Merge branch 'master' into master

Author: pdiaz

.github/ISSUE_TEMPLATE/---1-report-an-issue.md

@@ -8,7 +8,11 @@ assignees: ''
 ---
 
 ### New Issue Checklist
-<!-- Please check the following boxes [ ] -> [x] before submitting your issue. Click the "Preview" tab for better readability. Thanks for reporting issues back to Parse Server! -->
+<!--
+    Please check the following boxes [x] before submitting your issue.
+    Click the "Preview" tab for better readability.
+    Thanks for contributing to Parse Server!
+-->
 
 - [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
 - [ ] I am not just asking a [question](https://github.com/parse-community/.github/blob/master/SUPPORT.md).
@@ -27,6 +31,16 @@ assignees: ''
 ### Expected Outcome
 <!-- What outcome, for example query result, did you expect? -->
 
+### Failing Test Case / Pull Request
+<!--
+    Check one of the following boxes [x] if you added a PR and add the link.
+    See the contribution guide for how add a test cases:
+    https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md
+-->
+
+- [ ] 🤩 I submitted a PR with a fix and a test case.
+- [ ] 🧐 I submitted a PR with a failing test case.
+
 ###  Environment
 <!-- Be specific with versions, don't use "latest" or semver ranges like "~x.y.z" or "^x.y.z". -->
 

.github/ISSUE_TEMPLATE/---2-feature-request.md

@@ -7,14 +7,28 @@ assignees: ''
 
 ---
 
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+### New Feature / Enhancement Checklist
+<!--
+    Please check the following boxes [x] before submitting your issue.
+    Click the "Preview" tab for better readability.
+    Thanks for contributing to Parse Server!
+-->
 
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
+- [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
+- [ ] I am not just asking a [question](https://github.com/parse-community/.github/blob/master/SUPPORT.md).
+- [ ] I have searched through [existing issues](https://github.com/parse-community/parse-server/issues?q=is%3Aissue).
 
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
+### Current Limitation
+<!-- Which current limitation is the feature or enhancement addressing? -->
 
-**Additional context**
-Add any other context or screenshots about the feature request here.
+### Feature / Enhancement Description
+<!-- What is the concept of the functionality and how should it be implemented? -->
+
+### Example Use Case
+<!-- What is an example use case in steps (1. / 2. / 3. / etc.) that describes the functionality? -->
+
+### Alternatives / Workarounds
+<!-- Which alternatives or workarounds exist currently? -->
+
+### 3rd Party References
+<!-- Have you seen a similar functionality provided somewhere else? -->

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -0,0 +1,30 @@
+### New Pull Request Checklist
+<!--
+    Please check the following boxes [x] before submitting your issue.
+    Click the "Preview" tab for better readability.
+    Thanks for contributing to Parse Server!
+-->
+
+- [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
+- [ ] I am creating this PR in reference to an [issue](https://github.com/parse-community/parse-server/issues?q=is%3Aissue).
+
+### Issue Description
+<!-- Add a brief description of the issue this PR solves. -->
+
+Related issue: FILL_THIS_OUT
+
+### Approach
+<!-- Add a description of the approach in this PR. -->
+
+### TODOs before merging
+<!--
+    Add TODOs that need to be completed before merging this PR.
+    Delete suggested TODOs that do not apply to this PR.
+-->
+
+- [ ] Add test cases
+- [ ] Add entry to changelog
+- [ ] Add changes to documentation (guides, repository pages, in-code descriptions)
+- [ ] Add [security check](https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md#security-checks)
+- [ ] Add new Parse Error codes to Parse JS SDK <!-- no hard-coded error codes in Parse Server -->
+- [ ] ...

.github/workflows/release.yml

@@ -0,0 +1,63 @@
+name: release
+on:
+  release:
+    types: [published]
+jobs:
+  publish-npm:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v1
+        with:
+          node-version: '10.14'
+          registry-url: https://registry.npmjs.org/
+      - name: Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+              ${{ runner.os }}-node-
+      - run: npm ci
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+  publish-docs:
+    runs-on: ubuntu-18.04
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: '10.14'
+      - name: Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+              ${{ runner.os }}-node-
+      - name: Get Tag
+        uses: actions/github-script@v3
+        id: tag
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          result-encoding: string
+          script: |
+            const ref = process.env.GITHUB_REF
+            if(!ref.startsWith('refs/tags/'))
+              return ''
+            return ref.replace(/^refs\/tags\//, '')
+      - name: Generate Docs
+        run: |
+          echo $SOURCE_TAG
+          npm ci
+          ./release_docs.sh
+        env:
+          SOURCE_TAG: ${{ steps.tag.outputs.result }}
+      - name: Deploy
+        uses: peaceiris/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./docs

