6641: PR feedback: grouped /loginAs tests, adjusted their names. Change error code for invalid userId parameter and test against additional invalid values. Adjusted error messages.

gormanfletcher · gormanfletcher · commit 526efa946a59 · 2021-06-03T10:53:17.000-04:00
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -142,123 +142,6 @@ describe('Parse.User testing', () => {
       });
   });
 
-  it('/loginAs allows the master key to manually create a user session for a given user ID', async done => {
-    await Parse.User.signUp('some_user', 'some_password');
-    const userId = Parse.User.current().id;
-    await Parse.User.logOut();
-
-    try {
-      const response = await request({
-        method: 'POST',
-        url: 'http://localhost:8378/1/loginAs',
-        headers: {
-          'X-Parse-Application-Id': Parse.applicationId,
-          'X-Parse-REST-API-Key': 'rest',
-          'X-Parse-Master-Key': 'test',
-        },
-        body: {
-          userId,
-        },
-      });
-
-      expect(response.data.sessionToken).toBeDefined();
-    } catch (err) {
-      fail(`no request should fail: ${JSON.stringify(err)}`);
-      done();
-    }
-
-    const sessionsQuery = new Parse.Query(Parse.Session);
-    const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
-    expect(sessionsAfterRequest.length).toBe(1);
-
-    done();
-  });
-
-  it("/loginAs returns an error if a session is requested for a user ID that doesn't exist", async done => {
-    try {
-      await request({
-        method: 'POST',
-        url: 'http://localhost:8378/1/loginAs',
-        headers: {
-          'X-Parse-Application-Id': Parse.applicationId,
-          'X-Parse-REST-API-Key': 'rest',
-          'X-Parse-Master-Key': 'test',
-        },
-        body: {
-          userId: 'bogus-user',
-        },
-      });
-
-      fail('Request should fail without a valid user ID');
-      done();
-    } catch (err) {
-      expect(err.data.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
-    }
-
-    const sessionsQuery = new Parse.Query(Parse.Session);
-    const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
-    expect(sessionsAfterRequest.length).toBe(0);
-
-    done();
-  });
-
-  it('/loginAs returns an error if a session is requested without specifying a user ID', async done => {
-    try {
-      await request({
-        method: 'POST',
-        url: 'http://localhost:8378/1/loginAs',
-        headers: {
-          'X-Parse-Application-Id': Parse.applicationId,
-          'X-Parse-REST-API-Key': 'rest',
-          'X-Parse-Master-Key': 'test',
-        },
-        body: {},
-      });
-
-      fail('Request should fail without a valid user ID');
-      done();
-    } catch (err) {
-      expect(err.data.code).toBe(Parse.Error.MISSING_OBJECT_ID);
-    }
-
-    const sessionsQuery = new Parse.Query(Parse.Session);
-    const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
-    expect(sessionsAfterRequest.length).toBe(0);
-
-    done();
-  });
-
-  it('/loginAs forbids non-master clients from creating sessions', async done => {
-    await Parse.User.signUp('some_user', 'some_password');
-    const userId = Parse.User.current().id;
-    await Parse.User.logOut();
-
-    try {
-      await request({
-        method: 'POST',
-        url: 'http://localhost:8378/1/loginAs',
-        headers: {
-          'X-Parse-Application-Id': Parse.applicationId,
-          'X-Parse-REST-API-Key': 'rest',
-        },
-        body: {
-          userId,
-        },
-      });
-
-      fail('Request should fail without the master key');
-      done();
-    } catch (err) {
-      expect(err.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
-    }
-
-    const sessionsQuery = new Parse.Query(Parse.Session);
-    const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
-    expect(sessionsAfterRequest.length).toBe(0);
-
-    done();
-  });
-
   it('user login', async done => {
     await Parse.User.signUp('asdf', 'zxcv');
     const user = await Parse.User.logIn('asdf', 'zxcv');
@@ -4149,3 +4032,131 @@ describe('Security Advisory GHSA-8w3j-g983-8jh5', function () {
     expect(user.get('authData')).toEqual({ custom: { id: 'linkedID' } });
   });
 });
+
+describe('login as other user', () => {
+  it('allows creating a session for another user with the master key', async done => {
+    await Parse.User.signUp('some_user', 'some_password');
+    const userId = Parse.User.current().id;
+    await Parse.User.logOut();
+
+    try {
