Throw error when setting authData to null

[mtrezza]

Fixed authData field in DB overwriting synthesized authData field that contains values of _auth_data_* fields.

Fixed only for mongoDB & Postgres.

[dplewis]

Looks good. Can you add a test case?

[codecov]

Codecov Report

Merging #6154 into master will decrease coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #6154      +/-   ##
==========================================
- Coverage   93.76%   93.75%   -0.01%     
==========================================
  Files         166      166              
  Lines       11271    11291      +20     
==========================================
+ Hits        10568    10586      +18     
- Misses        703      705       +2

Impacted Files	Coverage Δ
src/Adapters/Storage/Mongo/MongoTransform.js	88.67% <100%> (+0.21%)	⬆️
src/RestWrite.js	93.42% <100%> (-0.48%)	⬇️
src/Routers/FilesRouter.js	92.72% <0%> (-0.26%)	⬇️
src/Adapters/Files/FilesAdapter.js	100% <0%> (ø)	⬆️
src/ParseServer.js	97.59% <0%> (+0.05%)	⬆️
src/Adapters/Files/GridFSBucketAdapter.js	68.85% <0%> (+0.51%)	⬆️
src/Controllers/FilesController.js	93.02% <0%> (+0.52%)	⬆️
src/Adapters/Files/GridStoreAdapter.js	46.37% <0%> (+0.78%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ac4d9ed...a02fcd2. Read the comment docs.

[mtrezza]

Actually it would be better to test this on a higher level instead of MongoTransform, so the test would be automatically done for mongoDB and Postgres, right?

[dplewis]

Yes, a REST call will work. I’ll do some additional testing on my end.

[mtrezza]

Added a test on ParseUser that reproduces the exact same error:

[mtrezza]

Is there a way I can easily execute the test locally with Postgres? I only see the failing tests once I update the PR.

[dplewis]

Checkout the Contribution guide

https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md#run-your-tests-against-postgres-optional

[dplewis]

@mtrezza @acinader Instead of ignoring should we throw and error similar to user.unset('authData').

The goal here is to prevent directly manipulating authData in favor of unlink and link

[mtrezza]

@dplewis Good point, throwing would create more awareness that there is something wrong than ignoring. Currently the server has an uncaught internal exception, so the benefit of this PR would be a proper error description.

_{Sent with GitHawk}

[dplewis]

@mtrezza @acinader How does this look?

[mtrezza]

@dplewis

• can’t see properly on mobile, but does this only throw for auth in _User class? Should be allowed for other classes.
• appears to me that the changes correctly disallow setting authData, but an existing authData field in the _User class will again throw an uncaught internal exception. So how about adding those cases again and throwing when there’s an authData field?

_{Sent with GitHawk}

[dplewis]

does this only throw for auth in _User class?

Yes here checks if user class or not

an existing authData field in the _User class will again throw

I don't believe it will throw again. This is a fail fast solution, doesn't matter what's in the DB. Can you write a failing test just in case?

[mtrezza]

@dplewis The test you removed from MongoTransform would be the failing test. Can you try with that enabled? I believe it will fail. The issue was that in the transform, the authData field from the DB overwrites the synthesized authData field for the User object. So I believe we should add the case again and throw right there in the tranform for Mongo and Postgres.

If that doesn’t make much sense I can add the changes when I’m not on mobile.

Regarding backwards compatibility, I believe it wouldn’t be worse than the current internal server exception if we throw there.

_{Sent with GitHawk}

[dplewis]

@mtrezza Oh I get what you are saying. My fix prevents setting authData. Your fix checks if authData field already exists and prevents it from overriding.

[mtrezza]

@dplewis Correct, I believe adding both makes sense. We could also ignore and log a warning when authData exists. Is that something we usually do for that level of severity?

_{Sent with GitHawk}

[dplewis]

@mtrezza I added back your changes and wrote more tests.

[mtrezza]

@dplewis I think we are getting close :)

[acinader]

this looks good.

[mtrezza]

(fighting with the review feature)

[dplewis]

@mtrezza Nice working with you, we should do this again sometime. 👍

[mtrezza]

@dplewis I agree, was my pleasure.