Palixir
ed98c15f90
feat: Add event information to verifyUserEmails, preventLoginWithUnverifiedEmail to identify invoking signup / login action and auth provider (#9963)
2026-02-06 03:48:35 +00:00
Lucas Coratger
47521974ae
feat: Add Parse Server option enableSanitizedErrorResponse to remove detailed error messages from responses sent to clients (#9944)
2025-11-28 19:48:35 +01:00
Lucas Coratger
50edb5ab4b
fix: Server internal error details leaking in error messages returned to clients (#9937)
2025-11-23 13:51:42 +01:00
Antoine Cormouls
eb052d8e6a
fix: Error in afterSave trigger for Parse.Role due to name field (#9883)
2025-10-22 14:12:51 +02:00
Daniel
12b5d781dc
feat: Add default ACL (#8701)
2025-03-24 15:15:27 +01:00
Manuel
5ef0440c8e
fix: Authentication provider credentials are usable across Parse Server apps; fixes security vulnerability [GHSA-837q-jhwx-cmpv](https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv) (#9667)
2025-03-21 10:49:09 +01:00
Manuel
dfd5a8edbf
ci: Add lint rule for mandatory curly braces (#9348)
2024-10-16 19:57:42 +02:00
Vahid Sane
1a2da4055a
feat: Add support for asynchronous invocation of FilesAdapter.getFileLocation (#9271)
2024-08-27 17:09:19 +02:00
Antoine Cormouls
6d4663b47e
refactor: Dry handleAuthData for safer code maintenance in the future (#9025)
2024-03-19 22:41:21 +01:00
Daniel
ad4aa83983
feat: Upgrade to Parse JS SDK 5 (#9022)
2024-03-17 04:08:52 +01:00
Manuel
8e7a6b1480
fix: Conditional email verification not working in some cases if verifyUserEmails, preventLoginWithUnverifiedEmail set to functions (#8838)
2023-12-26 21:01:27 +01:00
Manuel
a22dbe16d5
feat: Add installationId to arguments for verifyUserEmails, preventLoginWithUnverifiedEmail (#8836)
2023-12-17 01:50:19 +01:00
Wes
77bbfb3f18
feat: Allow setting createdAt and updatedAt during Parse.Object creation with maintenance key (#8696)
2023-09-29 22:17:48 +02:00
Manuel
5954f0ffa0
refactor: Parse Pointer allows to access internal Parse Server classes and circumvent beforeFind query trigger (#8735)
2023-09-04 16:01:02 +02:00
Manuel
31805c96ec
refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6) (#8676)
2023-06-28 23:38:14 +02:00
Daniel
cc079a40f6
feat: Add TOTP authentication adapter (#8457)
2023-06-23 17:57:57 +02:00
Daniel
44acd6d9ed
feat: Add conditional email verification via dynamic Parse Server options verifyUserEmails, sendUserEmailVerification that now accept functions (#8425)
2023-06-20 12:10:25 +02:00
Daniel
82da30842a
feat: Add new Parse Server option preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address (#8451)
2023-06-07 21:51:53 +02:00
Diamond Lewis
afd0515e20
fix: Cloud Code Trigger afterSave executes even if not set (#8520)
2023-05-12 02:39:54 +02:00
Daniel
f3bcc9365c
feat: Access the internal scope of Parse Server using the new maintenanceKey; the internal scope contains unofficial and undocumented fields (prefixed with underscore _) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the maintenanceKey for routine operations in a production environment; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) (#8212)
BREAKING CHANGE: Fields in the internal scope of Parse Server (prefixed with underscore `_`) are only returned using the new `maintenanceKey`; previously the `masterKey` allowed reading of internal fields; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) for a comparison of the keys' access permissions (#8212)
2023-01-08 22:02:12 +01:00
dblythy
f29d9720e9
fix: Cloud Code trigger beforeSave does not work with Parse.Role (#8320)
2022-11-19 03:27:51 +01:00
dblythy
5bbf9cade9
feat: Improve authentication adapter interface to support multi-factor authentication (MFA), authentication challenges, and provide a more powerful interface for writing custom authentication adapters (#8156)
2022-11-10 17:35:39 +01:00
Manuel
d27dfa3464
refactor: Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx) (#8304)
2022-11-09 20:02:05 +01:00
Manuel
37fed3062c
fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8180)
2022-09-20 02:23:49 +02:00
dblythy
37af1d78fc
fix: updating object includes unchanged keys in client response for certain key types (#8159)
2022-09-17 18:20:50 +02:00
dblythy
3c75c2ba48
fix: push notifications badge doesn't update with Installation beforeSave trigger (#8162)
2022-09-16 21:43:03 +02:00
dblythy
199dfc1722
fix: live query role cache does not clear when a user is added to a role (#8026)
2022-06-11 10:21:55 +02:00
dblythy
c1e808f9e8
