Merge remote-tracking branch 'upstream/master' into add-idempotency

mtrezza · mtrezza · commit 401e5843db30 · 2020-07-10T21:16:21.000+02:00
diff --git a/README.md b/README.md
@@ -32,8 +32,8 @@
 
 </p>
 <p align="center">
-  <a href="#backers"><img alt="Backers on Open Collective" src="https://opencollective.com/parse-server/backers/badge.svg" /></a>
-  <a href="#sponsors"><img alt="Sponsors on Open Collective" src="https://opencollective.com/parse-server/sponsors/badge.svg" /></a>
+  <a href="#backers"><img alt="Backers on Open Collective" src="https://opencollective.com/parse-server/tiers/backers/badge.svg" /></a>
+  <a href="#sponsors"><img alt="Sponsors on Open Collective" src="https://opencollective.com/parse-server/tiers/sponsors/badge.svg" /></a>
 </p>
 <br>
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -19,35 +19,35 @@
   ],
   "license": "BSD-3-Clause",
   "dependencies": {
-    "@apollographql/graphql-playground-html": "1.6.24",
-    "@graphql-tools/stitch": "^6.0.0",
-    "@graphql-tools/utils": "^6.0.0",
+    "@apollographql/graphql-playground-html": "1.6.26",
+    "@graphql-tools/stitch": "^6.0.1",
+    "@graphql-tools/utils": "^6.0.1",
     "@parse/fs-files-adapter": "1.0.1",
     "@parse/push-adapter": "3.2.0",
     "@parse/s3-files-adapter": "1.4.0",
     "@parse/simple-mailgun-adapter": "1.1.0",
-    "apollo-server-express": "2.14.0",
+    "apollo-server-express": "2.14.1",
     "bcryptjs": "2.4.3",
     "body-parser": "1.19.0",
     "commander": "5.1.0",
     "cors": "2.8.5",
     "deepcopy": "2.0.0",
     "express": "4.17.1",
     "follow-redirects": "1.11.0",
-    "graphql": "15.0.0",
+    "graphql": "15.1.0",
     "graphql-list-fields": "2.0.2",
     "graphql-relay": "^0.6.0",
     "graphql-upload": "11.0.0",
     "intersect": "1.0.1",
     "jsonwebtoken": "8.5.1",
     "jwks-rsa": "1.8.0",
-    "ldapjs": "1.0.2",
-    "lodash": "4.17.15",
+    "ldapjs": "2.0.0",
+    "lodash": "4.17.16",
     "lru-cache": "5.1.1",
     "mime": "2.4.6",
-    "mongodb": "3.5.8",
-    "parse": "2.13.0",
-    "pg-promise": "10.5.4",
+    "mongodb": "3.5.9",
+    "parse": "2.14.0",
+    "pg-promise": "10.5.6",
     "pluralize": "^8.0.0",
     "redis": "3.0.2",
     "semver": "7.3.2",
@@ -66,7 +66,7 @@
     "@babel/preset-env": "7.10.0",
     "@parse/minami": "1.0.0",
     "apollo-cache-inmemory": "1.6.6",
-    "apollo-client": "2.6.9",
+    "apollo-client": "2.6.10",
     "apollo-link": "1.2.14",
     "apollo-link-http": "1.5.17",
     "apollo-link-ws": "1.0.20",
@@ -77,10 +77,9 @@
     "cross-env": "7.0.2",
     "deep-diff": "1.0.2",
     "eslint": "6.8.0",
-    "eslint-plugin-flowtype": "5.0.3",
+    "eslint-plugin-flowtype": "5.1.3",
     "flow-bin": "0.119.1",
     "form-data": "3.0.0",
-    "gaze": "1.1.3",
     "graphql-tag": "^2.10.1",
     "husky": "4.2.5",
     "jasmine": "3.5.0",
@@ -89,13 +88,12 @@
     "lint-staged": "10.2.3",
     "mongodb-runner": "4.8.0",
     "node-fetch": "2.6.0",
-    "nyc": "15.0.1",
+    "nyc": "15.1.0",
     "prettier": "2.0.5"
   },
   "scripts": {
     "definitions": "node ./resources/buildConfigDefinitions.js",
     "docs": "jsdoc -c ./jsdoc-conf.json",
-    "dev": "npm run build && node bin/dev",
     "lint": "flow && eslint --cache ./",
     "lint-fix": "eslint --fix --cache ./",
     "build": "babel src/ -d lib/ --copy-files",
diff --git a/spec/CloudCode.spec.js b/spec/CloudCode.spec.js
@@ -2912,16 +2912,60 @@ describe('afterLogin hook', () => {
     done();
   });
 
