From ae74fbea24f4c2b5e03abeb10f479cd499ff71a5 Mon Sep 17 00:00:00 2001 From: Florent Vilmart Date: Sun, 26 Jun 2016 16:58:33 -0400 Subject: [PATCH 1/3] Results invalid session when providing an invalid session token --- spec/ParseUser.spec.js | 26 +++++++++++++++++++++++--- src/Auth.js | 2 +- src/middlewares.js | 7 +++++++ 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js index 1dc650b0c2..e7c4ce009d 100644 --- a/spec/ParseUser.spec.js +++ b/spec/ParseUser.spec.js @@ -1589,7 +1589,7 @@ describe('Parse.User testing', () => { bob.setPassword('meower'); return bob.save(); }).then(() => { - return Parse.User.logIn('bob', 'meower'); + return Parse.User.logIn('bob', 'meower'); }).then((bob) => { expect(bob.getUsername()).toEqual('bob'); done(); @@ -2091,7 +2091,7 @@ describe('Parse.User testing', () => { fail('Save should have failed.'); done(); }, (e) => { - expect(e.code).toEqual(Parse.Error.SESSION_MISSING); + expect(e.code).toEqual(Parse.Error.INVALID_SESSION_TOKEN); done(); }); }); @@ -2124,6 +2124,26 @@ describe('Parse.User testing', () => { }); }); + it("invalid session tokens are rejected", (done) => { + Parse.User.signUp("asdf", "zxcv", null, { + success: function(user) { + request.get({ + url: 'http://localhost:8378/1/classes/AClass', + json: true, + headers: { + 'X-Parse-Application-Id': 'test', + 'X-Parse-Rest-API-Key': 'rest', + 'X-Parse-Session-Token': 'text' + }, + }, (error, response, body) => { + expect(body.code).toBe(209); + expect(body.error).toBe('invalid session token'); + done(); + }) + } + }); + }); + it_exclude_dbs(['postgres'])('should cleanup null authData keys (regression test for #935)', (done) => { let database = new Config(Parse.applicationId).database; database.create('_User', { 
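Review bot: In the new "invalid session tokens are rejected" test the `request.get` callback ignores its `error` argument and `signUp` is given only a `success` handler, so a transport failure shows up as a TypeError on `body.code` and a failed sign-up as a timeout, neither with a named cause. Add `error: (user, err) => { fail(err); done(); }` beside `success`, and open the callback with `if (error) { fail(error); return done(); }`. The signed-up user is never used — the request sends the literal token `'text'` — so either drop the sign-up or comment why it is needed. Asserting `response.statusCode` alongside `body.code` would also pin the HTTP status that `handleParseErrors` (outside this hunk) maps error 209 to.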
@@ -2374,7 +2394,7 @@ describe('Parse.User testing', () => { }) .then(() => obj.fetch()) .catch(error => { - expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND); + expect(error.code).toEqual(Parse.Error.INVALID_SESSION_TOKEN); done(); }); }) diff --git a/src/Auth.js b/src/Auth.js index f4707b6bda..efceb62699 100644 --- a/src/Auth.js +++ b/src/Auth.js @@ -58,7 +58,7 @@ var getAuthForSessionToken = function({ config, sessionToken, installationId } = return query.execute().then((response) => { var results = response.results; if (results.length !== 1 || !results[0]['user']) { - return nobody(config); + throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token'); } var now = new Date(), diff --git a/src/middlewares.js b/src/middlewares.js index aea470e380..44f4925301 100644 --- a/src/middlewares.js +++ b/src/middlewares.js @@ -130,6 +130,10 @@ function handleParseHeaders(req, res, next) { return invalidRequest(req, res); } + if (req.url == "/login") { + delete info.sessionToken; + } + if (!info.sessionToken) { req.auth = new auth.Auth({ config: req.config, installationId: info.installationId, isMaster: false }); next(); @@ -219,6 +223,9 @@ var allowMethodOverride = function(req, res, next) { }; var handleParseErrors = function(err, req, res, next) { + log.verbose(req.method, req.originalUrl.toString(), req.headers, + JSON.stringify(req.body, null, 2)); + log.verbose('error:', err); if (err instanceof Parse.Error) { var httpStatus; From 161285e15d31091f6bb25d26838ad7a483e59b83 Mon Sep 17 00:00:00 2001 From: Florent Vilmart Date: Sun, 26 Jun 2016 17:09:10 -0400 Subject: [PATCH 2/3] Reverts unsafe loggers --- src/middlewares.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/middlewares.js b/src/middlewares.js index 44f4925301..ab9fb2655b 100644 --- a/src/middlewares.js +++ b/src/middlewares.js 
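Review bot: Throwing inside the `.then` in `getAuthForSessionToken` turns an unknown token, or a session row without a user, into a rejected promise where the old code resolved to `nobody(config)`, so every caller that previously received an unauthenticated Auth for a bad token must now handle the rejection; the `/login` work-around in `src/middlewares.js` suggests at least one path relied on the lenient behaviour, and the session-token branch of `handleParseHeaders` is not in the visible hunks. Failing closed is the right direction, and using one message for both the missing-row and missing-user cases avoids telling the client which one it hit. Document the new contract above the check: `// Unknown tokens (or a session without a user) reject with INVALID_SESSION_TOKEN instead of degrading to an unauthenticated Auth; callers must handle the rejection.` The function continues past the end of the hunk, where the `now` variable presumably feeds an expiry check.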
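Review bot: `req.url == "/login"` matches only the bare path, so a login request carrying a query string (REST-style `GET /login?username=…`) keeps its `X-Parse-Session-Token`, and now that `getAuthForSessionToken` rejects unknown tokens a stale header would block that login; compare the path portion instead, `if (req.url.split('?')[0] === '/login') {`, assuming `req.url` here is the Express-relative URL as the later use of `req.originalUrl` suggests. Silently discarding a header is surprising enough to deserve a why-comment: `// A stale or invalid session token must not prevent a fresh login; ignore it on this route only.` Prefer `===` over `==` for the comparison. The body of `handleParseHeaders` continues outside the hunk.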
@@ -223,9 +223,7 @@ var allowMethodOverride = function(req, res, next) { }; var handleParseErrors = function(err, req, res, next) { - log.verbose(req.method, req.originalUrl.toString(), req.headers, - JSON.stringify(req.body, null, 2)); - log.verbose('error:', err); + // TODO: Add logging as those errors won't make it to the PromiseRouter if (err instanceof Parse.Error) { var httpStatus; From a1c74179a291b4a3a9f536c2c3505a2211f9b240 Mon Sep 17 00:00:00 2001 From: Florent Vilmart Date: Sun, 26 Jun 2016 17:37:28 -0400 Subject: [PATCH 3/3] Fixes failing tests - The tests were failin when run in sequence as we called done() before the JSSDK had a chance to register the session token, therefore having a proper logout call in afterEach --- spec/ValidationAndPasswordsReset.spec.js | 51 +++++++++++++++--------- spec/helper.js | 8 ++++ 2 files changed, 40 insertions(+), 19 deletions(-) diff --git a/spec/ValidationAndPasswordsReset.spec.js b/spec/ValidationAndPasswordsReset.spec.js index 9c55748938..81a901d2c2 100644 --- a/spec/ValidationAndPasswordsReset.spec.js +++ b/spec/ValidationAndPasswordsReset.spec.js @@ -304,11 +304,12 @@ describe("Custom Pages, Email Verification, Password Reset", () => { }); it_exclude_dbs(['postgres'])('receives the app name and user in the adapter', done => { + var emailSent = false; var emailAdapter = { sendVerificationEmail: options => { expect(options.appName).toEqual('emailing app'); expect(options.user.get('email')).toEqual('user@parse.com'); - done(); + emailSent = true; }, sendPasswordResetEmail: () => Promise.resolve(), sendMail: () => {} @@ -325,7 +326,10 @@ describe("Custom Pages, Email Verification, Password Reset", () => { user.setUsername("zxcv"); user.set('email', 'user@parse.com'); user.signUp(null, { - success: () => {}, + success: () => { + expect(emailSent).toBe(true); + done(); + }, error: function(userAgain, error) { fail('Failed to save user'); done(); 
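Review bot: The TODO left in `handleParseErrors` says only "Add logging", which is how the reverted version came to log `req.headers` and the JSON of `req.body` — on this server those carry `X-Parse-Master-Key`, `X-Parse-Session-Token` and sign-up/login passwords, so a verbose log line here leaks credentials. Make the constraint explicit so the next attempt does not repeat it: `// TODO: log these errors (they bypass the PromiseRouter); never log raw req.headers or req.body here — they contain session tokens, the master key and passwords.` Logging `req.method`, the path and the error code is enough to diagnose the failure. The function continues outside the hunk.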
@@ -336,23 +340,10 @@ describe("Custom Pages, Email Verification, Password Reset", () => { it_exclude_dbs(['postgres'])('when you click the link in the email it sets emailVerified to true and redirects you', done => { var user = new Parse.User(); + var sendEmailOptions; var emailAdapter = { sendVerificationEmail: options => { - request.get(options.link, { - followRedirect: false, - }, (error, response, body) => { - expect(response.statusCode).toEqual(302); - expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'); - user.fetch() - .then(() => { - expect(user.get('emailVerified')).toEqual(true); - done(); - }, (err) => { - console.error(err); - fail("this should not fail"); - done(); - }); - }); + sendEmailOptions = options; }, sendPasswordResetEmail: () => Promise.resolve(), sendMail: () => {} @@ -364,10 +355,32 @@ describe("Custom Pages, Email Verification, Password Reset", () => { publicServerURL: "http://localhost:8378/1" }) .then(() => { - user.setPassword("asdf"); + user.setPassword("other-password"); user.setUsername("user"); user.set('email', 'user@parse.com'); - user.signUp(); + return user.signUp(); + }).then(() => { + expect(sendEmailOptions).not.toBeUndefined(); + request.get(sendEmailOptions.link, { + followRedirect: false, + }, (error, response, body) => { + expect(response.statusCode).toEqual(302); + expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'); + user.fetch() + .then(() => { + expect(user.get('emailVerified')).toEqual(true); + done(); + }, (err) => { + console.error(err); + fail("this should not fail"); + done(); + }).catch((err) => + { + console.error(err); + fail(err); + done(); + }) + }); }); }); diff --git a/spec/helper.js b/spec/helper.js index d22983e621..3e22f59b61 100644 --- a/spec/helper.js +++ b/spec/helper.js 
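Review bot: In the rewritten "when you click the link" test the `request.get` callback never checks `error`, so a failed request reaches `response.statusCode` on `undefined` and the TypeError escapes the callback instead of failing the test, and the outer chain (`.then(() => { … return user.signUp(); }).then(…)`) has no terminal `.catch`, so a rejected `signUp` ends in a timeout with no message. Open the callback with `if (error) { fail(error); return done(); }` and end the chain with `.catch((err) => { fail(err); done(); })`. The `.then(onFulfilled, onRejected).catch(…)` pair around `user.fetch()` duplicates the rejection handling; a single `.catch` after the success handler covers both the fetch failure and a failing expectation inside it. The enclosing `it_exclude_dbs` callback begins in the preceding hunk.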
@@ -329,6 +329,14 @@ global.it_exclude_dbs = excluded => { } } +global.fit_exclude_dbs = excluded => { + if (excluded.includes(process.env.PARSE_SERVER_TEST_DB)) { + return xit; + } else { + return fit; + } +} + // LiveQuery test setting require('../src/LiveQuery/PLog').logLevel = 'NONE'; var libraryCache = {};
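Review bot: `fit_exclude_dbs` duplicates `it_exclude_dbs` in full except for returning `fit`, and because `fit` focuses the run, a call left in a committed spec silently skips every other test in the suite; say so where it is defined: `// Focused variant of it_exclude_dbs for local debugging only; never commit a call to it.` Both can share one helper: `const excludeDbs = run => excluded => excluded.includes(process.env.PARSE_SERVER_TEST_DB) ? xit : run;` with `global.it_exclude_dbs = excludeDbs(it);` and `global.fit_exclude_dbs = excludeDbs(fit);`. The existing `it_exclude_dbs` definition starts outside the hunk.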