Daniel
99fcf45e55
feat: Asynchronous initialization of Parse Server (#8232)
BREAKING CHANGE: This release introduces the asynchronous initialization of Parse Server to prevent mounting Parse Server before being ready to receive requests; it changes how Parse Server is imported, initialized and started; it also removes the callback `serverStartComplete`; see the [Parse Server 6 migration guide](https://github.com/parse-community/parse-server/blob/alpha/6.0.0.md) for more details (#8232)
2022-12-21 15:30:13 +01:00
Daniel
1412666f75
fix: Nested objects are encoded incorrectly for MongoDB (#8209)
BREAKING CHANGE: Nested objects are now properly stored in the database using JSON serialization; previously, due to a bug only top-level objects were serialized, but nested objects were saved as raw JSON; for example, a nested `Date` object was saved as a JSON object like `{ "__type": "Date", "iso": "2020-01-01T00:00:00.000Z" }` instead of its serialized representation `2020-01-01T00:00:00.000Z` (#8209)
2022-12-20 16:57:29 +01:00
Daniel
e22b73d4b7
feat: Write log entry when request with master key is rejected as outside of masterKeyIps (#8350)
2022-12-16 03:43:50 +01:00
alljinx
8f3b694e39
feat: Add option to change the log level of the logs emitted by triggers (#8328)
2022-12-07 22:55:45 +01:00
Manuel
b48c27049a
refactor: Improve incorrect deprecation log message for auth adapter (#8347)
2022-12-06 23:04:37 +01:00
Daniel
b2761fb378
feat: Upgrade Redis 3 to 4 for LiveQuery (#8333)
2022-11-26 17:45:30 +01:00
Daniel
ab82635b0d
fix: Parse Server option masterKeyIps does not include localhost by default for IPv6 (#8322)
2022-11-25 23:19:14 +01:00
dblythy
f29d9720e9
fix: Cloud Code trigger beforeSave does not work with Parse.Role (#8320)
2022-11-19 03:27:51 +01:00
dblythy
ed499e32a2
feat: Remove deprecation DEPPS3: Config option enforcePrivateUsers defaults to true (#8283)
BREAKING CHANGE: The Parse Server option `enforcePrivateUsers` is set to `true` by default; in previous releases this option defaults to `false`; this change improves the default security configuration of Parse Server (#8283)
2022-11-16 22:59:44 +01:00
dblythy
6c16021a1f
feat: Restrict use of masterKey to localhost by default (#8281)
BREAKING CHANGE: This release restricts the use of `masterKey` to localhost by default; if you are using Parse Dashboard on a different server to connect to Parse Server you need to add the IP address of the server that hosts Parse Dashboard to this option (#8281)
2022-11-11 03:24:48 +01:00
dblythy
7d622f06a4
feat: Upgrade Redis 3 to 4 (#8293)
BREAKING CHANGE: This release upgrades to Redis 4; if you are using the Redis cache adapter with Parse Server then this is a breaking change as the Redis client options have changed; see the [Redis migration guide](https://github.com/redis/node-redis/blob/redis%404.0.0/docs/v3-to-v4.md) for more details (#8293)
2022-11-11 01:16:50 +01:00
dblythy
37245f62ce
feat: Remove support for MongoDB 4.0 (#8292)
BREAKING CHANGE: This release removes support for MongoDB 4.0; the new minimum supported MongoDB version is 4.2, which also removes support for the deprecated MongoDB MMAPv1 storage engine
2022-11-10 22:21:11 +01:00
dblythy
130d29074e
fix: Throwing error in Cloud Code Triggers afterLogin, afterLogout crashes server (#8280)
BREAKING CHANGE: Throwing an error in Cloud Code Triggers `afterLogin`, `afterLogout` returns a rejected promise; in previous releases it crashed the server if you did not handle the error on the Node.js process level; consider adapting your code if your app currently handles these errors on the Node.js process level with `process.on('unhandledRejection', ...)`
2022-11-10 22:00:40 +01:00
dblythy
f535ee6ec2
feat: Remove deprecation DEPPS2: Config option directAccess defaults to true (#8284)
BREAKING CHANGE: Config option `directAccess` defaults to true; set this to `false` in environments where multiple Parse Server instances run behind a load balancer and Parse requests within the current Node.js environment should be routed via the load balancer and distributed as HTTP requests among all instances via the `serverURL`.
