Merge branch 'upstream/master' into moumouls/auth-adapter-spec

.github/ISSUE_TEMPLATE/---1-report-an-issue.md

@@ -8,7 +8,11 @@ assignees: ''
 ---
 
 ### New Issue Checklist
-<!-- Please check the following boxes [ ] -> [x] before submitting your issue. Click the "Preview" tab for better readability. Thanks for reporting issues back to Parse Server! -->
+<!--
+    Please check the following boxes [x] before submitting your issue.
+    Click the "Preview" tab for better readability.
+    Thanks for contributing to Parse Server!
+-->
 
 - [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
 - [ ] I am not just asking a [question](https://github.com/parse-community/.github/blob/master/SUPPORT.md).
@@ -27,6 +31,16 @@ assignees: ''
 ### Expected Outcome
 <!-- What outcome, for example query result, did you expect? -->
 
+### Failing Test Case / Pull Request
+<!--
+    Check one of the following boxes [x] if you added a PR and add the link.
+    See the contribution guide for how add a test cases:
+    https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md
+-->
+
+- [ ] 🤩 I submitted a PR with a fix and a test case.
+- [ ] 🧐 I submitted a PR with a failing test case.
+
 ###  Environment
 <!-- Be specific with versions, don't use "latest" or semver ranges like "~x.y.z" or "^x.y.z". -->
 

.github/ISSUE_TEMPLATE/---2-feature-request.md

@@ -7,14 +7,28 @@ assignees: ''
 
 ---
 
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+### New Feature / Enhancement Checklist
+<!--
+    Please check the following boxes [x] before submitting your issue.
+    Click the "Preview" tab for better readability.
+    Thanks for contributing to Parse Server!
+-->
 
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
+- [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
+- [ ] I am not just asking a [question](https://github.com/parse-community/.github/blob/master/SUPPORT.md).
+- [ ] I have searched through [existing issues](https://github.com/parse-community/parse-server/issues?q=is%3Aissue).
 
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
+### Current Limitation
+<!-- Which current limitation is the feature or enhancement addressing? -->
 
-**Additional context**
-Add any other context or screenshots about the feature request here.
+### Feature / Enhancement Description
+<!-- What is the concept of the functionality and how should it be implemented? -->
+
+### Example Use Case
+<!-- What is an example use case in steps (1. / 2. / 3. / etc.) that describes the functionality? -->
+
+### Alternatives / Workarounds
+<!-- Which alternatives or workarounds exist currently? -->
+
+### 3rd Party References
+<!-- Have you seen a similar functionality provided somewhere else? -->

.github/pull_request_template.md

@@ -0,0 +1,30 @@
+### New Pull Request Checklist
+<!--
+    Please check the following boxes [x] before submitting your issue.
+    Click the "Preview" tab for better readability.
+    Thanks for contributing to Parse Server!
+-->
+
+- [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
+- [ ] I am creating this PR in reference to an [issue](https://github.com/parse-community/parse-server/issues?q=is%3Aissue).
+
+### Issue Description
+<!-- Add a brief description of the issue this PR solves. -->
+
+Related issue: FILL_THIS_OUT
+
+### Approach
+<!-- Add a description of the approach in this PR. -->
+
+### TODOs before merging
+<!--
+    Add TODOs that need to be completed before merging this PR.
+    Delete suggested TODOs that do not apply to this PR.
+-->
+
+- [ ] Add test cases
+- [ ] Add entry to changelog
+- [ ] Add changes to documentation (guides, repository pages, in-code descriptions)
+- [ ] Add [security check](https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md#security-checks)
+- [ ] Add new Parse Error codes to Parse JS SDK <!-- no hard-coded error codes in Parse Server -->
+- [ ] ...

.github/workflows/release.yml

@@ -0,0 +1,63 @@
+name: release
+on:
+  release:
+    types: [published]
+jobs:
+  publish-npm:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v1
+        with:
+          node-version: '10.14'
+          registry-url: https://registry.npmjs.org/
+      - name: Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+              ${{ runner.os }}-node-
+      - run: npm ci
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+  publish-docs:
+    runs-on: ubuntu-18.04
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: '10.14'
+      - name: Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+              ${{ runner.os }}-node-
+      - name: Get Tag
+        uses: actions/github-script@v3
+        id: tag
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          result-encoding: string
+          script: |
+            const ref = process.env.GITHUB_REF
+            if(!ref.startsWith('refs/tags/'))
+              return ''
+            return ref.replace(/^refs\/tags\//, '')
+      - name: Generate Docs
+        run: |
+          echo $SOURCE_TAG
+          npm ci
+          ./release_docs.sh
+        env:
+          SOURCE_TAG: ${{ steps.tag.outputs.result }}
+      - name: Deploy
+        uses: peaceiris/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./docs

