How secure is Cloud Code?

Parse Server 📡 Cloud Code
#1

Can someone help me understand how secure CloudCode is? Like who can access it? Is it publicly available / open like an API?

And if someone somehow knows the cloudcode functions, can they just start calling it and wreck havok if they have like the clientkey and applicationId?

Basically I’m trying to figure out what functions I can move to CloudCode and what should be kept off. Like I’m assuming deleteUser(with: userId) with a masterkey should be kept off CloudCode as someone can easily just send a call to that cloudcode function and delete a user but deleteUser with the proper ACL / CLP might be doable ?

What kind of security issues should I watch out for when creating / running cloudcode functions?

thanks in advance.

#2

Cloud code is public available for anyone who knows that it exists and has the keys. In order to turn it secure, you have to implement your own logic on cloud code to check if the user calling it has access to perform the operation.

1 Like
#3

thanks @davimacedo !

something like this with a check if a user is logged in best way to do it you think?

or does anyone know of the proper way to check if a user requesting is logged in properly?

thanks in advance.

#4

On cloud code if user is logged in request.user will be the user thats logged in in the client app. İf the not logged in, request.user will be undefined.

Parse.Cloud.define("someCloudCode", async (request) => {
  if (request.user) {
    // request.user is defined. User is logged in.
  }
  else {
    // request.user is undefined or null. Not logged in.
  }
});
#5

Got it. thanks @uzaysan

Follow up question, wouldn’t the user object be easily spoofed by a skilled hacker?

With that in mind, I’ve been trying to see if it’s possible to check if the token I get back from

user.getSessionToken()

is a valid one just for that extra security but I can’t seem to find a way to check if the sessiontoken attached to the user object is valid.

Any ideas / leads?

thanks a bunch

#6

You can query the session token and check that expiresAt is still valid. Here’s the starter, and you can figure out how to compare expiresAt to the current date:

1 Like
#7

I might be corrected, but isn’t request.user inferred internally from the request’s session token? It’s not possible for a hacker to set the requests’ user, they can only set the session token. Middleware auth then looks up this session token and then sets req.user, if the token is valid and not expired. Otherwise, req.user will be empty.

4 Likes
#9

Looking into this now. I appreciate it a lot sir!

#10

thank you. that makes sense. :slight_smile:

beforeSave data validation
#11

I just found out that the starting Parse Server Cloud Code 4.4, there’s a new Cloud Code Validation feature that could work as well.

Link to Cloud Code Docs

Which basically allows checking of a variable and if a user is defined. There are also more advanced options mentioned in the document.

Here is the example from the link Cloud Code Documentation:

Parse.Cloud.define("averageStars", async (request) => {
  const query = new Parse.Query("Review");
  query.equalTo("movie", request.params.movie);
  const results = await query.find();
  let sum = 0;
  for (let i = 0; i < results.length; ++i) {
    sum += results[i].get("stars");
  }
  return sum / results.length;
},{
  fields : ['movie'],
  requireUser: true
});