joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Access the internal scope of Parse Server using the new maintenanceKey; the internal scope contains unofficial and undocumented fields (prefixed with underscore _) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the maintenanceKey for routine operations in a production environment; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) (#8212)

Browse Source 
BREAKING CHANGE: Fields in the internal scope of Parse Server (prefixed with underscore `_`) are only returned using the new `maintenanceKey`; previously the `masterKey` allowed reading of internal fields; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) for a comparison of the keys' access permissions (#8212)
This commit is contained in:
Daniel
2023-01-09 08:02:12 +11:00
committed by GitHub
parent 3d57072c1f
commit f3bcc9365c
23 changed files with 372 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/Auth.js
View File

@@ -11,6 +11,7 @@ function Auth({
config,
cacheController = undefined,
isMaster = false,
isMaintenance = false,
isReadOnly = false,
user,
installationId,
@@ -19,6 +20,7 @@ function Auth({
this.cacheController = cacheController || (config && config.cacheController);
this.installationId = installationId;
this.isMaster = isMaster;
this.isMaintenance = isMaintenance;
this.user = user;
this.isReadOnly = isReadOnly;
@@ -35,6 +37,9 @@ Auth.prototype.isUnauthenticated = function () {
if (this.isMaster) {
return false;
}
if (this.isMaintenance) {
return false;
}
if (this.user) {
return false;
}
@@ -46,6 +51,11 @@ function master(config) {
return new Auth({ config, isMaster: true });
}
// A helper to get a maintenance-level Auth object
function maintenance(config) {
return new Auth({ config, isMaintenance: true });
}
// A helper to get a master-level Auth object
function readOnly(config) {
return new Auth({ config, isMaster: true, isReadOnly: true });
@@ -149,7 +159,7 @@ var getAuthForLegacySessionToken = function ({ config, sessionToken, installatio
// Returns a promise that resolves to an array of role names
Auth.prototype.getUserRoles = function () {
if (this.isMaster || !this.user) {
if (this.isMaster || this.isMaintenance || !this.user) {
return Promise.resolve([]);
}
if (this.fetchedRoles) {
@@ -493,6 +503,7 @@ const handleAuthDataValidation = async (authData, req, foundUser) => {
module.exports = {
Auth,
master,
maintenance,
nobody,
readOnly,
getAuthForSessionToken,

13
src/Config.js
View File

@@ -73,6 +73,8 @@ export class Config {
passwordPolicy,
masterKeyIps,
masterKey,
maintenanceKey,
maintenanceKeyIps,
readOnlyMasterKey,
allowHeaders,
idempotencyOptions,
@@ -91,6 +93,10 @@ export class Config {
throw new Error('masterKey and readOnlyMasterKey should be different');
}
if (masterKey === maintenanceKey) {
throw new Error('masterKey and maintenanceKey should be different');
}
const emailAdapter = userController.adapter;
if (verifyUserEmails) {
this.validateEmailConfiguration({
@@ -116,7 +122,8 @@ export class Config {
}
}
this.validateSessionConfiguration(sessionLength, expireInactiveSessions);
this.validateMasterKeyIps(masterKeyIps);
this.validateIps('masterKeyIps', masterKeyIps);
this.validateIps('maintenanceKeyIps', maintenanceKeyIps);
this.validateDefaultLimit(defaultLimit);
this.validateMaxLimit(maxLimit);
this.validateAllowHeaders(allowHeaders);
@@ -440,13 +447,13 @@ export class Config {
}
}
static validateMasterKeyIps(masterKeyIps) {
static validateIps(field, masterKeyIps) {
for (let ip of masterKeyIps) {
if (ip.includes('/')) {
ip = ip.split('/')[0];
}
if (!net.isIP(ip)) {
throw `The Parse Server option "masterKeyIps" contains an invalid IP address "${ip}".`;
throw `The Parse Server option "${field}" contains an invalid IP address "${ip}".`;
}
}
}