CHANGELOG.md

@@ -1,7 +1,35 @@
 ## Parse Server Changelog
 
 ### master
-[Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...master)
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.0...master)
+
+__BREAKING CHANGES:__
+- NEW: Added file upload restriction. File upload is now only allowed for authenticated users by default for improved security. To allow file upload also for Anonymous Users or Public, set the `fileUpload` parameter in the [Parse Server Options](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html). [#7071](https://github.com/parse-community/parse-server/pull/7071). Thanks to [dblythy](https://github.com/dblythy).
+___
+- IMPROVE: Optimize queries on classes with pointer permissions. [#7061](https://github.com/parse-community/parse-server/pull/7061). Thanks to [Pedro Diaz](https://github.com/pdiaz)
+- FIX: request.context for afterFind triggers. [#7078](https://github.com/parse-community/parse-server/pull/7078). Thanks to [dblythy](https://github.com/dblythy)
+
+### 4.5.0
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...4.5.0)
+
+__BREAKING CHANGES:__
+- FIX: Consistent casing for afterLiveQueryEvent. The afterLiveQueryEvent was introduced in 4.4.0 with inconsistent casing for the event names, which was fixed in 4.5.0. [#7023](https://github.com/parse-community/parse-server/pull/7023). Thanks to [dblythy](https://github.com/dblythy).
+___
+- FIX: Properly handle serverURL and publicServerUrl in Batch requests. [#7049](https://github.com/parse-community/parse-server/pull/7049). Thanks to [Zach Goldberg](https://github.com/ZachGoldberg).
+- IMPROVE: Prevent invalid column names (className and length). [#7053](https://github.com/parse-community/parse-server/pull/7053). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- IMPROVE: GraphQL: Remove viewer from logout mutation. [#7029](https://github.com/parse-community/parse-server/pull/7029). Thanks to [Antoine Cormouls](https://github.com/Moumouls).
+- IMPROVE: GraphQL: Optimize on Relation. [#7044](https://github.com/parse-community/parse-server/pull/7044). Thanks to [Antoine Cormouls](https://github.com/Moumouls).
+- NEW: Include sessionToken in onLiveQueryEvent. [#7043](https://github.com/parse-community/parse-server/pull/7043). Thanks to [dblythy](https://github.com/dblythy).
+- FIX: Definitions for accountLockout and passwordPolicy. [#7040](https://github.com/parse-community/parse-server/pull/7040). Thanks to [dblythy](https://github.com/dblythy).
+- FIX: Fix typo in server definitions for emailVerifyTokenReuseIfValid. [#7037](https://github.com/parse-community/parse-server/pull/7037). Thanks to [dblythy](https://github.com/dblythy).
+- SECURITY FIX: LDAP auth stores password in plain text. See [GHSA-4w46-w44m-3jq3](https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3) for more details about the vulnerability and [da905a3](https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a) for the fix. Thanks to [Fabian Strachanski](https://github.com/fastrde).
+- NEW: Reuse tokens if they haven't expired. [#7017](https://github.com/parse-community/parse-server/pull/7017). Thanks to [dblythy](https://github.com/dblythy).
+- NEW: Add LDAPS-support to LDAP-Authcontroller. [#7014](https://github.com/parse-community/parse-server/pull/7014). Thanks to [Fabian Strachanski](https://github.com/fastrde).
+- FIX: (beforeSave/afterSave): Return value instead of Parse.Op for nested fields. [#7005](https://github.com/parse-community/parse-server/pull/7005). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- FIX: (beforeSave): Skip Sanitizing Database results. [#7003](https://github.com/parse-community/parse-server/pull/7003). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- FIX: Fix includeAll for querying a Pointer and Pointer array. [#7002](https://github.com/parse-community/parse-server/pull/7002). Thanks to [Corey Baker](https://github.com/cbaker6).
+- FIX: Add encryptionKey to src/options/index.js. [#6999](https://github.com/parse-community/parse-server/pull/6999). Thanks to [dblythy](https://github.com/dblythy).
+- IMPROVE: Update PostgresStorageAdapter.js. [#6989](https://github.com/parse-community/parse-server/pull/6989). Thanks to [Vitaly Tomilov](https://github.com/vitaly-t).
 
