parse-server: [2.3.2] Always unauthorized using sessionToken from user (request.user)

Issue Description

My instance of Parse Server always errors out with the error “ParseError { code: undefined, message: ‘unauthorized’ }” when using find({sessionToken: <the session token>}). The session token is retrieved with “request.user.getSessionToken()”.

Steps to reproduce

var token = request.user.getSessionToken(); // it is not null
var query = new Parse.Query(MyTable);
query.find({sessionToken: token}).then(function(results) {
...
});

Expected Results

No error

Actual Outcome

ParseError { code: undefined, message: ‘unauthorized’ }

Environment Setup

  • Server

    • parse-server version (Be specific! Don’t say ‘latest’.) : 2.3.2
    • Operating System: Ubuntu 14.04 LTS
    • Hardware:
        Architecture: x86_64
        CPU op-mode(s): 32-bit, 64-bit
        Byte Order: Little Endian
        CPU(s): 6
        On-line CPU(s) list: 0-5
        Thread(s) per core: 1
        Core(s) per socket: 1
        Socket(s): 6
        NUMA node(s): 1
        Vendor ID: GenuineIntel
        CPU family: 6
        Model: 63
        Stepping: 2
        CPU MHz: 2499.980
        BogoMIPS: 5001.29
        Hypervisor vendor: KVM
        Virtualization type: full
        L1d cache: 32K
        L1i cache: 32K
        L2 cache: 4096K
        NUMA node0 CPU(s): 0-5
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): Linode
  • Database

    • MongoDB version: 3.0.8
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): Local to the same machine

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 21 (7 by maintainers)

Most upvoted comments

javascriptKey is not optional if you are using javascript, e.g. cloud code. It should be safe to omit if you are just connecting to parse-server to perform queries from a REST or .Net client for example.

The change in 2.2.24 is to enforce key security correctly. Previously if any key was omitted then none were checked, which removed the point of having keys and which led to an undesirable workaround of having to specify unused keys if you wanted key security.

You should be able to remove all client keys from config if you want to disable key security, although I’ve not tried how this works with cloud code.

This change does seem to cause a lot of issues so perhaps the documentation needs an update?

This is now solved!

Saw this issue https://github.com/ParsePlatform/parse-server/issues/3577, and I had done something similar. Previously I had configured my cloud code with 'unused' as the JAVASCRIPT_KEY, but this does not work anymore. So now I supply the configured JAVASCRIPT_KEY in my cloud code. I thought I could leave it empty or null, but that does not seem to work.

I suppose this behaviour was introduced in https://github.com/ParsePlatform/parse-server/commit/e788d49af01b2e1ee09d29ce805300e0875a6322

I have the same problem since I attempted to upgrade yesterday. Last known good version for me (using sessionToken) was 2.2.23.
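
A simplified model of the client-key check described in the comments above, added here as an example; it is not parse-server's code and not part of the original thread. The function names and key values are constructed, and clientKey, dotNetKey and restAPIKey are assumed to be the other client key options alongside javascriptKey.

```javascript
// Simplified model of the client-key check described in the thread.
// Not parse-server source: function names and sample keys are constructed.
const KEY_NAMES = ['clientKey', 'javascriptKey', 'dotNetKey', 'restAPIKey'];

// True when the request presents a key equal to the configured key of the same type.
function presentsConfiguredKey(config, request) {
  return KEY_NAMES.some(
    (name) => config[name] !== undefined && request[name] === config[name]
  );
}

// Behaviour before the change, as the comment describes it:
// if any key type is left out of the config, no key is checked at all.
function allowedBefore(config, request) {
  const allConfigured = KEY_NAMES.every((name) => config[name] !== undefined);
  return !allConfigured || presentsConfiguredKey(config, request);
}

// Behaviour after the change: as soon as one key is configured, the request
// must present a matching key; with no keys configured, key security is off.
function allowedAfter(config, request) {
  const anyConfigured = KEY_NAMES.some((name) => config[name] !== undefined);
  return !anyConfigured || presentsConfiguredKey(config, request);
}

// Constructed scenarios modelled on the thread.
const serverConfig = { javascriptKey: 'js-key-from-config' }; // only one key set
const scenarios = {
  placeholderKey: { javascriptKey: 'unused' },            // cloud code given a dummy key
  emptyKey: {},                                           // key left empty or null
  configuredKey: { javascriptKey: 'js-key-from-config' }  // cloud code given the real key
};

// Evaluate every scenario against a server config under both rule sets.
function evaluate(config) {
  const out = {};
  for (const [label, request] of Object.entries(scenarios)) {
    out[label] = {
      before: allowedBefore(config, request),
      after: allowedAfter(config, request)
    };
  }
  return out;
}

console.table(evaluate(serverConfig));
// No client keys in the config: every request passes the key check.
console.table(evaluate({}));
```

In this model only the request carrying the configured javascriptKey passes once any key is set, which matches the fix reported in the thread.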