Fix LiveQuery unsafe user (#3525)

* LiveQuery should not use unsafe user setting

* server should issue queries with the master key

Author: dstarke

spec/SessionTokenCache.spec.js

@@ -4,13 +4,14 @@ describe('SessionTokenCache', function() {
 
   beforeEach(function(done) {
     var Parse = require('parse/node');
-    // Mock parse
-    var mockUser = {
-      become: jasmine.createSpy('become').and.returnValue(Parse.Promise.as({
-        id: 'userId'
-      }))
-    }
-    jasmine.mockLibrary('parse/node', 'User', mockUser);
+
+    spyOn(Parse, "Query").and.returnValue({
+      first: jasmine.createSpy("first").and.returnValue(Parse.Promise.as(new Parse.Object("_Session", {
+        user: new Parse.User({id:"userId"})
+      }))),
+      equalTo: function(){}
+    })
+
     done();
   });
 
@@ -46,7 +47,4 @@ describe('SessionTokenCache', function() {
     });
   });
 
-  afterEach(function() {
-    jasmine.restoreLibrary('parse/node', 'User');
-  });
 });

src/LiveQuery/ParseLiveQueryServer.js

@@ -37,7 +37,6 @@ class ParseLiveQueryServer {
 
     // Initialize Parse
     Parse.Object.disableSingleInstance();
-    Parse.User.enableUnsafeCurrentUser();
 
     const serverURL = config.serverURL || Parse.serverURL;
     Parse.serverURL = serverURL;
@@ -363,7 +362,7 @@ class ParseLiveQueryServer {
             // Then get the user's roles
           var rolesQuery = new Parse.Query(Parse.Role);
           rolesQuery.equalTo("users", user);
-          return rolesQuery.find();
+          return rolesQuery.find({useMasterKey:true});
         }).
         then((roles) => {
 

src/LiveQuery/SessionTokenCache.js

@@ -2,6 +2,17 @@ import Parse from 'parse/node';
 import LRU from 'lru-cache';
 import logger from '../logger';
 
+function userForSessionToken(sessionToken){
+  var q = new Parse.Query("_Session");
+  q.equalTo("sessionToken", sessionToken);
+  return q.first({useMasterKey:true}).then(function(session){
+    if(!session){
+      return Parse.Promise.error("No session found for session token");
+    }
+    return session.get("user");
+  });
+}
+
 class SessionTokenCache {
   cache: Object;
 
@@ -21,7 +32,7 @@ class SessionTokenCache {
       logger.verbose('Fetch userId %s of sessionToken %s from Cache', userId, sessionToken);
       return Parse.Promise.as(userId);
     }
-    return Parse.User.become(sessionToken).then((user) => {
+    return userForSessionToken(sessionToken).then((user) => {
       logger.verbose('Fetch userId %s of sessionToken %s from Parse', user.id, sessionToken);
       const userId = user.id;
       this.cache.set(sessionToken, userId);