fix: Master key does not bypass protectedFields on various endpoints

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

Master key does not bypass protectedFields on /login, /verifyPassword, /sessions/me, and /upgradeToRevocableSession

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• Bug Fixes

  • Fixed handling of restricted fields in session refresh and user operations when administrative keys are used
  • Ensured consistent field visibility behavior across different authentication methods

• Tests

  • Added verification tests for restricted field visibility with administrative authentication in login and session operations

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates session and user refetch logic in routers to conditionally reuse the caller's auth context (including master/maintenance access) instead of always creating a non-master context, and adds tests validating that protected fields are returned when master keys are used.

Changes

Cohort / File(s)	Summary
Protected Fields Master Key Tests spec/ProtectedFields.spec.js, spec/vulnerabilities.spec.js	Added test cases validating that protected _User and _Session fields are returned when endpoints are accessed with X-Parse-Master-Key header (login, verifyPassword, and /sessions/me).
Router Auth Context Refactoring src/Routers/SessionsRouter.js, src/Routers/UsersRouter.js	Updated session and user refetch logic to conditionally reuse the caller's auth context when master or maintenance keys are present, instead of always creating a non-master auth context. Applied in handleMe, handleUpdateToRevocableSession, and post-auth user refetch scenarios.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: Endpoint /sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64) #10406: Modifies SessionsRouter's /sessions/me logic to change auth context handling for protected fields, directly overlaps with this PR's session refetch changes.
• fix: Endpoint /upgradeToRevocableSession ignores _Session protectedFields #10408: Updates SessionsRouter's revocable-session flow refetch logic with the same auth context conditional pattern applied here.
• fix: Endpoints /login and /verifyPassword ignore _User protectedFields #10409: Modifies UsersRouter's login/verifyPassword auth context logic to affect protected fields behavior, mirrors the pattern applied to user refetch in this PR.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Engage In Review Feedback	❓ Inconclusive	GitHub PR review comments and discussions are not accessible through the git repository; only a single commit exists with no evidence of iterative updates addressing feedback.	Access to GitHub PR review comments and discussion history is required to properly assess engagement with review feedback.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title clearly and accurately summarizes the main change: fixing master key behavior with protected fields on various endpoints.
Description check	✅ Passed	The pull request description follows the repository template with Issue and Tasks sections completed; the Approach section is omitted but the changes are clear from the Issue statement and code summary.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Check	✅ Passed	PR implements proper conditional auth context reuse with safeguards for master/maintenance key authorization checks.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.39%. Comparing base (8a3db3b) to head (a1ea868).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10412      +/-   ##
==========================================
+ Coverage   83.99%   84.39%   +0.40%     
==========================================
  Files         192      192              
  Lines       16749    16749              
  Branches      229      229              
==========================================
+ Hits        14068    14136      +68     
+ Misses       2655     2591      -64     
+ Partials       26       22       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (2)

src/Routers/UsersRouter.js (1)

367-383: Good fix—consider centralizing the refetch-auth fallback.

This same privileged-caller-vs-user-auth branch now lives here twice and again in src/Routers/SessionsRouter.js. Since this regression came from the self-route refetch paths drifting from the regular handleGet behavior, keeping it inline in four places makes it easy to reintroduce later.

Also applies to: 470-486

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Routers/UsersRouter.js` around lines 367 - 383, Refactor the duplicated
privileged-caller vs user-auth refetch logic by extracting it into a single
helper (e.g., getRefetchAuth or Auth.getRefetchAuth) and use that helper from
UsersRouter (where refetchAuth is built) and SessionsRouter so the same branch
(req.auth.isMaster || req.auth.isMaintenance ? req.auth : new Auth.Auth({...
with Parse.Object.fromJSON(...)})) is implemented once; update call sites (the
code building refetchAuth, and where rest.get is invoked with refetchAuth) to
call the new helper with req and the target user object to avoid the inline
duplication across routes.

spec/ProtectedFields.spec.js (1)

2035-2047: Optional: extract duplicated user setup into a helper.

Both new tests repeat the same user creation + phone persistence flow; a tiny helper would reduce repetition and future drift.

♻️ Optional refactor sketch

+    async function createUserWithPhone(username = 'user1') {
+      const user = await Parse.User.signUp(username, 'password');
+      const sessionToken = user.getSessionToken();
+      user.set('phone', '555-1234');
+      await user.save(null, { sessionToken });
+      return user;
+    }

-      const user = await Parse.User.signUp('user1', 'password');
-      const sessionToken = user.getSessionToken();
-      user.set('phone', '555-1234');
-      await user.save(null, { sessionToken });
+      const user = await createUserWithPhone('user1');

Also applies to: 2063-2075

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/ProtectedFields.spec.js` around lines 2035 - 2047, Extract the
duplicated user setup (server reconfiguration and user creation/persistence)
into a reusable helper function (e.g., createProtectedUser or
setupProtectedUser) that calls reconfigureServer with the same protectedFields
and protectedFieldsOwnerExempt options, signs up the user via
Parse.User.signUp('user1','password'), sets the phone field and saves with the
sessionToken (using user.save(null, { sessionToken })), then returns the created
user and sessionToken; replace the repeated blocks in the tests (the blocks
around Parse.User.signUp and user.save at both locations) with calls to this
helper to reduce duplication.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@spec/ProtectedFields.spec.js`:
- Around line 2035-2047: Extract the duplicated user setup (server
reconfiguration and user creation/persistence) into a reusable helper function
(e.g., createProtectedUser or setupProtectedUser) that calls reconfigureServer
with the same protectedFields and protectedFieldsOwnerExempt options, signs up
the user via Parse.User.signUp('user1','password'), sets the phone field and
saves with the sessionToken (using user.save(null, { sessionToken })), then
returns the created user and sessionToken; replace the repeated blocks in the
tests (the blocks around Parse.User.signUp and user.save at both locations) with
calls to this helper to reduce duplication.

In `@src/Routers/UsersRouter.js`:
- Around line 367-383: Refactor the duplicated privileged-caller vs user-auth
refetch logic by extracting it into a single helper (e.g., getRefetchAuth or
Auth.getRefetchAuth) and use that helper from UsersRouter (where refetchAuth is
built) and SessionsRouter so the same branch (req.auth.isMaster ||
req.auth.isMaintenance ? req.auth : new Auth.Auth({... with
Parse.Object.fromJSON(...)})) is implemented once; update call sites (the code
building refetchAuth, and where rest.get is invoked with refetchAuth) to call
the new helper with req and the target user object to avoid the inline
duplication across routes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 83786319-f641-4855-af44-8742ccddd534

📥 Commits

Reviewing files that changed from the base of the PR and between 32680e3 and a1ea868.

📒 Files selected for processing (4)

• spec/ProtectedFields.spec.js
• spec/vulnerabilities.spec.js
• src/Routers/SessionsRouter.js
• src/Routers/UsersRouter.js

[parseplatformorg]

🎉 This change has been released in version 9.8.0-alpha.10