diff --git a/spec/CloudCode.spec.js b/spec/CloudCode.spec.js
index c02999ad51..557c927a95 100644
--- a/spec/CloudCode.spec.js
+++ b/spec/CloudCode.spec.js
@@ -1962,6 +1962,14 @@ describe('cloud functions', () => {
Parse.Cloud.run('myFunction', {}).then(() => done());
});
+
+ it('should have request config', async () => {
+ Parse.Cloud.define('myConfigFunction', req => {
+ expect(req.config).toBeDefined();
+ return 'success';
+ });
+ await Parse.Cloud.run('myConfigFunction', {});
+ });
});
describe('beforeSave hooks', () => {
@@ -1985,6 +1993,16 @@ describe('beforeSave hooks', () => {
myObject.save().then(() => done());
});
+ it('should have request config', async () => {
+ Parse.Cloud.beforeSave('MyObject', req => {
+ expect(req.config).toBeDefined();
+ });
+
+ const MyObject = Parse.Object.extend('MyObject');
+ const myObject = new MyObject();
+ await myObject.save();
+ });
+
it('should respect custom object ids (#6733)', async () => {
Parse.Cloud.beforeSave('TestObject', req => {
expect(req.object.id).toEqual('test_6733');
@@ -2040,6 +2058,16 @@ describe('afterSave hooks', () => {
myObject.save().then(() => done());
});
+ it('should have request config', async () => {
+ Parse.Cloud.afterSave('MyObject', req => {
+ expect(req.config).toBeDefined();
+ });
+
+ const MyObject = Parse.Object.extend('MyObject');
+ const myObject = new MyObject();
+ await myObject.save();
+ });
+
it('should unset in afterSave', async () => {
Parse.Cloud.afterSave(
'MyObject',
@@ -2097,6 +2125,17 @@ describe('beforeDelete hooks', () => {
.then(myObj => myObj.destroy())
.then(() => done());
});
+
+ it('should have request config', async () => {
+ Parse.Cloud.beforeDelete('MyObject', req => {
+ expect(req.config).toBeDefined();
+ });
+
+ const MyObject = Parse.Object.extend('MyObject');
+ const myObject = new MyObject();
+ await myObject.save();
+ await myObject.destroy();
+ });
});
describe('afterDelete hooks', () => {
@@ -2125,6 +2164,17 @@ describe('afterDelete hooks', () => {
.then(myObj => myObj.destroy())
.then(() => done());
});
+
+ it('should have request config', async () => {
+ Parse.Cloud.afterDelete('MyObject', req => {
+ expect(req.ip).toBeDefined();
+ });
+
+ const MyObject = Parse.Object.extend('MyObject');
+ const myObject = new MyObject();
+ await myObject.save();
+ await myObject.destroy();
+ });
});
describe('beforeFind hooks', () => {
@@ -2381,6 +2431,19 @@ describe('beforeFind hooks', () => {
})
.then(() => done());
});
+
+ it('should have request config', async () => {
+ Parse.Cloud.beforeFind('MyObject', req => {
+ expect(req.config).toBeDefined();
+ });
+
+ const MyObject = Parse.Object.extend('MyObject');
+ const myObject = new MyObject();
+ await myObject.save();
+ const query = new Parse.Query('MyObject');
+ query.equalTo('objectId', myObject.id);
+ await Promise.all([query.get(myObject.id), query.first(), query.find()]);
+ });
});
describe('afterFind hooks', () => {
@@ -2712,6 +2775,19 @@ describe('afterFind hooks', () => {
.catch(done.fail);
});
+ it('should have request config', async () => {
+ Parse.Cloud.afterFind('MyObject', req => {
+ expect(req.ip).toBeDefined();
+ });
+
+ const MyObject = Parse.Object.extend('MyObject');
+ const myObject = new MyObject();
+ await myObject.save();
+ const query = new Parse.Query('MyObject');
+ query.equalTo('objectId', myObject.id);
+ await Promise.all([query.get(myObject.id), query.first(), query.find()]);
+ });
+
it('should validate triggers correctly', () => {
expect(() => {
Parse.Cloud.beforeSave('_Session', () => {});
@@ -3199,6 +3275,7 @@ describe('beforeLogin hook', () => {
expect(req.ip).toBeDefined();
expect(req.installationId).toBeDefined();
