From 69fa6b65d1c3018fe3ddf22e534f44865396733e Mon Sep 17 00:00:00 2001
From: Onur Eren Hanife
Date: Wed, 27 Dec 2023 15:45:18 +0300
Subject: [PATCH 1/7] #8841 allowClientClassCreation defaulting to false
---
 DEPRECATIONS.md | 2 +-
 src/Deprecator/Deprecations.js | 1 -
 src/Options/index.js | 2 +-
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/DEPRECATIONS.md b/DEPRECATIONS.md
index b825e50b2f..1df7ad2e09 100644
--- a/DEPRECATIONS.md
+++ b/DEPRECATIONS.md
@@ -8,7 +8,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 | DEPPS2 | Config option `directAccess` defaults to `true` | [#6636](https://github.com/parse-community/parse-server/pull/6636) | 5.0.0 (2022) | 6.0.0 (2023) | removed | - |
 | DEPPS3 | Config option `enforcePrivateUsers` defaults to `true` | [#7319](https://github.com/parse-community/parse-server/pull/7319) | 5.0.0 (2022) | 6.0.0 (2023) | removed | - |
 | DEPPS4 | Remove convenience method for http request `Parse.Cloud.httpRequest` | [#7589](https://github.com/parse-community/parse-server/pull/7589) | 5.0.0 (2022) | 6.0.0 (2023) | removed | - |
-| DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - |
+| DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925) | 5.3.0 (2023) | 7.0.0 (2024) | removed | - |
 | DEPPS6 | Auth providers disabled by default | [#7953](https://github.com/parse-community/parse-server/pull/7953) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - |
 | DEPPS7 | Remove file trigger syntax `Parse.Cloud.beforeSaveFile((request) => {})` | [#7966](https://github.com/parse-community/parse-server/pull/7966) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - |
 | DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - |
diff --git a/src/Deprecator/Deprecations.js b/src/Deprecator/Deprecations.js
index 2f698ad33e..a13d082158 100644
--- a/src/Deprecator/Deprecations.js
+++ b/src/Deprecator/Deprecations.js
@@ -16,7 +16,6 @@ * If there are no deprecations, this must return an empty array. */ module.exports = [ - { optionKey: 'allowClientClassCreation', changeNewDefault: 'false' }, { optionKey: 'allowExpiredAuthDataToken', changeNewDefault: 'false' }, { optionKey: 'encodeParseObjectInCloudFunction', changeNewDefault: 'true' }, ]; diff --git a/src/Options/index.js b/src/Options/index.js index cfda946a05..7f36915bbc 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -150,7 +150,7 @@ export interface ParseServerOptions { enableAnonymousUsers: ?boolean; /* Enable (or disable) client class creation, defaults to true :ENV: PARSE_SERVER_ALLOW_CLIENT_CLASS_CREATION - :DEFAULT: true */ + :DEFAULT: false */ allowClientClassCreation: ?boolean; /* Enable (or disable) custom objectId :ENV: PARSE_SERVER_ALLOW_CUSTOM_OBJECT_ID From 63f0e1c69989ee0f11fc031406b960cba50b8f7a Mon Sep 17 00:00:00 2001 From: Onur Eren Hanife Date: Thu, 28 Dec 2023 11:49:47 +0300 Subject: [PATCH 2/7] #8841 definitions docs updated --- src/Options/Definitions.js | 2 +- src/Options/docs.js | 2 +- src/Options/index.js | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 35da35bb5f..9b46805bbb 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -57,7 +57,7 @@ module.exports.ParseServerOptions = { }, allowClientClassCreation: { env: 'PARSE_SERVER_ALLOW_CLIENT_CLASS_CREATION', - help: 'Enable (or disable) client class creation, defaults to true', + help: 'Enable (or disable) client class creation, defaults to false', action: parsers.booleanParser, default: true, }, diff --git a/src/Options/docs.js b/src/Options/docs.js index 643123c253..8550e55b2e 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js 
@@ -12,7 +12,7 @@ /** * @interface ParseServerOptions * @property {AccountLockoutOptions} accountLockout The account lockout policy for failed login attempts. - * @property {Boolean} allowClientClassCreation Enable (or disable) client class creation, defaults to true + * @property {Boolean} allowClientClassCreation Enable (or disable) client class creation, defaults to false * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`. * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers diff --git a/src/Options/index.js b/src/Options/index.js index 7f36915bbc..36675ee9e8 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -148,7 +148,7 @@ export interface ParseServerOptions { :ENV: PARSE_SERVER_ENABLE_ANON_USERS :DEFAULT: true */ enableAnonymousUsers: ?boolean; - /* Enable (or disable) client class creation, defaults to true + /* Enable (or disable) client class creation, defaults to false :ENV: PARSE_SERVER_ALLOW_CLIENT_CLASS_CREATION :DEFAULT: false */ allowClientClassCreation: ?boolean; From 0e48d3432595569a701c96b41d694148d2222f8a Mon Sep 17 00:00:00 2001 From: Suat Karabacak Date: Thu, 28 Dec 2023 12:47:12 +0300 Subject: [PATCH 3/7] npm run definitions executed --- src/Options/Definitions.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 9b46805bbb..931ce2e619 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js 
@@ -59,7 +59,7 @@ module.exports.ParseServerOptions = {
 env: 'PARSE_SERVER_ALLOW_CLIENT_CLASS_CREATION',
 help: 'Enable (or disable) client class creation, defaults to false',
 action: parsers.booleanParser,
- default: true,
+ default: false,
 },
 allowCustomObjectId: {
 env: 'PARSE_SERVER_ALLOW_CUSTOM_OBJECT_ID',
From 003cd8cfd7a7fc7c898f1751c9eaf0e3ad4dbe94 Mon Sep 17 00:00:00 2001
From: Manuel <5673677+mtrezza@users.noreply.github.com>
Date: Thu, 15 Feb 2024 01:46:26 +0100
Subject: [PATCH 4/7] Update DEPRECATIONS.md
Signed-off-by: Manuel <5673677+mtrezza@users.noreply.github.com>
---
 DEPRECATIONS.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DEPRECATIONS.md b/DEPRECATIONS.md
index 46ca344da1..af683c2d46 100644
--- a/DEPRECATIONS.md
+++ b/DEPRECATIONS.md
@@ -8,7 +8,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 | DEPPS2 | Config option `directAccess` defaults to `true` | [#6636](https://github.com/parse-community/parse-server/pull/6636) | 5.0.0 (2022) | 6.0.0 (2023) | removed | - |
 | DEPPS3 | Config option `enforcePrivateUsers` defaults to `true` | [#7319](https://github.com/parse-community/parse-server/pull/7319) | 5.0.0 (2022) | 6.0.0 (2023) | removed | - |
 | DEPPS4 | Remove convenience method for http request `Parse.Cloud.httpRequest` | [#7589](https://github.com/parse-community/parse-server/pull/7589) | 5.0.0 (2022) | 6.0.0 (2023) | removed | - |
-| DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925) | 5.3.0 (2023) | 7.0.0 (2024) | removed | - |
+| DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925) | 5.3.0 (2022) | 7.0.0 (2024) | removed | - |
 | DEPPS6 | Auth providers disabled by default | [#7953](https://github.com/parse-community/parse-server/pull/7953) | 5.3.0 (2022) | 7.0.0 (2024) | removed | - |
 | DEPPS7 | Remove file trigger syntax `Parse.Cloud.beforeSaveFile((request) => {})` | [#7966](https://github.com/parse-community/parse-server/pull/7966) | 5.3.0 (2022) | 7.0.0 (2024) | removed | - |
 | DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079) | 5.3.0 (2022) | 7.0.0 (2024) | removed | - |
From 44025526e1cc2bfc38283ec1400d2f3066c1371f Mon Sep 17 00:00:00 2001
From: Onur Eren Hanife
Date: Fri, 1 Mar 2024 23:59:27 +0300
Subject: [PATCH 5/7] allowClientClassCreation is set to true in the tests defaultConfiguration
---
 spec/ParseUser.spec.js | 8 ++------
 spec/helper.js | 1 +
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js index 4fa7cd2804..44cafa887b 100644 --- a/spec/ParseUser.spec.js +++ b/spec/ParseUser.spec.js @@ -24,11 +24,6 @@ describe('allowExpiredAuthDataToken option', () => { expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false); }); - it('should default false', async () => { - await reconfigureServer({}); - expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false); - }); - it('should enforce boolean values', async () => { const options = [[], 'a', '', 0, 1, {}, 'true', 'false']; for (const option of options) { @@ -1845,7 +1840,8 @@ describe('Parse.User testing', () => { }); }); - it('should not allow login with expired authData token since allowExpiredAuthDataToken is set to false by default', async () => { + it('should not allow login with expired authData token since allowExpiredAuthDataToken is set to false', async () => { + reconfigureServer({allowExpiredAuthDataToken:false}) const provider = { authData: { id: '12345', diff --git a/spec/helper.js b/spec/helper.js index f17f105e85..802dc90893 100644 --- a/spec/helper.js +++ b/spec/helper.js @@ -129,6 +129,7 @@ const defaultConfiguration = { }, shortLivedAuth: mockShortLivedAuth(), }, + allowClientClassCreation: true, }; if (process.env.PARSE_SERVER_TEST_CACHE === 'redis') { From c8dd644c8a05c033ebcd04a91e095a1eb43e6228 Mon Sep 17 00:00:00 2001 From: Onur Eren Hanife Date: Mon, 4 Mar 2024 16:51:40 +0300 Subject: [PATCH 6/7] tests for allowClientClassCreation option implemented --- spec/ParseUser.spec.js | 37 +++++++++++++++++++++++++++++++++++-- src/Config.js | 8 ++++++++ 2 files changed, 43 insertions(+), 2 deletions(-) diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js index 44cafa887b..b997899142 100644 --- a/spec/ParseUser.spec.js +++ b/spec/ParseUser.spec.js 
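Review bot: The `allowClientClassCreation: true` entry added to `defaultConfiguration` in spec/helper.js has no comment, and it makes the whole suite run with the permissive value rather than the new shipped default of `false`. I would add a line above it such as `// Existing specs presumably create classes from client requests; the shipped default is false.` so the override is not mistaken for a recommended setting. Specs meant to cover the locked-down behaviour then have to pass `allowClientClassCreation: false` to `reconfigureServer` explicitly, because nothing else in the suite exercises the secure default. The `defaultConfiguration` literal starts above this hunk.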
@@ -24,6 +24,11 @@ describe('allowExpiredAuthDataToken option', () => { expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false); }); + it('should default false', async () => { + await reconfigureServer({}); + expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false); + }); + it('should enforce boolean values', async () => { const options = [[], 'a', '', 0, 1, {}, 'true', 'false']; for (const option of options) { @@ -1840,8 +1845,8 @@ describe('Parse.User testing', () => { }); }); - it('should not allow login with expired authData token since allowExpiredAuthDataToken is set to false', async () => { - reconfigureServer({allowExpiredAuthDataToken:false}) + it('should not allow login with expired authData token since allowExpiredAuthDataToken is set to false by default', async () => { + reconfigureServer({ allowExpiredAuthDataToken: false }); const provider = { authData: { id: '12345', 
@@ -4398,3 +4403,31 @@ describe('login as other user', () => { done(); }); }); + +describe('allowClientClassCreation option', () => { + it('should enforce boolean values', async () => { + const options = [[], 'a', '', 0, 1, {}, 'true', 'false']; + for (const option of options) { + await expectAsync(reconfigureServer({ allowClientClassCreation: option })).toBeRejected(); + } + }); + + it('should accept true value', async () => { + await reconfigureServer({ allowClientClassCreation: true }); + expect(Config.get(Parse.applicationId).allowClientClassCreation).toBe(true); + }); + + it('should accept false value', async () => { + await reconfigureServer({ allowClientClassCreation: false }); + expect(Config.get(Parse.applicationId).allowClientClassCreation).toBe(false); + }); + + it('should default false', async () => { + // remove predefined allowClientClassCreation:true on global defaultConfiguration + delete defaultConfiguration.allowClientClassCreation; + await reconfigureServer(defaultConfiguration); + expect(Config.get(Parse.applicationId).allowClientClassCreation).toBe(false); + // Need to set it back to true to avoid other test fails + defaultConfiguration.allowClientClassCreation = true; + }); +}); diff --git a/src/Config.js b/src/Config.js index 0e8cdda246..933cf39858 100644 --- a/src/Config.js +++ b/src/Config.js @@ -90,6 +90,7 @@ export class Config { rateLimit, databaseOptions, extendSessionOnUse, + allowClientClassCreation, }) { if (masterKey === readOnlyMasterKey) { throw new Error('masterKey and readOnlyMasterKey should be different'); @@ -132,6 +133,7 @@ export class Config { this.validateRateLimit(rateLimit); this.validateLogLevels(logLevels); this.validateDatabaseOptions(databaseOptions); + this.validateAllowClientClassCreation(allowClientClassCreation); } static validateControllers({ 
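Review bot: In the new `should default false` spec the restore line `defaultConfiguration.allowClientClassCreation = true;` is skipped when `reconfigureServer` rejects, because it sits after the awaited call with no `finally`. The shared `defaultConfiguration` object would then stay without the key, and later specs would silently run against the `false` default and fail for an unrelated reason. Wrapping the body as `try { await reconfigureServer(defaultConfiguration); expect(...).toBe(false); } finally { defaultConfiguration.allowClientClassCreation = true; }` keeps the global fixture intact on every path.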
@@ -174,6 +176,12 @@ export class Config { } } + static validateAllowClientClassCreation(allowClientClassCreation) { + if (typeof allowClientClassCreation !== 'boolean') { + throw 'Parse Server option allowClientClassCreation must be a boolean.'; + } + } + static validateSecurityOptions(security) { if (Object.prototype.toString.call(security) !== '[object Object]') { throw 'Parse Server option security must be an object.'; From 6e5fdf487e5abb0b848e90816d707ffccc32765d Mon Sep 17 00:00:00 2001 From: Onur Eren Hanife Date: Mon, 4 Mar 2024 16:56:43 +0300 Subject: [PATCH 7/7] unnecessary reconfigureServer removed on a allowExpiredAuthDataToken test --- spec/ParseUser.spec.js | 1 - 1 file changed, 1 deletion(-) diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js index b997899142..e97db08a6c 100644 --- a/spec/ParseUser.spec.js +++ b/spec/ParseUser.spec.js @@ -1846,7 +1846,6 @@ describe('Parse.User testing', () => { }); it('should not allow login with expired authData token since allowExpiredAuthDataToken is set to false by default', async () => { - reconfigureServer({ allowExpiredAuthDataToken: false }); const provider = { authData: { id: '12345',
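Review bot: `validateAllowClientClassCreation` has no comment saying why the check is a strict `typeof allowClientClassCreation !== 'boolean'`, and the reason is security-relevant: a string such as `'false'` is truthy, so accepting it could leave client class creation enabled when the operator meant to turn it off. I would add `// Reject non-booleans: a truthy string like 'false' must not be read as enabling client class creation.` above the `if`. The check also rejects `undefined`, so it depends on the `false` default being applied before this validator runs; that ordering is not visible in the hunk and is worth confirming. Throwing a bare string matches the neighbouring `validateSecurityOptions`, so I would leave that as is.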