Results invalid session when providing an invalid session token (#2154)

* Results invalid session when providing an invalid session token

* Reverts unsafe loggers

* Fixes failing tests

- The tests were failin when run in sequence as we called done() before the JSSDK had a chance to register the session token, therefore having a proper logout call in afterEach

Author: flovilmart

spec/ParseUser.spec.js

@@ -1589,7 +1589,7 @@ describe('Parse.User testing', () => {
       bob.setPassword('meower');
       return bob.save();
     }).then(() => {
-      return Parse.User.logIn('bob', 'meower');
+      return Parse.User.logIn('bob', 'meower');  
     }).then((bob) => {
       expect(bob.getUsername()).toEqual('bob');
       done();
@@ -2091,7 +2091,7 @@ describe('Parse.User testing', () => {
       fail('Save should have failed.');
       done();
     }, (e) => {
-      expect(e.code).toEqual(Parse.Error.SESSION_MISSING);
+      expect(e.code).toEqual(Parse.Error.INVALID_SESSION_TOKEN);
       done();
     });
   });
@@ -2124,6 +2124,26 @@ describe('Parse.User testing', () => {
     });
   });
 
+  it("invalid session tokens are rejected", (done) => {
+    Parse.User.signUp("asdf", "zxcv", null, {
+      success: function(user) {
+        request.get({
+          url: 'http://localhost:8378/1/classes/AClass',
+          json: true,
+          headers: {
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-Rest-API-Key': 'rest',
+            'X-Parse-Session-Token': 'text'
+          },
+        }, (error, response, body) => {
+          expect(body.code).toBe(209);
+          expect(body.error).toBe('invalid session token');
+          done();
+        })
+      }
+    });
+  });
+
   it_exclude_dbs(['postgres'])('should cleanup null authData keys (regression test for #935)', (done) => {
     let database = new Config(Parse.applicationId).database;
     database.create('_User', {
@@ -2374,7 +2394,7 @@ describe('Parse.User testing', () => {
         })
         .then(() => obj.fetch())
         .catch(error => {
-          expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND);
+          expect(error.code).toEqual(Parse.Error.INVALID_SESSION_TOKEN);
           done();
         });
       })

spec/ValidationAndPasswordsReset.spec.js

@@ -304,11 +304,12 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
   });
 
   it_exclude_dbs(['postgres'])('receives the app name and user in the adapter', done => {
+    var emailSent = false;
     var emailAdapter = {
       sendVerificationEmail: options => {
         expect(options.appName).toEqual('emailing app');
         expect(options.user.get('email')).toEqual('[email protected]');
-        done();
+        emailSent = true;
       },
       sendPasswordResetEmail: () => Promise.resolve(),
       sendMail: () => {}
@@ -325,7 +326,10 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
       user.setUsername("zxcv");
       user.set('email', '[email protected]');
       user.signUp(null, {
-        success: () => {},
+        success: () => {
+          expect(emailSent).toBe(true);
+          done();
+        },
         error: function(userAgain, error) {
           fail('Failed to save user');
           done();
@@ -336,23 +340,10 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
 
   it_exclude_dbs(['postgres'])('when you click the link in the email it sets emailVerified to true and redirects you', done => {
     var user = new Parse.User();
+    var sendEmailOptions;
     var emailAdapter = {
       sendVerificationEmail: options => {
-        request.get(options.link, {
-          followRedirect: false,
-        }, (error, response, body) => {
-          expect(response.statusCode).toEqual(302);
-          expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user');
-          user.fetch()
-          .then(() => {
-            expect(user.get('emailVerified')).toEqual(true);
-            done();
-          }, (err) => {
-            console.error(err);
-            fail("this should not fail");
-            done();
-          });
-        });
+        sendEmailOptions = options;
       },
       sendPasswordResetEmail: () => Promise.resolve(),
       sendMail: () => {}
@@ -364,10 +355,32 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
       publicServerURL: "http://localhost:8378/1"
     })
     .then(() => {
-      user.setPassword("asdf");
+      user.setPassword("other-password");
       user.setUsername("user");
       user.set('email', '[email protected]');
-      user.signUp();
+      return user.signUp();
+    }).then(() => {
+      expect(sendEmailOptions).not.toBeUndefined();
+      request.get(sendEmailOptions.link, {
+          followRedirect: false,
+      }, (error, response, body) => {
+        expect(response.statusCode).toEqual(302);
+        expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user');
+        user.fetch()
+        .then(() => {
+          expect(user.get('emailVerified')).toEqual(true);
+          done();
+        }, (err) => {
+          console.error(err);
+          fail("this should not fail");
+          done();
+        }).catch((err) =>
+        {
+          console.error(err);
+          fail(err);
+          done();
+        })
+      });
     });
   });
 

spec/helper.js

@@ -329,6 +329,14 @@ global.it_exclude_dbs = excluded => {
   }
 }
 
+global.fit_exclude_dbs = excluded => {
+  if (excluded.includes(process.env.PARSE_SERVER_TEST_DB)) {
+    return xit;
+  } else {
+    return fit;
+  }
+}
+
 // LiveQuery test setting
 require('../src/LiveQuery/PLog').logLevel = 'NONE';
 var libraryCache = {};

src/Auth.js

@@ -58,7 +58,7 @@ var getAuthForSessionToken = function({ config, sessionToken, installationId } =
     return query.execute().then((response) => {
       var results = response.results;
       if (results.length !== 1 || !results[0]['user']) {
-        return nobody(config);
+        throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
       }
 
       var now = new Date(),

src/middlewares.js

@@ -130,6 +130,10 @@ function handleParseHeaders(req, res, next) {
     return invalidRequest(req, res);
   }
 
+  if (req.url == "/login") {
+    delete info.sessionToken;
+  }
+
   if (!info.sessionToken) {
     req.auth = new auth.Auth({ config: req.config, installationId: info.installationId, isMaster: false });
     next();
@@ -219,6 +223,7 @@ var allowMethodOverride = function(req, res, next) {
 };
 
 var handleParseErrors = function(err, req, res, next) {
+  // TODO: Add logging as those errors won't make it to the PromiseRouter
   if (err instanceof Parse.Error) {
     var httpStatus;