parse-stack-next 4.5.0

data/lib/parse/client/authentication.rb

@@ -0,0 +1,97 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+require "faraday"
+require "active_support"
+require "active_support/core_ext"
+
+require_relative "protocol"
+
+module Parse
+  module Middleware
+    # This middleware handles sending the proper authentication headers to the
+    # Parse REST API endpoint.
+    class Authentication < Faraday::Middleware
+      include Parse::Protocol
+      # @!visibility private
+      DISABLE_MASTER_KEY = "X-Disable-Parse-Master-Key".freeze
+      # @return [String] the application id for this Parse endpoint.
+      attr_accessor :application_id
+      # @return [String] the REST API Key for this Parse endpoint.
+      attr_accessor :api_key
+      # The Master key API Key for this Parse endpoint. This is optional. If
+      # provided, it will be sent in every request.
+      # @return [String]
+      attr_accessor :master_key
+
+      #
+      # @param adapter [Faraday::Adapter] An instance of the Faraday adapter
+      #  used for the connection. Defaults Faraday::Adapter::NetHttp.
+      # @param options [Hash] the options containing Parse authentication data.
+      # @option options [String] :application_id the application id.
+      # @option options [String] :api_key the REST API key.
+      # @option options [String] :master_key the Master Key for this application.
+      #  If it is set, it will be sent on every request unless this middleware sees
+      #  {DISABLE_MASTER_KEY} as an entry in the headers section.
+      # @option options [String] :content_type the content type format header. Defaults to
+      #  {Parse::Protocol::CONTENT_TYPE_FORMAT}.
+      def initialize(adapter, options = {})
+        super(adapter)
+        @application_id = options[:application_id]
+        @api_key = options[:api_key]
+        @master_key = options[:master_key]
+        @content_type = options[:content_type] || CONTENT_TYPE_FORMAT
+      end
+
+      # Thread-safety
+      # @!visibility private
+      def call(env)
+        dup.call!(env)
+      end
+
+      # @!visibility private
+      def call!(env)
+        # We add the main Parse protocol headers
+        headers = {}
+        raise ArgumentError, "No Parse Application Id specified for authentication." unless @application_id.present?
+        headers[APP_ID] = @application_id
+        headers[API_KEY] = @api_key unless @api_key.blank?
+
+        # Three sources can suppress the master key for this request:
+        #   1. The per-request `X-Disable-Parse-Master-Key` header (one-off
+        #      opt-out, kept for backwards compatibility).
+        #   2. Fiber-local state set by {Parse.without_master_key} (block-
+        #      scoped opt-out, also visible on Faraday retries because the
+        #      fiber persists across the retry loop — the header at (1)
+        #      gets stripped on first call and is gone by the retry).
+        #   3. A session-token-authenticated request (the existing check
+        #      below; session token wins over master key).
+        header_disable = env[:request_headers][DISABLE_MASTER_KEY].present?
+        fiber_disable  = Parse.master_key_disabled?
+        unless @master_key.blank? || header_disable || fiber_disable
+          headers[MASTER_KEY] = @master_key
+        end
+
+        env[:request_headers].delete(DISABLE_MASTER_KEY)
+
+        # delete the use of master key if we are using session token.
+        if env[:request_headers].key?(Parse::Protocol::SESSION_TOKEN)
+          headers.delete(MASTER_KEY)
+        end
+        # merge the headers with the current provided headers
+        env[:request_headers].merge! headers
+        # set the content type of the request if it was not provided already.
+        env[:request_headers][CONTENT_TYPE] ||= @content_type
+        # only modify header
+
+        @app.call(env).on_complete do |response_env|
+          # check for return code raise an error when authentication was a failure
+          # if response_env[:status] == 401
+          #   warn "Unauthorized Parse API Credentials for Application Id: #{@application_id}"
+          # end
+
+        end
+      end
+    end # Authenticator
+  end
+end

data/lib/parse/client/batch.rb

@@ -0,0 +1,234 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+require_relative "request"
+require_relative "response"
+
+module Parse
+  # Create a new batch operation.
+  # @param reqs [Array<Parse::Request>] a set of requests to batch.
+  # @return [BatchOperation] a new {BatchOperation} with the given change requests.
+  def self.batch(reqs = nil)
+    BatchOperation.new(reqs)
+  end
+
+  # This class provides a standard way to submit, manage and process batch operations
+  # for Parse::Objects and associations.
