Skip to content

Adds support for readOnly masterKey #787

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Oct 26, 2017
Merged

Adds support for readOnly masterKey #787

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3c13c58
Adds support for readOnly masterKey
flovilmart Oct 26, 2017
11f8656
nits
flovilmart Oct 26, 2017
b55c23b
Adds tests for readOnly
flovilmart Oct 26, 2017
716b78e
Updates documentation
flovilmart Oct 26, 2017
49cb761
nit
flovilmart Oct 26, 2017
8fd3f52
nits
flovilmart Oct 26, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions Parse-Dashboard/Authentication.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,8 +79,9 @@ function initialize(app, options) {
* @returns {Object} Object with `isAuthenticated` and `appsUserHasAccessTo` properties
*/
function authenticate(userToTest, usernameOnly) {
var appsUserHasAccessTo = null;
var matchingUsername = null;
let appsUserHasAccessTo = null;
let matchingUsername = null;
let isReadOnly = false;

//they provided auth
let isAuthenticated = userToTest &&
Expand All @@ -96,6 +97,7 @@ function authenticate(userToTest, usernameOnly) {
matchingUsername = user.user;
// User restricted apps
appsUserHasAccessTo = user.apps || null;
isReadOnly = !!user.readOnly; // make it true/false
}

return isAuthenticated;
Expand All @@ -104,7 +106,8 @@ function authenticate(userToTest, usernameOnly) {
return {
isAuthenticated,
matchingUsername,
appsUserHasAccessTo
appsUserHasAccessTo,
isReadOnly,
};
}

Expand Down
19 changes: 17 additions & 2 deletions Parse-Dashboard/app.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ module.exports = function(config, options) {
// Serve the configuration.
app.get('/parse-dashboard-config.json', function(req, res) {
let response = {
apps: config.apps,
apps: [...config.apps], // make a copy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

neat trick.

newFeaturesInLatestVersion: newFeaturesInLatestVersion,
};

Expand All @@ -101,14 +101,29 @@ module.exports = function(config, options) {

const successfulAuth = authentication && authentication.isAuthenticated;
const appsUserHasAccess = authentication && authentication.appsUserHasAccessTo;
const isReadOnly = authentication && authentication.isReadOnly;
// User is full read-only, replace the masterKey by the read-only one
if (isReadOnly) {
response.apps = response.apps.map((app) => {
app.masterKey = app.readOnlyMasterKey;
if (!app.masterKey) {
throw new Error('You need to provide a readOnlyMasterKey to use read-only features.');
}
return app;
});
}

if (successfulAuth) {
if (appsUserHasAccess) {
// Restric access to apps defined in user dictionary
// If they didn't supply any app id, user will access all apps
response.apps = response.apps.filter(function (app) {
return appsUserHasAccess.find(appUserHasAccess => {
return app.appId == appUserHasAccess.appId
const isSame = app.appId === appUserHasAccess.appId;
if (isSame && appUserHasAccess.readOnly) {
app.masterKey = app.readOnlyMasterKey;
}
return isSame;
})
});
}
Expand Down
74 changes: 74 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -282,6 +282,80 @@ When `user1` logs in, he/she will be able to manage `myAppId1` and `myAppId2` fr

When *`user2`* logs in, he/she will only be able to manage *`myAppId1`* from the dashboard.

## Use Read-Only masterKey

Starting parse-server 2.6.5, it is possible to provide a `readOnlyMasterKey` to parse-server to prevent mutations on objects from a client.
If you want to protect your dashboard with this feature, just use the `readOnlyMasterKey` instead of the `masterKey`. All write calls will fail.

### Making an app read-only for all users

Start your `parse-server` with

```json
{
"masterKey": "YOUR_MASTER_KEY_HERE",
"readOnlyMasterKey": "YOUR_READ_ONLY_MASTER_KEY",
}
```

Then in your dashboard configuration:

```
var trustProxy = true;
var dashboard = new ParseDashboard({
"apps": [
{
"serverURL": "http://localhost:1337/parse",
"appId": "myAppId",
"masterKey": "YOUR_READ_ONLY_MASTER_KEY",
"appName": "MyApp"
}
],
"trustProxy": 1
});
```

### Makings users read-only

You can mark a user as a read-only user:

```json
{
"apps": [{"...": "..."}],
"users": [
{
"user":"user1",
"pass":"pass1",
"readOnly": true,
"apps": [{"appId": "myAppId1"}, {"appId": "myAppId2"}]
},
{
"user":"user2",
"pass":"pass2",
"apps": [{"appId": "myAppId1"}]
} ]
}
```

This way `user1` will have a readOnly access to `myAppId1` and `myAppId2`

### Making user's apps readOnly

You can give read only access to a user on a per-app basis:

```json
{
"apps": [{"...": "..."}],
"users": [
{
"user":"user1",
"pass":"pass1",
"apps": [{"appId": "myAppId1", "readOnly": true}, {"appId": "myAppId2"}]
} ]
}
```

With this configuration, user1 will have read only access to `myAppId1` and read/write access to `myAppId2`.

## Run with Docker

Expand Down
33 changes: 31 additions & 2 deletions src/lib/tests/Authentication.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,11 @@ jest.dontMock('bcryptjs');

const Authentication = require('../../../Parse-Dashboard/Authentication');
const apps = [{appId: 'test123'}, {appId: 'test789'}];
const readOnlyApps = apps.map((app) => {
app.readOnly = true;
return app;
});

const unencryptedUsers = [
{
user: 'parse.dashboard',
Expand All @@ -19,6 +24,16 @@ const unencryptedUsers = [
user: 'parse.apps',
pass: 'xyz789',
apps: apps
},
{
user: 'parse.readonly',
pass: 'abc123',
readOnly: true,
},
{
user: 'parse.readonly.apps',
pass: 'abc123',
apps: readOnlyApps,
}
];
const encryptedUsers = [
Expand All @@ -33,11 +48,13 @@ const encryptedUsers = [
}
]

function createAuthenticationResult(isAuthenticated, matchingUsername, appsUserHasAccessTo) {
function createAuthenticationResult(isAuthenticated, matchingUsername, appsUserHasAccessTo, isReadOnly) {
isReadOnly = !!isReadOnly;
return {
isAuthenticated,
matchingUsername,
appsUserHasAccessTo
appsUserHasAccessTo,
isReadOnly
}
}

Expand Down Expand Up @@ -107,4 +124,16 @@ describe('Authentication', () => {
expect(authentication.authenticate({name: 'parse.dashboard'}, true))
.toEqual(createAuthenticationResult(true, 'parse.dashboard', null));
});

it('makes readOnly auth when specified', () => {
let authentication = new Authentication(unencryptedUsers, false);
expect(authentication.authenticate({name: 'parse.readonly', pass: 'abc123'}))
.toEqual(createAuthenticationResult(true, 'parse.readonly', null, true));
});

it('makes readOnly auth when specified in apps', () => {
let authentication = new Authentication(unencryptedUsers, false);
expect(authentication.authenticate({name: 'parse.readonly.apps', pass: 'abc123'}))
.toEqual(createAuthenticationResult(true, 'parse.readonly.apps', readOnlyApps, false));
});
});