56
src/Controllers/DatabaseController.js
View File

@@ -68,14 +68,22 @@ const specialMasterQueryKeys = [
'_password_history',
];
const validateQuery = (query: any, isMaster: boolean, update: boolean): void => {
const validateQuery = (
query: any,
isMaster: boolean,
isMaintenance: boolean,
update: boolean
): void => {
if (isMaintenance) {
isMaster = true;
}
if (query.ACL) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
}
if (query.$or) {
if (query.$or instanceof Array) {
query.$or.forEach(value => validateQuery(value, isMaster, update));
query.$or.forEach(value => validateQuery(value, isMaster, isMaintenance, update));
} else {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $or format - use an array value.');
}
@@ -83,7 +91,7 @@ const validateQuery = (query: any, isMaster: boolean, update: boolean): void =>
if (query.$and) {
if (query.$and instanceof Array) {
query.$and.forEach(value => validateQuery(value, isMaster, update));
query.$and.forEach(value => validateQuery(value, isMaster, isMaintenance, update));
} else {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $and format - use an array value.');
}
@@ -91,7 +99,7 @@ const validateQuery = (query: any, isMaster: boolean, update: boolean): void =>
if (query.$nor) {
if (query.$nor instanceof Array && query.$nor.length > 0) {
query.$nor.forEach(value => validateQuery(value, isMaster, update));
query.$nor.forEach(value => validateQuery(value, isMaster, isMaintenance, update));
} else {
throw new Parse.Error(
Parse.Error.INVALID_QUERY,
@@ -124,6 +132,7 @@ const validateQuery = (query: any, isMaster: boolean, update: boolean): void =>
// Filters out any data that shouldn't be on this REST-formatted object.
const filterSensitiveData = (
isMaster: boolean,
isMaintenance: boolean,
aclGroup: any[],
auth: any,
operation: any,
@@ -195,6 +204,15 @@ const filterSensitiveData = (
}
const isUserClass = className === '_User';
if (isUserClass) {
object.password = object._hashed_password;
delete object._hashed_password;
delete object.sessionToken;
}
if (isMaintenance) {
return object;
}
/* special treat for the user class: don't filter protectedFields if currently loggedin user is
the retrieved user */
@@ -208,22 +226,13 @@ const filterSensitiveData = (
perms.protectedFields.temporaryKeys.forEach(k => delete object[k]);
}
if (isUserClass) {
object.password = object._hashed_password;
delete object._hashed_password;
delete object.sessionToken;
}
if (isMaster) {
return object;
}
for (const key in object) {
if (key.charAt(0) === '_') {
delete object[key];
}
}
if (!isUserClass) {
if (!isUserClass || isMaster) {
return object;
}
@@ -439,7 +448,8 @@ class DatabaseController {
className: string,
object: any,
query: any,
runOptions: QueryOptions
runOptions: QueryOptions,
maintenance: boolean
): Promise<boolean> {
let schema;
const acl = runOptions.acl;
@@ -454,7 +464,7 @@ class DatabaseController {
return this.canAddField(schema, className, object, aclGroup, runOptions);
})
.then(() => {
return schema.validateObject(className, object, query);
return schema.validateObject(className, object, query, maintenance);
});
}
@@ -512,7 +522,7 @@ class DatabaseController {
if (acl) {
query = addWriteACL(query, acl);
}
validateQuery(query, isMaster, true);
validateQuery(query, isMaster, false, true);
return schemaController
.getOneSchema(className, true)
.catch(error => {
@@ -758,7 +768,7 @@ class DatabaseController {
if (acl) {
query = addWriteACL(query, acl);
}
validateQuery(query, isMaster, false);
validateQuery(query, isMaster, false, false);
return schemaController
.getOneSchema(className)
.catch(error => {
@@ -1151,7 +1161,8 @@ class DatabaseController {
auth: any = {},
validSchemaController: SchemaController.SchemaController
): Promise<any> {
const isMaster = acl === undefined;
const isMaintenance = auth.isMaintenance;
const isMaster = acl === undefined || isMaintenance;
const aclGroup = acl || [];
op =
op || (typeof query.objectId == 'string' && Object.keys(query).length === 1 ? 'get' : 'find');
@@ -1253,7 +1264,7 @@ class DatabaseController {
query = addReadACL(query, aclGroup);
}
}
validateQuery(query, isMaster, false);
validateQuery(query, isMaster, isMaintenance, false);
if (count) {
if (!classExists) {
return 0;
@@ -1296,6 +1307,7 @@ class DatabaseController {
object = untransformObjectACL(object);
return filterSensitiveData(
isMaster,
isMaintenance,
aclGroup,
auth,
op,
@@ -1813,8 +1825,8 @@ class DatabaseController {
return Promise.resolve(response);
}
static _validateQuery: (any, boolean, boolean) => void;
static filterSensitiveData: (boolean, any[], any, any, any, string, any[], any) => void;
static _validateQuery: (any, boolean, boolean, boolean) => void;
static filterSensitiveData: (boolean, boolean, any[], any, any, any, string, any[], any) => void;
}
module.exports = DatabaseController;

