Skip to content

Fix keys aren't enforced #1789

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Fix keys aren't enforced #1789

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
124 changes: 124 additions & 0 deletions spec/ParseAPI.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1164,6 +1164,50 @@ describe('miscellaneous', function() {
});
});

it('should not fail without any key', done => {
let customConfig = Object.assign({}, defaultConfiguration);
delete customConfig.clientKey;
delete customConfig.javascriptKey;
delete customConfig.dotNetKey;
delete customConfig.restAPIKey;
setServerConfiguration(customConfig);
var headers = {
'Content-Type': 'application/octet-stream',
'X-Parse-Application-Id': 'test'
};
request.get({
headers: headers,
url: 'http://localhost:8378/1/classes/TestObject'
}, (error, response, body) => {
expect(error).toBe(null);
var b = JSON.parse(body);
expect(b.results.length).toEqual(0);
done();
});
});

it('fails on missing key when empty keys are defined', done => {
let customConfig = Object.assign({}, defaultConfiguration);
customConfig.clientKey = '';
customConfig.javascriptKey = '';
customConfig.dotNetKey = '';
customConfig.restAPIKey = '';
setServerConfiguration(customConfig);
var headers = {
'Content-Type': 'application/octet-stream',
'X-Parse-Application-Id': 'test'
};
request.get({
headers: headers,
url: 'http://localhost:8378/1/classes/TestObject'
}, (error, response, body) => {
expect(error).toBe(null);
var b = JSON.parse(body);
expect(b.error).toEqual('unauthorized');
done();
});
});

it('fails on invalid client key', done => {
var headers = {
'Content-Type': 'application/octet-stream',
Expand All @@ -1181,6 +1225,26 @@ describe('miscellaneous', function() {
});
});

it('fails on invalid client key when only some keys are defined', done => {
let customConfig = Object.assign({}, defaultConfiguration);
delete customConfig.restAPIKey;
setServerConfiguration(customConfig);
var headers = {
'Content-Type': 'application/octet-stream',
'X-Parse-Application-Id': 'test',
'X-Parse-Client-Key': 'notclient'
};
request.get({
headers: headers,
url: 'http://localhost:8378/1/classes/TestObject'
}, (error, response, body) => {
expect(error).toBe(null);
var b = JSON.parse(body);
expect(b.error).toEqual('unauthorized');
done();
});
});

it('fails on invalid windows key', done => {
var headers = {
'Content-Type': 'application/octet-stream',
Expand All @@ -1198,6 +1262,26 @@ describe('miscellaneous', function() {
});
});

it('fails on invalid windows key when only some keys are defined', done => {
let customConfig = Object.assign({}, defaultConfiguration);
delete customConfig.restAPIKey;
setServerConfiguration(customConfig);
var headers = {
'Content-Type': 'application/octet-stream',
'X-Parse-Application-Id': 'test',
'X-Parse-Windows-Key': 'notwindows'
};
request.get({
headers: headers,
url: 'http://localhost:8378/1/classes/TestObject'
}, (error, response, body) => {
expect(error).toBe(null);
var b = JSON.parse(body);
expect(b.error).toEqual('unauthorized');
done();
});
});

it('fails on invalid javascript key', done => {
var headers = {
'Content-Type': 'application/octet-stream',
Expand All @@ -1215,6 +1299,26 @@ describe('miscellaneous', function() {
});
});

it('fails on invalid javascript key when only some keys are defined', done => {
let customConfig = Object.assign({}, defaultConfiguration);
delete customConfig.restAPIKey;
setServerConfiguration(customConfig);
var headers = {
'Content-Type': 'application/octet-stream',
'X-Parse-Application-Id': 'test',
'X-Parse-Javascript-Key': 'notjavascript'
};
request.get({
headers: headers,
url: 'http://localhost:8378/1/classes/TestObject'
}, (error, response, body) => {
expect(error).toBe(null);
var b = JSON.parse(body);
expect(b.error).toEqual('unauthorized');
done();
});
});

it('fails on invalid rest api key', done => {
var headers = {
'Content-Type': 'application/octet-stream',
Expand All @@ -1232,6 +1336,26 @@ describe('miscellaneous', function() {
});
});

it('fails on invalid rest api key when only some keys are defined', done => {
let customConfig = Object.assign({}, defaultConfiguration);
delete customConfig.clientKey;
setServerConfiguration(customConfig);
var headers = {
'Content-Type': 'application/octet-stream',
'X-Parse-Application-Id': 'test',
'X-Parse-REST-API-Key': 'notrest'
};
request.get({
headers: headers,
url: 'http://localhost:8378/1/classes/TestObject'
}, (error, response, body) => {
expect(error).toBe(null);
var b = JSON.parse(body);
expect(b.error).toEqual('unauthorized');
done();
});
});

it('fails on invalid function', done => {
Parse.Cloud.run('somethingThatDoesDefinitelyNotExist').then((s) => {
fail('This should have never suceeded');
Expand Down
8 changes: 6 additions & 2 deletions src/middlewares.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,19 +102,23 @@ function handleParseHeaders(req, res, next) {
// Client keys are not required in parse-server, but if any have been configured in the server, validate them
// to preserve original behavior.
let keys = ["clientKey", "javascriptKey", "dotNetKey", "restAPIKey"];
let missingKeys = [];

// We do it with mismatching keys to support no-keys config
var keyMismatch = keys.reduce(function(mismatch, key){

// check if set in the config and compare
if (req.config[key] && info[key] !== req.config[key]) {
if (!req.config[key] && req.config[key] !== '') {
missingKeys.push(key);
} else if (info[key] !== req.config[key]) {
mismatch++;
}
return mismatch;
}, 0);

// All keys mismatch
if (keyMismatch == keys.length) {
keys = keys.filter(key => missingKeys.indexOf(key) < 0);
if (keyMismatch == keys.length && keys.length > 0) {
return invalidRequest(req, res);
}

Expand Down