解析服务器Node.js SDK：Parse.User.become的替代方案？

Question

I want to completely dissociate my client app from Parse server, to ease the switch to other Baas/custom backend in the future. As such, all client request will point to a node.js server who will make the request to Parse on behalf of the user.

Client <--> Node.js Server <--> Parse Server

As such, I need the node.js server to be able to switch between users so I can keep the context of their authentification.

I know how to authentificate, then keep the sessionToken of the user, and I ve seen during my research than the "accepted" solution to this problem was to call Parse.User.disableUnsafeCurrentUser , then using Parse.User.become() to switch the current user to the one making a request.

But that feels hackish, and I m pretty sure it will, sooner or later, lead to a race condition where the current user is switched before the request is made to Parse.

Another solution I found was to not care about Parse.User, and use the masterKey to save everything by the server, but that would make the server responsible of the ACL.

Is there a way to make request from different user other than thoses two?

Answer 1

Any request to the backend ( query.find() , object.save() , etc) takes an optional options parameter as the final argument. This lets you specify extra permissions levels, such as forcing the master key or using a specific session token.

If you have the session token, your server code can make a request on behalf of that user, preserving ACL permissions.

Let's assume you have a table of Item objects, where we rely on ACLs to ensure that a user can only retrieve his own Items. The following code would use an explicit session token and only return the Items the user can see:

// fetch items visible to the user associate with `token`
fetchItems(token) {
  new Parse.Query('Item')
    .find({ sessionToken: token })
    .then((results) => {
      // do something with the items
    });
}

become() was really designed for the Parse Cloud Code environment, where each request lives in a sandbox, and you can rely on a global current user for each request. It doesn't really make sense in a Node.js app, and we'll probably deprecate it.

Answer 2

I recently wrote a NodeJS application and had the same problem. I found that the combination of Parse.User.disableUnsafeCurrentUser and Parse.User.become() was not only hackish, but also caused several other problems I wasn't able to anticipate. So here's what I did: I used Parse.Cloud.useMasterKey(); and then loaded the current user by session ID as if it was a regular user object. It looked something like this:

module.exports = function(req, res, next) {
  var Parse = req.app.locals.parse, query;
  res.locals.parse = Parse;
  if (req.session.userid === undefined) {
    res.locals.user = undefined;
    return next();
  }
  Parse.Cloud.useMasterKey();
  query = new Parse.Query(Parse.User); 
  query.equalTo("objectId", req.session.userid);
  query.first().then(function(result) {
    res.locals.user = result;
    return next();
  }, function(err) {
    res.locals.user = undefined;
    console.error("error recovering user " + req.session.userid);
    return next();
  });

};

This code can obviously be optimized, but you can see the general idea. Upside: It works! Downside: No more use of Parse.User.current() , and the need to take special care in the backend that no conditions occur where someone overwrites data without permission.