parse-community · dblythy · Oct 28, 2020 · Oct 29, 2020 · Oct 30, 2020 · Nov 2, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,42 @@
 ## Parse Server Changelog
 
 ### master
-[Full Changelog](https://github.com/parse-community/parse-server/compare/4.3.0...master)
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...master)
+
+### 4.4.0
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.3.0...4.4.0)
+- IMPROVE: Update PostgresStorageAdapter.js. [#6981](https://github.com/parse-community/parse-server/pull/6981). Thanks to [Vitaly Tomilov](https://github.com/vitaly-t)
+- NEW: skipWithMasterKey on Built-In Validator. [#6972](https://github.com/parse-community/parse-server/issues/6972). Thanks to [dblythy](https://github.com/dblythy).
+- NEW: Add fileKey rotation to GridFSBucketAdapter. [#6768](https://github.com/parse-community/parse-server/pull/6768). Thanks to [Corey Baker](https://github.com/cbaker6).
+- IMPROVE: Remove unused parameter in Cloud Function. [#6969](https://github.com/parse-community/parse-server/issues/6969). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- IMPROVE: Validation Handler Update. [#6968](https://github.com/parse-community/parse-server/issues/6968). Thanks to [dblythy](https://github.com/dblythy).
+- FIX: (directAccess): Properly handle response status. [#6966](https://github.com/parse-community/parse-server/issues/6966). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- FIX: Remove hostnameMaxLen for Mongo URL. [#6693](https://github.com/parse-community/parse-server/issues/6693). Thanks to [markhoward02](https://github.com/markhoward02).
+- IMPROVE: Show a message if cloud functions are duplicated. [#6963](https://github.com/parse-community/parse-server/issues/6963). Thanks to [dblythy](https://github.com/dblythy).
+- FIX: Pass request.query to afterFind. [#6960](https://github.com/parse-community/parse-server/issues/6960). Thanks to [dblythy](https://github.com/dblythy).
+- SECURITY FIX: Patch session vulnerability over Live Query. See [GHSA-2xm2-xj2q-qgpj](https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj) for more details about the vulnerability and [78b59fb](https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58) for the fix. Thanks to [Antonio Davi Macedo Coelho de Castro](https://github.com/davimacedo).
+- IMPROVE: LiveQueryEvent Error Logging Improvements. [#6951](https://github.com/parse-community/parse-server/issues/6951). Thanks to [dblythy](https://github.com/dblythy).
+- IMPROVE: Include stack in Cloud Code. [#6958](https://github.com/parse-community/parse-server/issues/6958). Thanks to [dblythy](https://github.com/dblythy).
+- FIX: (jobs): Add Error Message to JobStatus Failure. [#6954](https://github.com/parse-community/parse-server/issues/6954). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- NEW: Create Cloud function afterLiveQueryEvent. [#6859](https://github.com/parse-community/parse-server/issues/6859). Thanks to [dblythy](https://github.com/dblythy).
+- FIX: Update vkontakte API to the latest version. [#6944](https://github.com/parse-community/parse-server/issues/6944). Thanks to [Antonio Davi Macedo Coelho de Castro](https://github.com/davimacedo).
+- FIX: Use an empty object as default value of options for Google Sign in. [#6844](https://github.com/parse-community/parse-server/issues/6844). Thanks to [Kevin Kuang](https://github.com/kvnkuang).
+- FIX: Postgres: prepend className to unique indexes. [#6741](https://github.com/parse-community/parse-server/pull/6741). Thanks to [Corey Baker](https://github.com/cbaker6).
+- FIX: GraphQL: Transform input types also on user mutations. [#6934](https://github.com/parse-community/parse-server/pull/6934). Thanks to [Antoine Cormouls](https://github.com/Moumouls).
+- FIX: Set objectId into query for Email Validation. [#6930](https://github.com/parse-community/parse-server/pull/6930). Thanks to [Danaru](https://github.com/Danaru87).
+- FIX: GraphQL: Optimize queries, fixes some null returns (on object), fix stitched GraphQLUpload. [#6709](https://github.com/parse-community/parse-server/pull/6709). Thanks to [Antoine Cormouls](https://github.com/Moumouls).
+- FIX: Do not throw error if user provide a pointer like index onMongo. [#6923](https://github.com/parse-community/parse-server/pull/6923). Thanks to [Antoine Cormouls](https://github.com/Moumouls).
+- FIX: Hotfix instagram api. [#6922](https://github.com/parse-community/parse-server/issues/6922). Thanks to [Tim](https://github.com/timination).
+- FIX: (directAccess/cloud-code): Pass installationId with LogIn. [#6903](https://github.com/parse-community/parse-server/issues/6903). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- FIX: Fix bcrypt binary incompatibility. [#6891](https://github.com/parse-community/parse-server/issues/6891). Thanks to [Manuel Trezza](https://github.com/mtrezza).
+- NEW: Keycloak auth adapter. [#6376](https://github.com/parse-community/parse-server/issues/6376). Thanks to [Rhuan](https://github.com/rhuanbarreto).
+- IMPROVE: Changed incorrect key name in apple auth adapter tests. [#6861](https://github.com/parse-community/parse-server/issues/6861). Thanks to [Manuel Trezza](https://github.com/mtrezza).
+- FIX: Fix mutating beforeSubscribe Query. [#6868](https://github.com/parse-community/parse-server/issues/6868). Thanks to [dblythy](https://github.com/dblythy).
+- FIX: Fix beforeLogin for users logging in with AuthData. [#6872](https://github.com/parse-community/parse-server/issues/6872). Thanks to [Kevin Kuang](https://github.com/kvnkuang).
+- FIX: Remove Facebook AccountKit auth. [#6870](https://github.com/parse-community/parse-server/issues/6870). Thanks to [Diamond Lewis](https://github.com/dplewis).
+- FIX: Updated TOKEN_ISSUER to 'accounts.google.com'. [#6836](https://github.com/parse-community/parse-server/issues/6836). Thanks to [Arjun Vedak](https://github.com/arjun3396).
 - IMPROVE: Optimized deletion of class field from schema by using an index if available to do an index scan instead of a collection scan. [#6815](https://github.com/parse-community/parse-server/issues/6815). Thanks to [Manuel Trezza](https://github.com/mtrezza).
+- IMPROVE: Enable MongoDB transaction test for MongoDB >= 4.0.4 [#6827](https://github.com/parse-community/parse-server/pull/6827). Thanks to [Manuel](https://github.com/mtrezza).
 
