joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add request context middleware for config and dependency injection in hooks (#8480)

Browse Source
This commit is contained in:
Antoine Cormouls
2025-10-14 20:16:31 +02:00
committed by GitHub
parent e704de83e6
commit 64f104e5c5
12 changed files with 219 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
spec/CloudCode.spec.js
View File

@@ -11,8 +11,8 @@ const mockAdapter = {
name: filename,
location: `http://www.somewhere.com/${filename}`,
}),
deleteFile: () => {},
getFileData: () => {},
deleteFile: () => { },
getFileData: () => { },
getFileLocation: (config, filename) => `http://www.somewhere.com/${filename}`,
validateFilename: () => {
return null;
@@ -49,7 +49,7 @@ describe('Cloud Code', () => {
});
it('cloud code must be valid type', async () => {
spyOn(console, 'error').and.callFake(() => {});
spyOn(console, 'error').and.callFake(() => { });
await expectAsync(reconfigureServer({ cloud: true })).toBeRejectedWith(
"argument 'cloud' must either be a string or a function"
);
@@ -114,7 +114,7 @@ describe('Cloud Code', () => {
it('show warning on duplicate cloud functions', done => {
const logger = require('../lib/logger').logger;
spyOn(logger, 'warn').and.callFake(() => {});
spyOn(logger, 'warn').and.callFake(() => { });
Parse.Cloud.define('hello', () => {
return 'Hello world!';
});
@@ -1672,7 +1672,7 @@ describe('Cloud Code', () => {
});
it('trivial beforeSave should not affect fetched pointers (regression test for #1238)', done => {
Parse.Cloud.beforeSave('BeforeSaveUnchanged', () => {});
Parse.Cloud.beforeSave('BeforeSaveUnchanged', () => { });
const TestObject = Parse.Object.extend('TestObject');
const NoBeforeSaveObject = Parse.Object.extend('NoBeforeSave');
@@ -1745,7 +1745,7 @@ describe('Cloud Code', () => {
});
it('beforeSave should not affect fetched pointers', done => {
Parse.Cloud.beforeSave('BeforeSaveUnchanged', () => {});
Parse.Cloud.beforeSave('BeforeSaveUnchanged', () => { });
Parse.Cloud.beforeSave('BeforeSaveChanged', function (req) {
req.object.set('foo', 'baz');
@@ -2059,7 +2059,7 @@ describe('Cloud Code', () => {
});
it('pointer should not be cleared by triggers', async () => {
Parse.Cloud.afterSave('MyObject', () => {});
Parse.Cloud.afterSave('MyObject', () => { });
const foo = await new Parse.Object('Test', { foo: 'bar' }).save();
const obj = await new Parse.Object('MyObject', { foo }).save();
const foo2 = obj.get('foo');
@@ -2067,7 +2067,7 @@ describe('Cloud Code', () => {
});
it('can set a pointer in triggers', async () => {
Parse.Cloud.beforeSave('MyObject', () => {});
Parse.Cloud.beforeSave('MyObject', () => { });
Parse.Cloud.afterSave(
'MyObject',
async ({ object }) => {
@@ -2168,7 +2168,7 @@ describe('Cloud Code', () => {
it('should not run without master key', done => {
expect(() => {
Parse.Cloud.job('myJob', () => {});
Parse.Cloud.job('myJob', () => { });
}).not.toThrow();
request({
@@ -2354,6 +2354,14 @@ describe('cloud functions', () => {
Parse.Cloud.run('myFunction', {}).then(() => done());
});
it('should have request config', async () => {
Parse.Cloud.define('myConfigFunction', req => {
expect(req.config).toBeDefined();
return 'success';
});
await Parse.Cloud.run('myConfigFunction', {});
});
});
describe('beforeSave hooks', () => {
@@ -2377,6 +2385,16 @@ describe('beforeSave hooks', () => {
myObject.save().then(() => done());
});
it('should have request config', async () => {
Parse.Cloud.beforeSave('MyObject', req => {
expect(req.config).toBeDefined();
});
const MyObject = Parse.Object.extend('MyObject');
const myObject = new MyObject();
