From 4c8d9d79421950a82c500903d96ccc071bcff0a1 Mon Sep 17 00:00:00 2001
From: Marco129
Date: Sat, 14 May 2016 16:50:40 +0800
Subject: [PATCH] Fix keys aren't enforced
---
 spec/ParseAPI.spec.js | 124 ++++++++++++++++++++++++++++++++++++++++++
 src/middlewares.js | 8 ++-
 2 files changed, 130 insertions(+), 2 deletions(-)
diff --git a/spec/ParseAPI.spec.js b/spec/ParseAPI.spec.js
index 68e0544bb6..9b76d8b59c 100644
--- a/spec/ParseAPI.spec.js
+++ b/spec/ParseAPI.spec.js
@@ -1164,6 +1164,50 @@ describe('miscellaneous', function() {
 });
 });
+ it('should not fail without any key', done => {
+ let customConfig = Object.assign({}, defaultConfiguration);
+ delete customConfig.clientKey;
+ delete customConfig.javascriptKey;
+ delete customConfig.dotNetKey;
+ delete customConfig.restAPIKey;
+ setServerConfiguration(customConfig);
+ var headers = {
+ 'Content-Type': 'application/octet-stream',
+ 'X-Parse-Application-Id': 'test'
+ };
+ request.get({
+ headers: headers,
+ url: 'http://localhost:8378/1/classes/TestObject'
+ }, (error, response, body) => {
+ expect(error).toBe(null);
+ var b = JSON.parse(body);
+ expect(b.results.length).toEqual(0);
+ done();
+ });
+ });
+
+ it('fails on missing key when empty keys are defined', done => {
+ let customConfig = Object.assign({}, defaultConfiguration);
+ customConfig.clientKey = '';
+ customConfig.javascriptKey = '';
+ customConfig.dotNetKey = '';
+ customConfig.restAPIKey = '';
+ setServerConfiguration(customConfig);
+ var headers = {
+ 'Content-Type': 'application/octet-stream',
+ 'X-Parse-Application-Id': 'test'
+ };
+ request.get({
+ headers: headers,
+ url: 'http://localhost:8378/1/classes/TestObject'
+ }, (error, response, body) => {
+ expect(error).toBe(null);
+ var b = JSON.parse(body);
+ expect(b.error).toEqual('unauthorized');
+ done();
+ });
+ });
+
 it('fails on invalid client key', done => {
 var headers = {
 'Content-Type': 'application/octet-stream',
@@ -1181,6 +1225,26 @@ describe('miscellaneous', function() {
 });
 });
+ it('fails on invalid client key when only some keys are defined', done => {
+ let customConfig = Object.assign({}, defaultConfiguration);
+ delete customConfig.restAPIKey;
+ setServerConfiguration(customConfig);
+ var headers = {
+ 'Content-Type': 'application/octet-stream',
+ 'X-Parse-Application-Id': 'test',
+ 'X-Parse-Client-Key': 'notclient'
+ };
+ request.get({
+ headers: headers,
+ url: 'http://localhost:8378/1/classes/TestObject'
+ }, (error, response, body) => {
+ expect(error).toBe(null);
+ var b = JSON.parse(body);
+ expect(b.error).toEqual('unauthorized');
+ done();
+ });
+ });
+
 it('fails on invalid windows key', done => {
 var headers = {
 'Content-Type': 'application/octet-stream',
@@ -1198,6 +1262,26 @@ describe('miscellaneous', function() {
 });
 });
+ it('fails on invalid windows key when only some keys are defined', done => {
+ let customConfig = Object.assign({}, defaultConfiguration);
+ delete customConfig.restAPIKey;
+ setServerConfiguration(customConfig);
+ var headers = {
+ 'Content-Type': 'application/octet-stream',
+ 'X-Parse-Application-Id': 'test',
+ 'X-Parse-Windows-Key': 'notwindows'
+ };
+ request.get({
+ headers: headers,
+ url: 'http://localhost:8378/1/classes/TestObject'
+ }, (error, response, body) => {
+ expect(error).toBe(null);
+ var b = JSON.parse(body);
+ expect(b.error).toEqual('unauthorized');
+ done();
+ });
+ });
+
 it('fails on invalid javascript key', done => {
 var headers = {
 'Content-Type': 'application/octet-stream',
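Review bot: Both new tests in the first hunk of this file call `setServerConfiguration(customConfig)` with a reduced key set and nothing in the hunk puts `defaultConfiguration` back, so unless a global beforeEach/afterEach resets the server the altered keys leak into the 'fails on invalid client key' test that follows; restoring it before `done()` or in an afterEach would make each case self-contained. Both callbacks also ignore `response`: asserting the status code next to `b.error` / `b.results` pins the rejection path rather than only the body shape. The same reset concern applies to the four 'when only some keys are defined' tests in this and the later hunks of the file.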
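Review bot: The 'fails on invalid client key when only some keys are defined' test and its three siblings in the following hunks are the same twenty lines with only the deleted config key, header name and bogus value changing; a small table such as `[['restAPIKey', 'X-Parse-Client-Key', 'notclient'], …]` iterated with one `it()` per row would keep a single copy of the request and assertions and make adding the next key a one-line change. Style only; the expected `unauthorized` outcome is unchanged.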
@@ -1215,6 +1299,26 @@ describe('miscellaneous', function() {
 });
 });
+ it('fails on invalid javascript key when only some keys are defined', done => {
+ let customConfig = Object.assign({}, defaultConfiguration);
+ delete customConfig.restAPIKey;
+ setServerConfiguration(customConfig);
+ var headers = {
+ 'Content-Type': 'application/octet-stream',
+ 'X-Parse-Application-Id': 'test',
+ 'X-Parse-Javascript-Key': 'notjavascript'
+ };
+ request.get({
+ headers: headers,
+ url: 'http://localhost:8378/1/classes/TestObject'
+ }, (error, response, body) => {
+ expect(error).toBe(null);
+ var b = JSON.parse(body);
+ expect(b.error).toEqual('unauthorized');
+ done();
+ });
+ });
+
 it('fails on invalid rest api key', done => {
 var headers = {
 'Content-Type': 'application/octet-stream',
@@ -1232,6 +1336,26 @@ describe('miscellaneous', function() {
 });
 });
+ it('fails on invalid rest api key when only some keys are defined', done => {
+ let customConfig = Object.assign({}, defaultConfiguration);
+ delete customConfig.clientKey;
+ setServerConfiguration(customConfig);
+ var headers = {
+ 'Content-Type': 'application/octet-stream',
+ 'X-Parse-Application-Id': 'test',
+ 'X-Parse-REST-API-Key': 'notrest'
+ };
+ request.get({
+ headers: headers,
+ url: 'http://localhost:8378/1/classes/TestObject'
+ }, (error, response, body) => {
+ expect(error).toBe(null);
+ var b = JSON.parse(body);
+ expect(b.error).toEqual('unauthorized');
+ done();
+ });
+ });
+
 it('fails on invalid function', done => {
 Parse.Cloud.run('somethingThatDoesDefinitelyNotExist').then((s) => {
 fail('This should have never suceeded');
diff --git a/src/middlewares.js b/src/middlewares.js
index 10115d6853..c3a5ae34e7 100644
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -102,19 +102,23 @@ function handleParseHeaders(req, res, next) {
 // Client keys are not required in parse-server, but if any have been configured in the server, validate them
 // to preserve original behavior.
 let keys = ["clientKey", "javascriptKey", "dotNetKey", "restAPIKey"];
+ let missingKeys = [];
 // We do it with mismatching keys to support no-keys config
 var keyMismatch = keys.reduce(function(mismatch, key){
 // check if set in the config and compare
- if (req.config[key] && info[key] !== req.config[key]) {
+ if (!req.config[key] && req.config[key] !== '') {
+ missingKeys.push(key);
+ } else if (info[key] !== req.config[key]) {
 mismatch++;
 }
 return mismatch;
 }, 0);
 // All keys mismatch
- if (keyMismatch == keys.length) {
+ keys = keys.filter(key => missingKeys.indexOf(key) < 0);
+ if (keyMismatch == keys.length && keys.length > 0) {
 return invalidRequest(req, res);
 }
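Review bot: The comment `// All keys mismatch` above the new condition no longer describes it: the guard now rejects only when every *configured* key was sent wrong and passes when no key is configured at all, which is the intended no-keys behaviour but is stated nowhere in the code. Reassigning `keys` after the reduce also changes the variable's meaning mid-function; deriving the configured subset first reads more directly (sketch below). Treating an explicit `''` as a configured key means the `else if` comparison is satisfied by a request whose header value is also empty — presumably `info[key]` is taken straight from the request header, so an empty key provides no protection and that is worth a comment rather than a code change. The comparison on the `else if` line is still a plain `!==` on a shared secret; `crypto.timingSafeEqual` on equal-length buffers would close the timing side channel, though that predates this commit. handleParseHeaders starts and ends outside the hunk.
```javascript
let keys = ["clientKey", "javascriptKey", "dotNetKey", "restAPIKey"];
// Only keys present in the config are enforced (an explicit '' still counts as configured);
// with none configured the request passes, preserving the no-keys setup.
const configuredKeys = keys.filter(key => req.config[key] || req.config[key] === '');
const keyMismatch = configuredKeys.filter(key => info[key] !== req.config[key]).length;
// Reject only when every configured key was sent wrong (or not sent at all)
if (configuredKeys.length > 0 && keyMismatch === configuredKeys.length) {
  return invalidRequest(req, res);
}
```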