Custom middleware

pc-cesar · July 14, 2020, 6:46pm

Hello,
In middleware on parse serve it is possible intercept request if this use master key? i try put middleware,but in req body/headers not have any args(app id or master key).

i suspect what this data is encoded,but not have idea whats the name for get.

Thanks for all…

jadsonlourenco · July 15, 2020, 10:10pm

In middleware I don’t remember, but on cloud code function is "req.master".

pc-cesar · July 16, 2020, 1:57pm

it’s true,but i need verification before enter in parse server,for apply custom limited use in my masterkey.
thankss for your answer!!

jadsonlourenco · July 16, 2020, 2:15pm

Well, you can use express as middleware and verify the req.headers for the master key, using your master key as system ENV, in this way just the server side will have access of your master key. If the key is correct the request can next() to your Parse Server.

pc-cesar · July 16, 2020, 4:08pm

i try, but in request headers not have this arg.

My test using my dashboard, and in your reqs not contain this args,and trying search in parse server background code ,how this args is get, but i not have success.
thanks for your time!!!

jadsonlourenco · July 16, 2020, 5:13pm

Ok, but for security reason you can’t send the master key to the client side, the dashboard is a client side app.

Maybe you need “useMasterKey” option, so, you can use the “before/after” methods to check if is the master key, like this:

Parse.Cloud.beforeSave('ClasseName', async (req) => {  
  const { master } = req

  if (!master) {
    throw 'Only master key has permission to change this class.'
  }
})

pc-cesar · July 16, 2020, 5:58pm

how server know what app have master key permission?for exemplo dashboard, i have permission for alter all fields.

jadsonlourenco · July 16, 2020, 7:36pm

You can use Parse Dashboard with master key, but not public dashboards.

I think you should have a “Role” like “admin”, that users on this role will be granted to run some “cloud functions” (from parse SDK/API), the server check if the user has this role, if has go ahead and run the function, for example:

/// Check if user is on the Role
/// ---------------------------------------------------------------------------------------
async function userInRole({ roleName, user }) {
  const query = new Parse.Query(Parse.Role)
  query.equalTo('name', roleName)
  query.equalTo('users', user)
  return await query.first({ useMasterKey: true })
}

/// Cloud code function
/// ---------------------------------------------------------------------------------------
Parse.Cloud.define('runMasterKeyQuery', async (req) => {
  // get user from request
  const { user } = req
  
  // check if the user are on the admin role
  const isAdmin = await userInRole({ roleName: 'admin', user.id })
  if (!isAdmin) {
    throw `You don't have permission to continue.`
  }
  
  // rest of the code that require "useMasterKey" or not, but only run by the server side, by admin users.
  ...
})

pc-cesar · July 16, 2020, 8:07pm

i go to explaim my case using more details, need limited acess for masterkey,but i need garanted acess for SDks,i try use masterKeyIps for limited acess using ip,but when i call clound funciontion in any device, i get error(“no have permission”),now my plan is use middleware for check when req use masterkey(for exemplo dashboard) and check if ip is valid, but in req params not have masterkey,i read code in parse serve but not find how masterkey is deconded by request.

for exemple when i use:

parse-dashboard --dev --appId yourAppId --masterKey yourMasterKey --serverURL "https://example.com/parse" --appName optionalName

i need limited access in my serve for some ips

thanks a lot for you time!!!

jadsonlourenco · July 16, 2020, 8:28pm

So, Parse Server has it by default, just a config: https://github.com/parse-community/parse-server/blob/3bd5684f67a16ec96907b50ab5fc9daa9e4fa8e0/src/Options/Definitions.js#L222

Before you try to understand or change Parse code, look at this options, has a lot that solve many issues.

pc-cesar · July 16, 2020, 8:31pm

i try this,but i get error when android sdk call clound functions,for exemple:

new ParseServer({
masterKeyIps: [‘xx.xx.xxxx’]
});

but when call functions in device,crash !

jadsonlourenco · July 16, 2020, 9:40pm

Can you share the error message?

pc-cesar · July 17, 2020, 11:54am

when i use clound in my apps:

end point /parse/functions/login

{“error”:“unauthorized”}

jadsonlourenco · July 17, 2020, 1:53pm

Now I understand your point, your question (sorry the delay, hahaha).
But the answer to get if the request are using the master key on login for examples you just use the triggers that Parse has: Cloud Code Guide | Parse

Parse.Cloud.beforeLogin(async (req) => {
  const { master }  = req
  console.log('master', master)
})

About this error: the endpoint to login is “/login”, POST request. Works fine on my tests here, even using master key.

teddysbeach · October 12, 2021, 2:06am

Need to change user.id to user
It helped me a lot. Thank you!