Merge pull request from GHSA-236h-rqv8-8q73
* Fix graphql viewer breach * fix * remove comment
@@ -41,7 +41,7 @@ const load = parseGraphQLSchema => {
|
||||
const { fields } = args;
|
||||
const { config, auth, info } = context;
|
||||
|
||||
const { sessionToken } = await objectsMutations.createObject(
|
||||
const { sessionToken, objectId } = await objectsMutations.createObject(
|
||||
'_User',
|
||||
fields,
|
||||
config,
|
||||
@@ -49,15 +49,14 @@ const load = parseGraphQLSchema => {
|
||||
info
|
||||
);
|
||||
|
||||
info.sessionToken = sessionToken;
|
||||
context.info.sessionToken = sessionToken;
|
||||
|
||||
return {
|
||||
viewer: await getUserFromSessionToken(
|
||||
config,
|
||||
info,
|
||||
context,
|
||||
mutationInfo,
|
||||
'viewer.user.',
|
||||
true
|
||||
objectId
|
||||
),
|
||||
};
|
||||
} catch (e) {
|
||||
@@ -120,7 +119,7 @@ const load = parseGraphQLSchema => {
|
||||
const { fields, authData } = args;
|
||||
const { config, auth, info } = context;
|
||||
|
||||
const { sessionToken } = await objectsMutations.createObject(
|
||||
const { sessionToken, objectId } = await objectsMutations.createObject(
|
||||
'_User',
|
||||
{ ...fields, authData },
|
||||
config,
|
||||
@@ -128,15 +127,14 @@ const load = parseGraphQLSchema => {
|
||||
info
|
||||
);
|
||||
|
||||
info.sessionToken = sessionToken;
|
||||
context.info.sessionToken = sessionToken;
|
||||
|
||||
return {
|
||||
viewer: await getUserFromSessionToken(
|
||||
config,
|
||||
info,
|
||||
context,
|
||||
mutationInfo,
|
||||
'viewer.user.',
|
||||
true
|
||||
objectId
|
||||
),
|
||||
};
|
||||
} catch (e) {
|
||||
@@ -183,7 +181,7 @@ const load = parseGraphQLSchema => {
|
||||
const { username, password } = args;
|
||||
const { config, auth, info } = context;
|
||||
|
||||
const { sessionToken } = (
|
||||
const { sessionToken, objectId } = (
|
||||
await usersRouter.handleLogIn({
|
||||
body: {
|
||||
username,
|
||||
@@ -196,15 +194,14 @@ const load = parseGraphQLSchema => {
|
||||
})
|
||||
).response;
|
||||
|
||||
info.sessionToken = sessionToken;
|
||||
context.info.sessionToken = sessionToken;
|
||||
|
||||
return {
|
||||
viewer: await getUserFromSessionToken(
|
||||
config,
|
||||
info,
|
||||
context,
|
||||
mutationInfo,
|
||||
'viewer.user.',
|
||||
true
|
||||
objectId
|
||||
),
|
||||
};
|
||||
} catch (e) {
|
||||
@@ -236,11 +233,10 @@ const load = parseGraphQLSchema => {
|
||||
const { config, auth, info } = context;
|
||||
|
||||
const viewer = await getUserFromSessionToken(
|
||||
config,
|
||||
info,
|
||||
context,
|
||||
mutationInfo,
|
||||
'viewer.user.',
|
||||
true
|
||||
auth.user.id
|
||||
);
|
||||
|
||||
await usersRouter.handleLogOut({
|
||||
|
||||
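Review bot: In the logOut hunk (`@@ -236,11 +233,10`), `auth.user.id` is dereferenced before getUserFromSessionToken is called, so a request whose auth carries no user (no or unresolved session token) would fail with a TypeError where the removed path threw Parse.Error INVALID_SESSION_TOKEN from inside the helper; whether `auth.user` can be absent here depends on how the GraphQL context is built, which is outside the hunk. A guard before the call keeps the error contract: `if (!auth || !auth.user) { throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token'); }` (assuming `Parse` is imported in this file as it is in usersQueries). The signUp and logIn hunks pass the freshly created `objectId` the same way, and since getUserFromSessionToken replaces `context.auth` when a userId is given, a one-line comment at each call such as `// Re-authenticates the request context as this user; later resolvers in the same operation see it` would make that side effect visible at the call site. The enclosing resolvers start and end outside these hunks.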
@@ -2,16 +2,16 @@ import { GraphQLNonNull } from 'graphql';
|
||||
import getFieldNames from 'graphql-list-fields';
|
||||
import Parse from 'parse/node';
|
||||
import rest from '../../rest';
|
||||
import Auth from '../../Auth';
|
||||
import { extractKeysAndInclude } from './parseClassTypes';
|
||||
import { Auth } from '../../Auth';
|
||||
|
||||
const getUserFromSessionToken = async (
|
||||
config,
|
||||
info,
|
||||
context,
|
||||
queryInfo,
|
||||
keysPrefix,
|
||||
validatedToken
|
||||
userId
|
||||
) => {
|
||||
const { info, config } = context;
|
||||
if (!info || !info.sessionToken) {
|
||||
throw new Parse.Error(
|
||||
Parse.Error.INVALID_SESSION_TOKEN,
|
||||
@@ -27,7 +27,7 @@ const getUserFromSessionToken = async (
|
||||
const { keys } = keysAndInclude;
|
||||
let { include } = keysAndInclude;
|
||||
|
||||
if (validatedToken && !keys && !include) {
|
||||
if (userId && !keys && !include) {
|
||||
return {
|
||||
sessionToken,
|
||||
};
|
||||
@@ -35,40 +35,47 @@ const getUserFromSessionToken = async (
|
||||
include = 'user';
|
||||
}
|
||||
|
||||
if (userId) {
|
||||
// We need to re create the auth context
|
||||
// to avoid security breach if userId is provided
|
||||
context.auth = new Auth({
|
||||
config,
|
||||
isMaster: context.auth.isMaster,
|
||||
user: { id: userId },
|
||||
});
|
||||
}
|
||||
|
||||
const options = {};
|
||||
if (keys) {
|
||||
options.keys = keys
|
||||
.split(',')
|
||||
.map(key => `user.${key}`)
|
||||
.map(key => `${key}`)
|
||||
.join(',');
|
||||
}
|
||||
if (include) {
|
||||
options.include = include
|
||||
.split(',')
|
||||
.map(included => `user.${included}`)
|
||||
.map(included => `${included}`)
|
||||
.join(',');
|
||||
}
|
||||
|
||||
const response = await rest.find(
|
||||
config,
|
||||
Auth.master(config),
|
||||
'_Session',
|
||||
{ sessionToken },
|
||||
context.auth,
|
||||
'_User',
|
||||
// Get the user it self from auth object
|
||||
{ objectId: context.auth.user.id },
|
||||
options,
|
||||
info.clientVersion,
|
||||
info.context,
|
||||
info.context
|
||||
);
|
||||
if (
|
||||
!response.results ||
|
||||
response.results.length == 0 ||
|
||||
!response.results[0].user
|
||||
) {
|
||||
if (!response.results || response.results.length == 0) {
|
||||
throw new Parse.Error(
|
||||
Parse.Error.INVALID_SESSION_TOKEN,
|
||||
'Invalid session token'
|
||||
);
|
||||
} else {
|
||||
const user = response.results[0].user;
|
||||
const user = response.results[0];
|
||||
return {
|
||||
sessionToken,
|
||||
user,
|
||||
@@ -89,10 +96,8 @@ const load = parseGraphQLSchema => {
|
||||
type: new GraphQLNonNull(parseGraphQLSchema.viewerType),
|
||||
async resolve(_source, _args, context, queryInfo) {
|
||||
try {
|
||||
const { config, info } = context;
|
||||
return await getUserFromSessionToken(
|
||||
config,
|
||||
info,
|
||||
context,
|
||||
queryInfo,
|
||||
'user.',
|
||||
false
|
||||
|
||||
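Review bot: In the `@@ -35,40 +35,47` hunk of getUserFromSessionToken, the `rest.find` call reads `context.auth.user.id` without checking that `context.auth.user` exists; when no `userId` is passed (the viewer query path) the only validation is the earlier `!info.sessionToken` check, so a context whose auth was not resolved to a user would raise a TypeError instead of INVALID_SESSION_TOKEN — whether that state is reachable depends on the context builder, which is outside this diff. Adding `if (!context.auth || !context.auth.user || !context.auth.user.id) { throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token'); }` after the `if (userId)` block closes that gap. The `userId` branch rebuilds `context.auth` from an id it does not verify, so the comment above it should state the trust boundary, e.g. `// userId must come from a credential this server just validated (createObject, handleLogIn or auth.user.id); it is used as-is to build the Auth that reads _User, keeping only isMaster from the previous Auth`. Minor: the two `.map(...)` steps that now only re-interpolate their argument are identity mappings (`options.keys = keys` and `options.include = include` read clearer), `include = 'user'` in the context lines looks like a leftover from the former `_Session` query, and `response.results.length == 0` should be `=== 0`.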