 ### 4.4.0
 [Full Changelog](https://github.com/parse-community/parse-server/compare/4.3.0...4.4.0)

CONTRIBUTING.md

@@ -101,7 +101,18 @@ If you want to make changes to [Parse Server Configuration][config] add the desi
 
 To view docs run `npm run docs` and check the `/out` directory.
 
-### Code of Conduct
+## Feature Considerations
+### Security Checks
+
+The Parse Server security checks feature warns developers about weak security settings in their Parse Server deployment.
+
+A security check needs to be added for every new feature or enhancement that allows the developer to configure it in a way that weakens security mechanisms or exposes functionality which creates a weak spot for malicious attacks. If you are not sure whether your feature or enhancements requires a security check, feel free to ask.
+
+For example, allowing public read and write to a class may be useful to simplify development but should be disallowed in a production environment.
+
+Security checks are added in [SecurityChecks.js](https://github.com/parse-community/parse-server/blob/master/src/SecurityChecks.js).
+
+## Code of Conduct
 
 This project adheres to the [Contributor Covenant Code of Conduct](https://github.com/parse-community/parse-server/blob/master/CODE_OF_CONDUCT.md). By participating, you are expected to honor this code.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "4.4.0",
+  "version": "4.5.0",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

release_docs.sh

@@ -1,11 +1,11 @@
 #!/bin/sh -e
 set -x
-if [ "${TRAVIS_REPO_SLUG}" = "" ];
+if [ "${GITHUB_ACTIONS}" = "" ];
 then
-  echo "Cannot release docs without TRAVIS_REPO_SLUG set"
+  echo "Cannot release docs without GITHUB_ACTIONS set"
   exit 0;
 fi
-REPO="https://github.com/${TRAVIS_REPO_SLUG}"
+REPO="https://github.com/parse-community/parse-server"
 
 rm -rf docs
 git clone -b gh-pages --single-branch $REPO ./docs
@@ -15,9 +15,9 @@ cd ..
 
 DEST="master"
 
-if [ "${TRAVIS_TAG}" != "" ];
+if [ "${SOURCE_TAG}" != "" ];
 then
-  DEST="${TRAVIS_TAG}"
+  DEST="${SOURCE_TAG}"
   # change the default page to the latest
   echo "<meta http-equiv='refresh' content='0; url=/parse-server/api/${DEST}'>" > "docs/api/index.html"
 fi

resources/buildConfigDefinitions.js

@@ -47,7 +47,8 @@ function getENVPrefix(iface) {
     'LiveQueryOptions' : 'PARSE_SERVER_LIVEQUERY_',
     'IdempotencyOptions' : 'PARSE_SERVER_EXPERIMENTAL_IDEMPOTENCY_',
     'AccountLockoutOptions' : 'PARSE_SERVER_ACCOUNT_LOCKOUT_',
-    'PasswordPolicyOptions' : 'PARSE_SERVER_PASSWORD_POLICY_'
+    'PasswordPolicyOptions' : 'PARSE_SERVER_PASSWORD_POLICY_',
+    'FileUploadOptions' : 'PARSE_SERVER_FILE_UPLOAD_'
   }
   if (options[iface.id.name]) {
     return options[iface.id.name]
@@ -163,14 +164,8 @@ function parseDefaultValue(elt, value, t) {
     if (type == 'NumberOrBoolean') {
       literalValue = t.numericLiteral(parsers.numberOrBoolParser('')(value));
     }
-    if (type == 'CustomPagesOptions') {
-      const object = parsers.objectParser(value);
-      const props = Object.keys(object).map((key) => {
-        return t.objectProperty(key, object[value]);
-      });
-      literalValue = t.objectExpression(props);
-    }
-    if (type == 'IdempotencyOptions') {
+    const literalTypes = ['IdempotencyOptions','FileUploadOptions','CustomPagesOptions'];
+    if (literalTypes.includes(type)) {
       const object = parsers.objectParser(value);
       const props = Object.keys(object).map((key) => {
         return t.objectProperty(key, object[value]);

spec/CloudCode.spec.js

@@ -3157,4 +3157,14 @@ describe('afterLogin hook', () => {
 
     await Parse.Cloud.run('contextTest', {}, { context: { a: 'a' } });
   });
+
+  it('afterFind should have access to context', async () => {
+    Parse.Cloud.afterFind('TestObject', req => {
+      expect(req.context.a).toEqual('a');
+    });
+    const obj = new TestObject();
+    await obj.save();
+    const query = new Parse.Query(TestObject);
+    await query.find({ context: { a: 'a' } });
+  });
 });