Session Token validation with NodeJS

I would need to see some code or something, can you setup a sandbox environment and pm me the details. I’m happy to help as I have been in this position with Parse and it’s frustrating as hell.

Can you post the code, where you are trying this: I validate the session token server side then send the response (this is where I’m stuck)?

That’s the code I posted above with the axios request. In postman it gives me a successful response but in node with axios, it gives me an 403 error.

I will message you about setting up a sandbox environment. Thank you.

I’m actually facing a similar situation with Nuxt when running on SSR. In Nuxt there’s a certain function (asyncData) that’s called on both server side and client side to initialize the data.

asyncData() {
  Parse.User.current();
}

When running on server side, it’s bound to error because there’s no access to the localStorage. I know I can ditch the Parse SDK and use REST API instead, it’ll be too much of wrapping codes to do.

Or, I could separate the codes depending if it’s running on server or client, but it’s going to duplicated everywhere.

I tried to set the RESTController to read the sessionToken from cookies.

Parse.CoreManager.setRESTController({
  ajax: (...args) => RESTController.ajax.apply(null, args),
  request(...args) {
    const token = getSessionToken(req.headers.cookie)
    return injectSessionToken(token, RESTController).apply(null, args);
  },
})

I was too naive, Parse SDK is a singleton, under race conditions, user A could access user B’s data.

My takeaway was that Parse is not a good choice for SSR, especially the data you’re trying to access is restricted. I guess I’m going to stick with SPA for now.

Instead of using Parse.User static methods, you’d need to send { sessionToken: “” } option in each of your queries.

The problem with sending is not an issue, the main our problem is that, server-side, there is no documented method of verifying a token for validity, e.g. like Firebase has https://firebase.google.com/docs/auth/admin/verify-id-tokens

I have the exact same questions and I can’t really get how a server may verify a client request of authenticity, without a token verification or any sort of checking. Session object is locked (even when master-key is present, why?!), and other methods are obsolete for token validation.

OK, so it took me a lot more time to figure it out, but I got a function that supposed to verify a token and returns the user ID in case it’s logged in or false otherwise. I want to use it server-side, for client-checks:

const verifyToken = token => {

  const query = new Parse.Query(Parse.Object.extend("_Session"));

  return query.equalTo("sessionToken", token).find({ useMasterKey:false, sessionToken:token })
.then( validSessionToken => {
  // There is at least one token
  let userID = false;

  try {
    userID = validSessionToken[0].attributes.user.id;
  }catch(e){}

  return userID;
})
.catch(function(error) {
  // No Suck token in Sessions
 return false;
   });

}

You can test it like:

const goodToken = 'r:6386f8902c5f0e46ea47b5e1f74af27b'
const falseToken = 'r:c799ca30b02a5d134e56850390ed095c';

verifyToken( goodToken ).then( res => {
  console.log('result', res);
});

Hope this will save someone’s time. Cheers!

1 Like

I use to check the session token and return the logged user using this function in the server side:

async function loggedUser(sessionToken) {
  const loggedUserSessionQuery = new Parse.Query(Parse.Session);
  loggedUserSessionQuery.equalTo('sessionToken', sessionToken);
  loggedUserSessionQuery.include('user');

  const loggedUserSession = await loggedUserSessionQuery.first({
    sessionToken
  });

  if (!loggedUserSession) {
    throw new Error('Invalid session token.');
  }

  return loggedUserSession.get('user');
}