
Security with cloud functions using parse.com

I am working with parse.com and looking at making my app secure. I think I have understood the basic principles of ACLs, CLPs, and Cloud functions well. My main question comes from Part IV of the parse.com blog. By using a cloud function I should be securing my app, but what prevents someone from calling this cloud function multiple times? The example is the following, defined in the cloud:

Parse.Cloud.define("like", function(request, response) {
  var post = new Parse.Object("Post");
  post.id = request.params.postId;
  post.increment("likes");
  post.save(null, { useMasterKey: true }).then(function() {
    response.success();
  }, function(error) {
    response.error(error);
  });
});

This should be used in my JS code as:

Parse.Cloud.run('like', {postId : theIdOfMyPost}).then(function(results){
  // ok
}, function(err) {
  console.log(err);
});

Now, if someone looks at my code, he will understand quite quickly what is going on: just call/run this cloud function multiple times, and the likes on the post will rise. This is not much of a big deal here, but I believe this could lead to a security breach in a more complicated app?

Behind the scenes, Parse surely has load balancing measures in place to throttle consecutive requests from a single source, usually to increase quality of service as well as to detect and prevent DDoS attacks.

The scenario you provided can be prevented with good design on your part. To deal with multiple likes from a single user, you restrict a user to being able to Like something only once. Generally you do not let anyone manipulate your counter directly; you increase/decrease this counter only as a by-product of a user's action.

Let's say a user likes a photo in your app. In your database, every user object has a Like Relation (which acts kind of like a high-performance list) that keeps track of which photos he has liked so far. Every time he likes a photo, you go through this list and, if the photo is not in there, you add that photo to the Relation and then bump up the photo's Like counter. When he unlikes the photo, you perform the opposite. This way not only can your app scale up reliably, but your counters will not be open to abuse by a malicious user.
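The design described in the answer, written out as an added example (not code from the question, the answer, or Parse itself). Parse objects and Relations are replaced by an in-memory store so the logic runs stand-alone; in real Cloud Code each step would be a query or save done with the master key. The store layout, the function names and the `request` shape are assumptions made for the example; the one Parse-specific point it relies on is that Cloud Code exposes the authenticated caller as `request.user`, which is where the user's identity must come from (never from `request.params`).

```javascript
// Added example: a like counter that only moves as a by-product of a
// per-user "liked" set, so repeated calls cannot inflate it.
// In-memory store stands in for Parse.Object / Parse.Relation (assumption).

function createStore() {
  return {
    posts: new Map(),      // postId -> { likes: number }
    userLikes: new Map(),  // userId -> Set of postId (the per-user Relation)
  };
}

function addPost(store, postId) {
  store.posts.set(postId, { likes: 0 });
}

// The user's "Like Relation": which posts this user has already liked.
function likedBy(store, userId) {
  if (!store.userLikes.has(userId)) store.userLikes.set(userId, new Set());
  return store.userLikes.get(userId);
}

// Like a post at most once per user. Returns whether anything changed
// and the resulting counter value.
function like(store, userId, postId) {
  const post = store.posts.get(postId);
  if (!post) throw new Error('no such post: ' + postId);
  const liked = likedBy(store, userId);
  if (liked.has(postId)) {
    // Already liked: the counter must not move again.
    return { changed: false, likes: post.likes };
  }
  liked.add(postId);   // record the relation first ...
  post.likes += 1;     // ... then bump the counter as a by-product
  return { changed: true, likes: post.likes };
}

// The opposite operation: only decrement if this user had actually liked it.
function unlike(store, userId, postId) {
  const post = store.posts.get(postId);
  if (!post) throw new Error('no such post: ' + postId);
  const liked = likedBy(store, userId);
  if (!liked.has(postId)) {
    return { changed: false, likes: post.likes };
  }
  liked.delete(postId);
  post.likes -= 1;
  return { changed: true, likes: post.likes };
}

// Cloud-function-shaped entry point. `request.user` is the session's user
// (what Parse Cloud Code provides); a caller cannot supply someone else's
// user id in params, and anonymous callers are rejected outright.
function handleLikeRequest(store, request) {
  if (!request.user || !request.user.id) {
    throw new Error('login required');
  }
  if (typeof request.params.postId !== 'string') {
    throw new Error('postId must be a string');
  }
  return like(store, request.user.id, request.params.postId);
}

// Constructed demo: one post, one user calling "like" three times.
const demo = createStore();
addPost(demo, 'post-1');
for (let i = 0; i < 3; i++) {
  console.log(handleLikeRequest(demo, { user: { id: 'alice' }, params: { postId: 'post-1' } }));
}

module.exports = { createStore, addPost, like, unlike, handleLikeRequest };
```

One caveat the in-memory version hides: the "check the relation, then add and increment" sequence is a read-then-write, so two concurrent calls from the same user can both pass the check. In a real backend, enforce the one-like-per-user rule with a uniqueness constraint on the (user, post) pair, or otherwise serialize the check and the write, rather than trusting the check alone.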