13
src/Controllers/SchemaController.js
View File

@@ -1071,14 +1071,19 @@ export default class SchemaController {
className: string,
fieldName: string,
type: string | SchemaField,
isValidation?: boolean
isValidation?: boolean,
maintenance?: boolean
) {
if (fieldName.indexOf('.') > 0) {
// subdocument key (x.y) => ok if x is of type 'object'
fieldName = fieldName.split('.')[0];
type = 'Object';
}
if (!fieldNameIsValid(fieldName, className)) {
let fieldNameToValidate = `${fieldName}`;
if (maintenance && fieldNameToValidate.charAt(0) === '_') {
fieldNameToValidate = fieldNameToValidate.substring(1);
}
if (!fieldNameIsValid(fieldNameToValidate, className)) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid field name: ${fieldName}.`);
}
@@ -1228,7 +1233,7 @@ export default class SchemaController {
// Validates an object provided in REST format.
// Returns a promise that resolves to the new schema if this object is
// valid.
async validateObject(className: string, object: any, query: any) {
async validateObject(className: string, object: any, query: any, maintenance: boolean) {
let geocount = 0;
const schema = await this.enforceClassExists(className);
const promises = [];
@@ -1258,7 +1263,7 @@ export default class SchemaController {
// Every object has ACL implicitly.
continue;
}
promises.push(schema.enforceFieldExists(className, fieldName, expected, true));
promises.push(schema.enforceFieldExists(className, fieldName, expected, true, maintenance));
}
const results = await Promise.all(promises);
const enforceFields = results.filter(result => !!result);

19
src/Controllers/UserController.js
View File

@@ -69,20 +69,17 @@ export class UserController extends AdaptableController {
updateFields._email_verify_token_expires_at = { __op: 'Delete' };
}
const masterAuth = Auth.master(this.config);
var findUserForEmailVerification = new RestQuery(
this.config,
Auth.master(this.config),
'_User',
{ username: username }
);
const maintenanceAuth = Auth.maintenance(this.config);
var findUserForEmailVerification = new RestQuery(this.config, maintenanceAuth, '_User', {
username,
});
return findUserForEmailVerification.execute().then(result => {
if (result.results.length && result.results[0].emailVerified) {
return Promise.resolve(result.results.length[0]);
} else if (result.results.length) {
query.objectId = result.results[0].objectId;
}
return rest.update(this.config, masterAuth, '_User', query, updateFields);
return rest.update(this.config, maintenanceAuth, '_User', query, updateFields);
});
}
@@ -94,7 +91,8 @@ export class UserController extends AdaptableController {
username: username,
_perishable_token: token,
},
{ limit: 1 }
{ limit: 1 },
Auth.maintenance(this.config)
)
.then(results => {
if (results.length != 1) {
@@ -228,7 +226,8 @@ export class UserController extends AdaptableController {
{ username: email, email: { $exists: false }, _perishable_token: { $exists: true } },
],
},
{ limit: 1 }
{ limit: 1 },
Auth.maintenance(this.config)
);
if (results.length == 1) {
let expiresDate = results[0]._perishable_token_expires_at;

1
src/LiveQuery/ParseLiveQueryServer.js
View File

@@ -625,6 +625,7 @@ class ParseLiveQueryServer {
}
return DatabaseController.filterSensitiveData(
client.hasMasterKey,
false,
aclGroup,
clientAuth,
op,

