 RUN echo extension=yaml.so >> /usr/local/etc/php/conf.d/yaml.ini
 RUN echo extension=maxminddb.so >> /usr/local/etc/php/conf.d/maxminddb.ini
+RUN if [ "$DEBUG" == "true" ]; then printf "zend_extension=yasd \nyasd.debug_mode=remote \nyasd.init_file=/usr/local/dev/yasd_init.php \nyasd.remote_port=9005 \nyasd.log_level=-1" >> /usr/local/etc/php/conf.d/yasd.ini; fi
 
+RUN if [ "$DEBUG" == "true" ]; then echo "opcache.enable=0" >> /usr/local/etc/php/conf.d/appwrite.ini; fi
 RUN echo "opcache.preload_user=www-data" >> /usr/local/etc/php/conf.d/appwrite.ini
 RUN echo "opcache.preload=/usr/src/code/app/preload.php" >> /usr/local/etc/php/conf.d/appwrite.ini
 RUN echo "opcache.enable_cli=1" >> /usr/local/etc/php/conf.d/appwrite.ini

README.md

@@ -1,6 +1,6 @@
 <br />
 <p align="center">
-    <a href="https://appwrite.io" target="_blank"><img width="260" height="39" src="https://appwrite.io/images/github-logo.png" alt="Appwrite Logo"></a>
+    <a href="https://appwrite.io" target="_blank"><img width="260" height="39" src="https://appwrite.io/images/appwrite.svg" alt="Appwrite Logo"></a>
     <br />
     <br />
     <b>A complete backend solution for your [Flutter / Vue / Angular / React / iOS / Android / *ANY OTHER*] app</b>
@@ -15,7 +15,7 @@
 [![Build Status](https://img.shields.io/travis/com/appwrite/appwrite?style=flat-square)](https://travis-ci.com/appwrite/appwrite)
 [![Twitter Account](https://img.shields.io/twitter/follow/appwrite_io?color=00acee&label=twitter&style=flat-square)](https://twitter.com/appwrite_io)
 
-[**Appwrite 0.8 has been released! Learn what's new!**](https://dev.to/appwrite/announcing-appwrite-0-8-an-open-source-self-hosted-baas-kda)
+[**Appwrite 0.9 has been released! Learn what's new!**](https://dev.to/appwrite/announcing-appwrite-0-9-the-open-source-firebase-alternative-53ho)
 
 Appwrite is an end-to-end backend server for Web, Mobile, Native, or Backend apps packaged as a set of Docker<nobr> microservices. Appwrite abstracts the complexity and repetitiveness required to build a modern backend API from scratch and allows you to build secure apps faster.
 
@@ -56,7 +56,7 @@ docker run -it --rm \
     --volume /var/run/docker.sock:/var/run/docker.sock \
     --volume "$(pwd)"/appwrite:/usr/src/code/appwrite:rw \
     --entrypoint="install" \
-    appwrite/appwrite:0.8.0
+    appwrite/appwrite:0.9.4
 ```
 
 ### Windows
@@ -68,7 +68,7 @@ docker run -it --rm ^
     --volume //var/run/docker.sock:/var/run/docker.sock ^
     --volume "%cd%"/appwrite:/usr/src/code/appwrite:rw ^
     --entrypoint="install" ^
-    appwrite/appwrite:0.8.0
+    appwrite/appwrite:0.9.4
 ```
 
