Bug in saving new users via Cloud Code

[drew-gross]

When saving a new PFUser on iOS, the SDK(?) throws this error:

Caught "NSInternalInconsistencyException" with reason "User cannot be saved unless they are already signed up. Call signUp first."
When saving a new PFUser via Cloud Code, it does not throw that error but simply mimics a "signUp", which creates a session token for the server... in Cloud Code! (actually, read #3 as this may be a bug with the pfuser handling)

For sake of flexibility and consistency (with PFObjects), I think there should be an option to "save" a PFUser without having a session token created, or restricting (iOS) apps to always use PFUser.signUp. There are many use-cases for such a feature, and I feel that it is a meaningless restriction.

Personal use-case: I have some special logic to replace the standard "signUp" flow, which has me creating a PFUser via Cloud Code + MasterKey. But with how the "save" function is behaving, it's creating a session token for the server!

Ref #1490

[DoneStuffGetting]

Session token bug --> #1497

[flovilmart]

Just investigate that one and:

let user = new Parse.User()
user.save();

// and
let user  = new Parse.Object('_Users')
user.save();

// and
let user = new Parse.User()
user.signUp("username","password")

all 3 make calls to the /users endpoints, so we can't really infer anything from that.

Another option would be to skip the session creation when using { useMasterKey: true }.
That seems reasonable as I can't think of a good reason to want to create a sessionToken as master.

[DoneStuffGetting]

Another option would be to skip the session creation when using { useMasterKey: true }.
That seems reasonable as I can't think of a good reason to want to create a sessionToken as master.

That sounds good. Would it apply to all SDKs that are connected with the masterkey as well?

[flovilmart]

Yeah REST, node etc...

[flovilmart]

@drew-gross is that reasonable? Or maybe we can check the request headers and make sure we don't generate a Session Token for Cloud Code, nor nodejs, nor REST etc... I tend to think the masterKey is a workaround.

We could use the User-Agent: https://github.com/ParsePlatform/Parse-SDK-JS/blob/master/src/RESTController.js#L129

[drew-gross]

Checking IS_NODE seems like a good solution. Sometime you want to make requests as a specific user even in Cloud Code so having that work as expected and not create session tokens is important.

[flovilmart]

ok so I'll check for the User-Agent somewhere

[flovilmart]

@drew-gross once again, we face an issue with parse.js being single minded. I overrode the InstallationsController to return 'parse-server' as the installationId (as it is in regular parse.com's cloud code). The problem being that it breaks all of our tests.

we could overcome that maybe by running the cloud endpoint in their own VM...

[drew-gross]

Which tests does it break and why? If parse-server is what Parse.com returns, we should try to do the same thing.

[pbmarcano]

Is there a work around for this I can write myself? I am running an app that uses a slightly modified version of AnyPhone and all my users are created and log in through Cloud Code.

This is the final barrier between my full migration off of parse.com.

[abhijeet-aressindia]

@flovilmart we have Google login implementation with Cloud code in Android. but now with the revocable sessions we are not able get the session token from cloud code when user trying to login/signup. then we have added bellow code:

var session;
var query = new Parse.Query("_Session");
query.equalTo('user', user);
query.first({ useMasterKey: true }).then(function(tokenData) {
res.success(tokenData.get("sessionToken"));
});

This will return Session token from _Session class but when user logged out and trying to login again the is no data in Session class as session get deleted after user logged out.

Now i am trying http://stackoverflow.com/a/36656209/3758024 this approach and getting error "can not modify user XXXXX".
Is there anything which i am missing? or Do you have any suggestions? We're on a really tight deadline and we can't seem to find a solution anywhere. Thanks!"

[pbmarcano]

@gopal-aressindia did you find a solution for this? I am trying to get back to this issue for a project migration before the upcoming deadline

[abhijeet-aressindia]

@pbmarcano No, I don't find any solution on this. I have changed this process and now removed cloud code and using the Third Party OAuth

[6thfdwp]

@pbmarcano seems AnyPhone link cannot be reached any more, can you still access it?

I just built some prototype for phone based login on self-hosted parse server, would be helpful to see original code repo to get the whole flow right

[6thfdwp]

@flovilmart I tried PARSE_SERVER_ENABLE_EXPERIMENTAL_DIRECT_ACCESS=1 on my local server ([email protected]), there is no session created when create a new user in the cloud function:

let user = new Parse.User()
user.save(attrs, {userMasterKey: true});

And then I tried to do cloud Parse.User.logIn later to generate associated session, it's created successfully, but installationId field missing, the data passed to RestWrite is

{
"sessionToken":"r:4bb82c33b53feec3eeb86e015c2e41d2",
"user":{"__type":"Pointer","className":"_User","objectId":"b8hDoi2j28"},
"createdWith":{"action":"login","authProvider":"password"},"restricted":false,
"expiresAt":{"__type":"Date","iso":"2018-03-25T01:36:32.146Z"}
}

If I get rid of PARSE_SERVER_ENABLE_EXPERIMENTAL_DIRECT_ACCESS=1, there is installationId passed in to create new session.

I called the same cloud function with same parameters, just changed the env setting to start parse server. Not sure if need to enable this, but duplicate session would exist without it

[flovilmart]

yoi should probably not call login from cloud code. Sessions are tied to the installationId.

Also, i believe you can pass the installationId that was passed to the cloud function call to the logIn options object https://github.com/ParsePlatform/Parse-SDK-JS/blob/master/src/ParseUser.js#L429

This will effectively create a session for the installationId that you gave.

But like I said, you should not call logIn in Cloud Code as it doesn't really make sense.

[6thfdwp]

Great, thanks for the explanation. I'll probably rethink the login flow again.

[montymxb]

@flovilmart with a PR submitted (and merged) is there anything else that needs to be squared away for the original issue here?

[flovilmart]

Nope! Everything is good, we need to setup direct access mainline at one point .