15
src/Options/Definitions.js
View File

@@ -300,6 +300,19 @@ module.exports.ParseServerOptions = {
help: "Folder for the logs (defaults to './logs'); set to null to disable file based logging",
default: './logs',
},
maintenanceKey: {
env: 'PARSE_SERVER_MAINTENANCE_KEY',
help:
'(Optional) The maintenance key is used for modifying internal fields of Parse Server.<br><br>\u26A0\uFE0F This key is not intended to be used as part of a regular operation of Parse Server. This key is intended to conduct out-of-band changes such as one-time migrations or data correction tasks. Internal fields are not officially documented and may change at any time without publication in release changelogs. We strongly advice not to rely on internal fields as part of your regular operation and to investigate the implications of any planned changes *directly in the source code* of your current version of Parse Server.',
required: true,
},
maintenanceKeyIps: {
env: 'PARSE_SERVER_MAINTENANCE_KEY_IPS',
help:
"(Optional) Restricts the use of maintenance key permissions to a list of IP addresses.<br><br>This option accepts a list of single IP addresses, for example:<br>`['10.0.0.1', '10.0.0.2']`<br><br>You can also use CIDR notation to specify an IP address range, for example:<br>`['10.0.1.0/24']`<br><br>Special cases:<br>- Setting an empty array `[]` means that `maintenanceKey` cannot be used even in Parse Server Cloud Code.<br>- Setting `['0.0.0.0/0']` means disabling the filter and the maintenance key can be used from any IP address.<br><br>Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the maintenance key.",
action: parsers.arrayParser,
default: ['127.0.0.1', '::1'],
},
masterKey: {
env: 'PARSE_SERVER_MASTER_KEY',
help: 'Your Parse Master Key',
@@ -308,7 +321,7 @@ module.exports.ParseServerOptions = {
masterKeyIps: {
env: 'PARSE_SERVER_MASTER_KEY_IPS',
help:
"(Optional) Restricts the use of master key permissions to a list of IP addresses.<br><br>This option accepts a list of single IP addresses, for example:<br>`['10.0.0.1', '10.0.0.2']`<br><br>You can also use CIDR notation to specify an IP address range, for example:<br>`['10.0.1.0/24']`<br><br>Special cases:<br>- Setting an empty array `[]` means that `masterKey`` cannot be used even in Parse Server Cloud Code.<br>- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.<br><br>To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.<br><br>Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key.",
"(Optional) Restricts the use of master key permissions to a list of IP addresses.<br><br>This option accepts a list of single IP addresses, for example:<br>`['10.0.0.1', '10.0.0.2']`<br><br>You can also use CIDR notation to specify an IP address range, for example:<br>`['10.0.1.0/24']`<br><br>Special cases:<br>- Setting an empty array `[]` means that `masterKey` cannot be used even in Parse Server Cloud Code.<br>- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.<br><br>To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.<br><br>Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key.",
action: parsers.arrayParser,
default: ['127.0.0.1', '::1'],
},

4
src/Options/docs.js
View File

@@ -58,8 +58,10 @@
* @property {String} logLevel Sets the level for logs
* @property {LogLevels} logLevels (Optional) Overrides the log levels used internally by Parse Server to log events.
* @property {String} logsFolder Folder for the logs (defaults to './logs'); set to null to disable file based logging
* @property {String} maintenanceKey (Optional) The maintenance key is used for modifying internal fields of Parse Server.<br><br>⚠️ This key is not intended to be used as part of a regular operation of Parse Server. This key is intended to conduct out-of-band changes such as one-time migrations or data correction tasks. Internal fields are not officially documented and may change at any time without publication in release changelogs. We strongly advice not to rely on internal fields as part of your regular operation and to investigate the implications of any planned changes *directly in the source code* of your current version of Parse Server.
* @property {String[]} maintenanceKeyIps (Optional) Restricts the use of maintenance key permissions to a list of IP addresses.<br><br>This option accepts a list of single IP addresses, for example:<br>`['10.0.0.1', '10.0.0.2']`<br><br>You can also use CIDR notation to specify an IP address range, for example:<br>`['10.0.1.0/24']`<br><br>Special cases:<br>- Setting an empty array `[]` means that `maintenanceKey` cannot be used even in Parse Server Cloud Code.<br>- Setting `['0.0.0.0/0']` means disabling the filter and the maintenance key can be used from any IP address.<br><br>Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the maintenance key.
* @property {String} masterKey Your Parse Master Key
* @property {String[]} masterKeyIps (Optional) Restricts the use of master key permissions to a list of IP addresses.<br><br>This option accepts a list of single IP addresses, for example:<br>`['10.0.0.1', '10.0.0.2']`<br><br>You can also use CIDR notation to specify an IP address range, for example:<br>`['10.0.1.0/24']`<br><br>Special cases:<br>- Setting an empty array `[]` means that `masterKey`` cannot be used even in Parse Server Cloud Code.<br>- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.<br><br>To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.<br><br>Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key.
* @property {String[]} masterKeyIps (Optional) Restricts the use of master key permissions to a list of IP addresses.<br><br>This option accepts a list of single IP addresses, for example:<br>`['10.0.0.1', '10.0.0.2']`<br><br>You can also use CIDR notation to specify an IP address range, for example:<br>`['10.0.1.0/24']`<br><br>Special cases:<br>- Setting an empty array `[]` means that `masterKey` cannot be used even in Parse Server Cloud Code.<br>- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.<br><br>To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.<br><br>Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key.
* @property {Number} maxLimit Max value for limit option on queries, defaults to unlimited
* @property {Number|String} maxLogFiles Maximum number of logs to keep. If not set, no logs will be removed. This can be a number of files or number of days. If using days, add 'd' as the suffix. (default: null)
* @property {String} maxUploadSize Max file size for uploads, defaults to 20mb

