
Parse Server Node.js SDK: Alternative to Parse.User.become?


I want to completely dissociate my client app from Parse Server, to ease the switch to another BaaS/custom backend in the future. As such, all client requests will point to a Node.js server, which will make the request to Parse on behalf of the user.

Client <--> Node.js Server <--> Parse Server

As such, I need the Node.js server to be able to switch between users so I can keep the context of their authentication.

I know how to authenticate, then keep the sessionToken of the user, and I've seen during my research that the "accepted" solution to this problem was to call Parse.User.disableUnsafeCurrentUser, then use Parse.User.become() to switch the current user to the one making a request.

But that feels hackish, and I'm pretty sure it will, sooner or later, lead to a race condition where the current user is switched before the request is made to Parse.

Another solution I found was to not care about Parse.User, and use the masterKey to save everything from the server, but that would make the server responsible for the ACL.

Is there a way to make requests from different users other than those two?


Solution

  • Any request to the backend (query.find(), object.save(), etc.) takes an optional options parameter as the final argument. This lets you specify extra permission levels, such as forcing the master key or using a specific session token.

    If you have the session token, your server code can make a request on behalf of that user, preserving ACL permissions.

    Let's assume you have a table of Item objects, where we rely on ACLs to ensure that a user can only retrieve his own Items. The following code would use an explicit session token and only return the Items the user can see:

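    const Parse = require('parse/node');

    // fetch items visible to the user associated with `token`
    function fetchItems(token) {
      // the session token makes the backend apply that user's ACLs
      return new Parse.Query('Item')
        .find({ sessionToken: token })
        .then((results) => {
          // do something with the items
          return results;
        });
    }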
    

    become() was really designed for the Parse Cloud Code environment, where each request lives in a sandbox, and you can rely on a global current user for each request. It doesn't really make sense in a Node.js app, and we'll probably deprecate it.
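
The race the question worries about, next to the per-request token the answer recommends, as an added example that is not part of the original post and is not Parse SDK code. `become`, `find`, the tokens and the items are constructed stand-ins that model a process-wide current user and owner-only ACLs.

```javascript
// Constructed stand-in for a backend with per-user ACLs; NOT the Parse SDK.
const SESSIONS = { 'tok-alice': 'alice', 'tok-bob': 'bob' }; // constructed tokens
const ITEMS = [
  { name: 'alice-notes', owner: 'alice' },
  { name: 'bob-invoice', owner: 'bob' },
];
// One turn of the event loop, standing in for a network round trip.
const tick = () => new Promise((resolve) => setImmediate(resolve));

let currentUser = null; // process-wide state, shared by every in-flight request

// Hypothetical become(): resolves the token and overwrites the global user.
async function become(token) {
  await tick();
  currentUser = SESSIONS[token];
}

// Hypothetical query: uses the explicit token if given, else the global user.
async function find(options = {}) {
  await tick();
  const user = options.sessionToken ? SESSIONS[options.sessionToken] : currentUser;
  return ITEMS.filter((item) => item.owner === user).map((item) => item.name);
}

// Pattern 1: switch the global user, then query.
async function handleWithBecome(token) {
  await become(token);
  await tick(); // any await here lets another request call become()
  return find();
}

// Pattern 2: the token travels with the request; no shared state is read.
async function handleWithToken(token) {
  await tick();
  return find({ sessionToken: token });
}

// Two overlapping requests: alice's starts first, bob's one tick later.
async function simulate(handler) {
  currentUser = null;
  const alice = handler('tok-alice');
  const bob = tick().then(() => handler('tok-bob'));
  const [aliceSees, bobSees] = await Promise.all([alice, bob]);
  return { aliceSees, bobSees };
}
```

With `handleWithBecome`, alice's query runs after bob's request has overwritten the global user, so her response contains bob's item; with `handleWithToken` each response contains only the caller's own item.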