Results invalid session when providing an invalid session token (#2154)

* Results invalid session when providing an invalid session token * Reverts unsafe loggers * Fixes failing tests - The tests were failin when run in sequence as we called done() before the JSSDK had a chance to register the session token, therefore having a proper logout call in afterEach
2016-06-26 23:20:02 -04:00
parent a861c4e506
commit 147b493e23
5 changed files with 69 additions and 23 deletions
--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -1589,7 +1589,7 @@ describe('Parse.User testing', () => {
      bob.setPassword('meower');
      return bob.save();
    }).then(() => {
-      return Parse.User.logIn('bob', 'meower');
+      return Parse.User.logIn('bob', 'meower');  
    }).then((bob) => {
      expect(bob.getUsername()).toEqual('bob');
      done();
@@ -2091,7 +2091,7 @@ describe('Parse.User testing', () => {
      fail('Save should have failed.');
      done();
    }, (e) => {
-      expect(e.code).toEqual(Parse.Error.SESSION_MISSING);
+      expect(e.code).toEqual(Parse.Error.INVALID_SESSION_TOKEN);
      done();
    });
  });
@@ -2124,6 +2124,26 @@ describe('Parse.User testing', () => {
    });
  });

+  it("invalid session tokens are rejected", (done) => {
+    Parse.User.signUp("asdf", "zxcv", null, {
+      success: function(user) {
+        request.get({
+          url: 'http://localhost:8378/1/classes/AClass',
+          json: true,
+          headers: {
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-Rest-API-Key': 'rest',
+            'X-Parse-Session-Token': 'text'
+          },
+        }, (error, response, body) => {
+          expect(body.code).toBe(209);
+          expect(body.error).toBe('invalid session token');
+          done();
+        })
+      }
+    });
+  });
+
  it_exclude_dbs(['postgres'])('should cleanup null authData keys (regression test for #935)', (done) => {
    let database = new Config(Parse.applicationId).database;
    database.create('_User', {
@@ -2374,7 +2394,7 @@ describe('Parse.User testing', () => {
        })
        .then(() => obj.fetch())
        .catch(error => {
-          expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND);
+          expect(error.code).toEqual(Parse.Error.INVALID_SESSION_TOKEN);
          done();
        });
      })
--- a/spec/ValidationAndPasswordsReset.spec.js
+++ b/spec/ValidationAndPasswordsReset.spec.js
@@ -304,11 +304,12 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
  });

  it_exclude_dbs(['postgres'])('receives the app name and user in the adapter', done => {
+    var emailSent = false;
    var emailAdapter = {
      sendVerificationEmail: options => {
        expect(options.appName).toEqual('emailing app');
        expect(options.user.get('email')).toEqual('user@parse.com');
-        done();
+        emailSent = true;
      },
      sendPasswordResetEmail: () => Promise.resolve(),
      sendMail: () => {}
@@ -325,7 +326,10 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
      user.setUsername("zxcv");
      user.set('email', 'user@parse.com');
      user.signUp(null, {
-        success: () => {},
+        success: () => {
+          expect(emailSent).toBe(true);
+          done();
+        },
        error: function(userAgain, error) {
          fail('Failed to save user');
          done();
@@ -336,23 +340,10 @@ describe("Custom Pages, Email Verification, Password Reset", () => {

  it_exclude_dbs(['postgres'])('when you click the link in the email it sets emailVerified to true and redirects you', done => {
    var user = new Parse.User();
+    var sendEmailOptions;
    var emailAdapter = {
      sendVerificationEmail: options => {
-        request.get(options.link, {
-          followRedirect: false,
-        }, (error, response, body) => {
-          expect(response.statusCode).toEqual(302);
-          expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user');
-          user.fetch()
-          .then(() => {
-            expect(user.get('emailVerified')).toEqual(true);
-            done();
-          }, (err) => {
-            console.error(err);
-            fail("this should not fail");
-            done();
-          });
-        });
+        sendEmailOptions = options;
      },
      sendPasswordResetEmail: () => Promise.resolve(),
      sendMail: () => {}
@@ -364,10 +355,32 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
      publicServerURL: "http://localhost:8378/1"
    })
    .then(() => {
-      user.setPassword("asdf");
+      user.setPassword("other-password");
      user.setUsername("user");
      user.set('email', 'user@parse.com');
-      user.signUp();
+      return user.signUp();
+    }).then(() => {
+      expect(sendEmailOptions).not.toBeUndefined();
+      request.get(sendEmailOptions.link, {
+          followRedirect: false,
+      }, (error, response, body) => {
+        expect(response.statusCode).toEqual(302);
+        expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user');
+        user.fetch()
+        .then(() => {
+          expect(user.get('emailVerified')).toEqual(true);
+          done();
+        }, (err) => {
+          console.error(err);
+          fail("this should not fail");
+          done();
+        }).catch((err) =>
+        {
+          console.error(err);
+          fail(err);
+          done();
+        })
+      });
    });
  });

--- a/spec/helper.js
+++ b/spec/helper.js
@@ -329,6 +329,14 @@ global.it_exclude_dbs = excluded => {
  }
 }

+global.fit_exclude_dbs = excluded => {
+  if (excluded.includes(process.env.PARSE_SERVER_TEST_DB)) {
+    return xit;
+  } else {
+    return fit;
+  }
+}
+
 // LiveQuery test setting
 require('../src/LiveQuery/PLog').logLevel = 'NONE';
 var libraryCache = {};
--- a/src/Auth.js
+++ b/src/Auth.js
@@ -58,7 +58,7 @@ var getAuthForSessionToken = function({ config, sessionToken, installationId } =
    return query.execute().then((response) => {
      var results = response.results;
      if (results.length !== 1 || !results[0]['user']) {
-        return nobody(config);
+        throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
      }

      var now = new Date(),
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -130,6 +130,10 @@ function handleParseHeaders(req, res, next) {
    return invalidRequest(req, res);
  }

+  if (req.url == "/login") {
+    delete info.sessionToken;
+  }
+
  if (!info.sessionToken) {
    req.auth = new auth.Auth({ config: req.config, installationId: info.installationId, isMaster: false });
    next();
@@ -219,6 +223,7 @@ var allowMethodOverride = function(req, res, next) {
 };

 var handleParseErrors = function(err, req, res, next) {
+  // TODO: Add logging as those errors won't make it to the PromiseRouter
  if (err instanceof Parse.Error) {
    var httpStatus;