parse-community · dblythy · Apr 4, 2022 · Apr 4, 2022 · Feb 8, 2022 · Feb 10, 2022
diff --git a/Parse-Dashboard/app.js b/Parse-Dashboard/app.js
@@ -87,21 +87,29 @@ module.exports = function(config, options) {
         newFeaturesInLatestVersion: newFeaturesInLatestVersion,
       };
 
-      //Based on advice from Doug Wilson here:
-      //https://github.com/expressjs/express/issues/2518
-      const requestIsLocal =
-        req.connection.remoteAddress === '127.0.0.1' ||
-        req.connection.remoteAddress === '::ffff:127.0.0.1' ||
-        req.connection.remoteAddress === '::1';
-      if (!options.dev && !requestIsLocal) {
-        if (!req.secure && !options.allowInsecureHTTP) {
+      for (const key in options) {
+        if (options[key] != null && config[key] == null) {
+          config[key] = options[key];
+        }
+      }
+      if (!config.dev) {
+        if (!req.secure && !config.allowInsecureHTTP) {
           //Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
-          return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
+          return res.send({
+            success: false,
+            error:
+              'Parse Dashboard can only be remotely accessed via HTTPS.',
+            log: 'Parse Dashboard can only be remotely accessed via HTTPS. If you are running locally, use the --dev parameter which will set allowInsecureHTTP to true.',
+          });
         }
 
-        if (!users) {
-          //Accessing the dashboard over the internet can only be done with username and password
-          return res.send({ success: false, error: 'Configure a user to access Parse Dashboard remotely' });
+        if (!users && config.allowAnonymousUser) {
+          //Accessing the dashboard requires users unless allowAnonymousUser is set to `true`
+          return res.send({
+            success: false,
+            error: 'Configure a user to access Parse Dashboard.',
+            log: 'Configure a user to access Parse Dashboard. If you are running locally, use the --dev parameter which will set allowAnonymousUser to true.',
+          });
         }
       }
       const authentication = req.user;
@@ -145,7 +153,7 @@ module.exports = function(config, options) {
 
       //They didn't provide auth, and have configured the dashboard to not need auth
       //(ie. didn't supply usernames and passwords)
-      if (requestIsLocal || options.dev) {
+      if (config.dev) {
         //Allow no-auth access on localhost only, if they have configured the dashboard to not need auth
         return res.json(response);
       }

diff --git a/Parse-Dashboard/index.js b/Parse-Dashboard/index.js
@@ -25,6 +25,7 @@ program.option('--host [host]', 'the host to run parse-dashboard');
 program.option('--port [port]', 'the port to run parse-dashboard');
 program.option('--mountPath [mountPath]', 'the mount path to run parse-dashboard');
 program.option('--allowInsecureHTTP [allowInsecureHTTP]', 'set this flag when you are running the dashboard behind an HTTPS load balancer or proxy with early SSL termination.');
+program.option('--allowAnonymousUser [allowAnonymousUser]', 'set this to true if you do not require defined users to login. DO NOT ENABLE IN PRODUCTION SERVERS.');
 program.option('--sslKey [sslKey]', 'the path to the SSL private key.');
 program.option('--sslCert [sslCert]', 'the path to the SSL certificate.');
 program.option('--trustProxy [trustProxy]', 'set this flag when you are behind a front-facing proxy, such as when hosting on Heroku.  Uses X-Forwarded-* headers to determine the client\'s connection and IP address.');
@@ -67,6 +68,7 @@ let configUserId = program.userId || process.env.PARSE_DASHBOARD_USER_ID;
 let configUserPassword = program.userPassword || process.env.PARSE_DASHBOARD_USER_PASSWORD;
 let configSSLKey = program.sslKey || process.env.PARSE_DASHBOARD_SSL_KEY;
 let configSSLCert = program.sslCert || process.env.PARSE_DASHBOARD_SSL_CERT;
+const allowAnonymousUser = program.allowAnonymousUser || process.env.PARSE_DASHBOARD_ALLOW_ANONYMOUS_USER
 
 function handleSIGs(server) {
   const signals = {
@@ -174,7 +176,7 @@ const app = express();
 if (allowInsecureHTTP || trustProxy || dev) app.enable('trust proxy');
 
 config.data.trustProxy = trustProxy;
-let dashboardOptions = { allowInsecureHTTP, cookieSessionSecret, dev };
+let dashboardOptions = { allowInsecureHTTP, cookieSessionSecret, dev, allowAnonymousUser};
 app.use(mountPath, parseDashboard(config.data, dashboardOptions));
 let server;
 if(!configSSLKey || !configSSLCert){

diff --git a/Parse-Dashboard/parse-dashboard-config.json b/Parse-Dashboard/parse-dashboard-config.json
@@ -10,5 +10,6 @@
       "secondaryBackgroundColor": ""
     }
   ],
-  "iconsFolder": "icons"
+  "iconsFolder": "icons",
+  "dev": true
 }
diff --git a/README.md b/README.md
@@ -78,9 +78,9 @@ You may set the host, port and mount path by supplying the `--host`, `--port` an
 
 The `--dev` parameter disables production-ready security features. This parameter is useful when running Parse Dashboard on Docker. Using this parameter will:
 
-- allow insecure http connections from anywhere, bypassing the option `allowInsecureHTTP`
+- allow insecure http connections from anywhere, setting the option `allowInsecureHTTP` to true
 - allow the Parse Server `masterKey` to be transmitted in cleartext without encryption
-- allow dashboard access without user authentication
+- allow dashboard access without user authentication, setting the option `allowAnonymousUser` to true
 
 > ⚠️ Do not use this parameter when deploying Parse Dashboard in a production environment.
 
@@ -328,7 +328,7 @@ If you have classes with a lot of columns and you filter them often with the sam
           {
             "name": "email",
             "filterSortToTop": true
-          }          
+          }
         ]
       }
     }
@@ -451,7 +451,7 @@ With MFA enabled, a user must provide a one-time password that is typically boun
 
 The user requires an authenticator app to generate the one-time password. These apps are provided by many 3rd parties and mostly for free.
 
-If you create a new user by running `parse-dashboard --createUser`, you will be  asked whether you want to enable MFA for the new user. To enable MFA for an existing user, 
+If you create a new user by running `parse-dashboard --createUser`, you will be  asked whether you want to enable MFA for the new user. To enable MFA for an existing user,
 run `parse-dashboard --createMFA` to generate a `mfa` secret that you then add to the existing user configuration, for example:
 
 ```json

diff --git a/changelogs/CHANGELOG_alpha.md b/changelogs/CHANGELOG_alpha.md
@@ -1,3 +1,11 @@
+## [4.1.1-alpha.1](https://github.com/ParsePlatform/parse-dashboard/compare/4.1.0...4.1.1-alpha.1) (2022-04-04)
+
+
+### Bug Fixes
+
+* security upgrade js-beautify from 1.14.0 to 1.14.1 ([#2077](https://github.com/ParsePlatform/parse-dashboard/issues/2077)) ([e4ea787](https://github.com/ParsePlatform/parse-dashboard/commit/e4ea7879d88173b02d66b1339ba98805255ba82c))
+* security vulnerability bump minimist from 1.2.5 to 1.2.6 ([#2070](https://github.com/ParsePlatform/parse-dashboard/issues/2070)) ([3d0407e](https://github.com/ParsePlatform/parse-dashboard/commit/3d0407ebd75051bbbe6f0a2aba87b26475e901b9))
+
 # [4.1.0-alpha.3](https://github.com/ParsePlatform/parse-dashboard/compare/4.1.0-alpha.2...4.1.0-alpha.3) (2022-03-30)