Relying only in Parse Cloud Code

[RafaRuiz]

Hello guys.

This is a question I've tried to find anywhere in StackOverflow or here but I haven't found.
Some of us, developers who use Parse for a backend solution, rely only on Parse Cloud Code to make requests. Sometimes we develop X-platform products which is really nice, but maybe we would like to avoid people to fiddle with the REST part (or from Javascript SDK for example). Is there any plan to be able to cut everything except some endpoints such as "http://parsehost/parse/functions/*" for the future?

Thank you very much in advance, and I'm sorry if this question is duplicated (I haven't found it).
Regards.

[flovilmart]

You can build an express app with a simple API if that's what you need.

[RafaRuiz]

@flovilmart thank you for your answer... is there any reference I can read or any idea?
Thank you again

[flovilmart]

What you want is actually just a web server, that is using parse as a backend right? you can use expressjs http://expressjs.com and then make an API client on your apps.

[RafaRuiz]

No, well, I would like to use Parse directly, but disabling Queries from clients of cURL. I use background jobs, push, and many more Parse features. What I want actually is being protected against calls like http://mywebserver:1337/parse/users and read every single field. I'm getting sensitive data (according to my structure) but I need Users to be public readable.

In Parse Cloud I use .select to retrieve the right fields.
I don't know if I explained well, is it clear?

[flovilmart]

You can use beforeFind calls to transform you query before it's executed. If you want to disable full endpoints you can also do

app.get('/parse/users', function(req, res) {
   res.send(404, 'Not found')
})
app.use('/parse', parseAPI)

[RafaRuiz]

@flovilmart that is gorgeous... thank you very much!

[RafaRuiz]

@flovilmart, I've been checking deeply, it wouldn't work to isolate only Parse Cloud for example.

I tried to isolate in this way:

app.all('/parse/*', function(req, res, next) {
   if (!req.url.startsWith("/parse/functions")) {
      res.send(404, 'Not found');
   } else {
      next();
   }
});

but Parse Cloud is using /parse/classes/_User for retrieving users, for example, and it wont work... do you have any other workaround or idea to work with? I'm still thinking but got no clue :(

[flovilmart]

Yeah because you need all of those still working because parse-server is well, parse-server... I'm not sure we're gonna go that route...

[RafaRuiz]

So what would you suggest for this?

"I have done a search on Google saying ' websites done with parse as backend '. I got one, I opened the Javascript console (or well, grab the REST-Api-Key from any cloud call and do the same job with cURL) and this happened:"

What could we do in this case?

[flovilmart]

put a CLP so you can't run a find...

[RafaRuiz]

so I can't run a find from Parse Cloud either :\ ?

[flovilmart]

you can run find with the master key

[RafaRuiz]

alright! let's try :)
thanks!

[steven-supersolid]

We do something similar to the suggestion: All classes have no read and write access via CLP (make sure to switch to advanced permissions mode to also unset Add Field) and our cloud code queries etc. all have useMasterKey: true

Perhaps it would be useful to have a special mode so it is like this out of the box but it is low priority for me as you can achieve this already using the above steps.