How to sanitize post request

Hi, if I use "api.use('/access_token', function(req, res) {}" to accept POST requests, how do I sanitize the POST request? I saw "this.route('GET', '/serverInfo', middleware.promiseEnforceMasterKeyAccess, req => {}" to enforce the Master Key Access. But is this enough? Thanks

Instead of api.use you can use api.post to only accept POST requests. And to check if the request is made with the master key you can use bodyparser and extract the X-Parse-Master-Key header. If the header exists and the value is correct, the request is made with the master key.

@uzaysan I added the master key requirement to my path: api.post('/access_token', middlewares.promiseEnforceMasterKeyAccess, function (req, res) {}

My curl request becomes:

curl -X POST \
-H "X-Parse-Application-Id: xxxx" \
-H "X-Parse-Master-Key: yyyyy" \
-H "Content-Type: application/json" \
-d '{"uid":2882341273,"channelName":"7d72365eb983485397e3e3f9d460bdda"}' \
http://localhost:1337/parse/access_token

However, the curl request stops working now. It just stops and there are no errors and no response.
If my curl does not have the master key field, parse server will say "the master key is required".
Any ideas why this happens? Thanks

What's the code on this? In middlewares.promiseEnforceMasterKeyAccess you have to either send a response in the middleware, or call next() in order to pass the request to the controllers. If you don't do either of these, the request will wait. You won't get any response or error.

@uzaysan I think this is the reason for my problem. How do I send a response in the middleware, or call next() in order to pass request to controllers? Do you have an example? Thanks

Express passes 3 parameters to functions: req, res and next. So in your case your middleware should look like this.

function(req, res, next) {
  const requestMasterKey = req.headers["x-parse-master-key"];
  if (yourMasterKey === requestMasterKey) {
    // Request is made with valid masterKey
    return next();
  }
  // No masterkey or masterkey is invalid.
  return res.status(403).send('Only master can use this function.')
}

You can use this in your route:

api.use('/access_token', function(req, res, next) {
  const requestMasterKey = req.headers["x-parse-master-key"];
  if (yourMasterKey === requestMasterKey) {
    // Request is made with valid masterKey
    return next();
  }
  // No masterkey or masterkey is invalid.
  return res.status(403).send('Only master can use this function.')
}, function(req, res) {
  // Your logic here
});

@uzaysan Thanks. It works. But if I want to use middleware.promiseEnforceMasterKeyAccess in this.route('GET', '/serverInfo', middleware.promiseEnforceMasterKeyAccess, req => {}, how should I write my code?

A problem with your approach is that I have to hard-code yourMasterKey === requestMasterKey. Is it possible to read the MasterKey from env variables? My env variables are defined in config.json.

Thanks

Where do you want to put this code? In which file? Can you point me to the source on the parse-server repo? The syntax is correct, therefore it should work. But it doesn't. I'm not sure why. If you can give more information, that would be great.

You can read the variable the same way you read it in the index.js file when you construct your parse server.

Hi, I saw this example here: parse-server/FeaturesRouter.js at master · parse-community/parse-server · GitHub

Then, I want to add this to here: parse-server/ParseServer.js at master · parse-community/parse-server · GitHub

Thanks

You can use the option in my previous message. And instead of hardcoding the master key you can get the master key from options. The app function takes options as a parameter, which is an object. You can extract masterKey from there.

api.use('/access_token', function(req, res, next) {
  const requestMasterKey = req.headers["x-parse-master-key"];
  if (options.masterKey === requestMasterKey) {
    // Request is made with valid masterKey
    return next();
  }
  // No masterkey or masterkey is invalid.
  return res.status(403).send('Only master can use this function.')
}, function(req, res) {
  // Your logic here
});

@uzaysan Thanks. This works. But if I still want to use middleware.promiseEnforceMasterKeyAccess, is there a way to rewrite my code? I am just curious.

I don't think you can use that in bare middleware. That function is written for the router class.

@uzaysan I understand now. Thanks