[英]Parse Server Node.js SDK: Alternative to Parse.User.become?
I want to completely dissociate my client app from Parse server, to ease the switch to other Baas/custom backend in the future. 我想完全将我的客户端应用程序与Parse服务器分离,以便在将来轻松切换到其他Baas /自定义后端。 As such, all client request will point to a node.js server who will make the request to Parse on behalf of the user.
因此,所有客户端请求都将指向node.js服务器,该服务器将代表用户向Parse发出请求。
Client <--> Node.js Server <--> Parse Server
As such, I need the node.js server to be able to switch between users so I can keep the context of their authentification. 因此,我需要node.js服务器能够在用户之间切换,以便我可以保持其身份验证的上下文。
I know how to authentificate, then keep the sessionToken of the user, and I ve seen during my research than the "accepted" solution to this problem was to call Parse.User.disableUnsafeCurrentUser
, then using Parse.User.become()
to switch the current user to the one making a request. 我知道如何验证,然后保持用户的sessionToken,我在研究期间看到的比这个问题的“接受”解决方案是调用
Parse.User.disableUnsafeCurrentUser
,然后使用Parse.User.become()
来切换当前用户发出请求的用户。
But that feels hackish, and I m pretty sure it will, sooner or later, lead to a race condition where the current user is switched before the request is made to Parse. 但是这感觉很乱,而且我很确定它迟早会导致竞争条件,当前用户在请求进入Parse之前被切换。
Another solution I found was to not care about Parse.User, and use the masterKey to save everything by the server, but that would make the server responsible of the ACL. 我发现的另一个解决方案是不关心Parse.User,并使用masterKey来保存服务器的所有内容,但这会使服务器负责ACL。
Is there a way to make request from different user other than thoses two? 除了两个以外,有没有办法向不同的用户提出请求?
Any request to the backend ( query.find()
, object.save()
, etc) takes an optional options
parameter as the final argument. 对后端的任何请求(
query.find()
, object.save()
等)都会将可选的options
参数作为最终参数。 This lets you specify extra permissions levels, such as forcing the master key or using a specific session token. 这允许您指定额外的权限级别,例如强制主密钥或使用特定的会话令牌。
If you have the session token, your server code can make a request on behalf of that user, preserving ACL permissions. 如果您有会话令牌,则您的服务器代码可以代表该用户发出请求,从而保留ACL权限。
Let's assume you have a table of Item
objects, where we rely on ACLs to ensure that a user can only retrieve his own Items. 假设您有一个
Item
对象表,我们依赖ACL来确保用户只能检索自己的Items。 The following code would use an explicit session token and only return the Items the user can see: 以下代码将使用显式会话令牌,并仅返回用户可以看到的Items:
// fetch items visible to the user associate with `token`
fetchItems(token) {
new Parse.Query('Item')
.find({ sessionToken: token })
.then((results) => {
// do something with the items
});
}
become()
was really designed for the Parse Cloud Code environment, where each request lives in a sandbox, and you can rely on a global current user for each request. become()
实际上是为Parse Cloud Code环境设计的,其中每个请求都存在于沙箱中,您可以依赖每个请求的全局当前用户。 It doesn't really make sense in a Node.js app, and we'll probably deprecate it. 它在Node.js应用程序中没有任何意义,我们可能会弃用它。
I recently wrote a NodeJS application and had the same problem. 我最近写了一个NodeJS应用程序并遇到了同样的问题。 I found that the combination of
Parse.User.disableUnsafeCurrentUser
and Parse.User.become()
was not only hackish, but also caused several other problems I wasn't able to anticipate. 我发现
Parse.User.disableUnsafeCurrentUser
和Parse.User.become()
的组合不仅是hackish,而且还引起了一些我无法预料到的其他问题。 So here's what I did: I used Parse.Cloud.useMasterKey();
所以这就是我所做的:我使用了
Parse.Cloud.useMasterKey();
and then loaded the current user by session ID as if it was a regular user object. 然后按会话ID加载当前用户,就像它是常规用户对象一样。 It looked something like this:
它看起来像这样:
module.exports = function(req, res, next) {
var Parse = req.app.locals.parse, query;
res.locals.parse = Parse;
if (req.session.userid === undefined) {
res.locals.user = undefined;
return next();
}
Parse.Cloud.useMasterKey();
query = new Parse.Query(Parse.User);
query.equalTo("objectId", req.session.userid);
query.first().then(function(result) {
res.locals.user = result;
return next();
}, function(err) {
res.locals.user = undefined;
console.error("error recovering user " + req.session.userid);
return next();
});
};
This code can obviously be optimized, but you can see the general idea. 显然可以优化此代码,但您可以看到一般的想法。 Upside: It works!
好处:它有效! Downside: No more use of
Parse.User.current()
, and the need to take special care in the backend that no conditions occur where someone overwrites data without permission. 缺点:不再使用
Parse.User.current()
,并且需要在后端特别注意,如果有人在未经许可的情况下覆盖数据,则不会出现任何情况。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.