-  it('should have access to context as save argument', async () => {
-    // Declare triggers
+  it('should have access to context when saving a new object', async () => {
     Parse.Cloud.beforeSave('TestObject', (req) => {
       expect(req.context.a).toEqual('a');
     });
     Parse.Cloud.afterSave('TestObject', (req) => {
       expect(req.context.a).toEqual('a');
     });
-    // Save object
     const obj = new TestObject();
     await obj.save(null, { context: { a: 'a' } });
   });
+
+  it('should have access to context when saving an existing object', async () => {
+    const obj = new TestObject();
+    await obj.save(null);
+    Parse.Cloud.beforeSave('TestObject', (req) => {
+      expect(req.context.a).toEqual('a');
+    });
+    Parse.Cloud.afterSave('TestObject', (req) => {
+      expect(req.context.a).toEqual('a');
+    });
+    await obj.save(null, { context: { a: 'a' } });
+  });
+
+  it('should have access to context when saving a new object in a trigger', async () => {
+    Parse.Cloud.beforeSave('TestObject', (req) => {
+      expect(req.context.a).toEqual('a');
+    });
+    Parse.Cloud.afterSave('TestObject', (req) => {
+      expect(req.context.a).toEqual('a');
+    });
+    Parse.Cloud.afterSave('TriggerObject', async () => {
+      const obj = new TestObject();
+      await obj.save(null, { context: { a: 'a' } });
+    });
+    const obj = new Parse.Object('TriggerObject');
+    await obj.save(null);
+  });
+
+  it('should have access to context when cascade-saving objects', async () => {
+    Parse.Cloud.beforeSave('TestObject', (req) => {
+      expect(req.context.a).toEqual('a');
+    });
+    Parse.Cloud.afterSave('TestObject', (req) => {
+      expect(req.context.a).toEqual('a');
+    });
+    Parse.Cloud.beforeSave('TestObject2', (req) => {
+      expect(req.context.a).toEqual('a');
+    });
+    Parse.Cloud.afterSave('TestObject2', (req) => {
+      expect(req.context.a).toEqual('a');
+    });
+    const obj = new Parse.Object("TestObject");
+    const obj2 = new Parse.Object("TestObject2");
+    obj.set("obj2", obj2);
+    await obj.save(null, { context: { a: 'a' } });
+  });
 });
diff --git a/spec/GridFSBucketStorageAdapter.spec.js b/spec/GridFSBucketStorageAdapter.spec.js
@@ -35,6 +35,22 @@ describe_only_db('mongo')('GridFSBucket and GridStore interop', () => {
     expect(gfsResult.toString('utf8')).toBe(originalString);
   });
 
+  it('an encypted file created in GridStore should be available in GridFS', async () => {
+    const gsAdapter = new GridStoreAdapter(databaseURI);
+    const gfsAdapter = new GridFSBucketAdapter(
+      databaseURI,
+      {},
+      '89E4AFF1-DFE4-4603-9574-BFA16BB446FD'
+    );
+    await expectMissingFile(gfsAdapter, 'myFileName');
+    const originalString = 'abcdefghi';
+    await gfsAdapter.createFile('myFileName', originalString);
+    const gsResult = await gsAdapter.getFileData('myFileName');
+    expect(gsResult.toString('utf8')).not.toBe(originalString);
+    const gfsResult = await gfsAdapter.getFileData('myFileName');
+    expect(gfsResult.toString('utf8')).toBe(originalString);
+  });
+
   it('should save metadata', async () => {
     const gfsAdapter = new GridFSBucketAdapter(databaseURI);
     const originalString = 'abcdefghi';
diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js
@@ -357,6 +357,42 @@ describe('middlewares', () => {
     );
   });
 
