joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,296 Commits 2 Branches 18 Tags
93af48a8b4ca2ba19ed213af3dfd8ca2d786fafb
Commit Graph

192 Commits

Author SHA1 Message Date
Wes
77bbfb3f18 feat: Allow setting createdAt and updatedAt during Parse.Object creation with maintenance key (#8696) 2023-09-29 22:17:48 +02:00
Manuel
5954f0ffa0 refactor: Parse Pointer allows to access internal Parse Server classes and circumvent beforeFind query trigger (#8735) 2023-09-04 16:01:02 +02:00
Manuel
31805c96ec refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6) (#8676) 2023-06-28 23:38:14 +02:00
Daniel
cc079a40f6 feat: Add TOTP authentication adapter (#8457) 2023-06-23 17:57:57 +02:00
Daniel
44acd6d9ed feat: Add conditional email verification via dynamic Parse Server options verifyUserEmails, sendUserEmailVerification that now accept functions (#8425) 2023-06-20 12:10:25 +02:00
Daniel
82da30842a feat: Add new Parse Server option preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address (#8451) 2023-06-07 21:51:53 +02:00
Diamond Lewis
afd0515e20 fix: Cloud Code Trigger afterSave executes even if not set (#8520) 2023-05-12 02:39:54 +02:00
Daniel
f3bcc9365c feat: Access the internal scope of Parse Server using the new maintenanceKey; the internal scope contains unofficial and undocumented fields (prefixed with underscore _) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the maintenanceKey for routine operations in a production environment; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) (#8212) 
BREAKING CHANGE: Fields in the internal scope of Parse Server (prefixed with underscore `_`) are only returned using the new `maintenanceKey`; previously the `masterKey` allowed reading of internal fields; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) for a comparison of the keys' access permissions (#8212)
 2023-01-08 22:02:12 +01:00
dblythy
f29d9720e9 fix: Cloud Code trigger beforeSave does not work with Parse.Role (#8320) 2022-11-19 03:27:51 +01:00
dblythy
5bbf9cade9 feat: Improve authentication adapter interface to support multi-factor authentication (MFA), authentication challenges, and provide a more powerful interface for writing custom authentication adapters (#8156) 2022-11-10 17:35:39 +01:00
Manuel
d27dfa3464 refactor: Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx) (#8304) 2022-11-09 20:02:05 +01:00
Manuel
37fed3062c fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8180) 2022-09-20 02:23:49 +02:00
dblythy
37af1d78fc fix: updating object includes unchanged keys in client response for certain key types (#8159) 2022-09-17 18:20:50 +02:00
dblythy
3c75c2ba48 fix: push notifications badge doesn't update with Installation beforeSave trigger (#8162) 2022-09-16 21:43:03 +02:00
dblythy
199dfc1722 fix: live query role cache does not clear when a user is added to a role (#8026) 2022-06-11 10:21:55 +02:00
dblythy
c1e808f9e8 feat: selectively enable / disable default authentication adapters (#7953) 2022-05-29 01:50:43 +02:00
dblythy
47d796ea58 fix: afterSave trigger removes pointer in Parse object (#7913) 2022-05-20 10:47:38 +02:00
dblythy
19900fcdf8 fix: return correct response when revert is used in beforeSave (#7839) 2022-05-01 02:39:56 +02:00
Manuel
971adb5438 fix: security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7843) 2022-03-12 13:49:57 +01:00
dblythy
caee281bc5 fix: allow LiveQuery on Parse.Session (#7554) 2021-10-08 17:24:33 +02:00
dblythy
484c2e81ca fix: improve security by deprecating creating users with public access by default (#7319) 2021-10-08 05:24:20 +02:00
Manuel
24188a39a7 refactor: remove restricted session field (#7543) 
* add issue bot for prs

* Update CHANGELOG.md

* Update issue-bot.yml

* remove session restriction artifacts

* Update CHANGELOG.md

* Update CHANGELOG.md
 2021-09-04 03:03:46 +02:00
Antonio Davi Macedo Coelho de Castro
fc0fef5922 Merge pull request from GHSA-23r4-5mxp-c7g5 (#7497) 
* Merge pull request from GHSA-23r4-5mxp-c7g5

