Remove hidden properties in handleLogin & handleMe (#4335)
This commit is contained in:
Tom
committed by
Benjamin Wilson Friedman
Benjamin Wilson Friedman
parent
08ab1f453d
commit
932a474606
@@ -3038,7 +3038,7 @@ describe('Parse.User testing', () => {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should not retrieve hidden fields', done => {
|
it('should not retrieve hidden fields on GET users/me (#3432)', done => {
|
||||||
|
|
||||||
var emailAdapter = {
|
var emailAdapter = {
|
||||||
sendVerificationEmail: () => {},
|
sendVerificationEmail: () => {},
|
||||||
@@ -3073,6 +3073,34 @@ describe('Parse.User testing', () => {
|
|||||||
expect(res.emailVerified).toBe(false);
|
expect(res.emailVerified).toBe(false);
|
||||||
expect(res._email_verify_token).toBeUndefined();
|
expect(res._email_verify_token).toBeUndefined();
|
||||||
done()
|
done()
|
||||||
|
}).catch((err) => {
|
||||||
|
fail(JSON.stringify(err));
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it('should not retrieve hidden fields on GET users/id (#3432)', done => {
|
||||||
|
|
||||||
|
var emailAdapter = {
|
||||||
|
sendVerificationEmail: () => {},
|
||||||
|
sendPasswordResetEmail: () => Promise.resolve(),
|
||||||
|
sendMail: () => Promise.resolve()
|
||||||
|
}
|
||||||
|
|
||||||
|
const user = new Parse.User();
|
||||||
|
user.set({
|
||||||
|
username: 'hello',
|
||||||
|
password: 'world',
|
||||||
|
email: "test@email.com"
|
||||||
|
})
|
||||||
|
|
||||||
|
reconfigureServer({
|
||||||
|
appName: 'unused',
|
||||||
|
verifyUserEmails: true,
|
||||||
|
emailAdapter: emailAdapter,
|
||||||
|
publicServerURL: "http://localhost:8378/1"
|
||||||
|
}).then(() => {
|
||||||
|
return user.signUp();
|
||||||
}).then(() => rp({
|
}).then(() => rp({
|
||||||
method: 'GET',
|
method: 'GET',
|
||||||
url: 'http://localhost:8378/1/users/' + Parse.User.current().id,
|
url: 'http://localhost:8378/1/users/' + Parse.User.current().id,
|
||||||
@@ -3091,6 +3119,45 @@ describe('Parse.User testing', () => {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('should not retrieve hidden fields on login (#3432)', done => {
|
||||||
|
|
||||||
|
var emailAdapter = {
|
||||||
|
sendVerificationEmail: () => {},
|
||||||
|
sendPasswordResetEmail: () => Promise.resolve(),
|
||||||
|
sendMail: () => Promise.resolve()
|
||||||
|
}
|
||||||
|
|
||||||
|
const user = new Parse.User();
|
||||||
|
user.set({
|
||||||
|
username: 'hello',
|
||||||
|
password: 'world',
|
||||||
|
email: "test@email.com"
|
||||||
|
})
|
||||||
|
|
||||||
|
reconfigureServer({
|
||||||
|
appName: 'unused',
|
||||||
|
verifyUserEmails: true,
|
||||||
|
emailAdapter: emailAdapter,
|
||||||
|
publicServerURL: "http://localhost:8378/1"
|
||||||
|
}).then(() => {
|
||||||
|
return user.signUp();
|
||||||
|
}).then(() => rp.get({
|
||||||
|
url: 'http://localhost:8378/1/login?email=test@email.com&username=hello&password=world',
|
||||||
|
json: true,
|
||||||
|
headers: {
|
||||||
|
'X-Parse-Application-Id': Parse.applicationId,
|
||||||
|
'X-Parse-REST-API-Key': 'rest'
|
||||||
|
},
|
||||||
|
})).then((res) => {
|
||||||
|
expect(res.emailVerified).toBe(false);
|
||||||
|
expect(res._email_verify_token).toBeUndefined();
|
||||||
|
done();
|
||||||
|
}).catch((err) => {
|
||||||
|
fail(JSON.stringify(err));
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
it('should not allow updates to hidden fields', done => {
|
it('should not allow updates to hidden fields', done => {
|
||||||
var emailAdapter = {
|
var emailAdapter = {
|
||||||
sendVerificationEmail: () => {},
|
sendVerificationEmail: () => {},
|
||||||
|
|||||||
@@ -16,6 +16,21 @@ export class UsersRouter extends ClassesRouter {
|
|||||||
return '_User';
|
return '_User';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Removes all "_" prefixed properties from an object, except "__type"
|
||||||
|
* @param {Object} obj An object.
|
||||||
|
*/
|
||||||
|
static removeHiddenProperties (obj) {
|
||||||
|
for (var key in obj) {
|
||||||
|
if (obj.hasOwnProperty(key)) {
|
||||||
|
// Regexp comes from Parse.Object.prototype.validate
|
||||||
|
if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
|
||||||
|
delete obj[key];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
handleMe(req) {
|
handleMe(req) {
|
||||||
if (!req.info || !req.info.sessionToken) {
|
if (!req.info || !req.info.sessionToken) {
|
||||||
throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
|
throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
|
||||||
@@ -35,14 +50,7 @@ export class UsersRouter extends ClassesRouter {
|
|||||||
user.sessionToken = sessionToken;
|
user.sessionToken = sessionToken;
|
||||||
|
|
||||||
// Remove hidden properties.
|
// Remove hidden properties.
|
||||||
for (var key in user) {
|
UsersRouter.removeHiddenProperties(user);
|
||||||
if (user.hasOwnProperty(key)) {
|
|
||||||
// Regexp comes from Parse.Object.prototype.validate
|
|
||||||
if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
|
|
||||||
delete user[key];
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return { response: user };
|
return { response: user };
|
||||||
}
|
}
|
||||||
@@ -125,6 +133,9 @@ export class UsersRouter extends ClassesRouter {
|
|||||||
user.sessionToken = token;
|
user.sessionToken = token;
|
||||||
delete user.password;
|
delete user.password;
|
||||||
|
|
||||||
|
// Remove hidden properties.
|
||||||
|
UsersRouter.removeHiddenProperties(user);
|
||||||
|
|
||||||
// Sometimes the authData still has null on that keys
|
// Sometimes the authData still has null on that keys
|
||||||
// https://github.com/parse-community/parse-server/issues/935
|
// https://github.com/parse-community/parse-server/issues/935
|
||||||
if (user.authData) {
|
if (user.authData) {
|
||||||
|
|||||||
Reference in New Issue
Block a user