1569 Commits

Author	SHA1	Message	Date
dblythy	5bbf9cade9	feat: Improve authentication adapter interface to support multi-factor authentication (MFA), authentication challenges, and provide a more powerful interface for writing custom authentication adapters (#8156)	2022-11-10 17:35:39 +01:00
Manuel	7cb266b207	refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf) (#8308)	2022-11-10 00:24:42 +01:00
Manuel	d27dfa3464	refactor: Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx) (#8304)	2022-11-09 20:02:05 +01:00
Manuel	42581225f1	refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg) (#8297)	2022-11-07 23:17:03 +01:00
Antoine Cormouls	e90a5183ec	refactor: replace deprecated LRU cache methods (#8266)	2022-11-01 21:33:14 +01:00
dblythy	9f111158ed	feat: add convenience access to Parse Server configuration in Cloud Code via Parse.Server (#8244)	2022-10-29 19:03:31 +02:00
dblythy	28f0d26677	fix: relation constraints in compound queries Parse.Query.or, Parse.Query.and not working (#8203)	2022-10-24 12:45:17 +02:00
Manuel	c03908f74e	fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) [skip release] (#8238)	2022-10-15 01:06:45 +02:00
Diamond Lewis	0f763da17d	feat: liveQuery support for unsorted distance queries (#8221)	2022-10-12 00:27:29 +02:00
dblythy	2a82d19dbd	refactor: code style fixes with prettier and lint (#8208)	2022-10-03 13:55:05 +02:00
vzukanov	0388956808	feat: add option to change the default value of the Parse.Query.limit() constraint (#8152)	2022-09-30 00:38:57 +02:00
Manuel	8c8ec71573	fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) [skip release] (#8187)	2022-09-20 23:05:44 +02:00
Manuel	37fed3062c	fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8180)	2022-09-20 02:23:49 +02:00
dblythy	df12ba3ba2	docs: regenerate API docs (#8179)	2022-09-19 12:40:15 +02:00
dblythy	a5ba5da36d	docs: describe additional database options (#8173)	2022-09-18 18:44:31 +02:00
dblythy	3b775a1fb8	fix: sorting by non-existing value throws INVALID_SERVER_ERROR on Postgres (#8157)	2022-09-17 20:41:45 +02:00
dblythy	37af1d78fc	fix: updating object includes unchanged keys in client response for certain key types (#8159)	2022-09-17 18:20:50 +02:00
dblythy	e424137406	fix: query aggregation pipeline cannot handle value of type Date when directAccess: true (#8167)	2022-09-17 16:19:28 +02:00
Stew	1d9605bc93	fix: liveQuery with containedIn not working when object field is an array (#8128)	2022-09-17 13:59:45 +02:00
dblythy	3c75c2ba48	fix: push notifications badge doesn't update with Installation beforeSave trigger (#8162)	2022-09-16 21:43:03 +02:00
Manuel	4c0c7c77b7	fix: brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) (#8146) [skip release]	2022-09-02 21:43:31 +02:00
Antoine Cormouls	c16f529f74	fix: internal indices for classes _Idempotency and _Role are not protected in defined schema (#8121)	2022-08-05 11:25:02 +02:00
Jong Eun Lee	7f5a15d5df	fix: graphQL query ignores condition equalTo with value false (#8032)	2022-07-03 12:13:10 +02:00
Manuel	9fd4516cde	fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] (#8076)	2022-06-30 13:01:40 +02:00
Manuel	4c9e95674a	fix: invalid file request not properly handled [skip release] (#8062)	2022-06-18 02:38:04 +02:00
Manuel	75af9a26cc	fix: certificate in Apple Game Center auth adapter not validated [skip release] (#8058)	2022-06-17 20:22:35 +02:00
Antoine Cormouls	0d818879c2	fix: errors in GraphQL do not show the original error but a general Unexpected Error (#8045)	2022-06-17 13:40:31 +02:00
Layne Bernardo	03caae1e61	fix: websocket connection of LiveQuery interrupts frequently (#8048)	2022-06-17 13:20:48 +02:00
Antoine Cormouls	72fac8a5fc	refactor: lru-cache maxAge to ttl (#8039)	2022-06-13 15:29:50 +02:00
dblythy	199dfc1722	fix: live query role cache does not clear when a user is added to a role (#8026)	2022-06-11 10:21:55 +02:00
Antoine Cormouls	0cd902b8c2	refactor: upgrade GraphQL dependencies (#7970)	2022-06-10 14:01:45 +02:00
Javad	2d5221e480	fix: interrupted WebSocket connection not closed by LiveQuery server (#8012)	2022-06-05 16:01:48 +02:00
dblythy	c6dcad8d16	feat: align file trigger syntax with class trigger; use the new syntax Parse.Cloud.beforeSave(Parse.File, (request) => {}), the old syntax Parse.Cloud.beforeSaveFile((request) => {}) has been deprecated (#7966)	2022-05-29 20:48:55 +02:00
dblythy	c1e808f9e8	feat: selectively enable / disable default authentication adapters (#7953)	2022-05-29 01:50:43 +02:00
dblythy	47d796ea58	fix: afterSave trigger removes pointer in Parse object (#7913)	2022-05-20 10:47:38 +02:00
Antoine Cormouls	1aa2204aeb	feat: replace GraphQL Apollo with GraphQL Yoga (#7967)	2022-05-18 19:55:43 +02:00
dblythy	38ed96ace5	fix: depreciate allowClientClassCreation defaulting to true (#7925)	2022-05-07 21:08:59 +02:00
Antoine Cormouls	68b15c298e	refactor: replace internal GraphQL array classes to object style (#7788)	2022-05-06 02:09:09 +02:00
dblythy	3fb6b2b4ab	ci: fix flaky tests for Apple Game Center authentication (#7958)	2022-05-01 04:26:08 +02:00
dblythy	b1e5565b22	fix: custom database options are not passed to MongoDB GridFS (#7911)	2022-05-01 04:21:40 +02:00
Antoine Cormouls	a169663304	refactor: add missing schema definitions (#7917)	2022-05-01 04:21:33 +02:00
dblythy	041197fb4c	perf: reduce database operations when using the constant parameter in Cloud Function validation (#7892)	2022-05-01 04:17:14 +02:00
dblythy	19900fcdf8	fix: return correct response when revert is used in beforeSave (#7839)	2022-05-01 02:39:56 +02:00
Manuel	af4a0417a9	fix: authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) (#7962)	2022-05-01 02:28:16 +02:00
Manuel	0d6f9e951d	fix: sensitive keyword detection may produce false positives (#7881)	2022-03-24 02:54:07 +01:00
dblythy	443a509905	feat: improved LiveQuery error logging with additional information (#7837)	2022-03-23 02:11:39 +01:00
Manuel Trezza	1593575a87	build: release	2022-03-18 15:17:12 +01:00
Manuel	0c1b75fcbe	Merge branch 'beta' into build-release-beta-19837863611	2022-03-15 00:56:54 +01:00
Manuel	e569f402b1	fix: security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7844)	2022-03-12 14:47:23 +01:00
Manuel	971adb5438	fix: security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7843)	2022-03-12 13:49:57 +01:00