await myObject.save();
});
it('should respect custom object ids (#6733)', async () => {
Parse.Cloud.beforeSave('TestObject', req => {
expect(req.object.id).toEqual('test_6733');
@@ -2432,6 +2450,16 @@ describe('afterSave hooks', () => {
myObject.save().then(() => done());
});
it('should have request config', async () => {
Parse.Cloud.afterSave('MyObject', req => {
expect(req.config).toBeDefined();
});
const MyObject = Parse.Object.extend('MyObject');
const myObject = new MyObject();
await myObject.save();
});
it('should unset in afterSave', async () => {
Parse.Cloud.afterSave(
'MyObject',
@@ -2489,6 +2517,17 @@ describe('beforeDelete hooks', () => {
.then(myObj => myObj.destroy())
.then(() => done());
});
it('should have request config', async () => {
Parse.Cloud.beforeDelete('MyObject', req => {
expect(req.config).toBeDefined();
});
const MyObject = Parse.Object.extend('MyObject');
const myObject = new MyObject();
await myObject.save();
await myObject.destroy();
});
});
describe('afterDelete hooks', () => {
@@ -2517,6 +2556,17 @@ describe('afterDelete hooks', () => {
.then(myObj => myObj.destroy())
.then(() => done());
});
it('should have request config', async () => {
Parse.Cloud.afterDelete('MyObject', req => {
expect(req.config).toBeDefined();
});
const MyObject = Parse.Object.extend('MyObject');
const myObject = new MyObject();
await myObject.save();
await myObject.destroy();
});
});
describe('beforeFind hooks', () => {
@@ -2824,6 +2874,18 @@ describe('beforeFind hooks', () => {
.then(() => done());
});
it('should have request config', async () => {
Parse.Cloud.beforeFind('MyObject', req => {
expect(req.config).toBeDefined();
});
const MyObject = Parse.Object.extend('MyObject');
const myObject = new MyObject();
await myObject.save();
const query = new Parse.Query('MyObject');
query.equalTo('objectId', myObject.id);
await Promise.all([query.get(myObject.id), query.first(), query.find()]);
})
it('should run beforeFind on pointers and array of pointers from an object', async () => {
const obj1 = new Parse.Object('TestObject');
const obj2 = new Parse.Object('TestObject2');
@@ -3208,54 +3270,67 @@ describe('afterFind hooks', () => {
.catch(done.fail);
});
it('should have request config', async () => {
Parse.Cloud.afterFind('MyObject', req => {
expect(req.config).toBeDefined();
});
const MyObject = Parse.Object.extend('MyObject');
const myObject = new MyObject();
await myObject.save();
const query = new Parse.Query('MyObject');
query.equalTo('objectId', myObject.id);
await Promise.all([query.get(myObject.id), query.first(), query.find()]);
});
it('should validate triggers correctly', () => {
expect(() => {
Parse.Cloud.beforeSave('_Session', () => {});
Parse.Cloud.beforeSave('_Session', () => { });
}).toThrow('Only the afterLogout trigger is allowed for the _Session class.');
expect(() => {
Parse.Cloud.afterSave('_Session', () => {});
Parse.Cloud.afterSave('_Session', () => { });
}).toThrow('Only the afterLogout trigger is allowed for the _Session class.');
expect(() => {
Parse.Cloud.beforeSave('_PushStatus', () => {});
Parse.Cloud.beforeSave('_PushStatus', () => { });
}).toThrow('Only afterSave is allowed on _PushStatus');
expect(() => {
Parse.Cloud.afterSave('_PushStatus', () => {});
Parse.Cloud.afterSave('_PushStatus', () => { });
}).not.toThrow();
expect(() => {
Parse.Cloud.beforeLogin(() => {});
Parse.Cloud.beforeLogin(() => { });
}).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
expect(() => {
Parse.Cloud.beforeLogin('_User', () => {});
Parse.Cloud.beforeLogin('_User', () => { });
