Custom middleware

Hello,
In middleware on Parse Server, is it possible to intercept a request if it uses the master key? I tried adding middleware, but the req body/headers do not have any args (app ID or master key).

I suspect that this data is encoded, but I have no idea what name to use to get it.

Thanks for all…

In middleware I don't remember, but in a Cloud Code function it is "req.master".

1 Like

It's true, but I need the verification before the request enters Parse Server, to apply a custom limit on the use of my master key.
Thanks for your answer!!

Well, you can use Express as middleware and check req.headers for the master key, keeping your master key in a system ENV variable; this way only the server side will have access to your master key. If the key is correct, the request can next() to your Parse Server.
:+1:

1 Like
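An added example (not part of any post in this thread, and not Parse Server's own code) of the middleware check discussed above. It looks for the master key in both places it can travel: the `X-Parse-Master-Key` header that REST clients send, and the `_MasterKey` field that the Parse JS SDK puts inside a `text/plain` JSON body. The allowlist, the function names and the assumption that an earlier body parser has filled `req.body` are illustrative.

```javascript
// Added example, not from the thread. Names and the allowlist are assumptions.
const ALLOWED_MASTER_IPS = new Set(['127.0.0.1', '::1']); // constructed sample

// True when the request presents a master key, in either place it can travel.
function presentsMasterKey(headers, body) {
  // REST clients send it as a header; Node lower-cases incoming header names.
  if (headers['x-parse-master-key']) return true;
  // The Parse JS SDK posts JSON with Content-Type text/plain and puts the
  // credentials in the body (_ApplicationId, _MasterKey), so a JSON-only body
  // parser leaves req.body empty and no key shows up in the headers.
  let parsed = body;
  if (typeof body === 'string' || Buffer.isBuffer(body)) {
    try {
      parsed = JSON.parse(body.toString('utf8'));
    } catch (err) {
      return false; // not JSON (for example a file upload)
    }
  }
  return Boolean(parsed && typeof parsed === 'object' && parsed._MasterKey);
}

// Express-style middleware factory. Assumes an earlier body parser that also
// accepts text/plain has filled req.body, and that req.ip is the real client
// address (behind a proxy this needs Express "trust proxy" set correctly).
function masterKeyIpGuard(allowedIps) {
  return function (req, res, next) {
    if (presentsMasterKey(req.headers, req.body) && !allowedIps.has(req.ip)) {
      // Same generic answer for every rejected caller; never echo the key.
      res.status(403).json({ error: 'unauthorized' });
      return;
    }
    next(); // requests without a master key (mobile SDKs) pass through
  };
}

// Hypothetical wiring, before the Parse Server mount:
//   app.use('/parse', masterKeyIpGuard(ALLOWED_MASTER_IPS));
```

Keep Parse Server's own `masterKeyIps` option set as well: this example only covers the header and JS SDK body forms, so it is a second layer and not a replacement.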

I tried, but the request headers do not have this arg.

My test uses my dashboard, and its requests do not contain these args. I tried searching the Parse Server source code for how these args are read, but I had no success.
Thanks for your time!!!

OK, but for security reasons you can't send the master key to the client side; the dashboard is a client-side app.

Maybe you need the "useMasterKey" option, so you can use the "before/after" methods to check whether it is the master key, like this:

```js
Parse.Cloud.beforeSave('ClasseName', async (req) => {
  const { master } = req

  if (!master) {
    throw 'Only master key has permission to change this class.'
  }
})
```
1 Like

How does the server know which app has master key permission? For example, in the dashboard I have permission to alter all fields.

You can use Parse Dashboard with master key, but not public dashboards.

I think you should have a "Role" like "admin", so that users in this role are allowed to run some "cloud functions" (from the Parse SDK/API). The server checks whether the user has this role and, if so, goes ahead and runs the function, for example:

```js
/// Check if the user is in the role
/// ---------------------------------------------------------------------------------------
async function userInRole({ roleName, user }) {
  const query = new Parse.Query(Parse.Role)
  query.equalTo('name', roleName)
  query.equalTo('users', user)
  return await query.first({ useMasterKey: true })
}

/// Cloud code function
/// ---------------------------------------------------------------------------------------
Parse.Cloud.define('runMasterKeyQuery', async (req) => {
  // get the user from the request
  const { user } = req

  // reject unauthenticated calls before querying the role
  if (!user) {
    throw `You don't have permission to continue.`
  }

  // check if the user is in the admin role (pass the user object itself)
  const isAdmin = await userInRole({ roleName: 'admin', user })
  if (!isAdmin) {
    throw `You don't have permission to continue.`
  }

  // rest of the code that requires "useMasterKey" or not, but is only run on the server side, by admin users.
  // ...
})
```

I will explain my case in more detail. I need to limit access for the master key, but I need to guarantee access for the SDKs. I tried using masterKeyIps to limit access by IP, but when I call a cloud function from any device, I get an error ("no have permission"). Now my plan is to use middleware to check when a request uses the master key (for example, the dashboard) and check whether the IP is valid, but the req params do not have the master key. I read the code in Parse Server but could not find how the master key is decoded from the request.

For example, when I use:

```
parse-dashboard --dev --appId yourAppId --masterKey yourMasterKey --serverURL "https://example.com/parse" --appName optionalName
```

I need to limit access to my server to some IPs.

Thanks a lot for your time!!!

So, Parse Server has it by default, just a config: https://github.com/parse-community/parse-server/blob/3bd5684f67a16ec96907b50ab5fc9daa9e4fa8e0/src/Options/Definitions.js#L222

Before you try to understand or change the Parse code, look at these options; there are a lot that solve many issues. :+1:

I tried this, but I get an error when the Android SDK calls cloud functions. For example:

```js
new ParseServer({
  masterKeyIps: ['xx.xx.xxxx']
});
```

But when I call functions on the device, it crashes!

Can you share the error message?

When I use cloud code in my apps:

Endpoint: /parse/functions/login

```
{"error":"unauthorized"}
```

Now I understand your point, your question (sorry for the delay, hahaha).
But to find out whether the request is using the master key on login, for example, you can just use the triggers that Parse has: http://docs.parseplatform.org/cloudcode/guide/#beforelogin-triggers

```js
Parse.Cloud.beforeLogin(async (req) => {
  const { master } = req
  console.log('master', master)
})
```

About this error: the endpoint for login is "/login", a POST request. It works fine in my tests here, even using the master key.

1 Like