From e29845f8dacac09ce3093d75c0d92330c24389e8 Mon Sep 17 00:00:00 2001 From: Onur <154966188+onurhanife@users.noreply.github.com> Date: Thu, 15 Feb 2024 03:07:35 +0300 Subject: [PATCH] feat: Deprecation DEPPS8: Parse Server option `allowExpiredAuthDataToken` defaults to `false` (#8860) BREAKING CHANGE: Parse Server option `allowExpiredAuthDataToken` defaults to `false`; a 3rd party authentication token will be validated every time the user tries to log in and the login will fail if the token has expired; the effect of this change may differ for different authentication adapters, depending on the token lifetime and the token refresh logic of the adapter --- DEPRECATIONS.md | 2 +- spec/ParseUser.spec.js | 75 +++------------------------------- src/Deprecator/Deprecations.js | 1 - src/Options/Definitions.js | 4 +- src/Options/docs.js | 2 +- src/Options/index.js | 4 +- 6 files changed, 12 insertions(+), 76 deletions(-) diff --git a/DEPRECATIONS.md b/DEPRECATIONS.md index 907568d21f..89819c2d94 100644 --- a/DEPRECATIONS.md +++ b/DEPRECATIONS.md @@ -11,7 +11,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h | DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - | | DEPPS6 | Auth providers disabled by default | [#7953](https://github.com/parse-community/parse-server/pull/7953) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - | | DEPPS7 | Remove file trigger syntax `Parse.Cloud.beforeSaveFile((request) => {})` | [#7966](https://github.com/parse-community/parse-server/pull/7966) | 5.3.0 (2022) | 7.0.0 (2024) | removed | - | -| DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - | +| DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079) | 5.3.0 (2022) | 7.0.0 (2024) | removed | - | | DEPPS9 | Rename LiveQuery `fields` option to `keys` | [#8389](https://github.com/parse-community/parse-server/issues/8389) | 6.0.0 (2023) | 7.0.0 (2024) | removed | - | | DEPPS10 | Config option `encodeParseObjectInCloudFunction` defaults to `true` | [#8634](https://github.com/parse-community/parse-server/issues/8634) | 6.2.0 (2023) | 8.0.0 (2025) | deprecated | - | diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js index 5a4a81d0a7..4fa7cd2804 100644 --- a/spec/ParseUser.spec.js +++ b/spec/ParseUser.spec.js @@ -15,51 +15,18 @@ const cryptoUtils = require('../lib/cryptoUtils'); describe('allowExpiredAuthDataToken option', () => { it('should accept true value', async () => { - const logger = require('../lib/logger').logger; - const logSpy = spyOn(logger, 'warn').and.callFake(() => {}); await reconfigureServer({ allowExpiredAuthDataToken: true }); expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(true); - expect( - logSpy.calls - .all() - .filter( - log => - log.args[0] === - `DeprecationWarning: The Parse Server option 'allowExpiredAuthDataToken' default will change to 'false' in a future version.` - ).length - ).toEqual(0); }); it('should accept false value', async () => { - const logger = require('../lib/logger').logger; - const logSpy = spyOn(logger, 'warn').and.callFake(() => {}); await reconfigureServer({ allowExpiredAuthDataToken: false }); expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false); - expect( - logSpy.calls - .all() - .filter( - log => - log.args[0] === - `DeprecationWarning: The Parse Server option 'allowExpiredAuthDataToken' default will change to 'false' in a future version.` - ).length - ).toEqual(0); - }); - - it('should default true', async () => { - const logger = require('../lib/logger').logger; - const logSpy = spyOn(logger, 'warn').and.callFake(() => {}); + }); + + it('should default false', async () => { await reconfigureServer({}); - expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(true); - expect( - logSpy.calls - .all() - .filter( - log => - log.args[0] === - `DeprecationWarning: The Parse Server option 'allowExpiredAuthDataToken' default will change to 'false' in a future version.