build: Release (#3014)

Author: mtrezza

.gitignore

@@ -17,3 +17,6 @@ test_logs
 
 # visual studio code
 .vscode
+
+# AI tools
+.claude

Parse-Dashboard/Authentication.js

@@ -55,34 +55,53 @@ function initialize(app, options) {
 
   const cookieSessionSecret = options.cookieSessionSecret || require('crypto').randomBytes(64).toString('hex');
   const cookieSessionMaxAge = options.cookieSessionMaxAge;
-  app.use(require('connect-flash')());
+
   app.use(require('body-parser').urlencoded({ extended: true }));
-  app.use(require('cookie-session')({
-    key    : 'parse_dash',
-    secret : cookieSessionSecret,
-    maxAge : cookieSessionMaxAge
+  app.use(require('express-session')({
+    name: 'parse_dash',
+    secret: cookieSessionSecret,
+    resave: false,
+    saveUninitialized: false,
+    cookie: {
+      maxAge: cookieSessionMaxAge,
+      httpOnly: true,
+      sameSite: 'lax',
+    }
   }));
+  app.use(require('connect-flash')());
   app.use(passport.initialize());
   app.use(passport.session());
 
   app.post('/login',
     csrf(),
     (req,res,next) => {
       let redirect = 'apps';
+      let originalRedirect = null;
       if (req.body.redirect) {
-        redirect = req.body.redirect.charAt(0) === '/' ? req.body.redirect.substring(1) : req.body.redirect
+        originalRedirect = req.body.redirect;
+        // Validate redirect to prevent open redirect vulnerability
+        if (originalRedirect.includes('://') || originalRedirect.startsWith('//')) {
+          // Reject absolute URLs and protocol-relative URLs
+          redirect = 'apps';
+          originalRedirect = null;
+        } else {
+          // Strip leading slash from redirect to prevent double slashes
+          redirect = originalRedirect.charAt(0) === '/' ? originalRedirect.substring(1) : originalRedirect;
+        }
       }
       return passport.authenticate('local', {
         successRedirect: `${self.mountPath}${redirect}`,
-        failureRedirect: `${self.mountPath}login${req.body.redirect ? `?redirect=${req.body.redirect}` : ''}`,
+        failureRedirect: `${self.mountPath}login${originalRedirect ? `?redirect=${originalRedirect}` : ''}`,
         failureFlash : true
       })(req, res, next)
     },
   );
 
-  app.get('/logout', function(req, res){
-    req.logout();
-    res.redirect(`${self.mountPath}login`);
+  app.get('/logout', function (req, res, next) {
+    req.logout(function (err) {
+      if (err) { return next(err); }
+      res.redirect(`${self.mountPath}login`);
+    });
   });
 }
 

Parse-Dashboard/app.js

@@ -1062,8 +1062,26 @@ You have direct access to the Parse database through function calls, so you can
     }
 
     app.get('/login', csrf(), function(req, res) {
-      const redirectURL = req.url.includes('?redirect=') && req.url.split('?redirect=')[1].length > 1 && req.url.split('?redirect=')[1];
+      let redirectURL = null;
+      try {
+        const url = new URL(req.url, 'http://localhost');
+        redirectURL = url.searchParams.get('redirect');
+      } catch (error) {
+        console.warn('Invalid URL in login redirect:', error.message);
+      }
       if (!users || (req.user && req.user.isAuthenticated)) {
+        // Validate and sanitize redirect URL to prevent open redirect vulnerability
+        if (redirectURL) {
+          // Reject absolute URLs and protocol-relative URLs
+          if (redirectURL.includes('://') || redirectURL.startsWith('//')) {
+            redirectURL = null;
+          } else {
+            // Strip leading slash to prevent double slashes
+            if (redirectURL.charAt(0) === '/') {
+              redirectURL = redirectURL.substring(1);
+            }
+          }
+        }
         return res.redirect(`${mountPath}${redirectURL || 'apps'}`);
       }
 

