Merge 5385a48 into c3da290

Author: dblythy

package-lock.json

@@ -47,6 +47,7 @@
     "mime": "2.5.2",
     "mongodb": "3.6.11",
     "mustache": "4.2.0",
+    "otpauth": "7.0.6",
     "parse": "3.3.0",
     "pg-monitor": "1.4.1",
     "pg-promise": "10.11.0",

package.json

@@ -0,0 +1,178 @@
+const request = require('../lib/request');
+const TOTP = require('otpauth').TOTP;
+
+describe('Dashboard', () => {
+  const signup = (master, mfa) =>
+    request({
+      url: `${Parse.serverURL}/dashboardSignup`,
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-Master-Key': master ? Parse.masterKey : null,
+        'Content-Type': 'application/json',
+      },
+      method: 'POST',
+      body: {
+        username: '[email protected]',
+        password: 'password',
+        mfa,
+        mfaOptions: {
+          algorithm: 'SHA1',
+          period: 30,
+          digits: 6,
+        },
+        features: {
+          globalConfig: {
+            create: true,
+            read: true,
+            update: true,
+            delete: true,
+          },
+          hooks: {
+            create: true,
+            read: true,
+            update: true,
+            delete: true,
+          },
+          cloudCode: {
+            jobs: true,
+          },
+          logs: {
+            level: true,
+            size: true,
+            order: true,
+            until: true,
+            from: true,
+          },
+          push: {
+            immediatePush: true,
+            pushAudiences: true,
+            localization: true,
+          },
+          schemas: {
+            addField: true,
+            removeField: true,
+            addClass: true,
+            removeClass: true,
+            clearAllDataFromClass: true,
+            exportClass: false,
+            editClassLevelPermissions: true,
+            editPointerPermissions: true,
+          },
+        },
+      },
+      followRedirects: false,
+    }).catch(e => e);
+
+  const login = (password, otp) =>
+    request({
+      url: `${Parse.serverURL}/dashboardLogin`,
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-Master-Key': Parse.masterKey,
+        'Content-Type': 'application/json',
+      },
+      method: 'POST',
+      body: {
+        username: '[email protected]',
+        password,
+        otp,
+      },
+      followRedirects: false,
+    }).catch(e => e);
+  it('creating a user responds with 403 without masterKey', async () => {
+    const response = await signup();
+    expect(response.status).toBe(403);
+  });
+
+  it('creating a user responds with masterKey', async () => {
+    const response = await signup(true);
+    expect(response.status).toBe(201);
+    expect(response.text).toContain('[email protected]');
+  });
+
+  it('cannot query dashboard user class', async () => {
+    const response = await signup(true);
+    expect(response.status).toBe(201);
+    expect(response.text).toContain('[email protected]');
+    await expectAsync(new Parse.Query('_DashboardUser').first()).toBeRejectedWith(
+      new Parse.Error(
+        Parse.Error.OPERATION_FORBIDDEN,
+        "Clients aren't allowed to perform the find operation on the _DashboardUser collection."
+      )
+    );
+  });
+
+  it('can query dashboard user class with masterKey', async () => {
+    const response = await signup(true);
+    expect(response.status).toBe(201);
+    expect(response.text).toContain('[email protected]');
+    const [user] = await new Parse.Query('_DashboardUser').find({ useMasterKey: true });
+    expect(user).toBeDefined();
+    expect(user.get('password')).toBeUndefined();
+    expect(user.get('mfaOptions')).toBeUndefined();
+  });
+
+  it('dashboard can signup and then login', async () => {
+    const response = await signup(true, true);
+    expect(response.status).toBe(201);
+    expect(response.text).toContain('[email protected]');
+    const { mfaSecret } = JSON.parse(response.text);
+    const totp = new TOTP({
+      algorithm: 'SHA1',
+      digits: 6,
+      period: 30,
+      secret: mfaSecret,
+    });
+    const loginResponse = await login('password', totp.generate());
+    expect(loginResponse.status).toEqual(200);
+    const user = JSON.parse(loginResponse.text);
+    expect(user.username).toEqual('[email protected]');
+    expect(user.features).toBeDefined();
+    expect(user.features.globalConfig).toBeDefined();
+    expect(user.features.hooks).toBeDefined();
+    expect(user.features.cloudCode).toBeDefined();
+    expect(user.features.logs).toBeDefined();
+    expect(user.features.push).toBeDefined();
+    expect(user.features.schemas).toBeDefined();
+  });
+
+  it('dashboard can signup and then login without mfa', async () => {
+    const response = await signup(true, false);
+    expect(response.status).toBe(201);
+    expect(response.text).toContain('[email protected]');
+    const loginResponse = await login('password');
+    expect(loginResponse.status).toEqual(200);
+    const user = JSON.parse(loginResponse.text);
+    expect(user.username).toEqual('[email protected]');
+    expect(user.features).toBeDefined();
+    expect(user.features.globalConfig).toBeDefined();
+    expect(user.features.hooks).toBeDefined();
+    expect(user.features.cloudCode).toBeDefined();
+    expect(user.features.logs).toBeDefined();
+    expect(user.features.push).toBeDefined();
+    expect(user.features.schemas).toBeDefined();
+  });
+
+  it('dashboard can signup and rejects login with invalid password', async () => {
+    const response = await signup(true, false);
+    expect(response.status).toBe(201);
+    expect(response.text).toContain('[email protected]');
+    const loginResponse = await login('password2');
+    expect(loginResponse.status).toEqual(404);
+    expect(loginResponse.text).toEqual(`{"code":101,"error":"Invalid username/password."}`);
+  });
+
+  it('dashboard can signup and rejects login with invalid mfa', async () => {
+    const response = await signup(true, true);
+    expect(response.status).toBe(201);
+    expect(response.text).toContain('[email protected]');
+    const loginResponse = await login('password');
+    expect(loginResponse.status).toEqual(400);
+    expect(loginResponse.text).toEqual(
+      `{"code":211,"error":"Please specify a One Time password."}`
+    );
+    const invalidMFAResponse = await login('password', 123456);
+    expect(invalidMFAResponse.status).toEqual(400);
+    expect(invalidMFAResponse.text).toEqual(`{"code":210,"error":"Invalid One Time Password."}`);
+  });
+});

