parse-server: The option "masterKeyIps" cannot be disabled

New Issue Checklist

Issue Description

Parse-server 6.0.0 allow to restrict IPs than can use the MasterKey using the option “masterKeyIps”. The documentation says “Setting ['0.0.0.0/0'] means disabling the filter and the master key can be used from any IP address”. In fact, even localhost is blocked.

Steps to reproduce

Juste install and configure Parse-Server v6 with the last Parse-Dashboard on your local machine. Try to launch without the “masterKeyIps” option. Parse dashboard should works well. Try with masterKeyIps: [‘0.0.0.0/0’], after login, Parse Dashboard should display “Server not reachable: unauthorized: master key is required” and the node console should display “error: Request using master key rejected as the request IP address ‘::1’ is not set in Parse Server option ‘masterKeyIps’.”

Actual Outcome

MasterKey is not usable anywhere with masterKeyIps: [‘0.0.0.0/0’]

Expected Outcome

MasterKey should be usable everywhere with masterKeyIps: [‘0.0.0.0/0’]

Environment

parse-server 6.0.0 parse-dashboard 5.0.0

Server

  • Parse Server version: 6.0.0
  • Operating system: Windows 10
  • Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Local

Database

  • System (MongoDB or Postgres): Postgres
  • Database version: 15
  • Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): Local

Client

  • SDK (iOS, Android, JavaScript, PHP, Unity, etc): JS
  • SDK version: 4.0.0

Logs

error: Request using master key rejected as the request IP address ‘::1’ is not set in Parse Server option ‘masterKeyIps’. Error: unauthorized: master key is required at handler (C:\GitProjects\jdm\node_modules\parse-server\src\middlewares.js:459:19) at C:\GitProjects\jdm\node_modules\parse-server\src\PromiseRouter.js:72:20 at processTicksAndRejections (node:internal/process/task_queues:95:5)

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Reactions: 2
  • Comments: 61 (35 by maintainers)

Most upvoted comments

For anyone who wants to allow any IP address to use the master key:

  • The current Parse Server option masterKeyIps cannot compare IPv4 and IPv6 against each other. Each IP version range needs to be defined separately. For example, masterKeyIps: ['0.0.0.0/0'] allows any IPv4 address, but no IPv6 address to use the master key. Conversely, masterKeyIps: ['::/0'] allows any IPv6 address, but no IPv4 address.

  • Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local test may use a different IP version than a remote test. It’s possible that locally masterKeyIps: ['0.0.0.0/0'] works because it’s using IPv4, but when the app is deployed remotely, it doesn’t allow to use the master key because it’s using IPv6.

  • To allow any IPv4 and IPv6 address to use the master key, and effectively “disable” the IP filter, use masterKeyIps: ['0.0.0.0/0', '::/0'].

  • Note that ['0.0.0.0/0', '::/1'] is not the same as ['0.0.0.0/0', '::/0']. I mention this because this combination has been posted here and elsewhere with the false expectation to allow any IP address.

  • IPv6 addresses with a zone index (% suffix) may not be supported by this feature, for example 2001:db8:3333:4444:5555:6666:7777:8888%12.

  • When setting the option via environment variable the notation is a comma-separated string, for example PARSE_SERVER_MASTER_KEY_IPS = "0.0.0.0/0,::/0".

  • To deny the use of master key for every IP address, even from within Cloud Code for localhost, set an empty array masterKeyIps: []. This is currently not possible via environment variable, as there is no way to pass an empty array to Parse Server via an environment variable. For example, PARSE_SERVER_MASTER_KEY_IPS = "[]" will just be ignored.

  • Check the correct spelling of the option, which is masterKeyIps and not for example masterKeyIPs.

I’ve condensed this and amended the Parse Server options docs in https://github.com/parse-community/parse-server/pull/8814.

If anyone is still facing issues after considering the above, please let us know. Otherwise we’ll consider this just a documentation issue and close this via #8814.

+11
mtrezza on Feb 22, 2024

For anyone still experiencing this issue, please try masterKeyIps: ['0.0.0.0/0', '::/0'] to effectively allow any IPv4 and IPv6 address. The comment above contained a typo and did not contain the slash in the IPv6 address (::0), which has been corrected now.

+2
mtrezza on Feb 22, 2024

@parse-community/server Bringing some attention to this issue; there are several reports of the feature not working and PR’s that have seemingly unsuccessfully attempted to fix the issue (see PRs linked to this issue). If we cannot fix the bug we may need to remove the feature.

+2
mtrezza on Oct 7, 2023

I guess you’d need to specify IPv6 ranges separately. Could you try to set masterKeyIps: ['::/0']? In theory you should be able to set masterKeyIps: ['0.0.0.0/0', '::/0'], but I’m not sure the features supports a mix of IPv4 and IPv6.

+2
mtrezza on Feb 3, 2023

@mtrezza My issue was related to some package I used for caching. I deleted my comments to avoid confusion. The ip detection works.

+1
andreisucman on Oct 23, 2023

@mtrezza ::ffff:192.168.0.156 is a localhost on my scenario as I ran the postman client on the same machine where the parse server is running.

+1
chillaxdev on Apr 2, 2023

Do you mean we can close the issue?

Yes! Thanks. All is ok

+1
VKlapan on Mar 23, 2023

Could you copy/paste the log entry and the respective config you’ve set for Parse Server? Just to make sure.

+1
mtrezza on Mar 23, 2023

@VKlapan masterKey and maintenanceKey are not the same.

Sorry, it is my misprint - of course, I had used masterKeyIps: [], but without effect. So, I need any help yet.

+1
VKlapan on Mar 21, 2023

@VKlapan masterKey and maintenanceKey are not the same.

+1
mtrezza on Mar 20, 2023

Hi!

I try to use parse-server 6.0.0 in docker, but have the same problem: Request using master key rejected as the request IP address ‘172.21.0.1’ is not set in Parse Server option ‘masterKeyIps’

which I can’t resolve by adding maintenanceKeyIps: [‘172.21.0.1’] to config.

Any other ideas?

+1
VKlapan on Mar 20, 2023

'::' does not work. '::ffff:192.168.0.156' works.

Also, this is my serverURL: http://192.168.0.156:1337/parse

Server is running on Windows 10 x86_64 Pro.

For testing the API, I used the postman client locally to send a request with X-Parse-Master-Key set in the header.

+1
chillaxdev on Mar 5, 2023

Thanks for reporting back. I reopened to find out where this is actually a bug or only a docs issue.

There should be 2 working solutions for the issue you described:

  • a) ['::1'] which is the IPv6 notation for localhost
  • b) ['::/0'] which allows any IPv6 address.
  • c) ['::'] which allows any IPv6 address, just a different notation from (b) with range omitted.

It seems you already verified that (a) works. Could you also verify (b), ©?

+1
mtrezza on Mar 1, 2023
Read more comments on GitHub
← parse-server: Support wildcard classname in cloud triggers
parse-server: throw Parse.Error in Custom Authentication Module doesn't get treated as Parse.Error →