expect(req.context).toBeUndefined();
+ expect(req.config).toBeDefined();
});
await Parse.User.signUp('tupac', 'shakur');
@@ -3316,6 +3393,7 @@ describe('afterLogin hook', () => {
expect(req.ip).toBeDefined();
expect(req.installationId).toBeDefined();
expect(req.context).toBeUndefined();
+ expect(req.config).toBeDefined();
});
await Parse.User.signUp('testuser', 'p@ssword');
@@ -3510,6 +3588,15 @@ describe('saveFile hooks', () => {
}
});
+ it('beforeSaveFile should have config', async () => {
+ await reconfigureServer({ filesAdapter: mockAdapter });
+ Parse.Cloud.beforeSave(Parse.File, req => {
+ expect(req.config).toBeDefined();
+ });
+ const file = new Parse.File('popeye.txt', [1, 2, 3], 'text/plain');
+ await file.save({ useMasterKey: true });
+ });
+
it('beforeSaveFile should change values of uploaded file by editing fileObject directly', async () => {
await reconfigureServer({ filesAdapter: mockAdapter });
const createFileSpy = spyOn(mockAdapter, 'createFile').and.callThrough();
diff --git a/spec/requestContextMiddleware.spec.js b/spec/requestContextMiddleware.spec.js
new file mode 100644
index 0000000000..e086a8b415
--- /dev/null
+++ b/spec/requestContextMiddleware.spec.js
@@ -0,0 +1,56 @@
+const { ApolloClient, gql, InMemoryCache } = require('@apollo/client/core');
+const fetch = (...args) => import('node-fetch').then(({ default: fetch }) => fetch(...args));
+describe('requestContextMiddleware', () => {
+ const requestContextMiddleware = (req, res, next) => {
+ req.config.aCustomController = 'aCustomController';
+ next();
+ };
+
+ it('should support dependency injection on rest api', async () => {
+ let called;
+ Parse.Cloud.beforeSave('_User', request => {
+ expect(request.config.aCustomController).toEqual('aCustomController');
+ called = true;
+ });
+ await reconfigureServer({ requestContextMiddleware });
+ const user = new Parse.User();
+ user.setUsername('test');
+ user.setPassword('test');
+ await user.signUp();
+ expect(called).toBeTruthy();
+ });
+ it('should support dependency injection on graphql api', async () => {
+ let called = false;
+ Parse.Cloud.beforeSave('_User', request => {
+ expect(request.config.aCustomController).toEqual('aCustomController');
+ called = true;
+ });
+ await reconfigureServer({
+ requestContextMiddleware,
+ mountGraphQL: true,
+ graphQLPath: '/graphql',
+ });
+ const client = new ApolloClient({
+ uri: 'http://localhost:8378/graphql',
+ cache: new InMemoryCache(),
+ fetch,
+ headers: {
+ 'X-Parse-Application-Id': 'test',
+ 'X-Parse-Master-Key': 'test',
+ },
+ });
+
+ await client.mutate({
+ mutation: gql`
+ mutation {
+ createUser(input: { fields: { username: "test", password: "test" } }) {
+ user {
+ objectId
+ }
+ }
+ }
+ `,
+ });
+ expect(called).toBeTruthy();
+ });
+});
diff --git a/src/Controllers/HooksController.js b/src/Controllers/HooksController.js
index 9cc5f427e8..dc30aae417 100644
--- a/src/Controllers/HooksController.js
+++ b/src/Controllers/HooksController.js
@@ -188,6 +188,8 @@ function wrapToHTTPRequest(hook, key) {
return req => {
const jsonBody = {};
for (var i in req) {
+ // Parse Server config is not serializable
+ if (i === 'config') continue;
jsonBody[i] = req[i];
}
if (req.object) {
diff --git a/src/GraphQL/ParseGraphQLServer.js b/src/GraphQL/ParseGraphQLServer.js
index 44ea34f47b..017716fa8c 100644
--- a/src/GraphQL/ParseGraphQLServer.js
+++ b/src/GraphQL/ParseGraphQLServer.js
@@ -75,6 +75,19 @@ class ParseGraphQLServer {
);
}
+ /**
+ * @static
+ * Allow developers to customize each request with inversion of control/dependency injection
+ */
+ applyRequestContextMiddleware(api, options) {
+ if (options.requestContextMiddleware) {