 #### PowerShell
@@ -78,7 +78,7 @@ docker run -it --rm ,
     --volume /var/run/docker.sock:/var/run/docker.sock ,
     --volume ${pwd}/appwrite:/usr/src/code/appwrite:rw ,
     --entrypoint="install" ,
-    appwrite/appwrite:0.8.0
+    appwrite/appwrite:0.9.4
 ```
 
 Once the Docker installation completes, go to http://localhost to access the Appwrite console from your browser. Please note that on non-linux native hosts, the server might take a few minutes to start after installation completes.
@@ -121,14 +121,16 @@ Below is a list of currently supported platforms and languages. If you wish to h
 #### Client
 * ✅  &nbsp; [Web](https://github.com/appwrite/sdk-for-web) (Maintained by the Appwrite Team)
 * ✅  &nbsp; [Flutter](https://github.com/appwrite/sdk-for-flutter) (Maintained by the Appwrite Team)
+* ✅  &nbsp; [Android](https://github.com/appwrite/sdk-for-android) (Maintained by the Appwrite Team)
 
 #### Server
 * ✅  &nbsp; [NodeJS](https://github.com/appwrite/sdk-for-node) (Maintained by the Appwrite Team)
 * ✅  &nbsp; [PHP](https://github.com/appwrite/sdk-for-php) (Maintained by the Appwrite Team)
 * ✅  &nbsp; [Dart](https://github.com/appwrite/sdk-for-dart) **Beta** (Maintained by the Appwrite Team)
 * ✅  &nbsp; [Deno](https://github.com/appwrite/sdk-for-deno) - **Beta** (Maintained by the Appwrite Team)
-* ✅  &nbsp; [Ruby](https://github.com/appwrite/sdk-for-ruby) - **Beta** (Maintained by the Appwrite Team)
-* ✅  &nbsp; [Python](https://github.com/appwrite/sdk-for-python) - **Beta** (Maintained by the Appwrite Team)
+* ✅  &nbsp; [Ruby](https://github.com/appwrite/sdk-for-ruby) (Maintained by the Appwrite Team)
+* ✅  &nbsp; [Python](https://github.com/appwrite/sdk-for-python) (Maintained by the Appwrite Team)
+* ✅  &nbsp; [Kotlin](https://github.com/appwrite/sdk-for-kotlin) - **Beta** (Maintained by the Appwrite Team)
 * ✅  &nbsp; [.NET](https://github.com/appwrite/sdk-for-dotnet) - **Experimental** (Maintained by the Appwrite Team)
 
 Looking for more SDKs? - Help us by contributing a pull request to our [SDK Generator](https://github.com/appwrite/sdk-generator)!

app/config/platforms.php

@@ -113,7 +113,7 @@
                 'name' => 'Android',
                 'version' => '0.0.1',
                 'url' => 'https://github.com/appwrite/sdk-for-android',
-                'package' => 'https://repo1.maven.org/maven2/io/appwrite/sdk-for-android/',
+                'package' => 'https://search.maven.org/artifact/io.appwrite/sdk-for-android',
                 'enabled' => true,
                 'beta' => true,
                 'dev' => false,
@@ -355,7 +355,7 @@
                 'name' => 'Kotlin',
                 'version' => '0.0.1',
                 'url' => 'https://github.com/appwrite/sdk-for-kotlin',
-                'package' => 'https://repo1.maven.org/maven2/io/appwrite/sdk-for-kotlin/',
+                'package' => 'https://search.maven.org/artifact/io.appwrite/sdk-for-kotlin',
                 'enabled' => true,
                 'beta' => true,
                 'dev' => false,

app/controllers/api/account.php

@@ -782,7 +782,7 @@
     ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
     ->label('sdk.response.model', Response::MODEL_JWT)
     ->label('abuse-limit', 10)
-    ->label('abuse-key', 'url:{url},userId:{param-userId}')
+    ->label('abuse-key', 'url:{url},userId:{userId}')
     ->inject('response')
     ->inject('user')
     ->action(function ($response, $user) {
@@ -918,16 +918,16 @@
     ->inject('user')
     ->inject('locale')
     ->inject('geodb')
-    ->inject('app')
-    ->action(function ($response, $project, $user, $locale, $geodb, $app) {
+    ->inject('utopia')
+    ->action(function ($response, $project, $user, $locale, $geodb, $utopia) {
         /** @var Appwrite\Utopia\Response $response */
         /** @var Appwrite\Database\Document $project */
         /** @var Appwrite\Database\Document $user */
