Accept context via header X-Parse-Cloud-Context (#7437)

* failing testcase * add header * switch to X-Parse-Cloud-Context header * add back blank line that lint removed * test replacing context header with body context. Add support for setting body with json string * add back blank line * cover error when _context body is wrong * Update middlewares.js * revert accidental status change * make sure context always decodes to an object else throw error * improve context object check Co-authored-by: Antonio Davi Macedo Coelho de Castro <adavimacedo@gmail.com>
2021-07-26 00:17:03 -04:00
parent c3b71ba5b6
commit c8e822b958
3 changed files with 247 additions and 3 deletions
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -25,6 +25,17 @@ const getMountForRequest = function (req) {
 export function handleParseHeaders(req, res, next) {
  var mount = getMountForRequest(req);

+  let context = {};
+  if (req.get('X-Parse-Cloud-Context') != null) {
+    try {
+      context = JSON.parse(req.get('X-Parse-Cloud-Context'));
+      if (Object.prototype.toString.call(context) !== '[object Object]') {
+        throw 'Context is not an object';
+      }
+    } catch (e) {
+      return malformedContext(req, res);
+    }
+  }
  var info = {
    appId: req.get('X-Parse-Application-Id'),
    sessionToken: req.get('X-Parse-Session-Token'),
@@ -35,7 +46,7 @@ export function handleParseHeaders(req, res, next) {
    dotNetKey: req.get('X-Parse-Windows-Key'),
    restAPIKey: req.get('X-Parse-REST-API-Key'),
    clientVersion: req.get('X-Parse-Client-Version'),
-    context: {},
+    context: context,
  };

  var basicAuth = httpAuth(req);
@@ -105,8 +116,19 @@ export function handleParseHeaders(req, res, next) {
        info.masterKey = req.body._MasterKey;
        delete req.body._MasterKey;
      }
-      if (req.body._context && req.body._context instanceof Object) {
-        info.context = req.body._context;
+      if (req.body._context) {
+        if (req.body._context instanceof Object) {
+          info.context = req.body._context;
+        } else {
+          try {
+            info.context = JSON.parse(req.body._context);
+            if (Object.prototype.toString.call(info.context) !== '[object Object]') {
+              throw 'Context is not an object';
+            }
+          } catch (e) {
+            return malformedContext(req, res);
+          }
+        }
        delete req.body._context;
      }
      if (req.body._ContentType) {
@@ -454,3 +476,8 @@ function invalidRequest(req, res) {
  res.status(403);
  res.end('{"error":"unauthorized"}');
 }
+
+function malformedContext(req, res) {
+  res.status(400);
+  res.json({ code: Parse.Error.INVALID_JSON, error: 'Invalid object for context.' });
+}