From 23bffc8883d2695b9ff76d472fa8af35aecc304f Mon Sep 17 00:00:00 2001 From: Chris Norris Date: Mon, 2 Oct 2017 06:23:09 -0700 Subject: [PATCH] Add maxLimit server configuration (#4048) * Add maxLimit server configuration * Fix maxlimit validation logic to correctly handle maxLimit:0 case --- README.md | 1 + spec/ParseQuery.spec.js | 32 +++++++++++++++++++++++++++++ spec/index.spec.js | 8 ++++++++ src/Config.js | 10 +++++++++ src/ParseServer.js | 3 +++ src/Routers/ClassesRouter.js | 4 ++++ src/cli/definitions/parse-server.js | 5 +++++ 7 files changed, 63 insertions(+) diff --git a/README.md b/README.md index 92c252cb..aad080e1 100644 --- a/README.md +++ b/README.md @@ -218,6 +218,7 @@ The client keys used with Parse are no longer necessary with Parse Server. If yo * `loggerAdapter` - The default behavior/transport (File) can be changed by creating an adapter class (see [`LoggerAdapter.js`](https://github.com/parse-community/parse-server/blob/master/src/Adapters/Logger/LoggerAdapter.js)). * `logLevel` - Set the specific level you want to log. Defaults to `info`. The default logger uses the npm log levels as defined by the underlying winston logger. Check [Winston logging levels](https://github.com/winstonjs/winston#logging-levels) for details on values to specify. * `sessionLength` - The length of time in seconds that a session should be valid for. Defaults to 31536000 seconds (1 year). +* `maxLimit` - The maximum value supported for the limit option on queries. Defaults to unlimited. * `revokeSessionOnPasswordReset` - When a user changes their password, either through the reset password email or while logged in, all sessions are revoked if this is true. Set to false if you don't want to revoke sessions. * `accountLockout` - Lock account when a malicious user is attempting to determine an account password by trial and error. * `passwordPolicy` - Optional password policy rules to enforce. diff --git a/spec/ParseQuery.spec.js b/spec/ParseQuery.spec.js index da53ca62..e2f8a9b7 100644 --- a/spec/ParseQuery.spec.js +++ b/spec/ParseQuery.spec.js @@ -239,6 +239,38 @@ describe('Parse.Query testing', () => { }); }); + it("query with limit equal to maxlimit", function(done) { + var baz = new TestObject({ foo: 'baz' }); + var qux = new TestObject({ foo: 'qux' }); + reconfigureServer({ maxLimit: 1 }) + Parse.Object.saveAll([baz, qux], function() { + var query = new Parse.Query(TestObject); + query.limit(1); + query.find({ + success: function(results) { + equal(results.length, 1); + done(); + } + }); + }); + }); + + it("query with limit exceeding maxlimit", function(done) { + var baz = new TestObject({ foo: 'baz' }); + var qux = new TestObject({ foo: 'qux' }); + reconfigureServer({ maxLimit: 1 }) + Parse.Object.saveAll([baz, qux], function() { + var query = new Parse.Query(TestObject); + query.limit(2); + query.find({ + success: function(results) { + equal(results.length, 1); + done(); + } + }); + }); + }); + it("containedIn object array queries", function(done) { var messageList = []; for (var i = 0; i < 4; ++i) { diff --git a/spec/index.spec.js b/spec/index.spec.js index a70c110e..632bb7a4 100644 --- a/spec/index.spec.js +++ b/spec/index.spec.js @@ -415,6 +415,14 @@ describe('server', () => { .then(done); }) + it('fails if maxLimit is negative', (done) => { + reconfigureServer({ maxLimit: -100 }) + .catch(error => { + expect(error).toEqual('Max limit must be a value greater than 0.'); + done(); + }); + }); + it('fails if you try to set revokeSessionOnPasswordReset to non-boolean', done => { reconfigureServer({ revokeSessionOnPasswordReset: 