CHANGELOG.md

@@ -1,9 +1,31 @@
 ## Parse Server Changelog
 
 ### master
-[Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...master)
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.0...master)
 - IMPROVE: Optimize queries on classes with pointer permissions. [#7061](https://github.com/parse-community/parse-server/pull/7061). Thanks to [Pedro Diaz](https://github.com/pdiaz)
 
+### 4.5.0
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...4.5.0)
+
+__BREAKING CHANGES:__
+- FIX: Consistent casing for afterLiveQueryEvent. The afterLiveQueryEvent was introduced in 4.4.0 with inconsistent casing for the event names, which was fixed in 4.5.0. [#7023](https://github.com/parse-community/parse-server/pull/7023). Thanks to [dblythy](https://github.com/dblythy).
+___
+- FIX: Properly handle serverURL and publicServerUrl in Batch requests. [#7049](https://github.com/parse-community/parse-server/pull/7049). Thanks to [Zach Goldberg](https://github.com/ZachGoldberg).
+- IMPROVE: Prevent invalid column names (className and length). [#7053](https://github.com/parse-community/parse-server/pull/7053). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- IMPROVE: GraphQL: Remove viewer from logout mutation. [#7029](https://github.com/parse-community/parse-server/pull/7029). Thanks to [Antoine Cormouls](https://github.com/Moumouls).
+- IMPROVE: GraphQL: Optimize on Relation. [#7044](https://github.com/parse-community/parse-server/pull/7044). Thanks to [Antoine Cormouls](https://github.com/Moumouls).
+- NEW: Include sessionToken in onLiveQueryEvent. [#7043](https://github.com/parse-community/parse-server/pull/7043). Thanks to [dblythy](https://github.com/dblythy).
+- FIX: Definitions for accountLockout and passwordPolicy. [#7040](https://github.com/parse-community/parse-server/pull/7040). Thanks to [dblythy](https://github.com/dblythy).
+- FIX: Fix typo in server definitions for emailVerifyTokenReuseIfValid. [#7037](https://github.com/parse-community/parse-server/pull/7037). Thanks to [dblythy](https://github.com/dblythy).
+- SECURITY FIX: LDAP auth stores password in plain text. See [GHSA-4w46-w44m-3jq3](https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3) for more details about the vulnerability and [da905a3](https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a) for the fix. Thanks to [Fabian Strachanski](https://github.com/fastrde).
+- NEW: Reuse tokens if they haven't expired. [#7017](https://github.com/parse-community/parse-server/pull/7017). Thanks to [dblythy](https://github.com/dblythy).
+- NEW: Add LDAPS-support to LDAP-Authcontroller. [#7014](https://github.com/parse-community/parse-server/pull/7014). Thanks to [Fabian Strachanski](https://github.com/fastrde).
+- FIX: (beforeSave/afterSave): Return value instead of Parse.Op for nested fields. [#7005](https://github.com/parse-community/parse-server/pull/7005). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- FIX: (beforeSave): Skip Sanitizing Database results. [#7003](https://github.com/parse-community/parse-server/pull/7003). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- FIX: Fix includeAll for querying a Pointer and Pointer array. [#7002](https://github.com/parse-community/parse-server/pull/7002). Thanks to [Corey Baker](https://github.com/cbaker6).
+- FIX: Add encryptionKey to src/options/index.js. [#6999](https://github.com/parse-community/parse-server/pull/6999). Thanks to [dblythy](https://github.com/dblythy).
+- IMPROVE: Update PostgresStorageAdapter.js. [#6989](https://github.com/parse-community/parse-server/pull/6989). Thanks to [Vitaly Tomilov](https://github.com/vitaly-t).
+
 ### 4.4.0
 [Full Changelog](https://github.com/parse-community/parse-server/compare/4.3.0...4.4.0)
 - IMPROVE: Update PostgresStorageAdapter.js. [#6981](https://github.com/parse-community/parse-server/pull/6981). Thanks to [Vitaly Tomilov](https://github.com/vitaly-t)

CONTRIBUTING.md

@@ -100,7 +100,18 @@ If you want to make changes to [Parse Server Configuration][config] add the desi
 
 To view docs run `npm run docs` and check the `/out` directory.
 
