Create new Parse.Session programmatically for a user, without their password

philippea · June 12, 2021, 10:52am

Hi everyone!

I’m working on an existing Parse server, and I am currently adding an OAuth system, so that external apps can connect in the name of Parse.User.

I created different classes for codes and tokens, and now my external apps can send requests with an accessToken, corresponding to their application and user (who granted access).

I’m looking for a way to inform the Parse server that the “logged in user” in requests is the end user that authorized the OAuth application. For this, I have created an express middleware handling request before the Parse server middleware, extracting the access token from the request, getting the correct User and Application, and then I wanted to create a Parse.Session programmatically, get the token, and set it in the request as x-parse-session-token. This way, the next handler, Parse, would treat the request as authenticated and performed by the end user.

My problem here is that I cannot find a way to create a session programmatically, I’m aware of the Parse.User.logIn, but that works only with a password.

I’ve tried the following:

const oAuthSession = await new Parse.Session().save({
  user: user // user got from Parse.Query(Parse.User) with masterKey
}, { useMasterKey: true })

But get a Cannot modify readonly attribute user error.

Any hidden method to programmatically create a Parse.Session without a password ?

Thanks

davimacedo · June 14, 2021, 1:40am

I think you can use the middleware to set req.userFromJWT with the user object. Take a look in here: parse-server/middlewares.js at f6a41729a7a3adc6bd5310cefb3458835b4abb58 · parse-community/parse-server · GitHub

philippea · June 15, 2021, 2:29pm

Thanks a lot, it is working great:
const user = await new Parse.Query(Parse.User).get(‘idOfUser’);
req.userFromJWT = user;

davimacedo · June 15, 2021, 4:18pm

Cool. Thanks for the feedback.