Skip to content

Commit

Permalink
Remove hidden properties in handleLogin & handleMe (#4335)
Browse files Browse the repository at this point in the history
  • Loading branch information
gyratorycircus authored and montymxb committed Nov 10, 2017
1 parent 08ab1f4 commit 932a474
Show file tree
Hide file tree
Showing 2 changed files with 87 additions and 9 deletions.
69 changes: 68 additions & 1 deletion spec/ParseUser.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -3038,7 +3038,7 @@ describe('Parse.User testing', () => {
});
});

it('should not retrieve hidden fields', done => {
it('should not retrieve hidden fields on GET users/me (#3432)', done => {

var emailAdapter = {
sendVerificationEmail: () => {},
Expand Down Expand Up @@ -3073,6 +3073,34 @@ describe('Parse.User testing', () => {
expect(res.emailVerified).toBe(false);
expect(res._email_verify_token).toBeUndefined();
done()
}).catch((err) => {
fail(JSON.stringify(err));
done();
});
});

it('should not retrieve hidden fields on GET users/id (#3432)', done => {

var emailAdapter = {
sendVerificationEmail: () => {},
sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => Promise.resolve()
}

const user = new Parse.User();
user.set({
username: 'hello',
password: 'world',
email: "test@email.com"
})

reconfigureServer({
appName: 'unused',
verifyUserEmails: true,
emailAdapter: emailAdapter,
publicServerURL: "http://localhost:8378/1"
}).then(() => {
return user.signUp();
}).then(() => rp({
method: 'GET',
url: 'http://localhost:8378/1/users/' + Parse.User.current().id,
Expand All @@ -3091,6 +3119,45 @@ describe('Parse.User testing', () => {
});
});

it('should not retrieve hidden fields on login (#3432)', done => {

var emailAdapter = {
sendVerificationEmail: () => {},
sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => Promise.resolve()
}

const user = new Parse.User();
user.set({
username: 'hello',
password: 'world',
email: "test@email.com"
})

reconfigureServer({
appName: 'unused',
verifyUserEmails: true,
emailAdapter: emailAdapter,
publicServerURL: "http://localhost:8378/1"
}).then(() => {
return user.signUp();
}).then(() => rp.get({
url: 'http://localhost:8378/1/login?email=test@email.com&username=hello&password=world',
json: true,
headers: {
'X-Parse-Application-Id': Parse.applicationId,
'X-Parse-REST-API-Key': 'rest'
},
})).then((res) => {
expect(res.emailVerified).toBe(false);
expect(res._email_verify_token).toBeUndefined();
done();
}).catch((err) => {
fail(JSON.stringify(err));
done();
});
});

it('should not allow updates to hidden fields', done => {
var emailAdapter = {
sendVerificationEmail: () => {},
Expand Down
27 changes: 19 additions & 8 deletions src/Routers/UsersRouter.js
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,21 @@ export class UsersRouter extends ClassesRouter {
return '_User';
}

/**
* Removes all "_" prefixed properties from an object, except "__type"
* @param {Object} obj An object.
*/
static removeHiddenProperties (obj) {
for (var key in obj) {
if (obj.hasOwnProperty(key)) {
// Regexp comes from Parse.Object.prototype.validate
if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
delete obj[key];
}
}
}
}

handleMe(req) {
if (!req.info || !req.info.sessionToken) {
throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
Expand All @@ -35,14 +50,7 @@ export class UsersRouter extends ClassesRouter {
user.sessionToken = sessionToken;

// Remove hidden properties.
for (var key in user) {
if (user.hasOwnProperty(key)) {
// Regexp comes from Parse.Object.prototype.validate
if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
delete user[key];
}
}
}
UsersRouter.removeHiddenProperties(user);

return { response: user };
}
Expand Down Expand Up @@ -125,6 +133,9 @@ export class UsersRouter extends ClassesRouter {
user.sessionToken = token;
delete user.password;

// Remove hidden properties.
UsersRouter.removeHiddenProperties(user);

// Sometimes the authData still has null on that keys
// https://github.com/parse-community/parse-server/issues/935
if (user.authData) {
Expand Down

0 comments on commit 932a474

Please sign in to comment.