-### Code of Conduct
+## Feature Considerations
+### Security Checks
+
+The Parse Server security checks feature warns developers about weak security settings in their Parse Server deployment.
+
+A security check needs to be added for every new feature or enhancement that allows the developer to configure it in a way that weakens security mechanisms or exposes functionality which creates a weak spot for malicious attacks. If you are not sure whether your feature or enhancements requires a security check, feel free to ask.
+
+For example, allowing public read and write to a class may be useful to simplify development but should be disallowed in a production environment.
+
+Security checks are added in [SecurityChecks.js](https://github.com/parse-community/parse-server/blob/master/src/SecurityChecks.js).
+
+## Code of Conduct
 
 This project adheres to the [Contributor Covenant Code of Conduct](https://github.com/parse-community/parse-server/blob/master/CODE_OF_CONDUCT.md). By participating, you are expected to honor this code.
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "4.4.0",
+  "version": "4.5.0",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {
@@ -105,7 +105,7 @@
     "posttest": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.0.4} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=mmapv1} mongodb-runner stop",
     "coverage": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.0.4} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=mmapv1} TESTING=1 nyc jasmine",
     "start": "node ./bin/parse-server",
-    "prettier": "prettier --write {src,spec}/{**/*,*}.js",
+    "prettier": "prettier --write '{src,spec}/{**/*,*}.js'",
     "prepare": "npm run build",
     "postinstall": "node -p 'require(\"./postinstall.js\")()'"
   },

package.json

@@ -1,11 +1,11 @@
 #!/bin/sh -e
 set -x
-if [ "${TRAVIS_REPO_SLUG}" = "" ];
+if [ "${GITHUB_ACTIONS}" = "" ];
 then
-  echo "Cannot release docs without TRAVIS_REPO_SLUG set"
+  echo "Cannot release docs without GITHUB_ACTIONS set"
   exit 0;
 fi
-REPO="https://github.com/${TRAVIS_REPO_SLUG}"
+REPO="https://github.com/parse-community/parse-server"
 
 rm -rf docs
 git clone -b gh-pages --single-branch $REPO ./docs
@@ -15,9 +15,9 @@ cd ..
 
 DEST="master"
 
-if [ "${TRAVIS_TAG}" != "" ];
+if [ "${SOURCE_TAG}" != "" ];
 then
-  DEST="${TRAVIS_TAG}"
+  DEST="${SOURCE_TAG}"
   # change the default page to the latest
   echo "<meta http-equiv='refresh' content='0; url=/parse-server/api/${DEST}'>" > "docs/api/index.html"
 fi

release_docs.sh

@@ -216,7 +216,7 @@ it('Should delete the password from authData after validation', done => {
     const options = {
       suffix: 'o=example',
       url: `ldap://localhost:${port}`,
-      dn: 'uid={{id}}, o=example'
+      dn: 'uid={{id}}, o=example',
     };
 
     const authData = { id: 'testuser', password: 'secret' };
@@ -237,22 +237,23 @@ it('Should not save the password in the user record after authentication', done
     const options = {
       suffix: 'o=example',
       url: `ldap://localhost:${port}`,
-      dn: 'uid={{id}}, o=example'
+      dn: 'uid={{id}}, o=example',
     };
     reconfigureServer({ auth: { ldap: options } }).then(() => {
       const authData = { authData: { id: 'testuser', password: 'secret' } };
-      Parse.User.logInWith('ldap', authData).then((returnedUser) => {
-        const query = new Parse.Query("User");
+      Parse.User.logInWith('ldap', authData).then(returnedUser => {
+        const query = new Parse.Query('User');
         query
-          .equalTo('objectId', returnedUser.id).first({ useMasterKey: true })
-          .then((user) => {
-            expect(user.get('authData')).toEqual({ ldap:{ id: 'testuser' }});
+          .equalTo('objectId', returnedUser.id)
+          .first({ useMasterKey: true })
+          .then(user => {
+            expect(user.get('authData')).toEqual({ ldap: { id: 'testuser' } });
             expect(user.get('authData').ldap.password).toBeUndefined();
             done();
           })
           .catch(done.fail)
-          .finally(() => server.close())
-      })
+          .finally(() => server.close());
+      });
     });
   });
 });