joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

build: Release (#9990)

Browse Source
This commit is contained in:
Manuel
2025-12-16 02:34:01 +01:00
committed by GitHub
parent 2e06fa1139 9f98d3999c
commit 519d798781
5 changed files with 36 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
changelogs/CHANGELOG_alpha.md
View File

@@ -1,3 +1,10 @@
## [9.1.1-alpha.1](https://github.com/parse-community/parse-server/compare/9.1.0...9.1.1-alpha.1) (2025-12-16)
### Bug Fixes
* Server-Side Request Forgery (SSRF) in Instagram auth adapter [GHSA-3f5f-xgrj-97pf](https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf) ([#9988](https://github.com/parse-community/parse-server/issues/9988)) ([fbcc938](https://github.com/parse-community/parse-server/commit/fbcc938b5ade5ff4c30598ac51272ef7ecef0616))
# [9.1.0-alpha.4](https://github.com/parse-community/parse-server/compare/9.1.0-alpha.3...9.1.0-alpha.4) (2025-12-14) # [9.1.0-alpha.4](https://github.com/parse-community/parse-server/compare/9.1.0-alpha.3...9.1.0-alpha.4) (2025-12-14)

4
package-lock.json generated
View File

@@ -1,12 +1,12 @@
{ {
"name": "parse-server", "name": "parse-server",
"version": "9.1.0", "version": "9.1.1-alpha.1",
"lockfileVersion": 2, "lockfileVersion": 2,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "parse-server", "name": "parse-server",
"version": "9.1.0", "version": "9.1.1-alpha.1",
"hasInstallScript": true, "hasInstallScript": true,
"license": "Apache-2.0", "license": "Apache-2.0",
"dependencies": { "dependencies": {

2
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "parse-server", "name": "parse-server",
"version": "9.1.0", "version": "9.1.1-alpha.1",
"description": "An express module providing a Parse-compatible API server", "description": "An express module providing a Parse-compatible API server",
"main": "lib/index.js", "main": "lib/index.js",
"repository": { "repository": {

25
spec/Adapters/Auth/instagram.spec.js
View File

@@ -101,6 +101,31 @@ describe('InstagramAdapter', function () {
'Instagram auth is invalid for this user.' 'Instagram auth is invalid for this user.'
); );
}); });
it('should ignore client-provided apiURL and use hardcoded endpoint', async () => {
const accessToken = 'mockAccessToken';
const authData = {
id: 'mockUserId',
apiURL: 'https://example.com/',
};
mockFetch([
{
url: 'https://graph.instagram.com/me?fields=id&access_token=mockAccessToken',
method: 'GET',
response: {
ok: true,
json: () =>
Promise.resolve({
id: 'mockUserId',
}),
},
},
]);
const user = await adapter.getUserFromAccessToken(accessToken, authData);
expect(user).toEqual({ id: 'mockUserId' });
});
}); });
describe('InstagramAdapter E2E Test', function () { describe('InstagramAdapter E2E Test', function () {

3
src/Adapters/Auth/instagram.js
View File

@@ -96,8 +96,7 @@ class InstagramAdapter extends BaseAuthCodeAdapter {
} }
async getUserFromAccessToken(accessToken, authData) { async getUserFromAccessToken(accessToken, authData) {
const defaultURL = 'https://graph.instagram.com/'; const apiURL = 'https://graph.instagram.com/';
const apiURL = authData.apiURL || defaultURL;
const path = `${apiURL}me?fields=id&access_token=${accessToken}`; const path = `${apiURL}me?fields=id&access_token=${accessToken}`;
const response = await fetch(path); const response = await fetch(path);