Add maxLimit server configuration (#4048)

* Add maxLimit server configuration

* Fix maxlimit validation logic to correctly handle maxLimit:0 case
Chris Norris
2017-10-02 06:23:09 -07:00
committed by Florent Vilmart
parent 976da4d715
commit 23bffc8883
7 changed files with 63 additions and 0 deletions


@@ -71,6 +71,7 @@ export class Config {
this.mount = removeTrailingSlash(mount);
this.liveQueryController = cacheInfo.liveQueryController;
this.sessionLength = cacheInfo.sessionLength;
this.maxLimit = cacheInfo.maxLimit;
this.expireInactiveSessions = cacheInfo.expireInactiveSessions;
this.generateSessionExpiresAt = this.generateSessionExpiresAt.bind(this);
this.generateEmailVerifyTokenExpiresAt = this.generateEmailVerifyTokenExpiresAt.bind(this);
@@ -86,6 +87,7 @@ export class Config {
revokeSessionOnPasswordReset,
expireInactiveSessions,
sessionLength,
maxLimit,
emailVerifyTokenValidityDuration,
accountLockout,
passwordPolicy,
@@ -113,6 +115,8 @@ export class Config {
this.validateSessionConfiguration(sessionLength, expireInactiveSessions);
this.validateMasterKeyIps(masterKeyIps);
this.validateMaxLimit(maxLimit);
}
static validateAccountLockoutPolicy(accountLockout) {
@@ -220,6 +224,12 @@ export class Config {
}
}
static validateMaxLimit(maxLimit) {
if (maxLimit <= 0) {
throw 'Max limit must be a value greater than 0.'
}
}
generateEmailVerifyTokenExpiresAt() {
if (!this.verifyUserEmails || !this.emailVerifyTokenValidityDuration) {
return undefined;
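Review bot: `validateMaxLimit` lets NaN through, because `NaN <= 0` is false, and the ParseServer constructor section of this commit stores `Number(maxLimit)`, which is NaN for a non-numeric setting. The check in `handleFind` tests `req.config.maxLimit` for truthiness, so a mistyped value would pass validation and leave the cap switched off with no error at startup. Rejecting anything that is set but not a positive number makes the misconfiguration fail closed: `if (maxLimit !== undefined && !(maxLimit > 0)) {`. This assumes the constructor keeps an omitted option as `undefined`, e.g. `maxLimit: maxLimit === undefined ? undefined : Number(maxLimit),`; whether `validate` receives the coerced or the raw value is not visible in these hunks, so confirm that first.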


@@ -86,6 +86,7 @@ addParseCloud();
// "javascriptKey": optional key from Parse dashboard
// "push": optional key from configure push
// "sessionLength": optional length in seconds for how long Sessions should be valid for
// "maxLimit": optional upper bound for what can be specified for the 'limit' parameter on queries
class ParseServer {
@@ -138,6 +139,7 @@ class ParseServer {
},
liveQuery = {},
sessionLength = defaults.sessionLength, // 1 Year in seconds
maxLimit,
expireInactiveSessions = defaults.expireInactiveSessions,
revokeSessionOnPasswordReset = defaults.revokeSessionOnPasswordReset,
schemaCacheTTL = defaults.schemaCacheTTL, // cache for 5s
@@ -264,6 +266,7 @@ class ParseServer {
maxUploadSize: maxUploadSize,
liveQueryController: liveQueryController,
sessionLength: Number(sessionLength),
maxLimit: Number(maxLimit),
expireInactiveSessions: expireInactiveSessions,
jsonLogs,
revokeSessionOnPasswordReset,


@@ -15,6 +15,10 @@ export class ClassesRouter extends PromiseRouter {
handleFind(req) {
const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
const options = ClassesRouter.optionsFromBody(body);
if (req.config.maxLimit && (body.limit > req.config.maxLimit)) {
// Silently replace the limit on the query with the max configured
options.limit = Number(req.config.maxLimit);
}
if (body.redirectClassNameForKey) {
options.redirectClassNameForKey = String(body.redirectClassNameForKey);
}
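Review bot: The clamp in `handleFind` compares `body.limit`, so a request that omits `limit`, or sends one that does not compare as a number, skips the cap. Whether such a request can still return more than `maxLimit` rows depends on the default that `optionsFromBody` applies, which is not shown here. Testing the parsed value instead closes that gap and fails closed: `if (req.config.maxLimit && !(options.limit <= req.config.maxLimit)) {`. The cap also lives only in this route handler, so any other entry point that builds a query presumably bypasses it; confirm that, or enforce the bound where the query is built. `handleFind` continues past the end of the hunk.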


@@ -194,6 +194,11 @@ export default {
help: "Session duration, defaults to 1 year",
action: numberParser("sessionLength")
},
"maxLimit": {
env: "PARSE_SERVER_MAX_LIMIT",
help: "Max value for limit option on queries, defaults to unlimited",
action: numberParser("maxLimit")
},
"verbose": {
env: "VERBOSE",
help: "Set the logging to verbose"