fix: Endpoints /login and /verifyPassword disclose MFA secrets and protected fields when _User get is denied (GHSA-75v4-m273-5j49)

[mtrezza]

Issue

Endpoints /login and /verifyPassword disclose MFA secrets and protected fields when _User get is denied (GHSA-75v4-m273-5j49)

Tasks

• Add tests

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR prevents post-auth _User re-fetch failures from falling back to the unfiltered DB user: handleLogIn and handleVerifyPassword now return only { objectId } for non-master/non-maintenance callers when re-fetch is denied, and tests validate MFA/authData and protected-field outcomes.

Changes

Auth Flow CLP-Aware User Re-fetch

Layer / File(s)	Summary
Auth flow re-fetch failure handling src/Routers/UsersRouter.js	handleLogIn and handleVerifyPassword now catch rest.get re-fetch failures and, for non-master/non-maintenance callers, set filteredUser to { objectId: user.objectId } instead of falling back to the raw DB user, preserving sanitization and session token attachment.
CLP refetch security test suite spec/vulnerabilities.spec.js	Adds GHSA-75v4-m273-5j49 tests that create an MFA user, modify _User CLP to deny/permit get, and assert /verifyPassword and /login responses for (1) denied re-fetch (no authData, no protected phone), (2) permitted re-fetch (MFA sanitized to authData.mfa.status, secrets omitted), and (3) master-key override returning protected phone.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant UsersRouter as handleLogIn/handleVerifyPassword
  participant RestAPI as rest.get
  participant Sanitizer as removeHiddenProperties
  participant DB as Database
  participant Response
  Client->>UsersRouter: POST /login or POST /verifyPassword
  UsersRouter->>RestAPI: refetch _User with caller context
  RestAPI-->>UsersRouter: returns sanitized user OR throws/returns empty (CLP denied)
  alt re-fetch denied for non-master
    UsersRouter->>UsersRouter: set filteredUser = { objectId }
  else re-fetch allowed or master
    UsersRouter->>UsersRouter: use refetched filtered user
  end
  UsersRouter->>Sanitizer: remove hidden properties, attach session token, sanitize authData/MFA
  Sanitizer->>Response: send final response to Client

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• parse-community/parse-server#10409: Modifies handleLogIn and handleVerifyPassword re-fetch behavior with CLP/ACL awareness and sanitization fallback patterns.
• parse-community/parse-server#10412: Modifies the same auth re-fetch flows to control which auth context (master/maintenance) is used for the post-auth _User re-fetch.
• parse-community/parse-server#10323: Addresses MFA authData exposure prevention in handleVerifyPassword and runAfterFind processing to sanitize secret and recovery fields.

🚥 Pre-merge checks | ✅ 4 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	No pull request description was provided; the required template sections (Issue, Approach, Tasks) are missing.	Add a complete PR description following the template, including issue details, description of changes made, and relevant task checklist items.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Engage In Review Feedback	❓ Inconclusive	Cannot verify review engagement without GitHub PR comment access; git history shows only one commit with no iteration evidence.	Access GitHub PR #10492 directly to review reviewer comments and verify user engagement with feedback.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	PR properly fixes GHSA-75v4-m273-5j49 by wrapping rest.get in try/catch and returning only {objectId} for non-master callers when CLP denies access, preventing MFA secret and protected field leaks.
Title check	✅ Passed	The PR title begins with the required 'fix:' prefix and clearly describes the security vulnerability being addressed in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.60%. Comparing base (66484ce) to head (a4a8d34).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10492      +/-   ##
==========================================
+ Coverage   92.59%   92.60%   +0.01%     
==========================================
  Files         193      193              
  Lines       16897    16897              
  Branches      234      234              
==========================================
+ Hits        15645    15648       +3     
+ Misses       1229     1226       -3     
  Partials       23       23              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.9.1-alpha.5