Adding a javasciptKey results in all requests failing as unauthorized

[benpackard]

I have a functioning Parse Server up and running and an iOS app successfully accessing it. Everything has been running well for a couple of years.

I didn't add a javascriptKey when setting up the server, but want to add one now to support some web development. However, adding this key to my server configuration via index.js results in all requests from the app failing as unauthorized. It is something specific about the javascriptKey property, since adding a javascriptKey2 instead does not produce the issue. It seems like the server is expecting some additional authorization to be sent by the iOS app when there is a javascriptKey set on the server, but the iOS app doesn't know or care about any javascriptKey. I'm not even sure it is possible to set a javascript key via the iOS SDK.

There is no logging from the server for this. I can run the server locally and nothing is logged when the failed request is returned.

Steps to reproduce:

1. Set up a Parse Server without a javascriptKey and confirm that your app can access it.
2. Add a javascriptKey to the server.

Expected: the app continues to access the server as before.

Actual: all requests fail as "unauthorized"

I am on Parse Server 4.2.0. I couldn't find any mention of this issue in any releases since (or previously) then so am hopeful there is
a common solution that doesn't involve upgrading to 5.x quite yet!

var api = new ParseServer({  
  databaseURI: databaseUri || 'mongodb://localhost:27017/dev',
  cloud: process.env.CLOUD_CODE_MAIN || __dirname + '/cloud/main.js',
  appId: process.env.APP_ID || 'myAppId',
  masterKey: process.env.MASTER_KEY || '',
  serverURL: process.env.SERVER_URL || 'http://localhost:1337/parse', 
  javascriptKey: '123',
  appName: '<App Name>',
  publicServerURL: process.env.SERVER_URL || 'http://localhost:1337/parse',
 
  ...

}

[parse-github-assistant]

Thanks for opening this issue!

• ❌ Please edit your post and use the provided template when creating a new issue. This helps everyone to understand your post better and asks for essential information to quicker review the issue.

[mtrezza]

It would make sense for Parse Server to enforce a key for every client type if any client key is set. Otherwise you could just use a different client and I don't think Parse Server has an option to disable certain client types.

From the docs:

However, you have the option to specify any of these four keys upon initialization. Upon doing so, Parse Server will enforce that any clients passing a key matches. The behavior is consistent with hosted Parse.

The docs may be ambiguous about that, but I think in hosted Parse that was the behavior, and the intention when open-sourcing was surely to replicate that behavior. Did you try setting a client key also for the iOS SDK?

[benpackard]

Yep adding a client key to each platform's app is what's required, many thanks. Unfortunately it probably means a long delay or cancelation for my web project since I will need all of my users to update first or else their apps will just stop working overnight.

I think the prevailing advice everywhere you look these days is "You don't need a client key anymore" so I guess not many people have tried adding one later. It might be better that we try to recommend always adding a client key for future-compatibility if this current behavior is going to be enforced by the server.

Alternatively, am I missing something and the javascript key should not be necessary either? My understanding is that we must provide it for server-side data fetching for our React web page. Perhaps a question for the web SDK team but maybe you know.

As for the docs specifically, I think this would be a helpful change:

Parse Server does not require the use of client-side keys. This includes the client key, JavaScript key, .NET key, and REST API key. The Application ID is sufficient to secure your app.

However, you have the option to specify any of these four keys upon initialization. Upon doing so, Parse Server will enforce that any client passing such a key matches. Note that if any one client uses a client-side key, all other clients must similarly use their own appropriate client-side key. The behavior is consistent with hosted Parse.

Let me know if you would like a PR for this.

[benpackard]

I just found this similar conversation which confirms your diagnosis: #159 (comment)

It is a good example of the 'prevailing advice' I mentioned:

The best option is to not set any client keys in parse-server. They are not necessary and do not increase security.

This is common advice when people ask about client keys. So one of these is true:

1. We should stop making this recommendation, since although there is no real security benefit to client keys, functionally they might be necessary and for future-compatibility so it is best to provide one.

Or,

2. There is no functional need to ever use a javascript key (i.e. I am mistaken about its necessity for my web project). <- I hope it is this one!