+  #
+  # Batch requests are supported implicitly and intelligently through an
+  # extension of array. When an array of Parse::Object subclasses is saved,
+  # Parse-Stack will batch all possible save operations for the objects in the
+  # array that have changed. It will also batch save 50 at a time until all items
+  # in the array are saved. Note: Parse does not allow batch saving Parse::User objects.
+  #
+  #  songs = Songs.first 1000 #first 1000 songs
+  #  songs.each do |song|
+  #   # ... modify song ...
+  #  end
+  #
+  #  # will batch save 50 items at a time until all are saved.
+  #  songs.save
+  #
+  # The objects do not have to be of the same collection in order to be supported in the
+  # batch request.
+  # @see Array.save
+  # @see Array.destroy
+  class BatchOperation
+    include Enumerable
+
+    # Default number of threads used to dispatch batch segments concurrently.
+    # Raise via `Parse::BatchOperation.parallelism = N` (or pass `parallelism:`
+    # to `#submit`) for higher throughput on bulk writes; 2 is intentionally
+    # conservative to avoid overwhelming smaller Parse Server deployments.
+    DEFAULT_PARALLELISM = 2
+
+    class << self
+      attr_writer :parallelism
+
+      def parallelism
+        @parallelism || DEFAULT_PARALLELISM
+      end
+    end
+
+    # @!attribute requests
+    #  @return [Array] the set of requests in this batch.
+
+    # @!attribute responses
+    #  @return [Array] the set of responses from this batch.
+
+    # @!attribute transaction
+    #  @return [Boolean] whether this batch should be executed as a transaction.
+    attr_accessor :requests, :responses, :transaction
+
+    # @return [Parse::Client] the client to be used for the request.
+    def client
+      @client ||= Parse::Client.client
+    end
+
+    # @param reqs [Array<Parse::Request>] an array of requests.
+    # @param transaction [Boolean] whether to execute as a transaction.
+    def initialize(reqs = nil, transaction: false)
+      @requests = []
+      @responses = []
+      @transaction = transaction
+      reqs = [reqs] unless reqs.is_a?(Enumerable)
+      reqs.each { |r| add(r) } if reqs.is_a?(Enumerable)
+    end
+
+    # Add an additional request to this batch.
+    # @overload add(req)
+    #  @param req [Parse::Request] the request to append.
+    #  @return [Array<Parse::Request>] the set of requests.
+    # @overload add(batch)
+    #  @param req [Parse::BatchOperation] add all the requests from this batch operation.
+    #  @return [Array<Parse::Request>] the set of requests.
+    def add(req)
+      if req.respond_to?(:change_requests)
+        requests = req.change_requests.select { |r| r.is_a?(Parse::Request) }
+        @requests += requests
+      elsif req.is_a?(Array)
+        requests = req.select { |r| r.is_a?(Parse::Request) }
+        @requests += requests
+      elsif req.is_a?(BatchOperation)
+        @requests += req.requests if req.is_a?(BatchOperation)
+      else
+        @requests.push(req) if req.is_a?(Parse::Request)
+      end
+      @requests
+    end
+
+    # This method is for interoperability with Parse::Object instances.
+    # @see Parse::Object#change_requests
+    def change_requests
+      @requests
+    end
+
+    # @return [Array]
+    def each(&block)
+      return enum_for(:each) unless block_given?
+      @requests.each(&block)
+    end
+
+    # @return [Hash] a formatted payload for the batch request.
+    def as_json(*args)
+      payload = { requests: requests }
+      payload[:transaction] = true if @transaction
+      payload.as_json
+    end
+
+    # @return [Integer] the number of requests in the batch.
+    def count
+      @requests.count
+    end
+
+    # Remove all requests in this batch.
+    # @return [Array]
+    def clear!
+      @requests.clear
+    end
+
+    # @return [Boolean] true if the request was successful.
+    def success?
+      return false if @responses.empty?
+      @responses.compact.all?(&:success?)
+    end
+
+    # @return [Boolean] true if the request had an error.
+    def error?
+      return false if @responses.empty?
+      !success?
+    end
+
+    # Submit the batch operation in chunks until they are all complete. In general,
+    # Parse limits requests in each batch to 50 and it is possible that a {BatchOperation}
+    # instance contains more than 50 requests. This method will slice up the array of
+    # request and send them based on the `segment` amount until they have all been submitted.
+    # @param segment [Integer] the number of requests to send in each batch. Default 50.
+    # @param parallelism [Integer] the number of segments dispatched in
+    #   parallel. Defaults to `Parse::BatchOperation.parallelism` (2).
+    # @return [Array<Parse::Response>] the corresponding set of responses for
+    #  each request in the batch.
+    def submit(segment = 50, parallelism: self.class.parallelism, &block)
+      @responses = []
+      @requests.uniq!(&:signature)
+      parallelism = 1 if parallelism.nil? || parallelism < 1
+      @responses = @requests.each_slice(segment).to_a.threaded_map(parallelism) do |slice|
+        client.batch_request(BatchOperation.new(slice))
+      end
+      @responses.flatten!
+      @requests.zip(@responses).each(&block) if block_given?
+      @responses
+    end
+
+    alias_method :save, :submit
+  end
+end
+
+class Array
+
+  # Submit a batch request for deleting a set of Parse::Objects.
+  # @example
+  #  # assume Post and Author are Parse models
+  #  author = Author.first
+  #  posts = Post.all author: author
+  #  posts.destroy # batch destroy request
+  # @return [Parse::BatchOperation] the batch operation performed.
+  # @see Parse::BatchOperation
+  def destroy
+    batch = Parse::BatchOperation.new
+    each do |o|
+      next unless o.respond_to?(:destroy_request)
+      r = o.destroy_request
+      batch.add(r) unless r.nil?
+    end
+    batch.submit
+    batch
+  end
+
+  # Do not alias method as :delete is already part of array.
+  # alias_method :delete, :destroy
+
+  # Submit a batch request for deleting a set of Parse::Objects.
+  # Batch requests are supported implicitly and intelligently through an
+  # extension of array. When an array of Parse::Object subclasses is saved,
+  # Parse-Stack will batch all possible save operations for the objects in the
+  # array that have changed. It will also batch save 50 at a time until all items
+  # in the array are saved. Note: Parse does not allow batch saving Parse::User objects.
+  # @note The objects of the array to be saved do not all have to be of the same collection.
+  # @param merge [Boolean] whether to merge the updated changes to the series of
+  #  objects back to the original ones submitted. If you don't need the original objects
+  #  to be updated with the changes, set this to false for improved performance.
+  # @param force [Boolean] Do not skip objects that do not have pending changes (dirty tracking).
+  # @example
+  #  # assume Post and Author are Parse models
+  #  author = Author.first
+  #  posts = Post.first 100
+  #  posts.each { |post| post.author = author }
+  #  posts.save # batch save
+  # @return [Parse::BatchOperation] the batch operation performed.
+  # @see Parse::BatchOperation
+  def save(merge: true, force: false)
+    batch = Parse::BatchOperation.new
+    objects = {}
+    each do |o|
+      next unless o.is_a?(Parse::Object)
+      objects[o.object_id] = o
+      batch.add o.change_requests(force)
+    end
+    if merge == false
+      batch.submit
+      return batch
+    end
+    #rebind updates
+    batch.submit do |request, response|
+      next unless request.tag.present? && response.present? && response.success?
+      o = objects[request.tag]
+      next unless o.is_a?(Parse::Object)
+      result = response.result
+      o.id = result["objectId"] if o.id.blank?
+      o.set_attributes!(result)
+      o.clear_changes!
+    end
+    batch
+  end #save!
+end

data/lib/parse/client/body_builder.rb

@@ -0,0 +1,240 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+require "faraday"
+require_relative "response"
+require_relative "protocol"
+require "active_support"
+require "active_support/core_ext"
+require "active_model/serializers/json"
+require "json"
+require "set"
+
+module Parse
+
+  # @!attribute self.logging
+  # Sets {Parse::Middleware::BodyBuilder} logging.
+  # You may specify `:debug` for additional verbosity.
+  # @return (see Parse::Middleware::BodyBuilder.logging)
+  def self.logging
+    Parse::Middleware::BodyBuilder.logging
+  end
+  # @!visibility private
+  def self.logging=(value)
+    Parse::Middleware::BodyBuilder.logging = value
+  end
+
+  # Namespace for Parse-Stack related middleware.
+  module Middleware
+    # This middleware takes an incoming Parse response, after an outgoing request,
+    # and creates a Parse::Response object.
+    class BodyBuilder < Faraday::Middleware
+      include Parse::Protocol
+      # Header sent when a GET requests exceeds the limit.