README.md

@@ -1,3 +1,141 @@
+# [8.0.0-alpha.6](https://github.com/parse-community/parse-dashboard/compare/8.0.0-alpha.5...8.0.0-alpha.6) (2025-10-29)
+
+
+### Bug Fixes
+
+* Session management issue that causes malformed redirect URLs ([#3011](https://github.com/parse-community/parse-dashboard/issues/3011)) ([1649dd3](https://github.com/parse-community/parse-dashboard/commit/1649dd31129d9dc7153ffa116f57fbec216142f6))
+
+# [8.0.0-alpha.5](https://github.com/parse-community/parse-dashboard/compare/8.0.0-alpha.4...8.0.0-alpha.5) (2025-10-29)
+
+
+### Bug Fixes
+
+* Switching between browser tabs can cause illegible text color for config parameter value field ([#3010](https://github.com/parse-community/parse-dashboard/issues/3010)) ([77c5c67](https://github.com/parse-community/parse-dashboard/commit/77c5c67cfecedb20654eede3a167c65654e35b4a))
+
+# [8.0.0-alpha.4](https://github.com/parse-community/parse-dashboard/compare/8.0.0-alpha.3...8.0.0-alpha.4) (2025-10-29)
+
+
+### Features
+
+* Add info panel options `prefetchImage`, `prefetchVideo`, `prefetchAudio` to pre-fetch media content in the info panel ([#3009](https://github.com/parse-community/parse-dashboard/issues/3009)) ([6796c9e](https://github.com/parse-community/parse-dashboard/commit/6796c9e5f1fd0110100fb9814f55db4052ebb677))
+
+# [8.0.0-alpha.3](https://github.com/parse-community/parse-dashboard/compare/8.0.0-alpha.2...8.0.0-alpha.3) (2025-10-29)
+
+
+### Bug Fixes
+
+* Info panel briefly shows cached media content from previously selected cell when using pre-fetch ([#3008](https://github.com/parse-community/parse-dashboard/issues/3008)) ([dd6a85e](https://github.com/parse-community/parse-dashboard/commit/dd6a85e4734adda9bc9a92d7bdfba2e7a061dd83))
+
+# [8.0.0-alpha.2](https://github.com/parse-community/parse-dashboard/compare/8.0.0-alpha.1...8.0.0-alpha.2) (2025-10-25)
+
+
+### Bug Fixes
+
+* Cannot connect to server with error invalid header name ([#3006](https://github.com/parse-community/parse-dashboard/issues/3006)) ([ea4ec07](https://github.com/parse-community/parse-dashboard/commit/ea4ec071ae5d88f4cf6ba2c3b1da72509123b39c))
+
+# [8.0.0-alpha.1](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.13...8.0.0-alpha.1) (2025-10-25)
+
+
+### Bug Fixes
+
+* Add missing major version increase of dashboard release ([#3005](https://github.com/parse-community/parse-dashboard/issues/3005)) ([5debb4d](https://github.com/parse-community/parse-dashboard/commit/5debb4dc143e4eebcfabb3e25cc882b6ea3594e7))
+
+
+### BREAKING CHANGES
+
+* This increases the required minimum version to Parse Server 7. ([5debb4d](5debb4d))
+
+# [7.6.0-alpha.13](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.12...7.6.0-alpha.13) (2025-10-25)
+
+
+### Features
+
+* Add Parse Server version compatibility detection ([#3004](https://github.com/parse-community/parse-dashboard/issues/3004)) ([9a7a60f](https://github.com/parse-community/parse-dashboard/commit/9a7a60fea3e76e66e5c6e5d39d3ad8fb02ba5e38))
+
+# [7.6.0-alpha.12](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.11...7.6.0-alpha.12) (2025-10-22)
+
+
+### Bug Fixes
+
+* Security upgrade parse from 3.5.1 to 7.0.1 ([#3003](https://github.com/parse-community/parse-dashboard/issues/3003)) ([5123fbf](https://github.com/parse-community/parse-dashboard/commit/5123fbf28f40d6a4e2e3030c2a0b810131397aea))
+
+# [7.6.0-alpha.11](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.10...7.6.0-alpha.11) (2025-10-14)
+
+
+### Bug Fixes
+
+* Currently displayed view reloads when editing and saving a different view ([#3002](https://github.com/parse-community/parse-dashboard/issues/3002)) ([794a35a](https://github.com/parse-community/parse-dashboard/commit/794a35ae265ed74f56634429d37e1b6826be3c45))
+
+# [7.6.0-alpha.10](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.9...7.6.0-alpha.10) (2025-10-14)
+
+
+### Bug Fixes
+
