feat: Deprecation DEPPS8: Parse Server option allowExpiredAuthDataToken defaults to false (#8860)

BREAKING CHANGE: Parse Server option `allowExpiredAuthDataToken` defaults to `false`; a 3rd party authentication token will be validated every time the user tries to log in and the login will fail if the token has expired; the effect of this change may differ for different authentication adapters, depending on the token lifetime and the token refresh logic of the adapter

DEPRECATIONS.md

@@ -11,7 +11,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 | DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |
 | DEPPS6 | Auth providers disabled by default | [#7953](https://github.com/parse-community/parse-server/pull/7953)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |
 | DEPPS7 | Remove file trigger syntax `Parse.Cloud.beforeSaveFile((request) => {})` | [#7966](https://github.com/parse-community/parse-server/pull/7966)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | removed            | -     |
-| DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |
+| DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | removed            | -     |
 | DEPPS9 | Rename LiveQuery `fields` option to `keys` | [#8389](https://github.com/parse-community/parse-server/issues/8389)   | 6.0.0 (2023)                    | 7.0.0 (2024)                    | removed            | -     |
 | DEPPS10 | Config option `encodeParseObjectInCloudFunction` defaults to `true`  | [#8634](https://github.com/parse-community/parse-server/issues/8634)   | 6.2.0 (2023)                    | 8.0.0 (2025)                    | deprecated            | -     |
 

spec/ParseUser.spec.js

@@ -15,51 +15,18 @@ const cryptoUtils = require('../lib/cryptoUtils');
 
 describe('allowExpiredAuthDataToken option', () => {
   it('should accept true value', async () => {
-    const logger = require('../lib/logger').logger;
-    const logSpy = spyOn(logger, 'warn').and.callFake(() => {});
     await reconfigureServer({ allowExpiredAuthDataToken: true });
     expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(true);
-    expect(
-      logSpy.calls
-        .all()
-        .filter(
-          log =>
-            log.args[0] ===
-            `DeprecationWarning: The Parse Server option 'allowExpiredAuthDataToken' default will change to 'false' in a future version.`
-        ).length
-    ).toEqual(0);
   });
 
   it('should accept false value', async () => {
-    const logger = require('../lib/logger').logger;
-    const logSpy = spyOn(logger, 'warn').and.callFake(() => {});
     await reconfigureServer({ allowExpiredAuthDataToken: false });
     expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false);
-    expect(
-      logSpy.calls
-        .all()
-        .filter(
-          log =>
-            log.args[0] ===
-            `DeprecationWarning: The Parse Server option 'allowExpiredAuthDataToken' default will change to 'false' in a future version.`
-        ).length
-    ).toEqual(0);
   });
 
-  it('should default true', async () => {
+  it('should default false', async () => {
-    const logger = require('../lib/logger').logger;
-    const logSpy = spyOn(logger, 'warn').and.callFake(() => {});
     await reconfigureServer({});
-    expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(true);
+    expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false);
-    expect(
-      logSpy.calls
-        .all()
-        .filter(
-          log =>
-            log.args[0] ===
-            `DeprecationWarning: The Parse Server option 'allowExpiredAuthDataToken' default will change to 'false' in a future version.`
-        ).length
-    ).toEqual(1);
   });
 
   it('should enforce boolean values', async () => {
@@ -1878,7 +1845,7 @@ describe('Parse.User testing', () => {
     });
   });
 
