Remove sensitive data from authData

After I save my user using a third party authentication, some sensitive data stays saved in the user's authData field, like the external auth token and id of the user. For security reasons, such as to prevent exposing this info in a case where the DB leaks, I wanted to remove the authData value:

Parse.Cloud.afterSave(Parse.User, async request => {
  // This prevents an infinite loop from cleaning authdata from the user.
  if (!request.object.get("authData")) return;

  // Remove session sensitive data from third party auth
  request.object.set("authData", null);
  request.object.save(null, { useMasterKey: true });
});

Internal (Parse) session info is ok to keep. But external tokens and ids are dangerous.

In this code, I get the error:

Error: This authentication method is unsupported.

Is there a way to do this?

The field authData does not actually exist in the DB; it is synthesized from the _auth_data_* fields in the DB, so direct manipulation does not work in all cases.

The correct way to delete authData is either to call ParseUser.unlink or to use a REST call:

body: {
    "authData": {
        "facebook": null
    }
}

Your expectation seems valid and intuitive, so Parse Server should probably interpret a request to set authData to null correctly as removing all authData entries. You could also try to unset the authData field, not sure if that works.
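The REST form of the unlink described in the answer above, generalized to every provider linked on a user, as an added example that is not part of the original thread or Parse Server's own code. It assumes the call is made from server-side code with the master key; the server URL, app id, key and sample user are constructed placeholders.

```javascript
// Added example (not Parse Server code). URL, app id, master key and the
// sample user below are constructed placeholders.

// Build {"authData": {"<provider>": null, ...}} for every linked provider.
// Each provider lives in its own _auth_data_<provider> field, so each one is
// nulled by name instead of setting authData as a whole.
function buildUnlinkBody(authData) {
  const providers = Object.keys(authData || {}).filter(
    (name) => authData[name] !== null && authData[name] !== undefined
  );
  if (providers.length === 0) return null; // nothing linked, nothing to send
  const cleared = {};
  for (const name of providers) cleared[name] = null;
  return { authData: cleared };
}

// Describe the PUT /users/<objectId> request without sending it.
function buildUnlinkRequest(serverUrl, appId, masterKey, user) {
  const body = buildUnlinkBody(user.authData);
  if (!body) return null;
  const base = serverUrl.replace(/\/+$/, "");
  return {
    url: `${base}/users/${encodeURIComponent(user.objectId)}`,
    method: "PUT",
    headers: {
      "X-Parse-Application-Id": appId,
      "X-Parse-Master-Key": masterKey, // server-side only, never in client code
      "Content-Type": "application/json",
    },
    body: JSON.stringify(body),
  };
}

// Send the request (global fetch, Node 18+). Not called here: runs offline.
async function unlinkAllProviders(serverUrl, appId, masterKey, user) {
  const req = buildUnlinkRequest(serverUrl, appId, masterKey, user);
  if (!req) return false;
  const { url, ...init } = req;
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`unlink failed: HTTP ${res.status}`);
  return true;
}

// Constructed sample: a user with one linked provider.
const sampleUser = {
  objectId: "abc123XYZ0",
  authData: { facebook: { id: "1000001", access_token: "EXAMPLE-TOKEN" } },
};
console.log(buildUnlinkRequest("https://example.com/parse", "APP_ID", "MASTER_KEY", sampleUser));
```

Unlinking removes the provider's user id along with the token, so a later login through that provider will no longer match this user.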

Hi @rhuanbarreto in Parse V5, your issue will be easy to solve.

I've worked on a new Auth Adapter system, and it will be possible to control the data saved/returned at login/register time! https://github.com/parse-community/parse-server/pull/7079

You are right, in many use cases, if you do not need the 3rd party token to query 3rd party data, it's a best practice not to store these tokens.

Amazing Job you did!

But it's not clear in your PR how to do such a thing. Did you make a PR for docs as well?

Hi @rhuanbarreto

With new handles like validateLogin/validateSignup or even with the validateAuthData

These functions will now be able to return an object that helps the parse-server know what to do with authData.

Ex:

async validateAuthData(authData){
   const id = authData.id
   // Do your validation stuff
   await validateToken(authData.token)
   return {
     // Only save the id into the DB
     save: { id },
     // Response object will be available on the login response under `authDataResponse`
     // Parse.User.get('authDataResponse').myLoginProvider.message (for example)
     // this is optional
     response: { message: "Welcome back" }
   }
}

Also, if you want to prevent authData from being updated on an already existing user:

async validateLogin(authData){
   const id = authData.id
   // Do your validation stuff
   await validateToken(authData.token)
   return {
     // Parse Server will not update authData
     // By default Parse always updates authData after login/signUp with the freshly provided authData
     // If you implement a custom Auth Provider like an email/password, it could be useful to keep Parse Server
     // from updating the hashed password with the clear password provided at login time
     doNotSave: true
   }
}

So the only thing is when this is going to be released! Looking forward to updating Parse in order to use it!

Yes @rhuanbarreto the PR is quite active: feat: new auth adapter and webauthn by Moumouls · Pull Request #7079 · parse-community/parse-server · GitHub

We need a last review check from other maintainers and this feature should be available under Parse Server 5.X.

Then I’ll be happy to get your feedback on this new feature to improve your app security :rocket: