Adds support for read-only masterKey (#4297)

* Adds support for read-only masterKey

* Adds tests to make sure all endpoints are properly protected

* Updates readme

* nits
Florent Vilmart
2017-10-26 15:35:07 -04:00
committed by GitHub
parent 87b79cedfa
commit 1dd58b7527
13 changed files with 195 additions and 7 deletions


@@ -4,11 +4,12 @@ var RestQuery = require('./RestQuery');
// An Auth object tells you who is requesting something and whether
// the master key was used.
// userObject is a Parse.User and can be null if there's no user.
function Auth({ config, isMaster = false, user, installationId } = {}) {
function Auth({ config, isMaster = false, isReadOnly = false, user, installationId } = {}) {
this.config = config;
this.installationId = installationId;
this.isMaster = isMaster;
this.user = user;
this.isReadOnly = isReadOnly;
// Assuming a users roles won't change during a single request, we'll
// only load them once.
@@ -34,6 +35,11 @@ function master(config) {
return new Auth({ config, isMaster: true });
}
// A helper to get a master-level Auth object
function readOnly(config) {
return new Auth({ config, isMaster: true, isReadOnly: true });
}
// A helper to get a nobody-level Auth object
function nobody(config) {
return new Auth({ config, isMaster: false });
@@ -207,9 +213,10 @@ Auth.prototype._getAllRolesNamesForRoleIds = function(roleIDs, names = [], queri
}
module.exports = {
Auth: Auth,
master: master,
nobody: nobody,
Auth,
master,
nobody,
readOnly,
getAuthForSessionToken,
getAuthForLegacySessionToken
};
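Review bot: `readOnly()` builds its Auth with `isMaster: true` alongside `isReadOnly: true`, so any caller that tests only `auth.isMaster` will treat the read-only key as the full master key. Write denial therefore depends on every mutating path also checking `isReadOnly`, which fails open for any handler that is missed or added later; the enforcement sites are not visible in this section, so their coverage cannot be confirmed from here. The comment above the new helper appears to be copied from `master()` and hides this; I would replace it with `// A helper to get a read-only master-level Auth object. isMaster stays true, so write paths must also check isReadOnly.` The header comment on `Auth` should also mention the new flag, since it currently documents only whether the master key was used.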