}).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
expect(() => {
Parse.Cloud.beforeLogin(Parse.User, () => {});
Parse.Cloud.beforeLogin(Parse.User, () => { });
}).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
expect(() => {
Parse.Cloud.beforeLogin('SomeClass', () => {});
Parse.Cloud.beforeLogin('SomeClass', () => { });
}).toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
expect(() => {
Parse.Cloud.afterLogin(() => {});
Parse.Cloud.afterLogin(() => { });
}).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
expect(() => {
Parse.Cloud.afterLogin('_User', () => {});
Parse.Cloud.afterLogin('_User', () => { });
}).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
expect(() => {
Parse.Cloud.afterLogin(Parse.User, () => {});
Parse.Cloud.afterLogin(Parse.User, () => { });
}).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
expect(() => {
Parse.Cloud.afterLogin('SomeClass', () => {});
Parse.Cloud.afterLogin('SomeClass', () => { });
}).toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
expect(() => {
Parse.Cloud.afterLogout(() => {});
Parse.Cloud.afterLogout(() => { });
}).not.toThrow();
expect(() => {
Parse.Cloud.afterLogout('_Session', () => {});
Parse.Cloud.afterLogout('_Session', () => { });
}).not.toThrow();
expect(() => {
Parse.Cloud.afterLogout('_User', () => {});
Parse.Cloud.afterLogout('_User', () => { });
}).toThrow('Only the _Session class is allowed for the afterLogout trigger.');
expect(() => {
Parse.Cloud.afterLogout('SomeClass', () => {});
Parse.Cloud.afterLogout('SomeClass', () => { });
}).toThrow('Only the _Session class is allowed for the afterLogout trigger.');
});
@@ -3695,6 +3770,7 @@ describe('beforeLogin hook', () => {
expect(req.ip).toBeDefined();
expect(req.installationId).toBeDefined();
expect(req.context).toBeDefined();
expect(req.config).toBeDefined();
});
await Parse.User.signUp('tupac', 'shakur');
@@ -3812,6 +3888,7 @@ describe('afterLogin hook', () => {
expect(req.ip).toBeDefined();
expect(req.installationId).toBeDefined();
expect(req.context).toBeDefined();
expect(req.config).toBeDefined();
});
await Parse.User.signUp('testuser', 'p@ssword');
@@ -4014,6 +4091,15 @@ describe('saveFile hooks', () => {
}
});
it('beforeSaveFile should have config', async () => {
await reconfigureServer({ filesAdapter: mockAdapter });
Parse.Cloud.beforeSave(Parse.File, req => {
expect(req.config).toBeDefined();
});
const file = new Parse.File('popeye.txt', [1, 2, 3], 'text/plain');
await file.save({ useMasterKey: true });
});
it('beforeSave(Parse.File) should change values of uploaded file by editing fileObject directly', async () => {
await reconfigureServer({ filesAdapter: mockAdapter });
const createFileSpy = spyOn(mockAdapter, 'createFile').and.callThrough();
@@ -4316,7 +4402,7 @@ describe('Parse.File hooks', () => {
beforeFind() {
throw 'unauthorized';
},
afterFind() {},
afterFind() { },
};
for (const hook in hooks) {
spyOn(hooks, hook).and.callThrough();
@@ -4344,7 +4430,7 @@ describe('Parse.File hooks', () => {
await file.save({ useMasterKey: true });
const user = await Parse.User.signUp('username', 'password');
const hooks = {
beforeFind() {},
beforeFind() { },
afterFind() {
throw 'unauthorized';
},
@@ -4563,7 +4649,7 @@ describe('sendEmail', () => {
it('cannot send email without adapter', async () => {
const logger = require('../lib/logger').logger;
spyOn(logger, 'error').and.callFake(() => {});
spyOn(logger, 'error').and.callFake(() => { });
await Parse.Cloud.sendEmail({});
expect(logger.error).toHaveBeenCalledWith(
'Failed to send email because no mail adapter is configured for Parse Server.'