7
src/Options/index.js
View File

@@ -46,12 +46,17 @@ export interface ParseServerOptions {
appId: string;
/* Your Parse Master Key */
masterKey: string;
/* (Optional) The maintenance key is used for modifying internal fields of Parse Server.<br><br>⚠️ This key is not intended to be used as part of a regular operation of Parse Server. This key is intended to conduct out-of-band changes such as one-time migrations or data correction tasks. Internal fields are not officially documented and may change at any time without publication in release changelogs. We strongly advice not to rely on internal fields as part of your regular operation and to investigate the implications of any planned changes *directly in the source code* of your current version of Parse Server. */
maintenanceKey: string;
/* URL to your parse server with http:// or https://.
:ENV: PARSE_SERVER_URL */
serverURL: string;
/* (Optional) Restricts the use of master key permissions to a list of IP addresses.<br><br>This option accepts a list of single IP addresses, for example:<br>`['10.0.0.1', '10.0.0.2']`<br><br>You can also use CIDR notation to specify an IP address range, for example:<br>`['10.0.1.0/24']`<br><br>Special cases:<br>- Setting an empty array `[]` means that `masterKey`` cannot be used even in Parse Server Cloud Code.<br>- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.<br><br>To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.<br><br>Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key.
/* (Optional) Restricts the use of master key permissions to a list of IP addresses.<br><br>This option accepts a list of single IP addresses, for example:<br>`['10.0.0.1', '10.0.0.2']`<br><br>You can also use CIDR notation to specify an IP address range, for example:<br>`['10.0.1.0/24']`<br><br>Special cases:<br>- Setting an empty array `[]` means that `masterKey` cannot be used even in Parse Server Cloud Code.<br>- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.<br><br>To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.<br><br>Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key.
:DEFAULT: ["127.0.0.1","::1"] */
masterKeyIps: ?(string[]);
/* (Optional) Restricts the use of maintenance key permissions to a list of IP addresses.<br><br>This option accepts a list of single IP addresses, for example:<br>`['10.0.0.1', '10.0.0.2']`<br><br>You can also use CIDR notation to specify an IP address range, for example:<br>`['10.0.1.0/24']`<br><br>Special cases:<br>- Setting an empty array `[]` means that `maintenanceKey` cannot be used even in Parse Server Cloud Code.<br>- Setting `['0.0.0.0/0']` means disabling the filter and the maintenance key can be used from any IP address.<br><br>Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the maintenance key.
:DEFAULT: ["127.0.0.1","::1"] */
maintenanceKeyIps: ?(string[]);
/* Sets the app name */
appName: ?string;
/* Add headers to Access-Control-Allow-Headers */

4
src/ParseServer.js
View File

@@ -513,10 +513,6 @@ function injectDefaults(options: ParseServerOptions) {
});
}
});
options.masterKeyIps = Array.from(
new Set(options.masterKeyIps.concat(defaults.masterKeyIps, options.masterKeyIps))
);
}
// Those can't be tested as it requires a subprocess

