feat: Restrict use of masterKey to localhost by default (#8281)

BREAKING CHANGE: This release restricts the use of `masterKey` to localhost by default; if you are using Parse Dashboard on a different server to connect to Parse Server you need to add the IP address of the server that hosts Parse Dashboard to this option (#8281)
dblythy
2022-11-11 13:24:48 +11:00
committed by GitHub
parent 7336afc562
commit 6c16021a1f
10 changed files with 98 additions and 100 deletions


@@ -7,6 +7,7 @@ import defaultLogger from './logger';
import rest from './rest';
import MongoStorageAdapter from './Adapters/Storage/Mongo/MongoStorageAdapter';
import PostgresStorageAdapter from './Adapters/Storage/Postgres/PostgresStorageAdapter';
import ipRangeCheck from 'ip-range-check';
export const DEFAULT_ALLOWED_HEADERS =
'X-Parse-Master-Key, X-Parse-REST-API-Key, X-Parse-Javascript-Key, X-Parse-Application-Id, X-Parse-Client-Version, X-Parse-Session-Token, X-Requested-With, X-Parse-Revocable-Session, X-Parse-Request-Id, Content-Type, Pragma, Cache-Control';
@@ -164,17 +165,11 @@ export function handleParseHeaders(req, res, next) {
req.config.ip = clientIp;
req.info = info;
if (
info.masterKey &&
req.config.masterKeyIps &&
req.config.masterKeyIps.length !== 0 &&
req.config.masterKeyIps.indexOf(clientIp) === -1
) {
return invalidRequest(req, res);
let isMaster = info.masterKey === req.config.masterKey;
if (isMaster && !ipRangeCheck(clientIp, req.config.masterKeyIps || [])) {
isMaster = false;
}
var isMaster = info.masterKey === req.config.masterKey;
if (isMaster) {
req.auth = new auth.Auth({
config: req.config,
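Review bot: A correct master key sent from an address outside `masterKeyIps` is now downgraded silently. The `isMaster = false;` branch neither rejects the request (the removed code returned `invalidRequest(req, res)`) nor records anything, so operators get no signal that a valid key was presented from an unexpected host. I would log in that branch before clearing the flag, for example `defaultLogger.error('Master key used from IP ' + clientIp + ' which is not in masterKeyIps');`, keeping the key itself out of the message. The check is also only as strong as `clientIp`, which is computed outside this hunk; if it can be taken from a forwarded header, confirm that header is trusted only behind a known proxy. The body of `handleParseHeaders` starts and ends outside the hunk.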