+  it('should set default Access-Control-Allow-Origin if allowOrigin is empty', () => {
+    AppCache.put(fakeReq.body._ApplicationId, {
+      allowOrigin: undefined,
+    });
+    const headers = {};
+    const res = {
+      header: (key, value) => {
+        headers[key] = value;
+      },
+    };
+    const allowCrossDomain = middlewares.allowCrossDomain(
+      fakeReq.body._ApplicationId
+    );
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual('*');
+  });
+
+  it('should set custom origin to Access-Control-Allow-Origin if allowOrigin is provided', () => {
+    AppCache.put(fakeReq.body._ApplicationId, {
+      allowOrigin: 'https://parseplatform.org/',
+    });
+    const headers = {};
+    const res = {
+      header: (key, value) => {
+        headers[key] = value;
+      },
+    };
+    const allowCrossDomain = middlewares.allowCrossDomain(
+      fakeReq.body._ApplicationId
+    );
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual(
+      'https://parseplatform.org/'
+    );
+  });
+
   it('should use user provided on field userFromJWT', (done) => {
     AppCache.put(fakeReq.body._ApplicationId, {
       masterKey: 'masterKey',
diff --git a/src/Adapters/Files/GridFSBucketAdapter.js b/src/Adapters/Files/GridFSBucketAdapter.js
@@ -10,16 +10,30 @@
 import { MongoClient, GridFSBucket, Db } from 'mongodb';
 import { FilesAdapter, validateFilename } from './FilesAdapter';
 import defaults from '../../defaults';
+const crypto = require('crypto');
 
 export class GridFSBucketAdapter extends FilesAdapter {
   _databaseURI: string;
   _connectionPromise: Promise<Db>;
   _mongoOptions: Object;
+  _algorithm: string;
 