31
src/RestWrite.js
View File

@@ -166,7 +166,7 @@ RestWrite.prototype.execute = function () {
// Uses the Auth object to get the list of roles, adds the user id
RestWrite.prototype.getUserAndRoleACL = function () {
if (this.auth.isMaster) {
if (this.auth.isMaster || this.auth.isMaintenance) {
return Promise.resolve();
}
@@ -187,6 +187,7 @@ RestWrite.prototype.validateClientClassCreation = function () {
if (
this.config.allowClientClassCreation === false &&
!this.auth.isMaster &&
!this.auth.isMaintenance &&
SchemaController.systemClasses.indexOf(this.className) === -1
) {
return this.config.database
@@ -211,7 +212,8 @@ RestWrite.prototype.validateSchema = function () {
this.className,
this.data,
this.query,
this.runOptions
this.runOptions,
this.auth.isMaintenance
);
};
@@ -434,7 +436,7 @@ RestWrite.prototype.validateAuthData = function () {
};
RestWrite.prototype.filteredObjectsByACL = function (objects) {
if (this.auth.isMaster) {
if (this.auth.isMaster || this.auth.isMaintenance) {
return objects;
}
return objects.filter(object => {
@@ -605,7 +607,7 @@ RestWrite.prototype.transformUser = function () {
return promise;
}
if (!this.auth.isMaster && 'emailVerified' in this.data) {
if (!this.auth.isMaintenance && !this.auth.isMaster && 'emailVerified' in this.data) {
const error = `Clients aren't allowed to manually update email verification.`;
throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
}
@@ -640,7 +642,7 @@ RestWrite.prototype.transformUser = function () {
if (this.query) {
this.storage['clearSessions'] = true;
// Generate a new session only if the user requested
if (!this.auth.isMaster) {
if (!this.auth.isMaster && !this.auth.isMaintenance) {
this.storage['generateNewSession'] = true;
}
}
@@ -813,7 +815,8 @@ RestWrite.prototype._validatePasswordHistory = function () {
.find(
'_User',
{ objectId: this.objectId() },
{ keys: ['_password_history', '_hashed_password'] }
{ keys: ['_password_history', '_hashed_password'] },
Auth.maintenance(this.config)
)
.then(results => {
if (results.length != 1) {
@@ -1015,7 +1018,7 @@ RestWrite.prototype.handleSession = function () {
return;
}
if (!this.auth.user && !this.auth.isMaster) {
if (!this.auth.user && !this.auth.isMaster && !this.auth.isMaintenance) {
throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Session token required.');
}
@@ -1048,7 +1051,7 @@ RestWrite.prototype.handleSession = function () {
}
}
if (!this.query && !this.auth.isMaster) {
if (!this.query && !this.auth.isMaster && !this.auth.isMaintenance) {
const additionalSessionData = {};
for (var key in this.data) {
if (key === 'objectId' || key === 'user') {
@@ -1115,7 +1118,7 @@ RestWrite.prototype.handleInstallation = function () {
let installationId = this.data.installationId;
// If data.installationId is not set and we're not master, we can lookup in auth
if (!installationId && !this.auth.isMaster) {
if (!installationId && !this.auth.isMaster && !this.auth.isMaintenance) {
installationId = this.auth.installationId;
}
@@ -1379,7 +1382,12 @@ RestWrite.prototype.runDatabaseOperation = function () {
if (this.query) {
// Force the user to not lockout
// Matched with parse.com
if (this.className === '_User' && this.data.ACL && this.auth.isMaster !== true) {
if (
this.className === '_User' &&
this.data.ACL &&
this.auth.isMaster !== true &&
this.auth.isMaintenance !== true
) {
this.data.ACL[this.query.objectId] = { read: true, write: true };
}
// update password timestamp if user password is being changed
@@ -1406,7 +1414,8 @@ RestWrite.prototype.runDatabaseOperation = function () {
.find(
'_User',
{ objectId: this.objectId() },
{ keys: ['_password_history', '_hashed_password'] }
{ keys: ['_password_history', '_hashed_password'] },
Auth.maintenance(this.config)
)
.then(results => {
if (results.length != 1) {