+      HTTP_METHOD_OVERRIDE = "X-Http-Method-Override"
+      # Maximum url length for most server requests before HTTP Method Override is used.
+      MAX_URL_LENGTH = 2_000.freeze
+      # Fields that should be redacted from log output.
+      SENSITIVE_FIELDS = %w[
+        password token sessionToken session_token access_token authData
+        masterKey master_key apiKey api_key clientKey client_key
+        javascriptKey javascript_key refreshToken refresh_token
+      ].freeze
+      SENSITIVE_PATTERN = /(#{SENSITIVE_FIELDS.join("|")})(["']?\s*[=:>]\s*["']?)([^"&\s,}\]]+)/i
+      # Lookup set of sensitive field names for structural (JSON) redaction
+      # — case-insensitive match on the key, not the value. Walks the parsed
+      # structure so nested objects like {"password":{"nested":"value"}}
+      # and escaped-quote payloads (which the regex misses) are scrubbed.
+      SENSITIVE_FIELDS_SET = SENSITIVE_FIELDS.map(&:downcase).to_set.freeze
+      # Placeholder used in place of redacted values.
+      REDACTED_PLACEHOLDER = "[FILTERED]"
+      # Request headers that must never be printed verbatim in debug logs.
+      # Matched case-insensitively against Faraday header keys.
+      REDACTED_HEADERS = [
+        Parse::Protocol::MASTER_KEY,
+        Parse::Protocol::API_KEY,
+        Parse::Protocol::SESSION_TOKEN,
+        "X-Parse-JavaScript-Key",
+        "Authorization",
+        "Cookie",
+      ].map(&:downcase).freeze
+
+      class << self
+        # Allows logging. Set to `true` to enable logging, `false` to disable.
+        # You may specify `:debug` for additional verbosity.
+        # @return [Boolean]
+        attr_accessor :logging
+      end
+
+      # Redacts sensitive fields from a string for safe logging.
+      #
+      # Two passes run in sequence so that no payload shape leaks secrets:
+      #
+      # 1. **Structural pass.** If the body (after whitespace trim) parses as
+      #    JSON, the parsed structure is walked recursively. Any value whose
+      #    key matches +SENSITIVE_FIELDS_SET+ (case-insensitive) is replaced.
+      #    String values that themselves look like JSON are recursively
+      #    parsed and scrubbed — catches +{"body":"{\"password\":\"x\"}"}+
+      #    payloads.
+      #
+      # 2. **Regex pass.** The result of the structural pass (or the original
+      #    string if parsing failed) is always also run through the
+      #    +SENSITIVE_PATTERN+ regex as defense-in-depth. This catches form-
+      #    encoded bodies, partial JSON, escaped-quote payloads, and string
+      #    array elements like +["password=hunter2"]+ that the structural
+      #    walker can't redact in-place.
+      # @param str [String] the string to redact.
+      # @return [String] the redacted string.
+      def self.redact(str)
+        s = str.to_s
+        return s if s.empty?
+        after_structural = s
+        if (parsed = try_parse_json(s))
+          scrubbed = scrub_sensitive!(parsed)
+          begin
+            after_structural = scrubbed.to_json
+          rescue StandardError
+            after_structural = s
+          end
+        end
+        after_structural.gsub(SENSITIVE_PATTERN) do
+          key_part = $1
+          sep_part = $2
+          val_part = $3
+          # Skip values that the structural pass already redacted —
+          # otherwise the regex value-class +[^"&\s,}\]]+ stops at the
+          # bracket and we end up with +[FILTERED]]+ from the trailing
+          # close-bracket left over from +"[FILTERED]"+.
+          if val_part == "[FILTERED" || val_part == REDACTED_PLACEHOLDER
+            "#{key_part}#{sep_part}#{val_part}"
+          else
+            "#{key_part}#{sep_part}#{REDACTED_PLACEHOLDER}"
+          end
+        end
+      end
+
+      # @!visibility private
+      def self.try_parse_json(str)
+        # Find first non-whitespace byte; allow leading whitespace and BOM.
+        trimmed = str.byteslice(0, 16).to_s.dup
+        trimmed.force_encoding("BINARY")
+        trimmed.sub!(/\A\xEF\xBB\xBF/n, "")
+        first = trimmed.lstrip[0]
+        return nil unless first == "{" || first == "["
+        JSON.parse(str, max_nesting: 32)
+      rescue JSON::ParserError, JSON::NestingError
+        nil
+      end
+
+      # @!visibility private
+      # Recursively walks a parsed JSON structure replacing values under any
+      # sensitive key with the redaction placeholder. Returns the same node
+      # for chaining; mutates Hashes/Arrays in place.
