How to sanitize post request

Hi, if I use “api.use(’/access_token’, function(req, res) {}” to accept post request, how do I sanitize the post request? I saw “this.route(‘GET’, ‘/serverInfo’, middleware.promiseEnforceMasterKeyAccess, req => {}” to enforce the Master Key Access. But is this enough? Thanks

instead of api.use you can use api.post to only accept post request. And to check if request is made with master key you can use bodyparser and extract X-Parse-Master-Key header. İf the header exists and value is correct, request is made with master key.

@uzaysan I added the master key requirement to my path: api.post('/access_token', middlewares.promiseEnforceMasterKeyAccess, function (req, res) {}

My curl request becomes:

curl -X POST \
-H "X-Parse-Application-Id: xxxx" \
-H "X-Parse-Master-Key: yyyyy" \
-H "Content-Type: application/json" \
-d '{"uid":2882341273,"channelName":"7d72365eb983485397e3e3f9d460bdda"}' \
http://localhost:1337/parse/access_token

However, the curl request stops working now. It just stops and there are no errors and no reponse.
If my curl does not have the master key field, parse server will say “the master key is required”.
Any ideas why this happens? Thanks

Whats the code on this? middlewares.promiseEnforceMasterKeyAccess you have to either send a response in the middleware, or call next() in order to pass request to controllers. İf you don’t do any of this request will wait. You won’t get any response or error.

@uzaysan I think this is the reason for my problem. How do I send a response in the middleware, or call next() in order to pass request to controllers? Do you have an example? Thanks

express pass 3 parameters to functions. req, res and next. So in your case your middleware should look like this.

function(req, res, next) {
  const requestMasterKey = req.headers["x-parse-master-key"];
  if (yourMasterKey === requestMasterKey) {
    // Request is made with valid masterKey
    return next();
  }
  // No masterkey or masterkey is invalid.
  return res.status(403).send('Only master can use this function.')
}

You can use this in your route:

api.use(’/access_token’, function(req, res, next) {
  const requestMasterKey = req.headers["x-parse-master-key"];
  if (yourMasterKey === requestMasterKey) {
    // Request is made with valid masterKey
    return next();
  }
  // No masterkey or masterkey is invalid.
  return res.status(403).send('Only master can use this function.')
}, function(req, res) {
  // Your logic here
});

@uzaysan Thanks. It works. But if I want to use middleware.promiseEnforceMasterKeyAccess in this.route('GET', '/serverInfo', middleware.promiseEnforceMasterKeyAccess, req => {}, how should I write my code?

A problem of your approach is I have to hard code yourMasterKey === requestMasterKey, is it possible to read the MasterKey from env variables. My env variables are definited in config.json.

Thanks

Where do you want to put this code? İn which file? Can you point me the source on parse-server repo? Syntax is correct therefore it should work. But ıt doesnt. I’m not sure why. If you can give more information, that would be great.

You can read variable with the same way you read in index.js file when you construct your parse server.

Hi, I saw this example here: parse-server/FeaturesRouter.js at master · parse-community/parse-server · GitHub

Then, I want to add this to here: parse-server/ParseServer.js at master · parse-community/parse-server · GitHub

Thanks

You can use the option in my previous message. And instead of hardcoding master key you can get master key from options. app function takes options as parameter which is object. You can extract masterKey from there.

api.use(’/access_token’, function(req, res, next) {
  const requestMasterKey = req.headers["x-parse-master-key"];
  if (options.masterKey === requestMasterKey) {
    // Request is made with valid masterKey
    return next();
  }
  // No masterkey or masterkey is invalid.
  return res.status(403).send('Only master can use this function.')
}, function(req, res) {
  // Your logic here
});

@uzaysan Thanks. This works. But if I still want to use middleware.promiseEnforceMasterKeyAccess, is there a way to rewrite my code? I am just curious.

I don’t think you can use that in bare middleware. That function is written for router class

@uzaysan I understand now. Thanks