BREAKING CHANGE: Parse Server option `allowExpiredAuthDataToken` defaults to `false`; a 3rd party authentication token will be validated every time the user tries to log in and the login will fail if the token has expired; the effect of this change may differ for different authentication adapters, depending on the token lifetime and the token refresh logic of the adapter
BREAKING CHANGE: `Parse.Session.current()` no longer throws an error if the session token is expired, but instead returns the session token with its expiration date to allow checking its validity
BREAKING CHANGE: Fields in the internal scope of Parse Server (prefixed with underscore `_`) are only returned using the new `maintenanceKey`; previously the `masterKey` allowed reading of internal fields; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) for a comparison of the keys' access permissions (#8212)
BREAKING CHANGE: The Parse Server option `enforcePrivateUsers` is set to `true` by default; in previous releases this option defaults to `false`; this change improves the default security configuration of Parse Server (#8283)
* 6641: Implement support for user impersonation: master key clients can log in as any user, without access to the user's credentials, and without presuming the user already has a session
* reworded changelog
* rebuilt package lock
* fit test
* using lodash flatMap
* bump to node 12 for postgres test
* revert test fit
* add node version to postgres CI
* revert package-lock
Co-authored-by: gormanfletcher <git@gormanfletcher.com>
Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com>
* Optimize query, fixes some null returns, fix stitched GraphQLUpload
* Fix authData key selection
* Prefer Iso string since other GraphQL solutions use this format
* fix tests
Co-authored-by: Antonio Davi Macedo Coelho de Castro <adavimacedo@gmail.com>
* Always delete data after each, even for mongo.
* Add failing simple case test
* run all tests
* 1. when validating username be case insensitive
2. add _auth_data_anonymous to specialQueryKeys...whatever that is!
* More case sensitivity
1. also make email validation case insensitive
2. update comments to reflect what this change does
* wordsmithery and grammar
* first pass at a performant case insensitive query. mongo only so far.
* change name of parameter from insensitive to
caseInsensitive
* Postgres support
* properly handle auth data null
* wip
* use 'caseInsensitive' instead of 'insensitive' in all places.
* update comment to reflect current plan
* skip the mystery test for now
* create case insensitive indices for mongo to support case insensitive checks for email and username
* remove unneeded specialKey
* pull collation out to a function.
* not sure what i planned
to do with this test.
removing.
* remove typo
* remove another unused flag
* maintain order
* maintain order of params
* boil the ocean on param sequence
i like having explain last cause it seems
like something you would
change/remove after getting what you want
from the explain?
* add test to verify creation
and use of caseInsensitive index
* add no op func to postgres
* get collation object from mongocollection
make flow lint happy by declaring things Object.
* fix typo
* add changelog
* kick travis
* properly reference static method
* add a test to confirm that anonymous users with
unique username that do collide when compared
insensitively can still be created.
* minor doc nits
* add a few tests to make sure our spy is working as expected
wordsmith the changelog
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
* added ignore authData field
* add fix for Postgres
* add test for mongoDB
* add test login with provider despite invalid authData
* removed fit
* fixed ignoring authData in postgres
* Fix postgres test
* Throw error instead of ignore
* improve tests
* Add mongo test
* allow authData when not user class
* fix tests
* more tests
* add condition to synthesize authData field only in _User class
it is forbidden to add a custom field name beginning with `_`, so if the object is not `_User`, the transform should throw
* add warning log when ignoring invalid `authData` in `_User`
* add test to throw when custom field begins with underscore
* Add beforeLogin trigger with support for auth providers
* adjust comment that boxed off beforeLogin to a negative use-case only
* add internal error to help future maintainers regarding use of beforeLogin
* let beforeLogin accept className or constructor like other hook types
* add assertions for beforeLogin trigger className validation
* removes from emailverificationtoken spec
* updates winston
* Updates ValidationAndPasswordsReset
* Use local request in schemas
* Removes request in rest.spec
* Removes request from PushRouter0
* removes request from public API
* removes request from index.spec
* Removes request from parse.push spec
* removes request from ParseInstallation spec
* Removes from ParseHooks
* removes request from ParseGlobalConfig.spec
* Removes request from ParseAPI.spec.js
* removes request from LogsRouter
* removes in features
* Filters undefined headers instead of crashing
* Removes request from ParseUser spec
* Removes usage of request in ParseFile.spec.js
* Removes request from AuthAdapters.js
* removes request-promise from ParseGeoPoint.spec
* Removes request-promise from ParseQuery spec
* remove request-promise from UserPII
* removes request-promise from EnableExpressErrorHandler
* Updates RevocableSessionUpgrade spec
* Update RestQuery
* Removes read preferenceOptionM
* ensure we forward auth from URL
* use request in CloudCode.spec.js
* Removes request-promise from JobSchedule.spec
* Removes rp from VerifyUserPassword.spec.js
* Removes rp from PasswordPolicy spec
* Removes rp from ParsePolygon spec
* Removes rp from fullTextSearch spec
* Removes rp from ParseQuery.Aggregate
* Ensure we properly forward errors
* Removes request and request-promise
* Silences warnings from mongodb client
* Update count, delete and finds to recommended implementations
* With new parser, readPref will be null by default
* Update flaky specs with async/await style
* Adds gridstore adapter spec
* Use GridFSBucketStorage adapter
* WIP: Integrate JS SDK v2
- Removes backbone style callbacks
- Use Promise instead of Parse.Promise
* Fixes ParseObject and ParseRelation
* Updates Parse.Query with promises
* All tests should pass
* Ensure a fresh user is used for each test
* Use REST implementation to avoid side effects for username/email duplicates
* Uses js sdk v2
* Various improvements in test name / de-duplications
* Reverts to class by class deletion, introduced fast mode that just delete data for mongo
- Speeds up are incredible Executed 1695 of 1713 specs INCOMPLETE (18 PENDING) in 4 mins 19 secs.
* Adds documentation about the deleteEverything
* Removes need to use babel-register
- Adds watch to watch changes when running the test to regenerate
- Tests are now pure node 8
* Adds timing to helper.js
* Update contribution guide
* Adds inline sourcemaps generation to restore coverage
* nits
* Fixes an issue that would let the beforeDelete be called when user has no access to the object
* Ensure we properly lock user
- Improves find method so we can attempt to read for a write poking the right ACL instead of using masterKey
- This ensures we do not run beforeDelete/beforeFind/beforeSave in the wrong scenarios
* nits
* Caps insufficient