Security: limit Masterkey remote access (#4017)

* update choose_password to have the confirmation * add comment mark * First version, no test * throw error right away instead of just use masterKey false * fix the logic * move it up before the masterKey check * adding some test * typo * remove the choose_password * newline * add cli options * remove trailing space * handle in case the server is behind proxy * add getting the first ip in the ip list of xff * sanity check the ip in config if it is a valid ip address * split ip extraction to another function * trailing spaces
2017-07-23 18:26:30 +02:00
parent 811d8b0c7a
commit 7e54265f6d
7 changed files with 223 additions and 2 deletions
--- a/src/ParseServer.js
+++ b/src/ParseServer.js
@@ -92,6 +92,7 @@ class ParseServer {
  constructor({
    appId = requiredParameter('You must provide an appId!'),
    masterKey = requiredParameter('You must provide a masterKey!'),
+    masterKeyIps = [],
    appName,
    analyticsAdapter,
    filesAdapter,
@@ -167,6 +168,11 @@ class ParseServer {
      userSensitiveFields
    )));

+    masterKeyIps = Array.from(new Set(masterKeyIps.concat(
+      defaults.masterKeyIps,
+      masterKeyIps
+    )));
+
    const loggerControllerAdapter = loadAdapter(loggerAdapter, WinstonLoggerAdapter, { jsonLogs, logsFolder, verbose, logLevel, silent });
    const loggerController = new LoggerController(loggerControllerAdapter, appId);
    logging.setLogger(loggerController);
@@ -228,6 +234,7 @@ class ParseServer {
    AppCache.put(appId, {
      appId,
      masterKey: masterKey,
+      masterKeyIps:masterKeyIps,
      serverURL: serverURL,
      collectionPrefix: collectionPrefix,
      clientKey: clientKey,