feat: selectively enable / disable default authentication adapters (#7953)
2022-05-29 01:50:43 +02:00
dblythy
47d796ea58
fix: afterSave trigger removes pointer in Parse object (#7913)
2022-05-20 10:47:38 +02:00
dblythy
19900fcdf8
fix: return correct response when revert is used in beforeSave (#7839)
2022-05-01 02:39:56 +02:00
Manuel
971adb5438
fix: security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7843)
2022-03-12 13:49:57 +01:00
dblythy
caee281bc5
fix: allow LiveQuery on Parse.Session (#7554)
2021-10-08 17:24:33 +02:00
dblythy
484c2e81ca
fix: improve security by deprecating creating users with public access by default (#7319)
2021-10-08 05:24:20 +02:00
Manuel
24188a39a7
refactor: remove restricted session field (#7543)
* add issue bot for prs
* Update CHANGELOG.md
* Update issue-bot.yml
* remove session restriction artifacts
* Update CHANGELOG.md
* Update CHANGELOG.md
2021-09-04 03:03:46 +02:00
Antonio Davi Macedo Coelho de Castro
fc0fef5922
Merge pull request from GHSA-23r4-5mxp-c7g5 (#7497)
* Merge pull request from GHSA-23r4-5mxp-c7g5
* add anonymous login security fix
* add changelog entry
* update changelog
* Update package.json (#7498)
* Update package-lock.json (#7499)
Co-authored-by: Corey <coreyearleon@icloud.com>
2021-08-18 19:03:54 +02:00
Manuel
c56d326b17
Add circular dependency detection to CI (#7316)
* add circular dependency detection to CI
* fixed Auth-RestWrite circular dependency
* updated package lock
* fixed Logger circular dependency
* fix lint
2021-04-07 20:47:57 -05:00
Diamond Lewis
c1971b2ab1
fix(beforeSave/afterSave): Return value instead of Parse.Op for nested fields (#7005)
* fix(beforeSave): Return value instead of Parse.Op
* afterSave test
* Improve Tests
* Fixed postgres test by saveArgumentsByValue
2020-11-12 13:14:44 -08:00
Diamond Lewis
a4c84c09be
fix(beforeSave): Skip Sanitizing Database results (#7003)
* fix(beforeSave): Skip Sanitizing Database results
* fix test
2020-11-11 17:39:25 -08:00
Diamond Lewis
e6ac3b6932
fix(prettier): Properly handle lint-stage files (#6970)
Now handles top level files and recursive files in folders.
Set max line length to be 100
2020-10-25 15:06:58 -05:00
Diamond Lewis
e89cf25bc2
fix(directAccess): Properly handle response status (#6966)
* fix(directAccess): Properly handle response status
* clean up
* handle status in batch
2020-10-25 12:34:50 -05:00
Antoine Cormouls
62048260c9
GraphQL: Optimize queries, fixes some null returns (on object), fix stitched GraphQLUpload (#6709)
* Optimize query, fixes some null returns, fix stitched GraphQLUpload
* Fix authData key selection
* Prefer Iso string since other GraphQL solutions use this format
* fix tests
Co-authored-by: Antonio Davi Macedo Coelho de Castro <adavimacedo@gmail.com>
2020-10-01 15:19:26 -07:00
Kevin Kuang
dfa22391ad
Fix beforeLogin for users logging in with AuthData (#6872)
* fix beforeLogin
* Remove Facebook AccountKit auth (#6870)
* Remove Facebook AccountKit auth
Account Kit services are no longer available.
https://developers.facebook.com/blog/post/2019/09/09/account-kit-services-no-longer-available-starting-march/
https://www.sinch.com/blog/facebook-account-kit-is-closing-down-are-your-apps-covered/
* remove flaky test
* fix: upgrade uuid from 8.2.0 to 8.3.0 (#6865)
Snyk has created this PR to upgrade uuid from 8.2.0 to 8.3.0.
See this package in npm:
https://www.npmjs.com/package/uuid
See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
* fix: package.json & package-lock.json to reduce vulnerabilities (#6864)
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
* fix: upgrade ldapjs from 2.0.0 to 2.1.0 (#6857)
Snyk has created this PR to upgrade ldapjs from 2.0.0 to 2.1.0.
See this package in npm:
https://www.npmjs.com/package/ldapjs
See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
* fix: upgrade apollo-server-express from 2.15.1 to 2.16.0 (#6851)
Snyk has created this PR to upgrade apollo-server-express from 2.15.1 to 2.16.0.
See this package in npm:
https://www.npmjs.com/package/apollo-server-express
See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
* fix: upgrade @graphql-tools/stitch from 6.0.12 to 6.0.13 (#6845)
Snyk has created this PR to upgrade @graphql-tools/stitch from 6.0.12 to 6.0.13.
See this package in npm:
https://www.npmjs.com/package/@graphql-tools/stitch
See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
* fix: upgrade @graphql-tools/utils from 6.0.12 to 6.0.13 (#6846)
Snyk has created this PR to upgrade @graphql-tools/utils from 6.0.12 to 6.0.13.