'non-bool' }) .catch(done); diff --git a/src/Config.js b/src/Config.js index 2678b6a0..675b24ac 100644 --- a/src/Config.js +++ b/src/Config.js @@ -71,6 +71,7 @@ export class Config { this.mount = removeTrailingSlash(mount); this.liveQueryController = cacheInfo.liveQueryController; this.sessionLength = cacheInfo.sessionLength; + this.maxLimit = cacheInfo.maxLimit; this.expireInactiveSessions = cacheInfo.expireInactiveSessions; this.generateSessionExpiresAt = this.generateSessionExpiresAt.bind(this); this.generateEmailVerifyTokenExpiresAt = this.generateEmailVerifyTokenExpiresAt.bind(this); @@ -86,6 +87,7 @@ export class Config { revokeSessionOnPasswordReset, expireInactiveSessions, sessionLength, + maxLimit, emailVerifyTokenValidityDuration, accountLockout, passwordPolicy, @@ -113,6 +115,8 @@ export class Config { this.validateSessionConfiguration(sessionLength, expireInactiveSessions); this.validateMasterKeyIps(masterKeyIps); + + this.validateMaxLimit(maxLimit); } static validateAccountLockoutPolicy(accountLockout) { @@ -220,6 +224,12 @@ export class Config { } } + static validateMaxLimit(maxLimit) { + if (maxLimit <= 0) { + throw 'Max limit must be a value greater than 0.' + } + } + generateEmailVerifyTokenExpiresAt() { if (!this.verifyUserEmails || !this.emailVerifyTokenValidityDuration) { return undefined; diff --git a/src/ParseServer.js b/src/ParseServer.js index be9d8160..ab8afbb3 100644 --- a/src/ParseServer.js +++ b/src/ParseServer.js @@ -86,6 +86,7 @@ addParseCloud(); // "javascriptKey": optional key from Parse dashboard // "push": optional key from configure push // "sessionLength": optional length in seconds for how long Sessions should be valid for +// "maxLimit": optional upper bound for what can be specified for the 'limit' parameter on queries class ParseServer { @@ -138,6 +139,7 @@ class ParseServer { }, liveQuery = {}, sessionLength = defaults.sessionLength, // 1 Year in seconds + maxLimit, expireInactiveSessions = defaults.expireInactiveSessions, revokeSessionOnPasswordReset = defaults.revokeSessionOnPasswordReset, schemaCacheTTL = defaults.schemaCacheTTL, // cache for 5s @@ -264,6 +266,7 @@ class ParseServer { maxUploadSize: maxUploadSize, liveQueryController: liveQueryController, sessionLength: Number(sessionLength), + maxLimit: Number(maxLimit), expireInactiveSessions: expireInactiveSessions, jsonLogs, revokeSessionOnPasswordReset, diff --git a/src/Routers/ClassesRouter.js b/src/Routers/ClassesRouter.js index 5793445a..6801f3bc 100644 --- a/src/Routers/ClassesRouter.js +++ b/src/Routers/ClassesRouter.js @@ -15,6 +15,10 @@ export class ClassesRouter extends PromiseRouter { handleFind(req) { const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query)); const options = ClassesRouter.optionsFromBody(body); + if (req.config.maxLimit && (body.limit > req.config.maxLimit)) { + // Silently replace the limit on the query with the max configured + options.limit = Number(req.config.maxLimit); + } if (body.redirectClassNameForKey) { options.redirectClassNameForKey = String(body.redirectClassNameForKey); } diff --git a/src/cli/definitions/parse-server.js b/src/cli/definitions/parse-server.js index 63762239..689bb93d 100644 --- a/src/cli/definitions/parse-server.js +++ b/src/cli/definitions/parse-server.js @@ -194,6 +194,11 @@ export default { help: "Session duration, defaults to 1 year", action: numberParser("sessionLength") }, + "maxLimit": { + env: "PARSE_SERVER_MAX_LIMIT", + help: "Max value for limit option on queries, defaults to unlimited", + action: numberParser("maxLimit") + }, "verbose": { env: "VERBOSE", help: "Set the logging to verbose"