* add anonymous login security fix

* add changelog entry

* update changelog

* Update package.json (#7498)

* Update package-lock.json (#7499)

Co-authored-by: Corey <coreyearleon@icloud.com>
 2021-08-18 19:03:54 +02:00
Manuel
c56d326b17 Add circular dependency detection to CI (#7316) 
* add circular dependency detection to CI

* fixed Auth-RestWrite circular dependency

* updated package lock

* fixed Logger circular dependency

* fix lint
 2021-04-07 20:47:57 -05:00
Diamond Lewis
c1971b2ab1 fix(beforeSave/afterSave): Return value instead of Parse.Op for nested fields (#7005) 
* fix(beforeSave): Return value instead of Parse.Op

* afterSave test

* Improve Tests

* Fixed postgres test by saveArgumentsByValue
 2020-11-12 13:14:44 -08:00
Diamond Lewis
a4c84c09be fix(beforeSave): Skip Sanitizing Database results (#7003) 
* fix(beforeSave): Skip Sanitizing Database results

* fix test
 2020-11-11 17:39:25 -08:00
Diamond Lewis
e6ac3b6932 fix(prettier): Properly handle lint-stage files (#6970) 
Now handles top level files and recursive files in folders.

Set max line length to be 100
 2020-10-25 15:06:58 -05:00
Diamond Lewis
e89cf25bc2 fix(directAccess): Properly handle response status (#6966) 
* fix(directAccess): Properly handle response status

* clean up

* handle status in batch
 2020-10-25 12:34:50 -05:00
Antoine Cormouls
62048260c9 GraphQL: Optimize queries, fixes some null returns (on object), fix stitched GraphQLUpload (#6709) 
* Optimize query, fixes some null returns, fix stitched GraphQLUpload

* Fix authData key selection

* Prefer Iso string since other GraphQL solutions use this format

* fix tests

Co-authored-by: Antonio Davi Macedo Coelho de Castro <adavimacedo@gmail.com>
 2020-10-01 15:19:26 -07:00
Kevin Kuang
dfa22391ad Fix beforeLogin for users logging in with AuthData (#6872) 
* fix beforeLogin

* Remove Facebook AccountKit auth (#6870)

* Remove Facebook AccountKit auth

Account Kit services are no longer available.

https://developers.facebook.com/blog/post/2019/09/09/account-kit-services-no-longer-available-starting-march/

https://www.sinch.com/blog/facebook-account-kit-is-closing-down-are-your-apps-covered/

* remove flaky test

* fix: upgrade uuid from 8.2.0 to 8.3.0 (#6865)

Snyk has created this PR to upgrade uuid from 8.2.0 to 8.3.0.

See this package in npm:
https://www.npmjs.com/package/uuid

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: package.json & package-lock.json to reduce vulnerabilities (#6864)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-590103

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade ldapjs from 2.0.0 to 2.1.0 (#6857)

Snyk has created this PR to upgrade ldapjs from 2.0.0 to 2.1.0.

See this package in npm:
https://www.npmjs.com/package/ldapjs

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade apollo-server-express from 2.15.1 to 2.16.0 (#6851)

Snyk has created this PR to upgrade apollo-server-express from 2.15.1 to 2.16.0.

See this package in npm:
https://www.npmjs.com/package/apollo-server-express

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade @graphql-tools/stitch from 6.0.12 to 6.0.13 (#6845)

Snyk has created this PR to upgrade @graphql-tools/stitch from 6.0.12 to 6.0.13.

See this package in npm:
https://www.npmjs.com/package/@graphql-tools/stitch

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade @graphql-tools/utils from 6.0.12 to 6.0.13 (#6846)

Snyk has created this PR to upgrade @graphql-tools/utils from 6.0.12 to 6.0.13.

See this package in npm:
https://www.npmjs.com/package/@graphql-tools/utils

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* [Snyk] Upgrade winston from 3.2.1 to 3.3.2 (#6799)

* fix: upgrade winston from 3.2.1 to 3.3.2

Snyk has created this PR to upgrade winston from 3.2.1 to 3.3.2.

