Adds support for readOnly masterKey (#787)

* Adds support for readOnly masterKey

* nits

* Adds tests for readOnly

* Updates documentation

* nit

* nits

Author: flovilmart

Parse-Dashboard/Authentication.js

@@ -79,8 +79,9 @@ function initialize(app, options) {
  * @returns {Object} Object with `isAuthenticated` and `appsUserHasAccessTo` properties
  */
 function authenticate(userToTest, usernameOnly) {
-  var appsUserHasAccessTo = null;
-  var matchingUsername = null;
+  let appsUserHasAccessTo = null;
+  let matchingUsername = null;
+  let isReadOnly = false;
 
   //they provided auth
   let isAuthenticated = userToTest &&
@@ -96,6 +97,7 @@ function authenticate(userToTest, usernameOnly) {
         matchingUsername = user.user;
         // User restricted apps
         appsUserHasAccessTo = user.apps || null;
+        isReadOnly = !!user.readOnly; // make it true/false
       }
 
       return isAuthenticated;
@@ -104,7 +106,8 @@ function authenticate(userToTest, usernameOnly) {
   return {
     isAuthenticated,
     matchingUsername,
-    appsUserHasAccessTo
+    appsUserHasAccessTo,
+    isReadOnly,
   };
 }
 

Parse-Dashboard/app.js

@@ -76,9 +76,11 @@ module.exports = function(config, options) {
 
     // Serve the configuration.
     app.get('/parse-dashboard-config.json', function(req, res) {
+      // Copy the apps
+      const apps = config.apps.map((app) => Object.assign({}, app));
       let response = {
-        apps: config.apps,
-        newFeaturesInLatestVersion: newFeaturesInLatestVersion,
+        apps, 
+        newFeaturesInLatestVersion,
       };
 
       //Based on advice from Doug Wilson here:
@@ -101,14 +103,29 @@ module.exports = function(config, options) {
 
       const successfulAuth = authentication && authentication.isAuthenticated;
       const appsUserHasAccess = authentication && authentication.appsUserHasAccessTo;
+      const isReadOnly = authentication && authentication.isReadOnly;
+      // User is full read-only, replace the masterKey by the read-only one
+      if (isReadOnly) {
+        response.apps = response.apps.map((app) => {
+          app.masterKey = app.readOnlyMasterKey;
+          if (!app.masterKey) {
+            throw new Error('You need to provide a readOnlyMasterKey to use read-only features.');
+          }
+          return app;
+        });
+      }
 
       if (successfulAuth) {
         if (appsUserHasAccess) {
           // Restric access to apps defined in user dictionary
           // If they didn't supply any app id, user will access all apps
           response.apps = response.apps.filter(function (app) {
             return appsUserHasAccess.find(appUserHasAccess => {
-              return app.appId == appUserHasAccess.appId
+              const isSame = app.appId === appUserHasAccess.appId;
+              if (isSame && appUserHasAccess.readOnly) {
+                app.masterKey = app.readOnlyMasterKey;
+              }
+              return isSame;
             })
           });
         }

README.md

@@ -282,6 +282,80 @@ When `user1` logs in, he/she will be able to manage `myAppId1` and `myAppId2` fr
 
 When *`user2`*  logs in, he/she will only be able to manage *`myAppId1`* from the dashboard.
 
+## Use Read-Only masterKey
+
+Starting parse-server 2.6.5, it is possible to provide a `readOnlyMasterKey` to parse-server to prevent mutations on objects from a client.
+If you want to protect your dashboard with this feature, just use the `readOnlyMasterKey` instead of the `masterKey`. All write calls will fail.
+
+### Making an app read-only for all users
+
+Start your `parse-server` with
+
+```json
+{
+"masterKey": "YOUR_MASTER_KEY_HERE",
+"readOnlyMasterKey": "YOUR_READ_ONLY_MASTER_KEY",
+}
+```
+
+Then in your dashboard configuration:
+
+```
+var trustProxy = true;
+var dashboard = new ParseDashboard({
+  "apps": [
+    {
+      "serverURL": "http://localhost:1337/parse",
+      "appId": "myAppId",
+      "masterKey": "YOUR_READ_ONLY_MASTER_KEY",
+      "appName": "MyApp"
+    }
+  ],
+  "trustProxy": 1
+});
+```
+
+### Makings users read-only
+
+You can mark a user as a read-only user:
+
+```json
+{
+  "apps": [{"...": "..."}],
+  "users": [
+     {
+       "user":"user1",
+       "pass":"pass1",
+       "readOnly": true,
+       "apps": [{"appId": "myAppId1"}, {"appId": "myAppId2"}]
+     },
+     {
+       "user":"user2",
+       "pass":"pass2",
+       "apps": [{"appId": "myAppId1"}]
+     }  ]
+}
+```
+
+This way `user1` will have a readOnly access to `myAppId1` and `myAppId2`
+
+### Making user's apps readOnly
+
+You can give read only access to a user on a per-app basis:
+
+```json
+{
+  "apps": [{"...": "..."}],
+  "users": [
+     {
+       "user":"user1",
+       "pass":"pass1",
+       "apps": [{"appId": "myAppId1", "readOnly": true}, {"appId": "myAppId2"}]
+     } ]
+}
+```
+
+With this configuration, user1 will have read only access to `myAppId1` and read/write access to `myAppId2`.
 
 ## Run with Docker
 

src/lib/tests/Authentication.test.js

@@ -10,6 +10,11 @@ jest.dontMock('bcryptjs');
 
 const Authentication = require('../../../Parse-Dashboard/Authentication');
 const apps = [{appId: 'test123'}, {appId: 'test789'}];
+const readOnlyApps = apps.map((app) => { 
+  app.readOnly = true;
+  return app;
+});
+
 const unencryptedUsers = [
   {
     user: 'parse.dashboard',
@@ -19,6 +24,16 @@ const unencryptedUsers = [
     user: 'parse.apps',
     pass: 'xyz789',
     apps: apps
+  },
+  {
+    user: 'parse.readonly',
+    pass: 'abc123',
+    readOnly: true,
+  },
+  {
+    user: 'parse.readonly.apps',
+    pass: 'abc123',
+    apps: readOnlyApps,
   }
 ];
 const encryptedUsers = [
@@ -33,11 +48,13 @@ const encryptedUsers = [
   }
 ]
 
-function createAuthenticationResult(isAuthenticated, matchingUsername, appsUserHasAccessTo) {
+function createAuthenticationResult(isAuthenticated, matchingUsername, appsUserHasAccessTo, isReadOnly) {
+  isReadOnly = !!isReadOnly;
   return {
     isAuthenticated,
     matchingUsername,
-    appsUserHasAccessTo
+    appsUserHasAccessTo,
+    isReadOnly
   }
 }
 
@@ -107,4 +124,16 @@ describe('Authentication', () => {
     expect(authentication.authenticate({name: 'parse.dashboard'}, true))
       .toEqual(createAuthenticationResult(true, 'parse.dashboard', null));
   });
+
+  it('makes readOnly auth when specified', () => {
+    let authentication = new Authentication(unencryptedUsers, false);
+    expect(authentication.authenticate({name: 'parse.readonly', pass: 'abc123'}))
+      .toEqual(createAuthenticationResult(true, 'parse.readonly', null, true));
+  });
+
+  it('makes readOnly auth when specified in apps', () => {
+    let authentication = new Authentication(unencryptedUsers, false);
+    expect(authentication.authenticate({name: 'parse.readonly.apps', pass: 'abc123'}))
+      .toEqual(createAuthenticationResult(true, 'parse.readonly.apps', readOnlyApps, false));
+  });
 });