-  it('should allow login with expired authData token by default', async () => {
+  it('should not allow login with expired authData token since allowExpiredAuthDataToken is set to false by default', async () => {
     const provider = {
       authData: {
         id: '12345',
@@ -1904,37 +1871,7 @@ describe('Parse.User testing', () => {
     // In this case, we want success as it was valid once.
     // If the client needs an updated token, do lock the user out
     defaultConfiguration.auth.shortLivedAuth.setValidAccessToken('otherToken');
-    await Parse.User._logInWith('shortLivedAuth', {});
+    await expectAsync(Parse.User._logInWith('shortLivedAuth', {})).toBeRejected();
-  });
-
-  it('should not allow login with expired authData token when allowExpiredAuthDataToken is set to false', async () => {
-    await reconfigureServer({ allowExpiredAuthDataToken: false });
-    const provider = {
-      authData: {
-        id: '12345',
-        access_token: 'token',
-      },
-      restoreAuthentication() {
-        return true;
-      },
-      deauthenticate() {
-        provider.authData = {};
-      },
-      authenticate(options) {
-        options.success(this, provider.authData);
-      },
-      getAuthType() {
-        return 'shortLivedAuth';
-      },
-    };
-    defaultConfiguration.auth.shortLivedAuth.setValidAccessToken('token');
-    Parse.User._registerAuthenticationProvider(provider);
-    await Parse.User._logInWith('shortLivedAuth', {});
-    // Simulate a remotely expired token (like a short lived one)
-    // In this case, we want success as it was valid once.
-    // If the client needs an updated token, do lock the user out
-    defaultConfiguration.auth.shortLivedAuth.setValidAccessToken('otherToken');
-    expectAsync(Parse.User._logInWith('shortLivedAuth', {})).toBeRejected();
   });
 
   it('should allow PUT request with stale auth Data', done => {

src/Deprecator/Deprecations.js

@@ -17,6 +17,5 @@
  */
 module.exports = [
   { optionKey: 'allowClientClassCreation', changeNewDefault: 'false' },
-  { optionKey: 'allowExpiredAuthDataToken', changeNewDefault: 'false' },
   { optionKey: 'encodeParseObjectInCloudFunction', changeNewDefault: 'true' },
 ];

src/Options/Definitions.js

@@ -70,9 +70,9 @@ module.exports.ParseServerOptions = {
   allowExpiredAuthDataToken: {
     env: 'PARSE_SERVER_ALLOW_EXPIRED_AUTH_DATA_TOKEN',
     help:
-      'Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`.',
+      'Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `false`.',
     action: parsers.booleanParser,
-    default: true,
+    default: false,
   },
   allowHeaders: {
     env: 'PARSE_SERVER_ALLOW_HEADERS',

src/Options/docs.js

@@ -14,7 +14,7 @@
  * @property {AccountLockoutOptions} accountLockout The account lockout policy for failed login attempts.
  * @property {Boolean} allowClientClassCreation Enable (or disable) client class creation, defaults to true
  * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId
- * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`.
+ * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `false`.
  * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers
  * @property {String|String[]} allowOrigin Sets origins for Access-Control-Allow-Origin. This can be a string for a single origin or an array of strings for multiple origins.
  * @property {Adapter<AnalyticsAdapter>} analyticsAdapter Adapter module for the analytics

src/Options/index.js

@@ -320,8 +320,8 @@ export interface ParseServerOptions {
   /* Set to true if new users should be created without public read and write access.
   :DEFAULT: true */
   enforcePrivateUsers: ?boolean;
-  /* Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`.
+  /* Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `false`.
-  :DEFAULT: true */
+  :DEFAULT: false */
   allowExpiredAuthDataToken: ?boolean;
   /* An array of keys and values that are prohibited in database read and write requests to prevent potential security vulnerabilities. It is possible to specify only a key (`{"key":"..."}`), only a value (`{"value":"..."}`) or a key-value pair (`{"key":"...","value":"..."}`). The specification can use the following types: `boolean`, `numeric` or `string`, where `string` will be interpreted as a regex notation. Request data is deep-scanned for matching definitions to detect also any nested occurrences. Defaults are patterns that are likely to be used in malicious requests. Setting this option will override the default patterns.
   :DEFAULT: [{"key":"_bsontype","value":"Code"},{"key":"constructor"},{"key":"__proto__"}] */