See this package in NPM:
https://www.npmjs.com/package/winston

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

* fix tests

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix beforeLogin

* add test case

Co-authored-by: Diamond Lewis <findlewis@gmail.com>
Co-authored-by: Snyk bot <snyk-bot@snyk.io>
 2020-08-25 09:34:26 -05:00
yog27ray
34614e0f78 Pass context in beforeDelete, afterDelete, beforeFind and Parse.Cloud.run. (#6666) 
* add context for following hooks.
1. beforeDelete
2. afterDelete
3. beforeFind
4. Cloud Function

* revert un-necessary code change.

* fix: failing test cases.

* fix: failing test cases.

* fix: failing test cases.

* fix: failing test cases.

* fix: failing test cases.

* fix: failing test cases.

* fix: failing test cases.

* review changes

* revert changes

* revert changes

* review changes

* lint changes

* review changes
 2020-07-10 22:47:27 +02:00
Manuel
f095dffcc3 fix context for cascade-saving and saving existing object (#6735) 
* added test cases

* fixed unparsed context when updating object

* fixed context inheritance for cascade-saved objects

* upgraded parse dependecy to 2.14.0

* rebuild

* removed superfluous comments

* undo lint changes
 2020-07-02 14:37:41 -05:00
Manuel
288e746888 add context to Parse.Object.save (#6626) 
* added failing test

* added parsing of context in REST save request

* undo lint changes
 2020-04-28 11:36:46 -07:00
Arthur Cinader
fd0b535159 Case insensitive signup (#5634) 
* Always delete data after each, even for mongo.

* Add failing simple case test

* run all tests

* 1. when validating username be case insensitive

2. add _auth_data_anonymous to specialQueryKeys...whatever that is!

* More case sensitivity

1. also make email validation case insensitive
2. update comments to reflect what this change does

* wordsmithery and grammar

* first pass at a preformant case insensitive query.  mongo only so far.

* change name of parameter from insensitive to
caseInsensitive

* Postgres support

* properly handle auth data null

* wip

* use 'caseInsensitive' instead of 'insensitive' in all places.

* update commenet to reclect current plan

* skip the mystery test for now

* create case insensitive indecies for
mongo to support case insensitive
checks for email and username

* remove unneeded specialKey

* pull collation out to a function.

* not sure what i planned
to do with this test.
removing.

* remove typo

* remove another unused flag

* maintain order

* maintain order of params

* boil the ocean on param sequence
i like having explain last cause it seems
like something you would
change/remove after getting what you want
from the explain?

* add test to verify creation
and use of caseInsensitive index

* add no op func to prostgress

* get collation object from mongocollection
make flow lint happy by declaring things Object.

* fix typo

* add changelog

* kick travis

* properly reference static method

* add a test to confirm that anonymous users with
unique username that do collide when compared
insensitively can still be created.

* minot doc nits

* add a few tests to make sure our spy is working as expected
wordsmith the changelog

Co-authored-by: Diamond Lewis <findlewis@gmail.com>
 2020-02-14 09:44:51 -08:00
Old Grandpa
3c46117d9b Granular CLP pointer permissions (#6352) 
* set pointer permissions per operatioon; tests

* more tests

* fixes addField permission; tests
 2020-01-27 22:21:30 -08:00
Rhuan
8bc201d228 #6101 Let users define objectId (#6177) 
* #6101 Let users define objectId

* Add `allowCustomObjectId` to PS Option

* Add checking in objectId creation

* Add test

* Update docs

* Update definition

* Change default to false

* throw on empty, null, undefined

* better tests

* unused async

* removed comment

* retain comment

* Linting fix according to contributing spec.
 2019-12-17 12:23:18 -06:00
Manuel Trezza
9d781c481f Throw error when setting authData to null (#6154) 
* added ignore authData field

* add fix for Postgres

* add test for mongoDB

* add test login with provider despite invalid authData

* removed fit

* fixed ignoring authData in postgres

* Fix postgres test

* Throw error instead of ignore

* improve tests

* Add mongo test

* allow authData when not user class

* fix tests

* more tests

* add condition to synthesize authData field only in _User class

it is forbidden to add a custom field name beginning with `_`, so if the object is not `_User` , the transform should throw