-  constructor(mongoDatabaseURI = defaults.DefaultMongoURI, mongoOptions = {}) {
+  constructor(
+    mongoDatabaseURI = defaults.DefaultMongoURI,
+    mongoOptions = {},
+    fileKey = undefined
+  ) {
     super();
     this._databaseURI = mongoDatabaseURI;
-
+    this._algorithm = 'aes-256-gcm';
+    this._fileKey =
+      fileKey !== undefined
+        ? crypto
+          .createHash('sha256')
+          .update(String(fileKey))
+          .digest('base64')
+          .substr(0, 32)
+        : null;
     const defaultMongoOptions = {
       useNewUrlParser: true,
       useUnifiedTopology: true,
@@ -51,7 +65,19 @@ export class GridFSBucketAdapter extends FilesAdapter {
     const stream = await bucket.openUploadStream(filename, {
       metadata: options.metadata,
     });
-    await stream.write(data);
+    if (this._fileKey !== null) {
+      const iv = crypto.randomBytes(16);
+      const cipher = crypto.createCipheriv(this._algorithm, this._fileKey, iv);
+      const encryptedResult = Buffer.concat([
+        cipher.update(data),
+        cipher.final(),
+        iv,
+        cipher.getAuthTag(),
+      ]);
+      await stream.write(encryptedResult);
+    } else {
+      await stream.write(data);
+    }
     stream.end();
     return new Promise((resolve, reject) => {
       stream.on('finish', resolve);
@@ -82,7 +108,24 @@ export class GridFSBucketAdapter extends FilesAdapter {
         chunks.push(data);
       });
       stream.on('end', () => {
-        resolve(Buffer.concat(chunks));
+        const data = Buffer.concat(chunks);
+        if (this._fileKey !== null) {
+          const authTagLocation = data.length - 16;
+          const ivLocation = data.length - 32;
+          const authTag = data.slice(authTagLocation);
+          const iv = data.slice(ivLocation, authTagLocation);
+          const encrypted = data.slice(0, ivLocation);
+          const decipher = crypto.createDecipheriv(
+            this._algorithm,
+            this._fileKey,
+            iv
+          );
+          decipher.setAuthTag(authTag);
+          return resolve(
+            Buffer.concat([decipher.update(encrypted), decipher.final()])
+          );
+        }
+        resolve(data);
       });
       stream.on('error', (err) => {
         reject(err);
diff --git a/src/Controllers/index.js b/src/Controllers/index.js
@@ -105,12 +105,13 @@ export function getFilesController(
     filesAdapter,
     databaseAdapter,
     preserveFileName,
+    fileKey,
   } = options;
   if (!filesAdapter && databaseAdapter) {
     throw 'When using an explicit database adapter, you must also use an explicit filesAdapter.';
   }
   const filesControllerAdapter = loadAdapter(filesAdapter, () => {
-    return new GridFSBucketAdapter(databaseURI);
+    return new GridFSBucketAdapter(databaseURI, {}, fileKey);
   });
   return new FilesController(filesControllerAdapter, appId, {
     preserveFileName,
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -28,6 +28,10 @@ module.exports.ParseServerOptions = {
     "help": "Add headers to Access-Control-Allow-Headers",
     "action": parsers.arrayParser
   },
+  "allowOrigin": {
+    "env": "PARSE_SERVER_ALLOW_ORIGIN",
+    "help": "Sets the origin to Access-Control-Allow-Origin"
+  },
   "analyticsAdapter": {
     "env": "PARSE_SERVER_ANALYTICS_ADAPTER",
     "help": "Adapter module for the analytics",
diff --git a/src/Options/docs.js b/src/Options/docs.js
@@ -4,6 +4,7 @@
  * @property {Boolean} allowClientClassCreation Enable (or disable) client class creation, defaults to true
  * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId
  * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers
+ * @property {String} allowOrigin Sets the origin to Access-Control-Allow-Origin
  * @property {Adapter<AnalyticsAdapter>} analyticsAdapter Adapter module for the analytics
  * @property {String} appId Your Parse Application ID
  * @property {String} appName Sets the app name
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -29,6 +29,8 @@ export interface ParseServerOptions {
   appName: ?string;
   /* Add headers to Access-Control-Allow-Headers */
   allowHeaders: ?(string[]);
+  /* Sets the origin to Access-Control-Allow-Origin */
+  allowOrigin: ?string;
   /* Adapter module for the analytics */
   analyticsAdapter: ?Adapter<AnalyticsAdapter>;
   /* Adapter module for the files sub-system */
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -52,12 +52,13 @@ function RestWrite(
     this.runOptions.action = action;
   }
 
+  // Parse context
+  if (data._context && data._context instanceof Object) {
+    this.context = data._context;
+    delete data._context;
+  }
+
   if (!query) {
-    // Parse context
-    if (data._context && data._context instanceof Object) {
-      this.context = data._context;
-      delete data._context;
-    }
     if (this.config.allowCustomObjectId) {
       if (
         Object.prototype.hasOwnProperty.call(data, 'objectId') &&
diff --git a/src/batch.js b/src/batch.js
@@ -91,15 +91,18 @@ function handleBatch(router, req) {
   return initialPromise.then(() => {
     const promises = req.body.requests.map(restRequest => {
       const routablePath = makeRoutablePath(restRequest.path);
-      // Construct a request that we can send to a handler
 
+      // Construct a request that we can send to a handler
       const request = {
         body: restRequest.body,
         config: req.config,
         auth: req.auth,
         info: req.info,
       };
 
+      // Add context to request body
+      if (req.body._context) { request.body._context = req.body._context; }
+
       return router
         .tryRouteRequest(restRequest.method, routablePath, request)
         .then(
diff --git a/src/middlewares.js b/src/middlewares.js
@@ -318,7 +318,8 @@ export function allowCrossDomain(appId) {
     if (config && config.allowHeaders) {
       allowHeaders += `, ${config.allowHeaders.join(', ')}`;
     }
-    res.header('Access-Control-Allow-Origin', '*');
+    const allowOrigin = (config && config.allowOrigin) || '*';
+    res.header('Access-Control-Allow-Origin', allowOrigin);
     res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
     res.header('Access-Control-Allow-Headers', allowHeaders);
     res.header(
