
Commit 932a474

gyratorycircusmontymxb
authored andcommitted
Remove hidden properties in handleLogin & handleMe (#4335)
1 parent 08ab1f4 commit 932a474


2 files changed

+87
-9
lines changed


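--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -3038,7 +3038,7 @@ describe('Parse.User testing', () => {
 });
 });
 
-it('should not retrieve hidden fields', done => {
+it('should not retrieve hidden fields on GET users/me (#3432)', done => {
 
 var emailAdapter = {
 sendVerificationEmail: () => {},
@@ -3073,6 +3073,34 @@ describe('Parse.User testing', () => {
 expect(res.emailVerified).toBe(false);
 expect(res._email_verify_token).toBeUndefined();
 done()
+}).catch((err) => {
+fail(JSON.stringify(err));
+done();
+});
+});
+
+it('should not retrieve hidden fields on GET users/id (#3432)', done => {
+
+var emailAdapter = {
+sendVerificationEmail: () => {},
+sendPasswordResetEmail: () => Promise.resolve(),
+sendMail: () => Promise.resolve()
+}
+
+const user = new Parse.User();
+user.set({
+username: 'hello',
+password: 'world',
+
+})
+
+reconfigureServer({
+appName: 'unused',
+verifyUserEmails: true,
+emailAdapter: emailAdapter,
+publicServerURL: "http://localhost:8378/1"
+}).then(() => {
+return user.signUp();
 }).then(() => rp({
 method: 'GET',
 url: 'http://localhost:8378/1/users/' + Parse.User.current().id,
@@ -3091,6 +3119,45 @@ describe('Parse.User testing', () => {
 });
 });
 
+it('should not retrieve hidden fields on login (#3432)', done => {
+
+var emailAdapter = {
+sendVerificationEmail: () => {},
+sendPasswordResetEmail: () => Promise.resolve(),
+sendMail: () => Promise.resolve()
+}
+
+const user = new Parse.User();
+user.set({
+username: 'hello',
+password: 'world',
+
+})
+
+reconfigureServer({
+appName: 'unused',
+verifyUserEmails: true,
+emailAdapter: emailAdapter,
+publicServerURL: "http://localhost:8378/1"
+}).then(() => {
+return user.signUp();
+}).then(() => rp.get({
+url: 'http://localhost:8378/1/[email protected]&username=hello&password=world',
+json: true,
+headers: {
+'X-Parse-Application-Id': Parse.applicationId,
+'X-Parse-REST-API-Key': 'rest'
+},
+})).then((res) => {
+expect(res.emailVerified).toBe(false);
+expect(res._email_verify_token).toBeUndefined();
+done();
+}).catch((err) => {
+fail(JSON.stringify(err));
+done();
+});
+});
+
 it('should not allow updates to hidden fields', done => {
 var emailAdapter = {
 sendVerificationEmail: () => {},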
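Review bot: The two new tests (the hunks adding the `users/id` and `login` cases) each assert only that `_email_verify_token` is absent, while the server-side helper they exercise strips every key that is not a plain identifier except `__type`; a check that covers that whole contract is `Object.keys(res).forEach(k => expect(k === '__type' || /^[A-Za-z][0-9A-Za-z_]*$/.test(k)).toBe(true));` alongside the existing expectation. The three tests also repeat the same `emailAdapter`, `user.set` and `reconfigureServer` setup verbatim; a small local helper returning the configured user would keep them in step. Minor style: the new code mixes `var emailAdapter` with `const user`, and the `user.set({...})` literal carries a stray blank line before `})`. The login URL as rendered on this page reads `/1/[email protected]&username=...`, which looks like the page garbled the path and query string, so the literal is worth confirming against the actual source.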

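--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -16,6 +16,21 @@ export class UsersRouter extends ClassesRouter {
 return '_User';
 }
 
+/**
+* Removes all "_" prefixed properties from an object, except "__type"
+* @param {Object} obj An object.
+*/
+static removeHiddenProperties (obj) {
+for (var key in obj) {
+if (obj.hasOwnProperty(key)) {
+// Regexp comes from Parse.Object.prototype.validate
+if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
+delete obj[key];
+}
+}
+}
+}
+
 handleMe(req) {
 if (!req.info || !req.info.sessionToken) {
 throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
@@ -35,14 +50,7 @@ export class UsersRouter extends ClassesRouter {
 user.sessionToken = sessionToken;
 
 // Remove hidden properties.
-for (var key in user) {
-if (user.hasOwnProperty(key)) {
-// Regexp comes from Parse.Object.prototype.validate
-if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
-delete user[key];
-}
-}
-}
+UsersRouter.removeHiddenProperties(user);
 
 return { response: user };
 }
@@ -125,6 +133,9 @@ export class UsersRouter extends ClassesRouter {
 user.sessionToken = token;
 delete user.password;
 
+// Remove hidden properties.
+UsersRouter.removeHiddenProperties(user);
+
 // Sometimes the authData still has null on that keys
 // https://github.com/parse-community/parse-server/issues/935
 if (user.authData) {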
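Review bot: The JSDoc on `removeHiddenProperties` understates what the method does: the regex drops every own key that is not a plain identifier beginning with a letter, not only `_`-prefixed ones, and it mutates `obj` in place rather than returning a cleaned copy. Suggest replacing the description with `* Deletes, in place, every own property of obj whose name is not a plain identifier (a letter followed by letters, digits or underscores), except "__type". Only the top level is inspected; nested objects are left untouched.` Since this helper is now the single point that strips server-only fields from both the `handleMe` and login responses, a direct unit test of it (a key such as `_email_verify_token`, the `__type` key, and a nested object holding an underscore key) would pin that contract independently of the HTTP tests. Both `handleMe` and the login handler begin outside their hunks.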