* add warning log when ignoring invalid `authData` in `_User`

* add test to throw when custom field begins with underscore
 2019-10-27 20:28:06 -05:00
Omair Vaiyani
618fe37c5a fix(RestWrite): make method async as expected in usage (#6025) 
The method `createSessionToken` in RestWrite.js is assumed to always return a promise (see Line 961 in `handleFollowUp`) - this was throwing an error `cannot read 'then' of undefined`. This simply one word change fixes that error.
 2019-09-04 09:46:34 -07:00
Diamond Lewis
cf6e79ee75 Fix: Lint no-prototype-builtins (#5920) 
* Fix: Lint no-prototype-builtins

Closes: https://github.com/parse-community/parse-server/issues/5842

Reference: https://eslint.org/docs/rules/no-prototype-builtins

* replace Object.hasOwnProperty.call
 2019-08-14 14:57:00 -07:00
Lucas Alencar
6080dbc4f9 fix: Set falsy values as default to schema fields (#5868) 2019-07-30 15:51:49 -05:00
Antonio Davi Macedo Coelho de Castro
fd637ff4f8 Required fields and default values (#5835) 
* Add field options to mongo schema metadata

* Add/fix test with fields options

* Add required validation failing test

* Add more tests

* Only set default value if field is undefined

* Fix redis test

* Fix tests

* Test for creating a new class with field options

* Validate default value type

* fix lint (weird)

* Fix lint another way

* Add tests for beforeSave trigger and solve small issue regarding the use of unset in the beforeSave trigger
 2019-07-25 21:13:59 -07:00
BrunoMaurice
50f1e8eb77 Make possible to alter response using the after save trigger (#5814) 
* make possible to alter response using the after save trigger like for after find

* code clearing to follow same object checking

* remove console log debug

* fix test unit
 2019-07-25 09:31:18 -07:00
Diamond Lewis
bb06376a32 Prevent linkWith sessionToken from generating new session (#5801) 2019-07-11 09:32:11 -05:00
Diamond Lewis
5341b8248f Generate sessionToken with linkWith (#5799) 
* Generate sessionToken with linkWith

* improve test

* Add comment
 2019-07-10 20:23:16 +00:00
Fabian Strachanski
73b0f9a339 Merge pull request from GHSA-8w3j-g983-8jh5 
* Add Test and Authenticator for ghsa-8w3j-g983-8jh5

* fix for ghsa-8w3j-g983-8jh5

* nit whitespace

not sure why lint isn't catching...
 2019-07-10 09:47:23 -04:00
greenkeeper[bot]
af82dd7bdd Update eslint-plugin-flowtype to the latest version 🚀 (#5656) 
* chore(package): update eslint-plugin-flowtype to version 3.10.0

* chore(package): update lockfile package-lock.json
 2019-06-12 05:41:21 +00:00
Diamond Lewis
7a080478b5 Fix #5654 (#5664) 
* Fix #5654

* fix tests

* throw error instead
 2019-06-11 13:40:34 -05:00
Diamond Lewis
cc6d474dcb Schema Cache Improvement 2 (#5616) 
* schema hasClass improvement

* create object improvement

* destroy object

* update object

* hasClass test rewrite

* more tests

* improve signing up users
 2019-05-30 11:14:05 -05:00
Antonio Davi Macedo Coelho de Castro
90c81c1750 Validates permission before calling beforeSave trigger (#5546) 
* Test to reproduce the problem

* Validating update before calling beforeSave trigger

* Fixing lint

* Commenting code

* Improving the code
 2019-05-11 10:37:27 -07:00
Omair Vaiyani
a1e1cef6d2 Add beforeLogin trigger with support for auth providers (#5445) 
* Add beforeLogin trigger with support for auth providers

* adjust comment that boxed off beforeLogin to a negative use-case only

* add internal error to help future maintainers regarding use of beforeLogin

* let beforeLogin accept className or constructor like other hook types

* add assertions for beforeLogin trigger className validation
 2019-04-23 08:24:20 -07:00