当前位置: 动力学知识库 > 问答 > 编程问答 >

javascript - Parse Server Node.js SDK: Alternative to Parse.User.become?

问题描述:

I want to completely dissociate my client app from Parse server, to ease the switch to other Baas/custom backend in the future. As such, all client request will point to a node.js server who will make the request to Parse on behalf of the user.

Client <--> Node.js Server <--> Parse Server

As such, I need the node.js server to be able to switch between users so I can keep the context of their authentification.

I know how to authentificate, then keep the sessionToken of the user, and I ve seen during my research than the "accepted" solution to this problem was to call Parse.User.disableUnsafeCurrentUser, then using Parse.User.become() to switch the current user to the one making a request.

But that feels hackish, and I m pretty sure it will, sooner or later, lead to a race condition where the current user is switched before the request is made to Parse.

Another solution I found was to not care about Parse.User, and use the masterKey to save everything by the server, but that would make the server responsible of the ACL.

Is there a way to make request from different user other than thoses two?

网友答案:

Any request to the backend (query.find(), object.save(), etc) takes an optional options parameter as the final argument. This lets you specify extra permissions levels, such as forcing the master key or using a specific session token.

If you have the session token, your server code can make a request on behalf of that user, preserving ACL permissions.

Let's assume you have a table of Item objects, where we rely on ACLs to ensure that a user can only retrieve his own Items. The following code would use an explicit session token and only return the Items the user can see:

// fetch items visible to the user associate with `token`
fetchItems(token) {
  new Parse.Query('Item')
    .find({ sessionToken: token })
    .then((results) => {
      // do something with the items
    });
}

become() was really designed for the Parse Cloud Code environment, where each request lives in a sandbox, and you can rely on a global current user for each request. It doesn't really make sense in a Node.js app, and we'll probably deprecate it.

网友答案:

I recently wrote a NodeJS application and had the same problem. I found that the combination of Parse.User.disableUnsafeCurrentUser and Parse.User.become() was not only hackish, but also caused several other problems I wasn't able to anticipate. So here's what I did: I used Parse.Cloud.useMasterKey(); and then loaded the current user by session ID as if it was a regular user object. It looked something like this:

module.exports = function(req, res, next) {
  var Parse = req.app.locals.parse, query;
  res.locals.parse = Parse;
  if (req.session.userid === undefined) {
    res.locals.user = undefined;
    return next();
  }
  Parse.Cloud.useMasterKey();
  query = new Parse.Query(Parse.User); 
  query.equalTo("objectId", req.session.userid);
  query.first().then(function(result) {
    res.locals.user = result;
    return next();
  }, function(err) {
    res.locals.user = undefined;
    console.error("error recovering user " + req.session.userid);
    return next();
  });

};

This code can obviously be optimized, but you can see the general idea. Upside: It works! Downside: No more use of Parse.User.current(), and the need to take special care in the backend that no conditions occur where someone overwrites data without permission.

分享给朋友:
您可能感兴趣的文章:
随机阅读: