BREAKING CHANGE: This upgrades the internally used Express framework from version 4 to 5, which may be a breaking change. If Parse Server is set up to be mounted on an Express application, we recommend to also use version 5 of the Express framework to avoid any compatibility issues. Note that even if there are no issues after upgrading, future releases of Parse Server may introduce issues if Parse Server internally relies on Express 5-specific features which are unsupported by the Express version on which it is mounted. See the Express [migration guide](https://expressjs.com/en/guide/migrating-5.html) and [release announcement](https://expressjs.com/2024/10/15/v5-release.html#breaking-changes) for more info.
BREAKING CHANGE: This removes the username from the email verification and password reset process to prevent storing personally identifiable information (PII) in server and infrastructure logs. Customized HTML pages or emails related to email verification and password reset may need to be adapted accordingly. See the new templates that come bundled with Parse Server and the [migration guide](https://github.com/parse-community/parse-server/blob/alpha/8.0.0.md) for more details.
BREAKING CHANGE: The `Parse.User` passed as argument if `verifyUserEmails` is set to a function is renamed from `user` to `object` for consistency with invocations of `verifyUserEmails` on signup or login; the user object is not a plain JavaScript object anymore but an instance of `Parse.User`
BREAKING CHANGE: Fields in the internal scope of Parse Server (prefixed with underscore `_`) are only returned using the new `maintenanceKey`; previously the `masterKey` allowed reading of internal fields; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) for a comparison of the keys' access permissions (#8212)
BREAKING CHANGE: Throwing an error in Cloud Code Triggers `afterLogin`, `afterLogout` returns a rejected promise; in previous releases it crashed the server if you did not handle the error on the Node.js process level; consider adapting your code if your app currently handles these errors on the Node.js process level with `process.on('unhandledRejection', ...)`
* 6641: Implement support for user impersonation: master key clients can log in as any user, without access to the user's credentials, and without presuming the user already has a session
* reworded changelog
* rebuilt package lock
* fit test
* using lodash flatMap
* bump to node 12 for postgres test
* revert test fit
* add node version to postgres CI
* revert package-lock
Co-authored-by: gormanfletcher <git@gormanfletcher.com>
Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com>
* Add beforeLogin trigger with support for auth providers
* adjust comment that boxed off beforeLogin to a negative use-case only
* add internal error to help future maintainers regarding use of beforeLogin
* let beforeLogin accept className or constructor like other hook types
* add assertions for beforeLogin trigger className validation
* Auth module refactoring in order to be reusable
* Ensure cache controller is properly forwarded from helpers
* Nits
* Adds support for static validation
* Adds support for CLP in Live query (no support for roles yet)
* Adds e2e test to validate liveQuery hooks is properly called
* Adds tests over LiveQueryController to ensure data is correctly transmitted
* nits
* Fixes for flow types
* Removes usage of Parse.Promise
* Use the Auth module for authentication and caches
* Cleaner implementation of getting auth
* Adds authCache that stores auth promises
* Proper testing of the caching
* nits
* Fixes an issue that would let the beforeDelete be called when user has no access to the object
* Ensure we properly lock user
- Improves find method so we can attempt to read for a write poking the right ACL instead of using masterKey
- This ensure we do not run beforeDelete/beforeFind/beforeSave in the wrong scenarios
* nits
* Caps insufficient
* Added verify password to users router and tests.
* Added more tests to support more coverage.
* Added additional tests to spec. Removed condition from verifyPassword function where authData null keys condition wasn't necessary.
* Removed POST handling from verifyPassword.
* Refactored handleLogin and handleVerifyPassword to use shared helper function to validate the password provided in the request.
* Refactored verifyPassword and login to not use try/catch. Parent promise returns the error. Moved login specific functions to login handler.
* Added account lockout policy to verify password function. Added test spec for account lockout in verify password.
* no message
* Merged new changes from master. Made changes as requested from comments.
* We cannot remove hidden properties from the helper before returning to the login function. The password expiration check in the login function is dependent on some hidden properties, otherwise three password policy tests fail.
* Allows masterKey to lock _User object and prevent login with email / password
* Ensure the authData based auth can be locked out as well when accounts is masterKey only
* Fix "undefined property '__op'" in postgres update
This causes a TypeError which becomes a regular Error,
before the update can be issued. (I think)
This happens when there is an object schema,
and there is also an unrelated field in originalUpdate
which is null or undefined.
e.g. when 'location' is a mandatory object in postgres,
and 'middleName' is an optional string,
PostgresStorageAdapter would throw when a query similar
to the below was performed:
(Object.keys(originalUpdate) would include "middleName" as a value of `k`)
query.set('location', {'country': 'US'})
query.set('middleName', undefined);
* Fix lint error
* Makes InstallationRouter like others
* Adds testing for Range file requests
- Fixes issue with small requests (0-2)
* Revert "Makes InstallationRouter like others"
This reverts commit e2d2a16ebf2757db6138c7b5b33c97c56c69ead6.
* Better handling of errors in FilesRouter
* Fix incorrectness in range requests
* Better/simpler logic
* Only on mongo at it requires Gridstore
* Open file streaming to all adapters supporting it
* Improves coverage of parsers
* Ensures depreciation warning is effective
* Removes unused function
* de-duplicate logic
* Removes necessity of overriding req.params.className on subclasses routers
* Use babel-preset-env to ensure min-version compatible code
* removes dead code
* Leverage indexes in order to infer which field is duplicated upon signup
- A note mentioned that it would be possible to leverage using the indexes on username/email to infer which is duplicated
* Small nit
* Better template to match column name
* Restores original implementation for safety
* nits