35
spec/ParseGraphQLServer.spec.js
View File

@@ -607,6 +607,41 @@ describe('ParseGraphQLServer', () => {
]);
};
describe('Context', () => {
it('should support dependency injection on graphql api', async () => {
const requestContextMiddleware = (req, res, next) => {
req.config.aCustomController = 'aCustomController';
next();
};
let called;
const parseServer = await reconfigureServer({ requestContextMiddleware });
await createGQLFromParseServer(parseServer);
Parse.Cloud.beforeSave('_User', request => {
expect(request.config.aCustomController).toEqual('aCustomController');
called = true;
});
await apolloClient.query({
query: gql`
mutation {
createUser(input: { fields: { username: "test", password: "test" } }) {
user {
objectId
}
}
}
`,
context: {
headers: {
'X-Parse-Master-Key': 'test',
},
}
})
expect(called).toBe(true);
})
})
describe('Introspection', () => {
it('should have public introspection disabled by default without master key', async () => {

22
spec/rest.spec.js
View File

@@ -1139,3 +1139,25 @@ describe('read-only masterKey', () => {
});
});
});
describe('rest context', () => {
it('should support dependency injection on rest api', async () => {
const requestContextMiddleware = (req, res, next) => {
req.config.aCustomController = 'aCustomController';
next();
};
let called
await reconfigureServer({ requestContextMiddleware });
Parse.Cloud.beforeSave('_User', request => {
expect(request.config.aCustomController).toEqual('aCustomController');
called = true;
});
const user = new Parse.User();
user.setUsername('test');
user.setPassword('test');
await user.signUp();
expect(called).toBe(true);
});
});

2
src/Controllers/HooksController.js
View File

@@ -188,6 +188,8 @@ function wrapToHTTPRequest(hook, key) {
return req => {
const jsonBody = {};
for (var i in req) {
// Parse Server config is not serializable
if (i === 'config') { continue; }
jsonBody[i] = req[i];
}
if (req.object) {

14
src/GraphQL/ParseGraphQLServer.js
View File

@@ -128,6 +128,19 @@ class ParseGraphQLServer {
);
}
/**
* @static
* Allow developers to customize each request with inversion of control/dependency injection
*/
applyRequestContextMiddleware(api, options) {
if (options.requestContextMiddleware) {
if (typeof options.requestContextMiddleware !== 'function') {
throw new Error('requestContextMiddleware must be a function');
}
api.use(this.config.graphQLPath, options.requestContextMiddleware);
}
}
applyGraphQL(app) {
if (!app || !app.use) {
requiredParameter('You must provide an Express.js app instance!');
@@ -135,6 +148,7 @@ class ParseGraphQLServer {
app.use(this.config.graphQLPath, corsMiddleware());
app.use(this.config.graphQLPath, handleParseHeaders);
app.use(this.config.graphQLPath, handleParseSession);
this.applyRequestContextMiddleware(app, this.parseServer.config);
app.use(this.config.graphQLPath, handleParseErrors);
app.use(
this.config.graphQLPath,

5
src/Options/Definitions.js
View File

@@ -514,6 +514,11 @@ module.exports.ParseServerOptions = {
env: 'PARSE_SERVER_READ_ONLY_MASTER_KEY',
help: 'Read-only key, which has the same capabilities as MasterKey without writes',
},
requestContextMiddleware: {
env: 'PARSE_SERVER_REQUEST_CONTEXT_MIDDLEWARE',
help:
'Options to customize the request context using inversion of control/dependency injection.',
},
requestKeywordDenylist: {
env: 'PARSE_SERVER_REQUEST_KEYWORD_DENYLIST',
help:

1
src/Options/docs.js
View File

@@ -91,6 +91,7 @@
* @property {Any} push Configuration for push, as stringified JSON. See http://docs.parseplatform.org/parse-server/guide/#push-notifications
* @property {RateLimitOptions[]} rateLimit Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br> Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.
* @property {String} readOnlyMasterKey Read-only key, which has the same capabilities as MasterKey without writes
* @property {Function} requestContextMiddleware Options to customize the request context using inversion of control/dependency injection.
* @property {RequestKeywordDenylist[]} requestKeywordDenylist An array of keys and values that are prohibited in database read and write requests to prevent potential security vulnerabilities. It is possible to specify only a key (`{"key":"..."}`), only a value (`{"value":"..."}`) or a key-value pair (`{"key":"...","value":"..."}`). The specification can use the following types: `boolean`, `numeric` or `string`, where `string` will be interpreted as a regex notation. Request data is deep-scanned for matching definitions to detect also any nested occurrences. Defaults are patterns that are likely to be used in malicious requests. Setting this option will override the default patterns.
* @property {String} restAPIKey Key for REST calls
* @property {Boolean} revokeSessionOnPasswordReset When a user changes their password, either through the reset password email or while logged in, all sessions are revoked if this is true. Set to false if you don't want to revoke sessions.