2022-11-10 20:31:07 +01:00
dblythy
2d79c0835b
feat: Remove deprecation DEPPS4: Remove convenience method for http request Parse.Cloud.httpRequest (#8287)
BREAKING CHANGE: The convenience method for HTTP requests `Parse.Cloud.httpRequest` is removed; use your preferred 3rd party library for making HTTP requests
2022-11-10 18:28:49 +01:00
dblythy
5bbf9cade9
feat: Improve authentication adapter interface to support multi-factor authentication (MFA), authentication challenges, and provide a more powerful interface for writing custom authentication adapters (#8156)
2022-11-10 17:35:39 +01:00
dblythy
2546cc8572
fix: Remove Node 12 and Node 17 support (#8279)
BREAKING CHANGE: This release removes Node 12 and Node 17 support
2022-11-10 16:15:55 +01:00
Manuel
7cb266b207
refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf) (#8308)
2022-11-10 00:24:42 +01:00
Manuel
d27dfa3464
refactor: Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx) (#8304)
2022-11-09 20:02:05 +01:00
Manuel
42581225f1
refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg) (#8297)
2022-11-07 23:17:03 +01:00
Manuel
5e9d494979
Merge branch 'beta' into build-beta
2022-10-29 21:31:22 +02:00
dblythy
9f111158ed
feat: add convenience access to Parse Server configuration in Cloud Code via Parse.Server (#8244)
2022-10-29 19:03:31 +02:00
dblythy
28f0d26677
fix: relation constraints in compound queries Parse.Query.or, Parse.Query.and not working (#8203)
2022-10-24 12:45:17 +02:00
Manuel
aba0081ce1
feat: add support for MongoDB 6 (#8242)
2022-10-17 19:21:32 +02:00
dblythy
4af13af991
ci: reduce timeout after idempotency tests (#8227)
2022-10-17 01:53:10 +02:00
Manuel
c03908f74e
fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) [skip release] (#8238)
2022-10-15 01:06:45 +02:00
Manuel
4c1befabf2
fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) [skip release] (#8237)
2022-10-15 00:54:08 +02:00
Diamond Lewis
0f763da17d
feat: liveQuery support for unsorted distance queries (#8221)
2022-10-12 00:27:29 +02:00
dblythy
2a82d19dbd
refactor: code style fixes with prettier and lint (#8208)
2022-10-03 13:55:05 +02:00
dblythy
eb649f226f
test: fix flaky Apple Game Center tests (#8204)
2022-10-01 12:14:59 +02:00
vzukanov
0388956808
feat: add option to change the default value of the Parse.Query.limit() constraint (#8152)
2022-09-30 00:38:57 +02:00
Manuel
8c8ec71573
fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) [skip release] (#8187)
2022-09-20 23:05:44 +02:00
Manuel
1a2b1b9bc1
fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) [skip release] (#8188)
2022-09-20 23:03:21 +02:00
Manuel
83cdc89be9
fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8181)
2022-09-20 02:36:54 +02:00
Manuel
37fed3062c
fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8180)
2022-09-20 02:23:49 +02:00
dblythy
3b775a1fb8
fix: sorting by non-existing value throws INVALID_SERVER_ERROR on Postgres (#8157)
2022-09-17 20:41:45 +02:00
dblythy
37af1d78fc
fix: updating object includes unchanged keys in client response for certain key types (#8159)
2022-09-17 18:20:50 +02:00
dblythy
e424137406
fix: query aggregation pipeline cannot handle value of type Date when directAccess: true (#8167)
2022-09-17 16:19:28 +02:00
Stew
1d9605bc93
fix: liveQuery with containedIn not working when object field is an array (#8128)
2022-09-17 13:59:45 +02:00
dblythy
3c75c2ba48
fix: push notifications badge doesn't update with Installation beforeSave trigger (#8162)
2022-09-16 21:43:03 +02:00
dblythy
c85bc016e2
ci: fix flaky Apple Game Center tests (#8163)
2022-09-14 16:33:55 +02:00
Snyk bot
149884fe3e
refactor: upgrade mongodb from 4.6.0 to 4.7.0 (#8083)
2022-09-03 11:22:42 +02:00
Manuel
4c0c7c77b7
fix: brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) (#8146) [skip release]
2022-09-02 21:43:31 +02:00
Manuel
f0db4ca4a4
fix: brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) (#8145) [skip release]
2022-09-02 21:43:09 +02:00
Antoine Cormouls
c16f529f74
fix: internal indices for classes _Idempotency and _Role are not protected in defined schema (#8121)
2022-08-05 11:25:02 +02:00
Jong Eun Lee
7f5a15d5df
fix: graphQL query ignores condition equalTo with value false (#8032)
2022-07-03 12:13:10 +02:00
Manuel
9fd4516cde
fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] (#8076)
2022-06-30 13:01:40 +02:00
Manuel
636d16e0f9
fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] (#8075)
2022-06-30 12:53:31 +02:00
Manuel
4c9e95674a
fix: invalid file request not properly handled [skip release] (#8062)
2022-06-18 02:38:04 +02:00
Manuel
1a04a347cf
fix: invalid file request not properly handled [skip release] (#8061)
2022-06-18 02:15:08 +02:00