` - ).length - ).toEqual(1); + expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false); }); it('should enforce boolean values', async () => { @@ -1878,7 +1845,7 @@ describe('Parse.User testing', () => { }); }); - it('should allow login with expired authData token by default', async () => { + it('should not allow login with expired authData token since allowExpiredAuthDataToken is set to false by default', async () => { const provider = { authData: { id: '12345', @@ -1904,37 +1871,7 @@ describe('Parse.User testing', () => { // In this case, we want success as it was valid once. // If the client needs an updated token, do lock the user out defaultConfiguration.auth.shortLivedAuth.setValidAccessToken('otherToken'); - await Parse.User._logInWith('shortLivedAuth', {}); - }); - - it('should not allow login with expired authData token when allowExpiredAuthDataToken is set to false', async () => { - await reconfigureServer({ allowExpiredAuthDataToken: false }); - const provider = { - authData: { - id: '12345', - access_token: 'token', - }, - restoreAuthentication() { - return true; - }, - deauthenticate() { - provider.authData = {}; - }, - authenticate(options) { - options.success(this, provider.authData); - }, - getAuthType() { - return 'shortLivedAuth'; - }, - }; - defaultConfiguration.auth.shortLivedAuth.setValidAccessToken('token'); - Parse.User._registerAuthenticationProvider(provider); - await Parse.User._logInWith('shortLivedAuth', {}); - // Simulate a remotely expired token (like a short lived one) - // In this case, we want success as it was valid once. - // If the client needs an updated token, do lock the user out - defaultConfiguration.auth.shortLivedAuth.setValidAccessToken('otherToken'); - expectAsync(Parse.User._logInWith('shortLivedAuth', {})).toBeRejected(); + await expectAsync(Parse.User._logInWith('shortLivedAuth', {})).toBeRejected(); }); it('should allow PUT request with stale auth Data', done => { diff --git a/src/Deprecator/Deprecations.js b/src/Deprecator/Deprecations.js index 2f698ad33e..0e901dfda4 100644 --- a/src/Deprecator/Deprecations.js +++ b/src/Deprecator/Deprecations.js @@ -17,6 +17,5 @@ */ module.exports = [ { optionKey: 'allowClientClassCreation', changeNewDefault: 'false' }, - { optionKey: 'allowExpiredAuthDataToken', changeNewDefault: 'false' }, { optionKey: 'encodeParseObjectInCloudFunction', changeNewDefault: 'true' }, ]; diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index b9dd882dbb..b3b09fafa5 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -70,9 +70,9 @@ module.exports.ParseServerOptions = { allowExpiredAuthDataToken: { env: 'PARSE_SERVER_ALLOW_EXPIRED_AUTH_DATA_TOKEN', help: - 'Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`.', + 'Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `false`.', action: parsers.booleanParser, - default: true, + default: false, }, allowHeaders: { env: 'PARSE_SERVER_ALLOW_HEADERS', diff --git a/src/Options/docs.js b/src/Options/docs.js index 3dbb9b34d0..2938662949 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -14,7 +14,7 @@ * @property {AccountLockoutOptions} accountLockout The account lockout policy for failed login attempts. * @property {Boolean} allowClientClassCreation Enable (or disable) client class creation, defaults to true * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId - * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`. + * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `false`. * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers * @property {String|String[]} allowOrigin Sets origins for Access-Control-Allow-Origin. This can be a string for a single origin or an array of strings for multiple origins. * @property {Adapter} analyticsAdapter Adapter module for the analytics diff --git a/src/Options/index.js b/src/Options/index.js index 0c6e82e4c6..2b09790dee 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -320,8 +320,8 @@ export interface ParseServerOptions { /* Set to true if new users should be created without public read and write access. :DEFAULT: true */ enforcePrivateUsers: ?boolean; - /* Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`. - :DEFAULT: true */ + /* Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `false`. + :DEFAULT: false */ allowExpiredAuthDataToken: ?boolean; /* An array of keys and values that are prohibited in database read and write requests to prevent potential security vulnerabilities. It is possible to specify only a key (`{"key":"..."}`), only a value (`{"value":"..."}`) or a key-value pair (`{"key":"...","value":"..."}`). The specification can use the following types: `boolean`, `numeric` or `string`, where `string` will be interpreted as a regex notation. Request data is deep-scanned for matching definitions to detect also any nested occurrences. Defaults are patterns that are likely to be used in malicious requests. Setting this option will override the default patterns. :DEFAULT: [{"key":"_bsontype","value":"Code"},{"key":"constructor"},{"key":"__proto__"}] */