+* ESC key does not cancel editing in data browser cell ([#3001](https://github.com/parse-community/parse-dashboard/issues/3001)) ([d1d7241](https://github.com/parse-community/parse-dashboard/commit/d1d724169ae12489fb30eeca558e4cc926e4d851))
+
+# [7.6.0-alpha.9](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.8...7.6.0-alpha.9) (2025-10-14)
+
+
+### Bug Fixes
+
+* Security upgrade passport from 0.5.3 to 0.6.0 ([#3000](https://github.com/parse-community/parse-dashboard/issues/3000)) ([fbb5e6d](https://github.com/parse-community/parse-dashboard/commit/fbb5e6d9df5575519d414b98481afd96a4ae11d8))
+
+# [7.6.0-alpha.8](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.7...7.6.0-alpha.8) (2025-10-05)
+
+
+### Performance Improvements
+
+* Storing, deleting, modifying view in server storage now only affects the specific view instead of updating all views ([#2998](https://github.com/parse-community/parse-dashboard/issues/2998)) ([48cea3c](https://github.com/parse-community/parse-dashboard/commit/48cea3c06001fe74be2990bc65036b5111f943b2))
+
+# [7.6.0-alpha.7](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.6...7.6.0-alpha.7) (2025-10-05)
+
+
+### Bug Fixes
+
+* Dashboard config objects stored on server with public read / write access ([#2997](https://github.com/parse-community/parse-dashboard/issues/2997)) ([31a4639](https://github.com/parse-community/parse-dashboard/commit/31a4639bb44fa7223d669aa40580b2348420f522))
+
+# [7.6.0-alpha.6](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.5...7.6.0-alpha.6) (2025-10-05)
+
+
+### Bug Fixes
+
+* Storing view on server creates view key with hashed view name instead of UUID ([#2995](https://github.com/parse-community/parse-dashboard/issues/2995)) ([7cb65f3](https://github.com/parse-community/parse-dashboard/commit/7cb65f360a2cd7f57782dad408c606671e271c7d))
+
+# [7.6.0-alpha.5](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.4...7.6.0-alpha.5) (2025-10-05)
+
+
+### Bug Fixes
+
+* View table data may be retained when switching between views ([#2996](https://github.com/parse-community/parse-dashboard/issues/2996)) ([ddc91c9](https://github.com/parse-community/parse-dashboard/commit/ddc91c991f8ef6ea2695448cdb10edec71c8ad1a))
+
+# [7.6.0-alpha.4](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.3...7.6.0-alpha.4) (2025-10-05)
+
+
+### Bug Fixes
+
+* Missing alert when changing data browser browser data while rows are selected ([#2994](https://github.com/parse-community/parse-dashboard/issues/2994)) ([6cabaa3](https://github.com/parse-community/parse-dashboard/commit/6cabaa36a95b0059ebbcd7b90a744fa9d0a403af))
+
+# [7.6.0-alpha.3](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.2...7.6.0-alpha.3) (2025-10-04)
+
+
+### Bug Fixes
+
+* Filter text field in data browser partly looses focus when selecting in drop-down element by hitting enter key to apply filter ([#2993](https://github.com/parse-community/parse-dashboard/issues/2993)) ([f4c17c7](https://github.com/parse-community/parse-dashboard/commit/f4c17c7d9046d9296c7cd9cb99109cad8c8a0e5b))
+
+# [7.6.0-alpha.2](https://github.com/parse-community/parse-dashboard/compare/7.6.0-alpha.1...7.6.0-alpha.2) (2025-10-04)
+
+
+### Bug Fixes
+
+* Filter text field in data browser partly looses focus when hitting enter key to apply filter ([#2992](https://github.com/parse-community/parse-dashboard/issues/2992)) ([e3085b9](https://github.com/parse-community/parse-dashboard/commit/e3085b9f62af359c04ce74498eb2029bce85a5d1))
+
+# [7.6.0-alpha.1](https://github.com/parse-community/parse-dashboard/compare/7.5.0...7.6.0-alpha.1) (2025-10-04)
+
+
+### Features
+
+* Add `matches regex` filter to data browser replacing limited `string contains string` filter ([#2991](https://github.com/parse-community/parse-dashboard/issues/2991)) ([64a9f71](https://github.com/parse-community/parse-dashboard/commit/64a9f71bf89a818a7cf69573f652f554cac6a751))
+
 # [7.5.0-alpha.2](https://github.com/parse-community/parse-dashboard/compare/7.5.0-alpha.1...7.5.0-alpha.2) (2025-09-11)