fix: live query role cache does not clear when a user is added to a role

spec/ParseLiveQuery.spec.js

@@ -836,6 +836,50 @@ describe('ParseLiveQuery', function () {
     }
   });
 
+  it('LiveQuery should work with changing role', async () => {
+    await reconfigureServer({
+      liveQuery: {
+        classNames: ['Chat'],
+      },
+      startLiveQueryServer: true,
+    });
+    const user = new Parse.User();
+    user.setUsername('username');
+    user.setPassword('password');
+    await user.signUp();
+
+    const role = new Parse.Role('Test', new Parse.ACL(user));
+    await role.save();
+
+    const chatQuery = new Parse.Query('Chat');
+    const subscription = await chatQuery.subscribe();
+    subscription.on('create', () => {
+      fail('should not call create as user is not part of role.');
+    });
+
+    const object = new Parse.Object('Chat');
+    const acl = new Parse.ACL();
+    acl.setRoleReadAccess(role, true);
+    object.setACL(acl);
+    object.set({ foo: 'bar' });
+    await object.save(null, { useMasterKey: true });
+
+    role.getUsers().add(user);
+    await role.save();
+    await new Promise(resolve => setTimeout(resolve, 2000));
+    object.set('foo', 'yolo');
+    await Promise.all([
+      new Promise(resolve => {
+        subscription.on('update', obj => {
+          expect(obj.get('foo')).toBe('yolo');
+          expect(obj.getACL().toJSON()).toEqual({ 'role:Test': { read: true } });
+          resolve();
+        });
+      }),
+      object.save(null, { useMasterKey: true }),
+    ]);
+  });
+
   it('liveQuery on Session class', async done => {
     await reconfigureServer({
       liveQuery: { classNames: [Parse.Session] },

src/Auth.js

@@ -184,6 +184,7 @@ Auth.prototype.getRolesForUser = async function () {
 Auth.prototype._loadRoles = async function () {
   if (this.cacheController) {
     const cachedRoles = await this.cacheController.role.get(this.user.id);
+    console.log({ cachedRoles });
     if (cachedRoles != null) {
       this.fetchedRoles = true;
       this.userRoles = cachedRoles;
@@ -230,6 +231,17 @@ Auth.prototype.cacheRoles = function () {
   return true;
 };
 
+Auth.prototype.clearRoleCache = async function (sessionToken) {
+  if (!this.cacheController) {
+    return false;
+  }
+  this.cacheController.role.del(this.user.id);
+  this.cacheController.user.del(sessionToken);
+  console.log('clear', this.user.id);
+  console.log(await this.cacheController.role.get(this.user.id));
+  return true;
+};
+
 Auth.prototype.getRolesByIds = async function (ins) {
   const results = [];
   // Build an OR query across all parentRoles

src/Controllers/LiveQueryController.js

@@ -56,6 +56,13 @@ export class LiveQueryController {
     return false;
   }
 
+  clearCachedRoles(user: any) {
+    if (!user) {
+      return;
+    }
+    return this.liveQueryPublisher.onClearCachedRoles(user);
+  }
+
   _makePublisherRequest(currentObject: any, originalObject: any, classLevelPermissions: ?any): any {
     const req = {
       object: currentObject,

src/LiveQuery/ParseCloudCodePublisher.js

@@ -19,6 +19,13 @@ class ParseCloudCodePublisher {
     this._onCloudCodeMessage(Parse.applicationId + 'afterDelete', request);
   }
 
+  onClearCachedRoles(user: Parse.Object) {
+    this.parsePublisher.publish(
+      Parse.applicationId + 'clearCache',
+      JSON.stringify({ userId: user.id })
+    );
+  }
+
   // Request is the request object from cloud code functions. request.object is a ParseObject.
   _onCloudCodeMessage(type: string, request: any): void {
     logger.verbose(

src/LiveQuery/ParseLiveQueryServer.js

@@ -10,7 +10,13 @@ import { ParsePubSub } from './ParsePubSub';
 import SchemaController from '../Controllers/SchemaController';
 import _ from 'lodash';
 import { v4 as uuidv4 } from 'uuid';
-import { runLiveQueryEventHandlers, getTrigger, runTrigger, resolveError, toJSONwithObjects } from '../triggers';
+import {
+  runLiveQueryEventHandlers,
+  getTrigger,
+  runTrigger,
+  resolveError,
+  toJSONwithObjects,
+} from '../triggers';
 import { getAuthForSessionToken, Auth } from '../Auth';
 import { getCacheController } from '../Controllers';
 import LRU from 'lru-cache';
@@ -71,6 +77,7 @@ class ParseLiveQueryServer {
     this.subscriber = ParsePubSub.createSubscriber(config);
     this.subscriber.subscribe(Parse.applicationId + 'afterSave');
     this.subscriber.subscribe(Parse.applicationId + 'afterDelete');
+    this.subscriber.subscribe(Parse.applicationId + 'clearCache');
     // Register message handler for subscriber. When publisher get messages, it will publish message
     // to the subscribers and the handler will be called.
     this.subscriber.on('message', (channel, messageStr) => {
@@ -82,6 +89,11 @@ class ParseLiveQueryServer {
         logger.error('unable to parse message', messageStr, e);
         return;
       }
+      if (channel === Parse.applicationId + 'clearCache') {
+        this._clearCachedRoles(message.userId);
+        console.log('did clear cache...');
+        return;
+      }
       this._inflateParseObject(message);
       if (channel === Parse.applicationId + 'afterSave') {
         this._onAfterSave(message);
@@ -468,6 +480,35 @@ class ParseLiveQueryServer {
     return matchesQuery(parseObject, subscription.query);
   }
 
+  async _clearCachedRoles(userId: string) {
+    try {
+      const validTokens = await new Parse.Query(Parse.Session)
+        .equalTo('user', Parse.User.createWithoutData(userId))
+        .find({ useMasterKey: true });
+      console.log('clearing', userId);
+      await Promise.all(
+        validTokens.map(async token => {
+          const sessionToken = token.get('sessionToken');
+          const authPromise = this.authCache.get(sessionToken);
+          if (!authPromise) {
+            return;
+          }
+          const [auth1, auth2] = await Promise.all([
+            authPromise,
+            getAuthForSessionToken({ cacheController: this.cacheController, sessionToken }),
+          ]);
+          auth1.auth?.clearRoleCache(sessionToken);
+          auth2.auth?.clearRoleCache(sessionToken);
+          this.authCache.del(sessionToken);
+          console.log('DID Clear', sessionToken);
+        })
+      );
+    } catch (e) {
+      console.log(e);
+      logger.verbose(`Could not clear role cache. ${e}`);
+    }
+  }
+
   getAuthForSessionToken(sessionToken: ?string): Promise<{ auth: ?Auth, userId: ?string }> {
     if (!sessionToken) {
       return Promise.resolve({});
@@ -574,8 +615,8 @@ class ParseLiveQueryServer {
         if (!acl_has_roles) {
           return false;
         }
-
         const roleNames = await auth.getUserRoles();
+        console.log({ roleNames, token });
         // Finally, see if any of the user's roles allow them read access
         for (const role of roleNames) {
           // We use getReadAccess as `role` is in the form `role:roleName`

src/RestWrite.js

@@ -1326,6 +1326,7 @@ RestWrite.prototype.runDatabaseOperation = function () {
 
   if (this.className === '_Role') {
     this.config.cacheController.role.clear();
+    this.config.liveQueryController.clearCachedRoles(this.auth.user);
   }
 
   if (this.className === '_User' && this.query && this.auth.isUnauthenticated()) {