Yesterday I tried executing a cloud function from a device without an authenticated user and the function got executed. This is a huge security loophole.
Is there a way to restrict execution of cloud functions to only authenticated users, maybe an option similar to requiresAuthentication?
You can check for request.user, as stated in the docs, for this purpose. This is not a 'security loophole'. You can even check for request.master if you wanna ensure only a masterKey authenticated call is made.
By default, your API allows communications from any SDK with a valid applicationId / clientKey pair (and applicationId / clientKey are not considered security features but merely routing artifacts).
For more information, don't hesitate to check the docs and API docs: http://parseplatform.org/Parse-SDK-JS/api/v1.11.1/Parse.Cloud.html#.FunctionRequest
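The request.user / request.master checks described in the answer above can be factored into reusable guards. This is an added example, not code from the thread or from Parse; it assumes the promise-based handler style of Parse Server 3.x and later, and requireUser, requireMaster, deny, getProfile and purgeCache are hypothetical names.

```javascript
// Guard wrappers for Cloud Code handlers (hypothetical helpers, added example).
// Assumes handlers take a single `request` and reject by throwing.

function deny(message) {
  // Inside Cloud Code the Parse global exists; outside it, fall back to Error.
  if (typeof Parse !== 'undefined') {
    return new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, message);
  }
  return new Error(message);
}

// Reject calls that carry neither a logged-in user nor the master key.
function requireUser(handler) {
  return async function (request) {
    if (request.master !== true && !request.user) {
      throw deny('Authentication required');
    }
    return handler(request);
  };
}

// Reject everything except master-key calls.
function requireMaster(handler) {
  return async function (request) {
    if (request.master !== true) {
      throw deny('Master key required');
    }
    return handler(request);
  };
}

// Sample functions (constructed for illustration).
const getProfile = requireUser(async (request) => ({
  // request.user is undefined on master-key calls, so check master first.
  caller: request.master ? 'master' : request.user.id,
}));
const purgeCache = requireMaster(async () => 'purged');

// Register only when running inside Parse Server Cloud Code.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.define('getProfile', getProfile);
  Parse.Cloud.define('purgeCache', purgeCache);
}
```
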