spec/DashboardRouter.spec.js

@@ -1704,6 +1704,13 @@ class DatabaseController {
       throw error;
     });
 
+    await this.adapter
+      .ensureUniqueness('_DashboardUser', requiredUserFields, ['username'])
+      .catch(error => {
+        logger.warn('Unable to ensure uniqueness for usernames: ', error);
+        throw error;
+      });
+
     await this.adapter
       .ensureIndex('_User', requiredUserFields, ['username'], 'case_insensitive_username', true)
       .catch(error => {

src/Controllers/DatabaseController.js

@@ -148,6 +148,13 @@ const defaultColumns: { [string]: SchemaFields } = Object.freeze({
     reqId: { type: 'String' },
     expire: { type: 'Date' },
   },
+  _DashboardUser: {
+    objectId: { type: 'String' },
+    username: { type: 'String' },
+    password: { type: 'String' },
+    mfaOptions: { type: 'Object' },
+    features: { type: 'Object' },
+  },
 });
 
 const requiredColumns = Object.freeze({
@@ -168,6 +175,7 @@ const systemClasses = Object.freeze([
   '_JobSchedule',
   '_Audience',
   '_Idempotency',
+  '_DashboardUser',
 ]);
 
 const volatileClasses = Object.freeze([
@@ -179,6 +187,7 @@ const volatileClasses = Object.freeze([
   '_JobSchedule',
   '_Audience',
   '_Idempotency',
+  '_DashboardUser',
 ]);
 
 // Anything that start with role
@@ -648,6 +657,15 @@ const _IdempotencySchema = convertSchemaToAdapterSchema(
     classLevelPermissions: {},
   })
 );
+
+const _DashboardUser = convertSchemaToAdapterSchema(
+  injectDefaultSchema({
+    className: '_DashboardUser',
+    fields: defaultColumns._DashboardUser,
+    classLevelPermissions: {},
+  })
+);
+
 const VolatileClassesSchemas = [
   _HooksSchema,
   _JobStatusSchema,
@@ -657,6 +675,7 @@ const VolatileClassesSchemas = [
   _GraphQLConfigSchema,
   _AudienceSchema,
   _IdempotencySchema,
+  _DashboardUser,
 ];
 
 const dbTypeMatchesObjectType = (dbType: SchemaField | string, objectType: SchemaField) => {

src/Controllers/SchemaController.js

@@ -17,6 +17,7 @@ import PromiseRouter from './PromiseRouter';
 import requiredParameter from './requiredParameter';
 import { AnalyticsRouter } from './Routers/AnalyticsRouter';
 import { ClassesRouter } from './Routers/ClassesRouter';
+import { DashboardRouter } from './Routers/DashboardRouter';
 import { FeaturesRouter } from './Routers/FeaturesRouter';
 import { FilesRouter } from './Routers/FilesRouter';
 import { FunctionsRouter } from './Routers/FunctionsRouter';
@@ -235,6 +236,7 @@ class ParseServer {
       new AudiencesRouter(),
       new AggregateRouter(),
       new SecurityRouter(),
+      new DashboardRouter(),
     ];
 
     const routes = routers.reduce((memo, router) => {

src/ParseServer.js

@@ -662,6 +662,12 @@ RestQuery.prototype.runFind = function (options = {}) {
           cleanResultAuthData(result);
         }
       }
+      if (this.className === '_DashboardUser') {
+        for (const result of results) {
+          delete result.password;
+          delete result.mfaOptions;
+        }
+      }
 
       this.config.filesController.expandFilesInObject(this.config, results);