See this package in npm:
https://www.npmjs.com/package/@graphql-tools/utils
See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
* [Snyk] Upgrade winston from 3.2.1 to 3.3.2 (#6799)
* fix: upgrade winston from 3.2.1 to 3.3.2
Snyk has created this PR to upgrade winston from 3.2.1 to 3.3.2.
See this package in NPM:
https://www.npmjs.com/package/winston
See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr
* fix tests
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
* fix beforeLogin
* add test case
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
Co-authored-by: Snyk bot <snyk-bot@snyk.io>
2020-08-25 09:34:26 -05:00
yog27ray
34614e0f78
Pass context in beforeDelete, afterDelete, beforeFind and Parse.Cloud.run. (#6666)
* add context for following hooks.
1. beforeDelete
2. afterDelete
3. beforeFind
4. Cloud Function
* revert unnecessary code change.
* fix: failing test cases.
* fix: failing test cases.
* fix: failing test cases.
* fix: failing test cases.
* fix: failing test cases.
* fix: failing test cases.
* fix: failing test cases.
* review changes
* revert changes
* revert changes
* review changes
* lint changes
* review changes
2020-07-10 22:47:27 +02:00
Manuel
f095dffcc3
fix context for cascade-saving and saving existing object (#6735)
* added test cases
* fixed unparsed context when updating object
* fixed context inheritance for cascade-saved objects
* upgraded parse dependency to 2.14.0
* rebuild
* removed superfluous comments
* undo lint changes
2020-07-02 14:37:41 -05:00
Manuel
288e746888
add context to Parse.Object.save (#6626)
* added failing test
* added parsing of context in REST save request
* undo lint changes
2020-04-28 11:36:46 -07:00
Arthur Cinader
fd0b535159
Case insensitive signup (#5634)
* Always delete data after each, even for mongo.
* Add failing simple case test
* run all tests
* 1. when validating username be case insensitive
2. add _auth_data_anonymous to specialQueryKeys...whatever that is!
* More case sensitivity
1. also make email validation case insensitive
2. update comments to reflect what this change does
* wordsmithery and grammar
* first pass at a performant case insensitive query. mongo only so far.
* change name of parameter from insensitive to
caseInsensitive
* Postgres support
* properly handle auth data null
* wip
* use 'caseInsensitive' instead of 'insensitive' in all places.
* update comment to reflect current plan
* skip the mystery test for now
* create case insensitive indices for
mongo to support case insensitive
checks for email and username
* remove unneeded specialKey
* pull collation out to a function.
* not sure what i planned
to do with this test.
removing.
* remove typo
* remove another unused flag
* maintain order
* maintain order of params
* boil the ocean on param sequence
i like having explain last cause it seems
like something you would
change/remove after getting what you want
from the explain?
* add test to verify creation
and use of caseInsensitive index
* add no op func to postgres
* get collation object from mongocollection
make flow lint happy by declaring things Object.
* fix typo
* add changelog
* kick travis
* properly reference static method
* add a test to confirm that anonymous users with
unique username that do collide when compared
insensitively can still be created.
* minor doc nits
* add a few tests to make sure our spy is working as expected
wordsmith the changelog
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
2020-02-14 09:44:51 -08:00
Old Grandpa
3c46117d9b
Granular CLP pointer permissions (#6352)
* set pointer permissions per operation; tests
* more tests
* fixes addField permission; tests
2020-01-27 22:21:30 -08:00
Rhuan
8bc201d228
#6101 Let users define objectId (#6177)
* #6101 Let users define objectId
* Add `allowCustomObjectId` to PS Option
* Add checking in objectId creation
* Add test
* Update docs
* Update definition
* Change default to false
* throw on empty, null, undefined
* better tests
* unused async
* removed comment
* retain comment
* Linting fix according to contributing spec.
2019-12-17 12:23:18 -06:00
Manuel Trezza
9d781c481f
Throw error when setting authData to null (#6154)
* added ignore authData field
* add fix for Postgres
* add test for mongoDB
* add test login with provider despite invalid authData
* removed fit
* fixed ignoring authData in postgres
* Fix postgres test
* Throw error instead of ignore
* improve tests
* Add mongo test
* allow authData when not user class
* fix tests
* more tests
* add condition to synthesize authData field only in _User class
it is forbidden to add a custom field name beginning with `_`, so if the object is not `_User`, the transform should throw
* add warning log when ignoring invalid `authData` in `_User`
* add test to throw when custom field begins with underscore
2019-10-27 20:28:06 -05:00
Omair Vaiyani
618fe37c5a
fix(RestWrite): make method async as expected in usage (#6025)
The method `createSessionToken` in RestWrite.js is assumed to always return a promise (see Line 961 in `handleFollowUp`) - this was throwing an error `cannot read 'then' of undefined`. This simple one-word change fixes that error.
2019-09-04 09:46:34 -07:00