2
src/Options/index.js
View File

@@ -342,6 +342,8 @@ export interface ParseServerOptions {
/* Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br> Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.
:DEFAULT: [] */
rateLimit: ?(RateLimitOptions[]);
/* Options to customize the request context using inversion of control/dependency injection.*/
requestContextMiddleware: ?((req: any, res: any, next: any) => void);
}
export interface RateLimitOptions {

14
src/ParseServer.ts
View File

@@ -279,6 +279,18 @@ class ParseServer {
}
}
/**
* @static
* Allow developers to customize each request with inversion of control/dependency injection
*/
static applyRequestContextMiddleware(api, options) {
if (options.requestContextMiddleware) {
if (typeof options.requestContextMiddleware !== 'function') {
throw new Error('requestContextMiddleware must be a function');
}
api.use(options.requestContextMiddleware);
}
}
/**
* @static
* Create an express app for the parse server
@@ -326,7 +338,7 @@ class ParseServer {
middlewares.addRateLimit(route, options);
}
api.use(middlewares.handleParseSession);
this.applyRequestContextMiddleware(api, options);
const appRouter = ParseServer.promiseRouter({ appId });
api.use(appRouter.expressRouter());

2
src/Routers/FunctionsRouter.js
View File

@@ -73,6 +73,7 @@ export class FunctionsRouter extends PromiseRouter {
headers: req.config.headers,
ip: req.config.ip,
jobName,
config: req.config,
message: jobHandler.setMessage.bind(jobHandler),
};
@@ -129,6 +130,7 @@ export class FunctionsRouter extends PromiseRouter {
params = parseParams(params, req.config);
const request = {
params: params,
config: req.config,
master: req.auth && req.auth.isMaster,
user: req.auth && req.auth.user,
installationId: req.info.installationId,

6
src/cloud-code/Parse.Cloud.js
View File

@@ -670,6 +670,7 @@ module.exports = ParseCloud;
* @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`, ...)
* @property {Object} log The current logger inside Parse Server.
* @property {Parse.Object} original If set, the object, as currently stored.
* @property {Object} config The Parse Server config.
*/
/**
@@ -684,6 +685,7 @@ module.exports = ParseCloud;
* @property {Object} headers The original HTTP headers for the request.
* @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`)
* @property {Object} log The current logger inside Parse Server.
* @property {Object} config The Parse Server config.
*/
/**
@@ -721,6 +723,7 @@ module.exports = ParseCloud;
* @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`, ...)
* @property {Object} log The current logger inside Parse Server.
* @property {Boolean} isGet wether the query a `get` or a `find`
* @property {Object} config The Parse Server config.
*/
/**
@@ -734,6 +737,7 @@ module.exports = ParseCloud;
* @property {Object} headers The original HTTP headers for the request.
* @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`, ...)
* @property {Object} log The current logger inside Parse Server.
* @property {Object} config The Parse Server config.
*/
/**
@@ -742,12 +746,14 @@ module.exports = ParseCloud;
* @property {Boolean} master If true, means the master key was used.
* @property {Parse.User} user If set, the user that made the request.
* @property {Object} params The params passed to the cloud function.
* @property {Object} config The Parse Server config.
*/
/**
* @interface Parse.Cloud.JobRequest
* @property {Object} params The params passed to the background job.
* @property {function} message If message is called with a string argument, will update the current message to be stored in the job status.
* @property {Object} config The Parse Server config.
*/
/**

3
src/triggers.js
View File

@@ -270,6 +270,7 @@ export function getRequestObject(
log: config.loggerController,
headers: config.headers,
ip: config.ip,
config,
};
if (isGet !== undefined) {
@@ -320,6 +321,7 @@ export function getRequestQueryObject(triggerType, auth, query, count, config, c
headers: config.headers,
ip: config.ip,
context: context || {},
config,
};
if (!auth) {
@@ -1018,6 +1020,7 @@ export function getRequestFileObject(triggerType, auth, fileObject, config) {
log: config.loggerController,
headers: config.headers,
ip: config.ip,
config,
};
if (!auth) {