Results invalid session when providing an invalid session token (#2154)

* Results invalid session when providing an invalid session token

* Reverts unsafe loggers

* Fixes failing tests

- The tests were failing when run in sequence as we called done() before the JSSDK had a chance to register the session token, hence the proper logout call in afterEach
This commit is contained in:
Florent Vilmart
2016-06-26 23:20:02 -04:00
committed by GitHub
parent a861c4e506
commit 147b493e23
5 changed files with 69 additions and 23 deletions


@@ -1589,7 +1589,7 @@ describe('Parse.User testing', () => {
bob.setPassword('meower'); bob.setPassword('meower');
return bob.save(); return bob.save();
}).then(() => { }).then(() => {
return Parse.User.logIn('bob', 'meower'); return Parse.User.logIn('bob', 'meower');
}).then((bob) => { }).then((bob) => {
expect(bob.getUsername()).toEqual('bob'); expect(bob.getUsername()).toEqual('bob');
done(); done();
@@ -2091,7 +2091,7 @@ describe('Parse.User testing', () => {
fail('Save should have failed.'); fail('Save should have failed.');
done(); done();
}, (e) => { }, (e) => {
expect(e.code).toEqual(Parse.Error.SESSION_MISSING); expect(e.code).toEqual(Parse.Error.INVALID_SESSION_TOKEN);
done(); done();
}); });
}); });
@@ -2124,6 +2124,26 @@ describe('Parse.User testing', () => {
}); });
}); });
it("invalid session tokens are rejected", (done) => {
Parse.User.signUp("asdf", "zxcv", null, {
success: function(user) {
request.get({
url: 'http://localhost:8378/1/classes/AClass',
json: true,
headers: {
'X-Parse-Application-Id': 'test',
'X-Parse-Rest-API-Key': 'rest',
'X-Parse-Session-Token': 'text'
},
}, (error, response, body) => {
expect(body.code).toBe(209);
expect(body.error).toBe('invalid session token');
done();
})
}
});
});
it_exclude_dbs(['postgres'])('should cleanup null authData keys (regression test for #935)', (done) => { it_exclude_dbs(['postgres'])('should cleanup null authData keys (regression test for #935)', (done) => {
let database = new Config(Parse.applicationId).database; let database = new Config(Parse.applicationId).database;
database.create('_User', { database.create('_User', {
@@ -2374,7 +2394,7 @@ describe('Parse.User testing', () => {
}) })
.then(() => obj.fetch()) .then(() => obj.fetch())
.catch(error => { .catch(error => {
expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND); expect(error.code).toEqual(Parse.Error.INVALID_SESSION_TOKEN);
done(); done();
}); });
}) })
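Review bot: In the new `invalid session tokens are rejected` test the `Parse.User.signUp` call passes only a `success` callback, so a failed sign-up never reaches `done()` and the case times out instead of failing; the `request.get` callback likewise ignores `error`, and a transport failure leaves `body` undefined and throws inside the callback instead of reporting. Adding `error: (user, err) => { fail(err); done(); }` beside `success`, and `expect(error).toBeNull();` as the first line of the request callback, keeps both failure modes visible to the runner. The literal token `'text'` is what drives the new INVALID_SESSION_TOKEN (209) path introduced in Auth.js, so the `body.code` assertion is the one that pins the behaviour change and deserves a short comment saying so.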


@@ -304,11 +304,12 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
}); });
it_exclude_dbs(['postgres'])('receives the app name and user in the adapter', done => { it_exclude_dbs(['postgres'])('receives the app name and user in the adapter', done => {
var emailSent = false;
var emailAdapter = { var emailAdapter = {
sendVerificationEmail: options => { sendVerificationEmail: options => {
expect(options.appName).toEqual('emailing app'); expect(options.appName).toEqual('emailing app');
expect(options.user.get('email')).toEqual('user@parse.com'); expect(options.user.get('email')).toEqual('user@parse.com');
done(); emailSent = true;
}, },
sendPasswordResetEmail: () => Promise.resolve(), sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => {} sendMail: () => {}
@@ -325,7 +326,10 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
user.setUsername("zxcv"); user.setUsername("zxcv");
user.set('email', 'user@parse.com'); user.set('email', 'user@parse.com');
user.signUp(null, { user.signUp(null, {
success: () => {}, success: () => {
expect(emailSent).toBe(true);
done();
},
error: function(userAgain, error) { error: function(userAgain, error) {
fail('Failed to save user'); fail('Failed to save user');
done(); done();
@@ -336,23 +340,10 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
it_exclude_dbs(['postgres'])('when you click the link in the email it sets emailVerified to true and redirects you', done => { it_exclude_dbs(['postgres'])('when you click the link in the email it sets emailVerified to true and redirects you', done => {
var user = new Parse.User(); var user = new Parse.User();
var sendEmailOptions;
var emailAdapter = { var emailAdapter = {
sendVerificationEmail: options => { sendVerificationEmail: options => {
request.get(options.link, { sendEmailOptions = options;
followRedirect: false,
}, (error, response, body) => {
expect(response.statusCode).toEqual(302);
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user');
user.fetch()
.then(() => {
expect(user.get('emailVerified')).toEqual(true);
done();
}, (err) => {
console.error(err);
fail("this should not fail");
done();
});
});
}, },
sendPasswordResetEmail: () => Promise.resolve(), sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => {} sendMail: () => {}
@@ -364,10 +355,32 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
publicServerURL: "http://localhost:8378/1" publicServerURL: "http://localhost:8378/1"
}) })
.then(() => { .then(() => {
user.setPassword("asdf"); user.setPassword("other-password");
user.setUsername("user"); user.setUsername("user");
user.set('email', 'user@parse.com'); user.set('email', 'user@parse.com');
user.signUp(); return user.signUp();
}).then(() => {
expect(sendEmailOptions).not.toBeUndefined();
request.get(sendEmailOptions.link, {
followRedirect: false,
}, (error, response, body) => {
expect(response.statusCode).toEqual(302);
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user');
user.fetch()
.then(() => {
expect(user.get('emailVerified')).toEqual(true);
done();
}, (err) => {
console.error(err);
fail("this should not fail");
done();
}).catch((err) =>
{
console.error(err);
fail(err);
done();
})
});
}); });
}); });
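Review bot: The chain that now ends in `return user.signUp();` has no rejection handler on the outer `.then(() => { ... })`, so a sign-up failure becomes an unhandled rejection and the verification test times out rather than failing; the `.catch` near the bottom only covers the inner `user.fetch()` chain. The `request.get` callback also reads `response.statusCode` before checking `error`, so a failed HTTP call throws inside the callback. Appending `.catch((err) => { fail(err); done(); })` after the outer `.then(() => { ... })` block and adding `expect(error).toBeNull();` as the first line of the request callback closes both gaps. The same missing `error` handler applies to the `success: () => { ... }` block added in the first hunk of this file, where an `error` callback already exists so only the chain issue needs attention there.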


@@ -329,6 +329,14 @@ global.it_exclude_dbs = excluded => {
} }
} }
global.fit_exclude_dbs = excluded => {
if (excluded.includes(process.env.PARSE_SERVER_TEST_DB)) {
return xit;
} else {
return fit;
}
}
// LiveQuery test setting // LiveQuery test setting
require('../src/LiveQuery/PLog').logLevel = 'NONE'; require('../src/LiveQuery/PLog').logLevel = 'NONE';
var libraryCache = {}; var libraryCache = {};
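Review bot: `global.fit_exclude_dbs` is added without a comment, and because it returns Jasmine's `fit` a single use left in a committed spec focuses the whole run and silently skips every other test — a sharper footgun than the `it_exclude_dbs` it mirrors. A comment above it such as `// Focused counterpart of it_exclude_dbs (returns jasmine's fit); for local debugging only, never leave in committed specs.` records that intent. The body could also be the one-liner `return excluded.includes(process.env.PARSE_SERVER_TEST_DB) ? xit : fit;`, though keeping the `if/else` shape parallel to `it_exclude_dbs` is a defensible choice. The enclosing `it_exclude_dbs` definition begins outside this hunk.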


@@ -58,7 +58,7 @@ var getAuthForSessionToken = function({ config, sessionToken, installationId } =
return query.execute().then((response) => { return query.execute().then((response) => {
var results = response.results; var results = response.results;
if (results.length !== 1 || !results[0]['user']) { if (results.length !== 1 || !results[0]['user']) {
return nobody(config); throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
} }
var now = new Date(), var now = new Date(),
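Review bot: The `throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token')` replaces a silent downgrade to `nobody(config)`, so an unknown token no longer proceeds as an anonymous request, but the expiry check that follows `var now = new Date(),` is outside this hunk, and if it still falls back to `nobody(config)` an expired token is treated as anonymous while a bogus one is rejected. Aligning both branches on INVALID_SESSION_TOKEN gives clients one consistent signal to re-authenticate and avoids an expired token quietly reading public data. A why-comment above the throw, `// Reject unknown tokens outright rather than downgrading to an anonymous request, so a bad token cannot silently fall through to public data`, records the intent of this change. `getAuthForSessionToken` starts and ends outside the hunk.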


@@ -130,6 +130,10 @@ function handleParseHeaders(req, res, next) {
return invalidRequest(req, res); return invalidRequest(req, res);
} }
if (req.url == "/login") {
delete info.sessionToken;
}
if (!info.sessionToken) { if (!info.sessionToken) {
req.auth = new auth.Auth({ config: req.config, installationId: info.installationId, isMaster: false }); req.auth = new auth.Auth({ config: req.config, installationId: info.installationId, isMaster: false });
next(); next();
@@ -219,6 +223,7 @@ var allowMethodOverride = function(req, res, next) {
}; };
var handleParseErrors = function(err, req, res, next) { var handleParseErrors = function(err, req, res, next) {
// TODO: Add logging as those errors won't make it to the PromiseRouter
if (err instanceof Parse.Error) { if (err instanceof Parse.Error) {
var httpStatus; var httpStatus;