+ if (typeof options.requestContextMiddleware !== 'function') {
+ throw new Error('requestContextMiddleware must be a function');
+ }
+ api.use(options.requestContextMiddleware);
+ }
+ }
+
applyGraphQL(app) {
if (!app || !app.use) {
requiredParameter('You must provide an Express.js app instance!');
@@ -83,6 +96,7 @@ class ParseGraphQLServer {
app.use(this.config.graphQLPath, corsMiddleware());
app.use(this.config.graphQLPath, handleParseHeaders);
app.use(this.config.graphQLPath, handleParseSession);
+ this.applyRequestContextMiddleware(app, this.parseServer.config);
app.use(this.config.graphQLPath, handleParseErrors);
app.use(this.config.graphQLPath, async (req, res) => {
const server = await this._getServer();
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
index b2f0542256..0af65647aa 100644
--- a/src/Options/Definitions.js
+++ b/src/Options/Definitions.js
@@ -435,6 +435,11 @@ module.exports.ParseServerOptions = {
env: 'PARSE_SERVER_READ_ONLY_MASTER_KEY',
help: 'Read-only key, which has the same capabilities as MasterKey without writes',
},
+ requestContextMiddleware: {
+ env: 'PARSE_SERVER_REQUEST_CONTEXT_MIDDLEWARE',
+ help:
+ 'Options to customize the request context using inversion of control/dependency injection.',
+ },
requestKeywordDenylist: {
env: 'PARSE_SERVER_REQUEST_KEYWORD_DENYLIST',
help:
diff --git a/src/Options/docs.js b/src/Options/docs.js
index 1ab8c03d58..f22701b544 100644
--- a/src/Options/docs.js
+++ b/src/Options/docs.js
@@ -81,6 +81,7 @@
* @property {Any} push Configuration for push, as stringified JSON. See http://docs.parseplatform.org/parse-server/guide/#push-notifications
* @property {RateLimitOptions[]} rateLimit Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.
ℹ️ Mind the following limitations:
- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses
- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable
- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.
* @property {String} readOnlyMasterKey Read-only key, which has the same capabilities as MasterKey without writes
+ * @property {Function} requestContextMiddleware Options to customize the request context using inversion of control/dependency injection.
* @property {RequestKeywordDenylist[]} requestKeywordDenylist An array of keys and values that are prohibited in database read and write requests to prevent potential security vulnerabilities. It is possible to specify only a key (`{"key":"..."}`), only a value (`{"value":"..."}`) or a key-value pair (`{"key":"...","value":"..."}`). The specification can use the following types: `boolean`, `numeric` or `string`, where `string` will be interpreted as a regex notation. Request data is deep-scanned for matching definitions to detect also any nested occurrences. Defaults are patterns that are likely to be used in malicious requests. Setting this option will override the default patterns.
* @property {String} restAPIKey Key for REST calls
* @property {Boolean} revokeSessionOnPasswordReset When a user changes their password, either through the reset password email or while logged in, all sessions are revoked if this is true. Set to false if you don't want to revoke sessions.
diff --git a/src/Options/index.js b/src/Options/index.js
index a4d83f94fc..8d0ed91fc5 100644
--- a/src/Options/index.js
+++ b/src/Options/index.js
@@ -300,6 +300,8 @@ export interface ParseServerOptions {
/* Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.
ℹ️ Mind the following limitations:
- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses
- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable
- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.
