refactor: Deprecate enableAnonymousUsers

[dblythy]

New Pull Request Checklist

• I am not disclosing a vulnerability.
• I am creating this PR in reference to an issue.

Issue Description

enableAnonymousUsers should default to false.

Related issue: #7923

Approach

Adds planned depreciation

TODOs before merging

• A changelog entry is created automatically using the pull request title (do not manually add a changelog entry)

[parse-github-assistant]

Thanks for opening this pull request!

• ❌ Please link an issue that describes the reason for this pull request, otherwise your pull request will be closed. Make sure to write it as Closes: #123 in the PR description, so I can recognize it.

[codecov]

Codecov Report

Base: 94.11% // Head: 94.11% // Increases project coverage by +0.00% 🎉

Coverage data is based on head (6d6acb2) compared to base (b10182f).
Patch coverage: 100.00% of modified lines in pull request are covered.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha    #7924   +/-   ##
=======================================
  Coverage   94.11%   94.11%           
=======================================
  Files         182      182           
  Lines       13621    13623    +2     
=======================================
+ Hits        12819    12821    +2     
  Misses        802      802           

Impacted Files	Coverage Δ
src/Security/CheckGroups/CheckGroupServerConfig.js	96.00% <100.00%> (+0.34%)	⬆️
src/RestWrite.js	94.30% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[rhuanbarreto]

Great security improvement!

[mtrezza]

Curious about your thought process for adding a security warning.

I'm thinking that if someone has an application in which anonymous users are part of their use case, they will always get this warning, even though they may have restricted the permissions of anonymous users accordingly. After all, anonymous users is a regular feature of Parse Server:

Being able to associate data and objects with individual users is highly valuable, but sometimes you want to be able to do this without forcing a user to specify a username and password.

An anonymous user is a user that can be created without a username and password but still has all of the same capabilities as any other PFUser. After logging out, an anonymous user is abandoned, and its data is no longer accessible.

I understand that we disable them by default, as enabling them requires taking security implications into account, but I'm not sure it should be a permanent warning. What do you think?

[mtrezza]

Reading this again, maybe it actually makes sense to add that warning until we change the default in 2024, that's still a long time away. Once the deprecation ended, we could remove the warning.

To my previous comment, I think one should always be able to get down to 0 warnings by improving the configuration. Since anonymous user is a regular feature, any app that uses this would never be able to get to 0 warnings, always indicating that there was a potential security issue, which there is not if classes are properly secured. Or the warning could have additional conditions, e.g. anonymous users enabled + file upload enabled for anonymous user = real vulnerability that warrants a warning.

[mtrezza]

@dblythy what do you think?

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.