joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove hidden properties in handleLogin & handleMe (#4335)

Browse Source
This commit is contained in:
Tom
2017-11-09 17:48:50 -08:00
committed by Benjamin Wilson Friedman
parent 08ab1f453d
commit 932a474606
2 changed files with 87 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
spec/ParseUser.spec.js
View File

@@ -3038,7 +3038,7 @@ describe('Parse.User testing', () => {
});
});
it('should not retrieve hidden fields', done => {
it('should not retrieve hidden fields on GET users/me (#3432)', done => {
var emailAdapter = {
sendVerificationEmail: () => {},
@@ -3073,6 +3073,34 @@ describe('Parse.User testing', () => {
expect(res.emailVerified).toBe(false);
expect(res._email_verify_token).toBeUndefined();
done()
}).catch((err) => {
fail(JSON.stringify(err));
done();
});
});
it('should not retrieve hidden fields on GET users/id (#3432)', done => {
var emailAdapter = {
sendVerificationEmail: () => {},
sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => Promise.resolve()
}
const user = new Parse.User();
user.set({
username: 'hello',
password: 'world',
email: "test@email.com"
})
reconfigureServer({
appName: 'unused',
verifyUserEmails: true,
emailAdapter: emailAdapter,
publicServerURL: "http://localhost:8378/1"
}).then(() => {
return user.signUp();
}).then(() => rp({
method: 'GET',
url: 'http://localhost:8378/1/users/' + Parse.User.current().id,
@@ -3091,6 +3119,45 @@ describe('Parse.User testing', () => {
});
});
it('should not retrieve hidden fields on login (#3432)', done => {
var emailAdapter = {
sendVerificationEmail: () => {},
sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => Promise.resolve()
}
const user = new Parse.User();
user.set({
username: 'hello',
password: 'world',
email: "test@email.com"
})
reconfigureServer({
appName: 'unused',
verifyUserEmails: true,
emailAdapter: emailAdapter,
publicServerURL: "http://localhost:8378/1"
}).then(() => {
return user.signUp();
}).then(() => rp.get({
url: 'http://localhost:8378/1/login?email=test@email.com&username=hello&password=world',
json: true,
headers: {
'X-Parse-Application-Id': Parse.applicationId,
'X-Parse-REST-API-Key': 'rest'
},
})).then((res) => {
expect(res.emailVerified).toBe(false);
expect(res._email_verify_token).toBeUndefined();
done();
}).catch((err) => {
fail(JSON.stringify(err));
done();
});
});
it('should not allow updates to hidden fields', done => {
var emailAdapter = {
sendVerificationEmail: () => {},

27
src/Routers/UsersRouter.js
View File

@@ -16,6 +16,21 @@ export class UsersRouter extends ClassesRouter {
return '_User';
}
/**
* Removes all "_" prefixed properties from an object, except "__type"
* @param {Object} obj An object.
*/
static removeHiddenProperties (obj) {
for (var key in obj) {
if (obj.hasOwnProperty(key)) {
// Regexp comes from Parse.Object.prototype.validate
if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
delete obj[key];
}
}
}
}
handleMe(req) {
if (!req.info || !req.info.sessionToken) {
throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
@@ -35,14 +50,7 @@ export class UsersRouter extends ClassesRouter {
user.sessionToken = sessionToken;
// Remove hidden properties.
for (var key in user) {
if (user.hasOwnProperty(key)) {
// Regexp comes from Parse.Object.prototype.validate
if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
delete user[key];
}
}
}
UsersRouter.removeHiddenProperties(user);
return { response: user };
}
@@ -125,6 +133,9 @@ export class UsersRouter extends ClassesRouter {
user.sessionToken = token;
delete user.password;
// Remove hidden properties.
UsersRouter.removeHiddenProperties(user);
// Sometimes the authData still has null on that keys
// https://github.com/parse-community/parse-server/issues/935
if (user.authData) {