:DEFAULT: [] */
rateLimit: ?(RateLimitOptions[]);
+ /* Options to customize the request context using inversion of control/dependency injection.*/
+ requestContextMiddleware: ?(req: any, res: any, next: any) => void;
}
export interface RateLimitOptions {
diff --git a/src/ParseServer.js b/src/ParseServer.js
index 04379ecfd3..2af5e15edc 100644
--- a/src/ParseServer.js
+++ b/src/ParseServer.js
@@ -175,6 +175,18 @@ class ParseServer {
});
}
+ /**
+ * @static
+ * Allow developers to customize each request with inversion of control/dependency injection
+ */
+ static applyRequestContextMiddleware(api, options) {
+ if (options.requestContextMiddleware) {
+ if (typeof options.requestContextMiddleware !== 'function') {
+ throw new Error('requestContextMiddleware must be a function');
+ }
+ api.use(options.requestContextMiddleware);
+ }
+ }
/**
* @static
* Create an express app for the parse server
@@ -220,7 +232,7 @@ class ParseServer {
middlewares.addRateLimit(route, options);
}
api.use(middlewares.handleParseSession);
-
+ this.applyRequestContextMiddleware(api, options);
const appRouter = ParseServer.promiseRouter({ appId });
api.use(appRouter.expressRouter());
diff --git a/src/Routers/FunctionsRouter.js b/src/Routers/FunctionsRouter.js
index d239908103..1b42805647 100644
--- a/src/Routers/FunctionsRouter.js
+++ b/src/Routers/FunctionsRouter.js
@@ -67,6 +67,7 @@ export class FunctionsRouter extends PromiseRouter {
headers: req.config.headers,
ip: req.config.ip,
jobName,
+ config: req.config,
message: jobHandler.setMessage.bind(jobHandler),
};
@@ -123,6 +124,7 @@ export class FunctionsRouter extends PromiseRouter {
params = parseParams(params);
const request = {
params: params,
+ config: req.config,
master: req.auth && req.auth.isMaster,
user: req.auth && req.auth.user,
installationId: req.info.installationId,
diff --git a/src/cloud-code/Parse.Cloud.js b/src/cloud-code/Parse.Cloud.js
index 5540e8d719..d6913fdc59 100644
--- a/src/cloud-code/Parse.Cloud.js
+++ b/src/cloud-code/Parse.Cloud.js
@@ -791,6 +791,7 @@ module.exports = ParseCloud;
* @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`, ...)
* @property {Object} log The current logger inside Parse Server.
* @property {Parse.Object} original If set, the object, as currently stored.
+ * @property {Object} config The Parse Server config.
*/
/**
@@ -805,6 +806,7 @@ module.exports = ParseCloud;
* @property {Object} headers The original HTTP headers for the request.
* @property {String} triggerName The name of the trigger (`beforeSaveFile`, `afterSaveFile`)
* @property {Object} log The current logger inside Parse Server.
+ * @property {Object} config The Parse Server config.
*/
/**
@@ -842,6 +844,7 @@ module.exports = ParseCloud;
* @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`, ...)
* @property {Object} log The current logger inside Parse Server.
* @property {Boolean} isGet wether the query a `get` or a `find`
+ * @property {Object} config The Parse Server config.
*/
/**
@@ -855,6 +858,7 @@ module.exports = ParseCloud;
* @property {Object} headers The original HTTP headers for the request.
* @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`, ...)
* @property {Object} log The current logger inside Parse Server.
+ * @property {Object} config The Parse Server config.
*/
/**
@@ -863,12 +867,14 @@ module.exports = ParseCloud;
* @property {Boolean} master If true, means the master key was used.
* @property {Parse.User} user If set, the user that made the request.
* @property {Object} params The params passed to the cloud function.
+ * @property {Object} config The Parse Server config.
*/
/**
* @interface Parse.Cloud.JobRequest
* @property {Object} params The params passed to the background job.
* @property {function} message If message is called with a string argument, will update the current message to be stored in the job status.
+ * @property {Object} config The Parse Server config.
*/
/**
diff --git a/src/triggers.js b/src/triggers.js
index b5f11435df..d4eb3619db 100644
--- a/src/triggers.js
+++ b/src/triggers.js
@@ -260,6 +260,7 @@ export function getRequestObject(
log: config.loggerController,
headers: config.headers,
ip: config.ip,
+ config,
};
if (originalParseObject) {
@@ -304,6 +305,7 @@ export function getRequestQueryObject(triggerType, auth, query, count, config, c
headers: config.headers,
ip: config.ip,
context: context || {},
+ config,
};
if (!auth) {
@@ -955,6 +957,7 @@ export function getRequestFileObject(triggerType, auth, fileObject, config) {
log: config.loggerController,
headers: config.headers,
ip: config.ip,
+ config,
};
if (!auth) {