+      const response = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/loginAs',
+        headers: {
+          'X-Parse-Application-Id': Parse.applicationId,
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Master-Key': 'test',
+        },
+        body: {
+          userId,
+        },
+      });
+
+      expect(response.data.sessionToken).toBeDefined();
+    } catch (err) {
+      fail(`no request should fail: ${JSON.stringify(err)}`);
+      done();
+    }
+
+    const sessionsQuery = new Parse.Query(Parse.Session);
+    const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
+    expect(sessionsAfterRequest.length).toBe(1);
+
+    done();
+  });
+
+  it('rejects creating a session for another user if the user does not exist', async done => {
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/loginAs',
+        headers: {
+          'X-Parse-Application-Id': Parse.applicationId,
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Master-Key': 'test',
+        },
+        body: {
+          userId: 'bogus-user',
+        },
+      });
+
+      fail('Request should fail without a valid user ID');
+      done();
+    } catch (err) {
+      expect(err.data.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+      expect(err.data.error).toBe('user not found');
+    }
+
+    const sessionsQuery = new Parse.Query(Parse.Session);
+    const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
+    expect(sessionsAfterRequest.length).toBe(0);
+
+    done();
+  });
+
+  it('rejects creating a session for another user with invalid parameters', async done => {
+    const invalidUserIds = [undefined, null, ''];
+
+    for (const invalidUserId of invalidUserIds) {
+      try {
+        await request({
+          method: 'POST',
+          url: 'http://localhost:8378/1/loginAs',
+          headers: {
+            'X-Parse-Application-Id': Parse.applicationId,
+            'X-Parse-REST-API-Key': 'rest',
+            'X-Parse-Master-Key': 'test',
+          },
+          body: {
+            userId: invalidUserId,
+          },
+        });
+
+        fail('Request should fail without a valid user ID');
+        done();
+      } catch (err) {
+        expect(err.data.code).toBe(Parse.Error.INVALID_VALUE);
+        expect(err.data.error).toBe('userId must not be empty, null, or undefined');
+      }
+
+      const sessionsQuery = new Parse.Query(Parse.Session);
+      const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
+      expect(sessionsAfterRequest.length).toBe(0);
+    }
+
+    done();
+  });
+
+  it('rejects creating a session for another user without the master key', async done => {
+    await Parse.User.signUp('some_user', 'some_password');
+    const userId = Parse.User.current().id;
+    await Parse.User.logOut();
+
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/loginAs',
+        headers: {
+          'X-Parse-Application-Id': Parse.applicationId,
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        body: {
+          userId,
+        },
+      });
+
+      fail('Request should fail without the master key');
+      done();
+    } catch (err) {
+      expect(err.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(err.data.error).toBe('master key is required');
+    }
+
+    const sessionsQuery = new Parse.Query(Parse.Session);
+    const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
+    expect(sessionsAfterRequest.length).toBe(0);
+
+    done();
+  });
+});
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -269,21 +269,21 @@ export class UsersRouter extends ClassesRouter {
    */
   async handleLogInAs(req) {
     if (!req.auth.isMaster) {
-      throw new Parse.Error(
-        Parse.Error.OPERATION_FORBIDDEN,
-        'The master key is required to perform the loginAs action'
-      );
+      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'master key is required');
     }
 
     const userId = req.body.userId || req.query.userId;
     if (!userId) {
-      throw new Parse.Error(Parse.Error.MISSING_OBJECT_ID, 'User ID is required');
+      throw new Parse.Error(
+        Parse.Error.INVALID_VALUE,
+        'userId must not be empty, null, or undefined'
+      );
     }
 
     const queryResults = await req.config.database.find('_User', { objectId: userId });
     const user = queryResults[0];
     if (!user) {
-      throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'No user with that ID');
+      throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'user not found');
     }
 
     this._sanitizeAuthData(user);