2
src/Routers/UsersRouter.js
View File

@@ -103,7 +103,7 @@ export class UsersRouter extends ClassesRouter {
query = { $or: [{ username }, { email: username }] };
}
return req.config.database
.find('_User', query)
.find('_User', query, {}, Auth.maintenance(req.config))
.then(results => {
if (!results.length) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');

19
src/middlewares.js
View File

@@ -45,6 +45,7 @@ export function handleParseHeaders(req, res, next) {
appId: req.get('X-Parse-Application-Id'),
sessionToken: req.get('X-Parse-Session-Token'),
masterKey: req.get('X-Parse-Master-Key'),
maintenanceKey: req.get('X-Parse-Maintenance-Key'),
installationId: req.get('X-Parse-Installation-Id'),
clientKey: req.get('X-Parse-Client-Key'),
javascriptKey: req.get('X-Parse-Javascript-Key'),
@@ -177,6 +178,24 @@ export function handleParseHeaders(req, res, next) {
req.config.ip = clientIp;
req.info = info;
const isMaintenance =
req.config.maintenanceKey && info.maintenanceKey === req.config.maintenanceKey;
if (isMaintenance) {
if (ipRangeCheck(clientIp, req.config.maintenanceKeyIps || [])) {
req.auth = new auth.Auth({
config: req.config,
installationId: info.installationId,
isMaintenance: true,
});
next();
return;
}
const log = req.config?.loggerController || defaultLogger;
log.error(
`Request using maintenance key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'maintenanceKeyIps'.`
);
}
let isMaster = info.masterKey === req.config.masterKey;
if (isMaster && !ipRangeCheck(clientIp, req.config.masterKeyIps || [])) {
const log = req.config?.loggerController || defaultLogger;

21
src/rest.js
View File

@@ -111,7 +111,7 @@ function del(config, auth, className, objectId, context) {
if (response && response.results && response.results.length) {
const firstResult = response.results[0];
firstResult.className = className;
if (className === '_Session' && !auth.isMaster) {
if (className === '_Session' && !auth.isMaster && !auth.isMaintenance) {
if (!auth.user || firstResult.user.objectId !== auth.user.id) {
throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
}
@@ -134,7 +134,7 @@ function del(config, auth, className, objectId, context) {
return Promise.resolve({});
})
.then(() => {
if (!auth.isMaster) {
if (!auth.isMaster && !auth.isMaintenance) {
return auth.getUserRoles();
} else {
return;
@@ -144,7 +144,7 @@ function del(config, auth, className, objectId, context) {
.then(s => {
schemaController = s;
const options = {};
if (!auth.isMaster) {
if (!auth.isMaster && !auth.isMaintenance) {
options.acl = ['*'];
if (auth.user) {
options.acl.push(auth.user.id);
@@ -237,7 +237,12 @@ function update(config, auth, className, restWhere, restObject, clientSDK, conte
function handleSessionMissingError(error, className, auth) {
// If we're trying to update a user without / with bad session token
if (className === '_User' && error.code === Parse.Error.OBJECT_NOT_FOUND && !auth.isMaster) {
if (
className === '_User' &&
error.code === Parse.Error.OBJECT_NOT_FOUND &&
!auth.isMaster &&
!auth.isMaintenance
) {
throw new Parse.Error(Parse.Error.SESSION_MISSING, 'Insufficient auth.');
}
throw error;
@@ -253,7 +258,7 @@ const classesWithMasterOnlyAccess = [
];
// Disallowing access to the _Role collection except by master key
function enforceRoleSecurity(method, className, auth) {
if (className === '_Installation' && !auth.isMaster) {
if (className === '_Installation' && !auth.isMaster && !auth.isMaintenance) {
if (method === 'delete' || method === 'find') {
const error = `Clients aren't allowed to perform the ${method} operation on the installation collection.`;
throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
@@ -261,7 +266,11 @@ function enforceRoleSecurity(method, className, auth) {
}
//all volatileClasses are masterKey only
if (classesWithMasterOnlyAccess.indexOf(className) >= 0 && !auth.isMaster) {
if (
classesWithMasterOnlyAccess.indexOf(className) >= 0 &&
!auth.isMaster &&
!auth.isMaintenance
) {
const error = `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`;
throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
}