Can someone help me understand how secure CloudCode is? Like who can access it? Is it publicly available / open like an API?
And if someone somehow knows the cloudcode functions, can they just start calling it and wreck havok if they have like the clientkey and applicationId?
Basically I’m trying to figure out what functions I can move to CloudCode and what should be kept off. Like I’m assuming deleteUser(with: userId) with a masterkey should be kept off CloudCode as someone can easily just send a call to that cloudcode function and delete a user but deleteUser with the proper ACL / CLP might be doable ?
What kind of security issues should I watch out for when creating / running cloudcode functions?
Cloud code is public available for anyone who knows that it exists and has the keys. In order to turn it secure, you have to implement your own logic on cloud code to check if the user calling it has access to perform the operation.
On cloud code if user is logged in request.user will be the user thats logged in in the client app. İf the not logged in, request.user will be undefined.
Parse.Cloud.define("someCloudCode", async (request) => {
if (request.user) {
// request.user is defined. User is logged in.
}
else {
// request.user is undefined or null. Not logged in.
}
});
You can query the session token and check that expiresAt is still valid. Here’s the starter, and you can figure out how to compare expiresAt to the current date:
I might be corrected, but isn’t request.user inferred internally from the request’s session token? It’s not possible for a hacker to set the requests’ user, they can only set the session token. Middleware auth then looks up this session token and then sets req.user, if the token is valid and not expired. Otherwise, req.user will be empty.