Is Master Key required in all GraphQL request headers?

[borekwa]

Throughout the Parse GraphQL guide, it suggests that the Master Key is an optional header (eg, https://docs.parseplatform.org/graphql/guide/#get) and a lot of articles say you should avoid using the Master Key in client side code, but if I remove the "X-Parse-Master-Key" from my headers, the request is always "unauthorized", even if I use a valid session token.

Please clarify: is the Master Key required in all request headers? If not, how do I make an authorized request without passing in the Master Key?

[Moumouls]

Hi, master key is totally optional, but app id is required. Can you provide an example of your requests ?

[mtrezza]

I'm closing this as it seems to be resolved. Feel free to comment if you have any questions and we can re-open this issue.

[borekwa]

I am still having the the issue, and it's reproducible using the GraphQL Playground, so I don't think it's an issue in my client-side code. Even when I'm in the playground, I can make a successful query when the X-Parse-Master-Key header is included, but if I remove that header, then I get an "unauthorized" response.

I thought it might be ACL related, so I've been trying to include an X-Parse-Session-Token, but that is also coming back with an "unauthorized" response.

Please advise and let me know what code snippet would be relevant given the fact that I can replicate it in the Playground.

[mtrezza]

Thanks for the update. Can you please provide a simple code example including the database data that allows us to reproduce the issue?

Please advise and let me know what code snippet would be relevant given the fact that I can replicate it in the Playground.

I would suggest to remove as much code as possible while the bug can still be observed.

[borekwa]

Thanks for your help.

Here's my server setup:

const express = require('express');
const { default: ParseServer, ParseGraphQLServer, S3Adapter } = require('parse-server');
const ParseDashboard = require('parse-dashboard');
const path = require('path');

module.exports = app => {
  const databaseUri = process.env.MONGOLAB_URI;

  const parseServer = new ParseServer({
    databaseURI: databaseUri || 'mongodb://localhost:27017/dev',
    appId: process.env.APP_ID,
    masterKey: process.env.MASTER_KEY,
    serverURL: process.env.SERVER_URL,
    fileKey: process.env.FILE_KEY,
    restAPIKey: process.env.REST_API_KEY,
    appName: 'Liquid Lesson',
    publicServerURL: process.env.SERVER_URL,
    filesAdapter: new S3Adapter(
      process.env.S3_ACCESS_KEY,
      process.env.S3_SECRET_KEY,
      process.env.S3_BUCKET,
      {directAccess: false}
    )
  });

  // Serve the Parse API on the /parse URL prefix
  const mountPath = process.env.PARSE_MOUNT || '/parse';
  app.use(mountPath, parseServer.app);

  // Create the GraphQL Server Instance
  const parseGraphQLServer = new ParseGraphQLServer(
    parseServer,
    {
      graphQLPath: '/graphql',
      playgroundPath: '/playground'
    }
  );

  // Mounts the GraphQL API using graphQLPath: '/graphql'
  parseGraphQLServer.applyGraphQL(app);

  // Load ParshDashboard and tests when running locally
  if (process.env.NODE_ENV != 'production') {
    const dashboard = new ParseDashboard({
      "apps": [
        {
          "serverURL": process.env.SERVER_URL,
          "appId": process.env.APP_ID,
          "masterKey": process.env.MASTER_KEY,
          "appName": 'Liquid Lesson Stage'
        },
        {
          "serverURL": 'http://liquidlesson.herokuapp.com/parse',
          "appId": process.env.PROD_APP_ID,
          "masterKey": process.env.PROD_MASTER_KEY,
          "appName": 'Liquid Lesson Production'
        }
      ]
    });

    app.use('/dashboard', dashboard);

    // (Optional) Mounts the GraphQL Playground - do NOT use in Production
    parseGraphQLServer.applyPlayground(app);
  }
}

With that setup I can run the playground and get make successful queries with the Master Key like this:

But the same query fails when I remove the Master Key, or try using the Session Token:

Here's the data being queried, as seen in the data browser:

...and the related object included in the query:

I also have the same problem if I remove the Master Key header in my client app:

import VueApollo from 'vue-apollo';
import ApolloClient from 'apollo-boost';

const appId = 'P4XwD379JlO3OJAA47XOLyV0Tvb3F2NWzTv7PQTY';

export const apolloClient = new ApolloClient({
  uri: 'http://localhost:5050/graphql',
  request: (operation) => {
    const token = window.localStorage.getItem('parse_token');
    operation.setContext({
      headers: {
        'X-Parse-Application-Id': appId,
        'X-Parse-Session-Token': token,
       // 'X-Parse-Master-Key': process.env.VUE_APP_MASTER_KEY,
      },
    });
  },
});

const apolloProvider = new VueApollo({
  defaultClient: apolloClient,
});

export default apolloProvider;

[Moumouls]

Since you are in a dev setup can you share the session token that you use ?
What is your GraphQL call to obtain the session token from parse server ?

Note: Master key should NEVER be used in a front app. Additional note you should not combine Session token with Master Key, since the master key take the lead and session token will be ignored .

[Moumouls]

Do you have some CLP on your classes ?

Since you get an unauthorized error, do you have some logs on parse server ?

[borekwa]

Yea, I will definitely remove the Master Key once I can successfully make requests without it.

The CLP for my classes are Public Read and Public Write.

Here's the session token I am using: "r:615c80c3993b5bbd3a2a9ce87a7a275f"

I'm getting the sessionToken from the from the Login mutation.

Here's my query:

export const LOGIN = gql`
  mutation logIn($username: String!, $password: String!) {
    logIn(input: { username: $username, password: $password }) {
      viewer {
        sessionToken
        user {
          username
          email
        }
      }
    }
  }
`;

Here's the call:

login: ({ commit }, params) => {
  apolloClient.mutate({
    mutation: LOGIN,
    variables: params,
  }).then((response) => {
    const { data: { logIn: { viewer: { sessionToken } } } } = response;
    commit('setToken', sessionToken);
    window.localStorage.setItem('parse_token', sessionToken);
  }).catch((error) => {
    console.log(error);
  });
},

[davimacedo]

@borekwa since you have initialized your Parse Server with restAPIKey option, could you please try again by sending X-Parse-Application-Id, X-Parse-Session-Token, and X-Parse-REST-API-Key headers?

[mtrezza]

Maybe related to #6842. Maybe the docs need some clarification regarding the client keys, or at least a more prominent note that setting them in the configuration requires them in the request.