 ### 4.3.0
 [Full Changelog](https://github.com/parse-community/parse-server/compare/4.2.0...4.3.0)

diff --git a/README.md b/README.md
@@ -92,14 +92,22 @@ $ parse-server --appId APPLICATION_ID --masterKey MASTER_KEY --databaseURI mongo
 
 
 ### Inside a Docker container
+
 ```bash
 $ git clone https://github.com/parse-community/parse-server
 $ cd parse-server
 $ docker build --tag parse-server .
 $ docker run --name my-mongo -d mongo
-$ docker run --name my-parse-server -v cloud-code-vol:/parse-server/cloud -v config-vol:/parse-server/config -p 1337:1337 --link my-mongo:mongo -d parse-server --appId APPLICATION_ID --masterKey MASTER_KEY --databaseURI mongodb://mongo/test
 ```
 
+#### Running the Parse Server Image
+
+```bash
+$ docker run --name my-parse-server -v config-vol:/parse-server/config -p 1337:1337 --link my-mongo:mongo -d parse-server --appId APPLICATION_ID --masterKey MASTER_KEY --databaseURI mongodb://mongo/test
+```
+
+***Note:*** *If you want to use [Cloud Code](https://docs.parseplatform.org/cloudcode/guide/) feature, please add `-v cloud-code-vol:/parse-server/cloud --cloud /parse-server/cloud/main.js` to command above. Make sure the `main.js` file is available in the `cloud-code-vol` directory before run this command. Otherwise, an error will occur.*
+
 You can use any arbitrary string as your application id and master key. These will be used by your clients to authenticate with the Parse Server.
 
 That's it! You are now running a standalone version of Parse Server on your machine.
@@ -206,7 +214,7 @@ var app = express();
 