         /** @var Utopia\Locale\Locale $locale */
         /** @var MaxMind\Db\Reader $geodb */
-        /** @var Utopia\App $app */
+        /** @var Utopia\App $utopia */
 
-        $adapter = new AuditAdapter($app->getResource('db'));
+        $adapter = new AuditAdapter($utopia->getResource('db'));
         $adapter->setNamespace('app_'.$project->getId());
 
         $audit = new Audit($adapter);
@@ -1668,7 +1668,7 @@
     ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
     ->label('sdk.response.model', Response::MODEL_TOKEN)
     ->label('abuse-limit', 10)
-    ->label('abuse-key', 'url:{url},email:{param-email}')
+    ->label('abuse-key', 'url:{url},userId:{userId}')
     ->param('url', '', function ($clients) { return new Host($clients); }, 'URL to redirect the user back to your app from the verification email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', false, ['clients']) // TODO add built-in confirm page
     ->inject('request')
     ->inject('response')

app/controllers/api/database.php

@@ -437,7 +437,7 @@
         }
 
         $types = [];
-        foreach ($collection->getAttribute('rules') as $rule) {
+        foreach ($collection->getAttribute('rules', []) as $rule) {
             /** @var Document $rule */
             $types[$rule->getAttribute('key')] = $rule->getAttribute('type');
         }
@@ -630,4 +630,4 @@
         ;
 
         $response->noContent();
-    });
+    });

app/controllers/api/functions.php

@@ -748,20 +748,20 @@
         $jwt = ''; // initialize
         if (!empty($user->getId())) { // If userId exists, generate a JWT for function
 
-            $tokens = $user->getAttribute('tokens', []);
-            $session = new Document();
+            $sessions = $user->getAttribute('sessions', []);
+            $current = new Document();
 
-            foreach ($tokens as $token) { /** @var Appwrite\Database\Document $token */
-                if ($token->getAttribute('secret') == Auth::hash(Auth::$secret)) { // If current session delete the cookies too
-                    $session = $token;
+            foreach ($sessions as $session) { /** @var Appwrite\Database\Document $session */
+                if ($session->getAttribute('secret') == Auth::hash(Auth::$secret)) { // If current session delete the cookies too
+                    $current = $session;
                 }
             }
 
-            if(!$session->isEmpty()) {
+            if(!$current->isEmpty()) {
                 $jwtObj = new JWT(App::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway.
                 $jwt = $jwtObj->encode([
                     'userId' => $user->getId(),
-                    'sessionId' => $session->getId(),
+                    'sessionId' => $current->getId(),
                 ]);
             }
         }

app/controllers/api/health.php

@@ -42,11 +42,11 @@
     ->label('sdk.method', 'getDB')
     ->label('sdk.description', '/docs/references/health/get-db.md')
     ->inject('response')
-    ->inject('app')
-    ->action(function ($response, $app) {
+    ->inject('utopia')
+    ->action(function ($response, $utopia) {
         /** @var Appwrite\Utopia\Response $response */
-        /** @var Utopia\App $app */
-        $app->getResource('db');
+        /** @var Utopia\App $utopia */
+        $utopia->getResource('db');
 
         $response->json(['status' => 'OK']);
     });
@@ -60,11 +60,11 @@
     ->label('sdk.method', 'getCache')
     ->label('sdk.description', '/docs/references/health/get-cache.md')
     ->inject('response')
-    ->inject('app')
-    ->action(function ($response, $app) {
+    ->inject('utopia')
+    ->action(function ($response, $utopia) {
         /** @var Appwrite\Utopia\Response $response */
-        /** @var Utopia\App $register */
-        $app->getResource('cache');
+        /** @var Utopia\App $utopia */
+        $utopia->getResource('cache');
 
         $response->json(['status' => 'OK']);
     });