+      #
+      # When a value is itself a String that looks like JSON, attempt to
+      # parse-scrub-re-encode it so embedded-JSON payloads are also covered
+      # (e.g. +{"body":"{\"password\":\"x\"}"}+).
+      def self.scrub_sensitive!(node)
+        case node
+        when Hash
+          node.each do |key, value|
+            if key.is_a?(String) && SENSITIVE_FIELDS_SET.include?(key.downcase)
+              node[key] = REDACTED_PLACEHOLDER
+            elsif value.is_a?(Hash) || value.is_a?(Array)
+              scrub_sensitive!(value)
+            elsif value.is_a?(String)
+              redacted_string = maybe_scrub_embedded_json(value)
+              node[key] = redacted_string unless redacted_string.equal?(value)
+            end
+          end
+        when Array
+          node.each_with_index do |item, i|
+            if item.is_a?(Hash) || item.is_a?(Array)
+              scrub_sensitive!(item)
+            elsif item.is_a?(String)
+              redacted_string = maybe_scrub_embedded_json(item)
+              node[i] = redacted_string unless redacted_string.equal?(item)
+            end
+          end
+        end
+        node
+      end
+
+      # @!visibility private
+      # If +str+ parses as JSON (object or array), scrub structurally and
+      # re-encode. Otherwise return the original string unchanged.
+      def self.maybe_scrub_embedded_json(str)
+        return str unless (inner = try_parse_json(str))
+        scrub_sensitive!(inner)
+        begin
+          inner.to_json
+        rescue StandardError
+          str
+        end
+      end
+
+      # Thread-safety
+      # @!visibility private
+      def call(env)
+        dup.call!(env)
+      end
+
+      # @!visibility private
+      def call!(env)
+        # the maximum url size is ~2KB, so if we request a Parse API url greater than this
+        # (which is most likely a very complicated query), we need to override the request method
+        # to be POST instead of GET and send the query parameters in the body of the POST request.
+        # The standard maximum POST request (which is a server setting), is usually set to 20MBs
+        if env[:method] == :get && env[:url].to_s.length >= MAX_URL_LENGTH
+          env[:request_headers][HTTP_METHOD_OVERRIDE] = "GET"
+          env[:request_headers][CONTENT_TYPE] = "application/x-www-form-urlencoded"
+          # parse-sever looks for method overrides in the body under the `_method` param.
+          # so we will add it to the query string, which will now go into the body.
+          env[:body] = "_method=GET&" + env[:url].query
+          env[:url].query = nil
+          #override
+          env[:method] = :post
+          # else if not a get, always make sure the request is JSON encoded if the content type matches
+        elsif env[:request_headers][CONTENT_TYPE] == CONTENT_TYPE_FORMAT &&
+              (env[:body].is_a?(Hash) || env[:body].is_a?(Array))
+          env[:body] = env[:body].to_json
+        end
+
+        if self.class.logging
+          puts "[Request #{env.method.upcase}] #{self.class.redact(env[:url].to_s)}"
+          env[:request_headers].each do |k, v|
+            if REDACTED_HEADERS.include?(k.to_s.downcase)
+              puts "[Header] #{k} : [FILTERED]"
+            else
+              puts "[Header] #{k} : #{v}"
+            end
+          end
+
+          puts "[Request Body] #{self.class.redact(env[:body].to_s)}"
+        end
+        @app.call(env).on_complete do |response_env|
+          # on a response, create a new Parse::Response and replace the :body
+          # of the env
+          # @todo CHECK FOR HTTP STATUS CODES
+          if self.class.logging
+            puts "[[Response #{response_env[:status]}]] ----------------------------------"
+            puts self.class.redact(response_env.body.to_s)
+            puts "[[Response]] --------------------------------------\n"
+          end
+
+          begin
+            r = Parse::Response.new(response_env.body)
+          rescue => e
+            r = Parse::Response.new
+            r.code = response_env.status
+            r.error = "Invalid response for #{env[:method]} #{env[:url]}: #{e}"
+          end
+          r.http_status = response_env[:status]
+          r.headers = response_env[:response_headers]
+          r.code ||= response_env[:status] if r.error.present?
+          response_env[:body] = r
+        end
+      end
+    end
+  end #Middleware
+end