 var api = new ParseServer({
   databaseURI: 'mongodb://localhost:27017/dev', // Connection string for your MongoDB database
-  cloud: '/home/myApp/cloud/main.js', // Absolute path to your Cloud Code
+  cloud: './cloud/main.js', // Path to your Cloud Code
   appId: 'myAppId',
   masterKey: 'myMasterKey', // Keep this key secret!
   fileKey: 'optionalFileKey',
@@ -472,9 +480,16 @@ $ git clone https://github.com/parse-community/parse-server
 $ cd parse-server
 $ docker build --tag parse-server .
 $ docker run --name my-mongo -d mongo
-$ docker run --name my-parse-server --link my-mongo:mongo -v cloud-code-vol:/parse-server/cloud -v config-vol:/parse-server/config -p 1337:1337 -d parse-server --appId APPLICATION_ID --masterKey MASTER_KEY --databaseURI mongodb://mongo/test --publicServerURL http://localhost:1337/parse --mountGraphQL --mountPlayground
 ```
 
+#### Running the Parse Server Image
+
+```bash
+$ docker run --name my-parse-server --link my-mongo:mongo -v config-vol:/parse-server/config -p 1337:1337 -d parse-server --appId APPLICATION_ID --masterKey MASTER_KEY --databaseURI mongodb://mongo/test --publicServerURL http://localhost:1337/parse --mountGraphQL --mountPlayground
+```
+
+***Note:*** *If you want to use [Cloud Code](https://docs.parseplatform.org/cloudcode/guide/) feature, please add `-v cloud-code-vol:/parse-server/cloud --cloud /parse-server/cloud/main.js` to command above. Make sure the `main.js` file is available in the `cloud-code-vol` directory before run this command. Otherwise, an error will occur.*
+
 After starting the server, you can visit http://localhost:1337/playground in your browser to start playing with your GraphQL API.
 
 ***Note:*** Do ***NOT*** use --mountPlayground option in production. [Parse Dashboard](https://github.com/parse-community/parse-dashboard) has a built-in GraphQL Playground and it is the recommended option for production apps.

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "4.3.0",
+  "version": "4.4.0",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {
@@ -48,7 +48,7 @@
     "mime": "2.4.6",
     "mongodb": "3.6.2",
     "parse": "2.17.0",
-    "pg-promise": "10.6.2",
+    "pg-promise": "10.7.0",
     "pluralize": "8.0.0",
     "redis": "3.0.2",
     "semver": "7.3.2",

diff --git a/resources/buildConfigDefinitions.js b/resources/buildConfigDefinitions.js
@@ -55,6 +55,9 @@ function getENVPrefix(iface) {
   if (iface.id.name === 'IdempotencyOptions') {
     return 'PARSE_SERVER_EXPERIMENTAL_IDEMPOTENCY_';
   }
+  if (iface.id.name === 'FileUploadOptions') {
+    return 'PARSE_SERVER_FILE_UPLOAD_';
+  }
 }
 
 function processProperty(property, iface) {
@@ -173,7 +176,7 @@ function parseDefaultValue(elt, value, t) {
       });
       literalValue = t.objectExpression(props);
     }
-    if (type == 'IdempotencyOptions') {
+    if (type == 'IdempotencyOptions' || type == 'FileUploadOptions') {
       const object = parsers.objectParser(value);
       const props = Object.keys(object).map((key) => {
         return t.objectProperty(key, object[value]);

diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js
@@ -860,4 +860,126 @@ describe('Parse.File testing', () => {
       });
     });
   });
+
+  describe('file upload restrictions', () => {
+    it('can reject file upload with unspecified', async () => {
+      await reconfigureServer({
+        fileUpload: {},
+      });
+      try {
+        const file = new Parse.File('hello.txt', data, 'text/plain');
+        await file.save();
+        fail('should not have been able to save file.');
+      } catch (e) {
+        expect(e.code).toBe(130);
+        expect(e.message).toBe('Public file upload is not enabled.');
+      }
+    });
+    it('disable file upload', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enabledForPublic: false,
+          enabledForAnonymousUser: false,
+          enabledForAuthenticatedUser: false,
+        },
+      });
+      try {
+        const file = new Parse.File('hello.txt', data, 'text/plain');
+        await file.save();
+        fail('should not have been able to save file.');
+      } catch (e) {
+        expect(e.code).toBe(130);
+        expect(e.message).toBe('Public file upload is not enabled.');
+      }
+    });
+    it('disable for public', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enabledForPublic: false,
+        },
+      });
+      try {
+        const file = new Parse.File('hello.txt', data, 'text/plain');
+        await file.save();
+        fail('should not have been able to save file.');
+      } catch (e) {
+        expect(e.code).toBe(130);
+        expect(e.message).toBe('Public file upload is not enabled.');
+      }
+    });
+
+    it('disable for public allow user', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enabledForPublic: false,
+        },
+      });
+      try {
+        const user = await Parse.User.signUp('myUser', 'password');
+        const file = new Parse.File('hello.txt', data, 'text/plain');
+        await file.save({ sessionToken: user.getSessionToken() });
+      } catch (e) {
+        fail('should have allowed file to save.');
+      }
+    });
+
+    it('disable for anonymous', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enabledForAnonymousUser: false,
+        },
+      });
+      try {
+        const user = await Parse.AnonymousUtils.logIn();
+        const file = new Parse.File('hello.txt', data, 'text/plain');
+        await file.save({ sessionToken: user.getSessionToken() });
+        fail('should not have been able to save file.');
+      } catch (e) {
+        expect(e.code).toBe(130);
+        expect(e.message).toBe('Anonymous file upload is not enabled.');
+      }
+    });
+
+    it('enable for anonymous', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enabledForPublic: false,
+          enabledForAnonymousUser: true,
+        },
+      });
+      try {
+        const user = await Parse.AnonymousUtils.logIn();
+        const file = new Parse.File('hello.txt', data, 'text/plain');
+        await file.save({ sessionToken: user.getSessionToken() });
+      } catch (e) {
+        fail('should have allowed file to save.');
+      }
+    });
+
+    it('enable for anonymous but not authenticated', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enabledForPublic: false,
+          enabledForAnonymousUser: true,
+          enabledForAuthenticatedUser: false,
+        },
+      });
+      try {
+        const user = await Parse.AnonymousUtils.logIn();
+        const file = new Parse.File('hello.txt', data, 'text/plain');
+        await file.save({ sessionToken: user.getSessionToken() });
+      } catch (e) {
+        fail('should have allowed file to save.');
+      }
+      try {
+        const user = await Parse.User.signUp('myUser', 'password');
+        const file = new Parse.File('hello.txt', data, 'text/plain');
+        await file.save({ sessionToken: user.getSessionToken() });
+        fail('should have not allowed file to save.');
+      } catch (e) {
+        expect(e.code).toBe(130);
+        expect(e.message).toBe('Authenticated file upload is not enabled.');
+      }
+    });
+  });
 });