parse-community · flovilmart · Jun 16, 2017 · Jun 16, 2017 · Jun 16, 2017 · acinader
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -1960,10 +1960,8 @@ describe('Parse.User testing', () => {
   });
 
   it("querying for users doesn't get session tokens", (done) => {
-    Parse.Promise.as().then(function() {
-      return Parse.User.signUp("finn", "human", { foo: "bar" });
-
-    }).then(function() {
+    Parse.User.signUp("finn", "human", { foo: "bar" })
+    .then(function() {
       return Parse.User.logOut();
     }).then(() => {
       var user = new Parse.User();
@@ -1992,9 +1990,8 @@ describe('Parse.User testing', () => {
   });
 
   it("querying for users only gets the expected fields", (done) => {
-    Parse.Promise.as().then(() => {
-      return Parse.User.signUp("finn", "human", { foo: "bar" });
-    }).then(() => {
+    Parse.User.signUp("finn", "human", { foo: "bar" })
+    .then(() => {
       request.get({
         headers: {'X-Parse-Application-Id': 'test',
           'X-Parse-REST-API-Key': 'rest'},
@@ -2192,7 +2189,8 @@ describe('Parse.User testing', () => {
         request.put({
           headers: {
             'X-Parse-Application-Id': 'test',
-            'X-Parse-Session-Token': user.getSessionToken()
+            'X-Parse-Session-Token': user.getSessionToken(),
+            'X-Parse-REST-API-Key': 'rest'
           },
           url: 'http://localhost:8378/1/sessions/' + b.objectId,
           body: JSON.stringify({ foo: 'bar' })
@@ -2205,6 +2203,50 @@ describe('Parse.User testing', () => {
     });
   });
 
+  it('cannot update session if invalid or no session token', (done) => {
+    Parse.Promise.as().then(() => {
+      return Parse.User.signUp("finn", "human", { foo: "bar" });
+    }).then((user) => {
+      request.get({
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-Session-Token': user.getSessionToken(),
+          'X-Parse-REST-API-Key': 'rest'
+        },
+        url: 'http://localhost:8378/1/sessions/me',
+      }, (error, response, body) => {
+        expect(error).toBe(null);
+        var b = JSON.parse(body);
+        request.put({
+          headers: {
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-Session-Token': 'foo',
+            'X-Parse-REST-API-Key': 'rest'
+          },
+          url: 'http://localhost:8378/1/sessions/' + b.objectId,
+          body: JSON.stringify({ foo: 'bar' })
+        }, (error, response, body) => {
+          expect(error).toBe(null);
+          var b = JSON.parse(body);
+          expect(b.error).toBe('invalid session token');
+          request.put({
+            headers: {
+              'X-Parse-Application-Id': 'test',
+              'X-Parse-REST-API-Key': 'rest'
+            },
+            url: 'http://localhost:8378/1/sessions/' + b.objectId,
+            body: JSON.stringify({ foo: 'bar' })
+          }, (error, response, body) => {
+            expect(error).toBe(null);
+            var b = JSON.parse(body);
+            expect(b.error).toBe('Session token required.');
+            done();
+          });
+        });
+      });
+    });
+  });
+
   it('get session only for current user', (done) => {
     Parse.Promise.as().then(() => {
       return Parse.User.signUp("test1", "test", { foo: "bar" });
@@ -2278,13 +2320,55 @@ describe('Parse.User testing', () => {
             expect(error).toBe(null);
             var b = JSON.parse(body);
             expect(b.code).toEqual(209);
+            expect(b.error).toBe('invalid session token');
             done();
           });
         });
       });
     });
   });
 
+  it('cannot delete session if no sessionToken', (done) => {
+    Parse.Promise.as().then(() => {
+      return Parse.User.signUp("test1", "test", { foo: "bar" });
+    }).then(() => {
+      return Parse.User.signUp("test2", "test", { foo: "bar" });
+    }).then((user) => {
+      request.get({
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-Session-Token': user.getSessionToken(),
+          'X-Parse-REST-API-Key': 'rest'
+        },
+        url: 'http://localhost:8378/1/sessions'
+      }, (error, response, body) => {
+        expect(error).toBe(null);
+        var objId;
+        try {
+          var b = JSON.parse(body);
+          expect(b.results.length).toEqual(1);
+          objId = b.results[0].objectId;
+        } catch(e) {
+          jfail(e);
+          done();
+          return;
+        }
+        request.del({
+          headers: {
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-REST-API-Key': 'rest'
+          },
+          url: 'http://localhost:8378/1/sessions/' + objId
+        }, (error,response,body) => {
+          var b = JSON.parse(body);
+          expect(b.code).toEqual(209);
+          expect(b.error).toBe('invalid session token');
+          done();
+        });
+      });
+    });
+  });
+
   it('password format matches hosted parse', (done) => {
     var hashed = '$2a$10$8/wZJyEuiEaobBBqzTG.jeY.XSFJd0rzaN//ososvEI4yLqI.4aie';
     passwordCrypto.compare('test', hashed)

diff --git a/src/rest.js b/src/rest.js
@@ -65,11 +65,16 @@ function del(config, auth, className, objectId) {
       return find(config, Auth.master(config), className, {objectId: objectId})
       .then((response) => {
         if (response && response.results && response.results.length) {
-          response.results[0].className = className;
-
+          const firstResult = response.results[0];
+          firstResult.className = className;
+          if (className === '_Session' && !auth.isMaster) {
+            if (!auth.user || firstResult.user.objectId !== auth.user.id) {
+              throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
+            }
+          }
           var cacheAdapter = config.cacheController;
-          cacheAdapter.user.del(response.results[0].sessionToken);
-          inflatedObject = Parse.Object.fromJSON(response.results[0]);
+          cacheAdapter.user.del(firstResult.sessionToken);
+          inflatedObject = Parse.Object.fromJSON(firstResult);
           // Notify LiveQuery server if possible
           config.liveQueryController.onAfterDelete(inflatedObject.className, inflatedObject);
           return triggers.maybeRunTrigger(triggers.Types.beforeDelete, auth, inflatedObject, null,  config);