BREAKING CHANGE: A request using the master key will now be rejected as unauthorized if the IP from which the request originates is not set in the Parse Server option `masterKeyIps`, even if the request does not require the master key permission, for example for a public object in a public class class.
BREAKING CHANGE: Fields in the internal scope of Parse Server (prefixed with underscore `_`) are only returned using the new `maintenanceKey`; previously the `masterKey` allowed reading of internal fields; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) for a comparison of the keys' access permissions (#8212)
BREAKING CHANGE: The mechanism to determine the client IP address has been rewritten; to correctly determine the IP address it is now required to set the Parse Server option `trustProxy` accordingly if Parse Server runs behind a proxy server, see the express framework's [trust proxy](https://expressjs.com/en/guide/behind-proxies.html) setting (#8372)
BREAKING CHANGE: This release restricts the use of `masterKey` to localhost by default; if you are using Parse Dashboard on a different server to connect to Parse Server you need to add the IP address of the server that hosts Parse Dashboard to this option (#8281)
* Optimize query, fixes some null returns, fix stitched GraphQLUpload
* Fix authData key selection
* Prefer Iso string since other GraphQL solutions use this format
* fix tests
Co-authored-by: Antonio Davi Macedo Coelho de Castro <adavimacedo@gmail.com>
* feat: add allowHeaders to Options
This allows developers to use custom headers in their API requests, and they will be accepted by their mounted app.
* refactor: convert allowCrossDomain to generator to add appId in scope
This is necessary as the middleware may run in OPTIONS request that do not contain the appId within the header.
* chore: update Definitions and docs
* fix: update test to use new allowCrossDomain params
* chore: add tests for allowCustomDomain middleware re: allowHeadrs
* Removes need to use babel-register
- Adds watch to watch changes when running the test to regenerate
- Tests are now pure node 8
* Adds timing to helper.js
* Update contribution guide
* Adds inline sourcemaps generation to restore coverage
* nits
* chore(package): update jasmine to version 3.0.0
Closes#4547
* Fixes failing tests for jasmine 3.0
Starting 3.0, done(something) will fail
* Update tests so they dont leverage var, but let and const
With jasmine 3.0, the randomization engine was making the test fails because of the scope of `var`
* Remove randomizer
* Use same adapter for PG tests, drop table to ensure the tests dont side effect
* update choose_password to have the confirmation
* add comment mark
* First version, no test
* throw error right away instead of just use masterKey false
* fix the logic
* move it up before the masterKey check
* adding some test
* typo
* remove the choose_password
* newline
* add cli options
* remove trailing space
* handle in case the server is behind proxy
* add getting the first ip in the ip list of xff
* sanity check the ip in config if it is a valid ip address
* split ip extraction to another function
* trailing spaces
* Add tests. Fail request if any of the 4 optional keys does not match
* Only require one key to be supplied in the request, except when no keys are configured
* Use const over let, var
* Adding a test demonstrating issue #1840.
* Fixes#1840
* Adds failing test with other use case
- That test fails on parse.com as well
* Bumps parse to 1.9.0
* exclude pg db
* Exclude pg on other test
* Adds clientSDK compatibility check for forward deletion
- Mark js1.9.0 as compatible
* Strips all operations from result
- fix for #1606
* Fixing #1900 JS SDK file upload
JS SDK file upload uses req.body._ContentType to specify the upload content type
* Fixing import statements
* Dont clear the cache just delete the new entry that the test added.
* adding E2E test for _ContentType support
