Version 2.2.24 and above breaks fetch() method - undefined, unauthorized #3051

Closed
MartinHerman opened this issue Nov 14, 2016 · 5 comments

@MartinHerman

Hi everyone,
I've discovered an error with v2.2.24 and above with the fetch() method. The same exact code worked with v2.2.23 and below - I've tested numerous lower versions and all worked. Parse SDK JS is v1.9.2 and changing to lower versions doesn't affect the error.

Here is my code:

```js
Parse.Cloud.define("pretty_function", function(req, res){
    // Build a pointer to the object without fetching it yet
    var MyClass = Parse.Object.extend("MyClass");
    var myObject = MyClass.createWithoutData(req.params.valid_object_id);

    // fetch() goes back through the server's request handling
    myObject.fetch().then(function(obj){
      res.success(obj);
    }, function(error){
      res.error(error);
    });
});
```

Error log

```
2016-11-14T15:29:55.906447+00:00 app[web.1]: error: Failed running cloud function pretty_function for user Nhb05Y36Sc with:
2016-11-14T15:29:55.906458+00:00 app[web.1]:   Input: {"valid_object_id":"6gA8W9ivhe"}
2016-11-14T15:29:55.906462+00:00 app[web.1]:   Error: {"code":141,"message":{"message":"unauthorized"}} functionName=pretty_function, code=141, code=undefined, message=unauthorized, valid_object_id=6gA8W9ivhe, user=Nhb05Y36Sc
2016-11-14T15:29:56.089761+00:00 app[web.1]: error: Error generating response. ParseError {
2016-11-14T15:29:56.089765+00:00 app[web.1]:   code: 141,
2016-11-14T15:29:56.089767+00:00 app[web.1]:   message: ParseError { code: undefined, message: 'unauthorized' } } code=141, code=undefined, message=unauthorized
2016-11-14T15:29:56.118083+00:00 app[web.1]: [object Object]
```

I'm calling it from the Parse iOS SDK 1.14.2, with an authenticated user (other authenticated calls work fine). The permissions for the object I'm trying to fetch() are Public Read, Administrator (Role) Read/Write.

As I've said, the only thing I changed is the Parse-Server version; other than that, everything stayed the same.

I've compared 2.2.23 and 2.2.24, and I'd guess the error will be somewhere in the spec/Middlewares.spec.js changes, however I can't figure it out.

I'm guessing this error appears elsewhere as well, therefore I'd consider this a critical error.

MartinHerman changed the title from "Version 2.2.24 and above breaks fetch() method in some cases" to "Version 2.2.24 and above breaks fetch() method" on Nov 14, 2016
MartinHerman changed the title from "Version 2.2.24 and above breaks fetch() method" to "Version 2.2.24 and above breaks fetch() method - unauthorized" on Nov 14, 2016
MartinHerman changed the title from "Version 2.2.24 and above breaks fetch() method - unauthorized" to "Version 2.2.24 and above breaks fetch() method - undefined, unauthorized" on Nov 14, 2016

@steven-supersolid
Contributor

Just an idea, but there was a security fix in 2.2.24 that all configured keys are now checked. Previously if you specified 3 out of 4 client keys, then none were checked.

Could you clarify which keys you have configured and which keys you are passing when you call your cloud code function? If using curl then please post that with keys obfuscated or with test keys in place.

@MartinHerman
Author

@steven-supersolid, while constructing the ParseServer, I'm passing a masterKey, clientKey and restApiKey. For my iOS app I only pass the clientKey (as described in the documentation).

I use the restApiKey for some debugging occasionally, however in the instance described, I was using the clientKey with my iOS app.

I'm also 100% sure the keys match, checked numerous times...

@steven-supersolid
Contributor

OK so that should be fine. Prior to 2.2.24 if you were not also passing dotNetKey and javascriptKey to the constructor then none of the keys were being checked.

I notice the case for your rest key is different to in the constructor, is this just a typo in this issue? It should be restAPIKey. That would be something to look into.

You may also have to specify javascriptKey to use cloud code. In the ParseServer constructor, the parse js sdk is initialized with this key (or 'unused' if missing) and mounted on the global Parse for access by cloud code. I didn't check but for queries that don't use the master key it could be using this key instead so there would be no matching keys.

Could you also post a server log with VERBOSE=1? That will shed more light on where the permission is failing.

@MartinHerman
Author

MartinHerman commented Nov 15, 2016

@steven-supersolid - the restAPIKey was a typo in this issue.

I've specified a javascriptKey, and I believe that fixes the problem.

Funny thing is, verbose will not return anything at all for this in 2.2.24, I still only get the output I've posted above. I'm doing process.env.VERBOSE = true; as the first line before the ParseServer constructor and I'm confident it works, because it verboses everything else.

I've just upgraded to the latest v2.2.25-beta.1, and still continue to monitor for problems.

This needs to be fixed - or at least mentioned in the docs - ASAP. Could cause a lot of damage if people are not careful...

@steven-supersolid
Contributor

#3070 should address this
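
The key-check change discussed in this thread, as an added example: a simplified model built only from the descriptions above, not parse-server's source and not code from either participant. Function names and key values are constructed, and the idea that cloud code presents the JS SDK key 'unused' is the contributor's unverified suggestion, taken here as an assumption.

```javascript
// Simplified model of the client-key check as described in the thread.
// Hypothetical helper names; key values are constructed samples.
const CLIENT_KEYS = ["clientKey", "javascriptKey", "dotNetKey", "restAPIKey"];

// Before 2.2.24 (per the thread): keys are enforced only when all four
// client keys are configured; with any one missing, nothing is checked.
function legacyCheck(config, presented) {
  const allConfigured = CLIENT_KEYS.every((k) => config[k] !== undefined);
  if (!allConfigured) return true; // fails open
  return CLIENT_KEYS.some((k) => presented[k] === config[k]);
}

// 2.2.24 and above (per the thread): every configured key is checked, so a
// request must present a value that matches one of the configured keys.
function strictCheck(config, presented) {
  const configured = CLIENT_KEYS.filter((k) => config[k] !== undefined);
  if (configured.length === 0) return true; // no client keys configured
  return configured.some((k) => presented[k] === config[k]);
}

// The reporter's setup: masterKey, clientKey and restAPIKey, no javascriptKey.
const reporterConfig = {
  masterKey: "mk-constructed",
  clientKey: "ck-constructed",
  restAPIKey: "rk-constructed",
};
// The workaround from the thread: also configure javascriptKey.
const fixedConfig = { ...reporterConfig, javascriptKey: "jk-constructed" };

const iosRequest = { clientKey: "ck-constructed" };
const wrongKeyRequest = { clientKey: "not-the-key" };
// Assumption: the SDK inside cloud code sends 'unused' when no
// javascriptKey was given to the constructor.
const cloudCodeFetch = { javascriptKey: "unused" };
const cloudCodeFetchFixed = { javascriptKey: "jk-constructed" };

function runScenario() {
  return {
    legacyAcceptsWrongKey: legacyCheck(reporterConfig, wrongKeyRequest),
    strictAcceptsWrongKey: strictCheck(reporterConfig, wrongKeyRequest),
    strictAcceptsIosCall: strictCheck(reporterConfig, iosRequest),
    strictAcceptsCloudFetch: strictCheck(reporterConfig, cloudCodeFetch),
    strictAcceptsCloudFetchFixed: strictCheck(fixedConfig, cloudCodeFetchFixed),
  };
}

console.log(runScenario());
```

Under these assumptions the iOS call into the cloud function passes the stricter check while the fetch() issued from inside cloud code does not, which matches the "unauthorized" in the log above and the effect of adding javascriptKey.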
