fix: Parse Server OAuth2 authentication adapter account takeover via identity spoofing (GHSA-fr88-w35c-r596)

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

Approach

Parse Server OAuth2 authentication adapter account takeover via identity spoofing (GHSA-fr88-w35c-r596)

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• Bug Fixes

  • Strengthened OAuth2 authentication to prevent account takeover; tokens are now validated against the correct user identifier and mismatches are rejected.
  • User identifier handling now defaults to the standard "sub" claim when not specified, improving validation consistency.

• Tests

  • Added end-to-end and unit tests covering account-takeover scenarios, missing introspection, inactive tokens, and invalid app IDs.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[coderabbitai]

📝 Walkthrough

Walkthrough

Defaulted OAuth2 adapter's useridField to 'sub' when omitted and added tests covering userid matching/mismatching, an account-takeover E2E scenario, and introspection/invalid-config edge cases.

Changes

Cohort / File(s)	Summary
OAuth2 Adapter Implementation src/Adapters/Auth/oauth2.js	Set useridField to default to 'sub' when not provided; JSDoc updated to reflect the default.
OAuth2 Adapter Tests spec/Adapters/Auth/oauth2.spec.js	Added tests (E2E + unit) validating default 'sub' behavior, matching vs. mismatching user IDs, account-takeover scenario (victim signup, attacker login with claimed victim ID), and edge cases: missing introspection endpoint, inactive tokens, and invalid app IDs.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client (Victim/Attacker)
    participant Server as App Server (OAuth2Adapter)
    participant IdP as Identity Provider (Introspection)
    participant DB as Database

    Client->>Server: Signup request with access token (victim token, claims sub=victimId)
    Server->>IdP: Introspect token
    IdP-->>Server: Active token, payload { sub: victimId, ... }
    Server->>DB: Create account for victimId
    DB-->>Server: Account created
    Server-->>Client: Signup success

    Client->>Server: Login request (attacker token) claiming userId=victimId
    Server->>IdP: Introspect attacker token
    IdP-->>Server: Active token, payload { sub: attackerId, ... }
    Server->>Server: Compare payload[sub] (attackerId) vs claimed userId (victimId)
    Server-->>Client: Reject — "OAuth2 access token is invalid for this user." / OBJECT_NOT_FOUND

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description follows the required template structure with all main sections present, but the Issue section is empty and lacks a clear description or link to the security issue being addressed.	Fill in the Issue section with a clear description or link to GHSA-fr88-w35c-r596. The Approach section should also provide more detail about the specific changes made to address the account takeover vulnerability.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The PR title clearly describes the main security fix: addressing an OAuth2 authentication account takeover vulnerability via identity spoofing (GHSA-fr88-w35c-r596).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.72%. Comparing base (70b7b07) to head (b120f83).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10145   +/-   ##
=======================================
  Coverage   92.72%   92.72%           
=======================================
  Files         192      192           
  Lines       16098    16098           
  Branches      183      183           
=======================================
  Hits        14927    14927           
  Misses       1159     1159           
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (1)

src/Adapters/Auth/oauth2.js (1)

8-8: Surface this default in the public auth docs too.

This JSDoc update helps, but the default is still only applied at runtime in the adapter, so operators will miss it unless it is also called out in the public auth config docs / README.md.

Based on learnings, for new Parse Server options a README update is optional rather than required.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Adapters/Auth/oauth2.js` at line 8, The JSDoc notes that
options.useridField defaults to 'sub' but the public docs/README don't mention
this default; update the public auth configuration documentation and README to
explicitly document the default for useridField (and any related oauth2 adapter
options) so operators see it without reading runtime code — add a short line
stating "useridField (string) — defaults to 'sub' per RFC 7662" alongside the
oauth2 adapter options and mirror that in any public examples or option tables
for the OAuth2 adapter.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/Adapters/Auth/oauth2.js`:
- Line 8: The JSDoc notes that options.useridField defaults to 'sub' but the
public docs/README don't mention this default; update the public auth
configuration documentation and README to explicitly document the default for
useridField (and any related oauth2 adapter options) so operators see it without
reading runtime code — add a short line stating "useridField (string) — defaults
to 'sub' per RFC 7662" alongside the oauth2 adapter options and mirror that in
any public examples or option tables for the OAuth2 adapter.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4e953798-1463-4f6d-a6b2-113b9c4d20bf

📥 Commits

Reviewing files that changed from the base of the PR and between 2f2eb13 and b120f83.

📒 Files selected for processing (1)

• src/Adapters/Auth/oauth2.js

[parseplatformorg]

🎉 This change has been released in version 9.5.2-alpha.9