parse-stack-next 5.2.1 → 5.4.0

data/lib/parse/stack.rb

@@ -548,6 +548,21 @@ module Parse
   #   PARSE_STRICT_POINTER_SHAPES=true
   @strict_pointer_shapes = ENV["PARSE_STRICT_POINTER_SHAPES"] == "true"
 
+  # Configuration for automatic pluralized class-name aliases. When enabled
+  # (the default), referencing the plural form of a {Parse::Object} subclass
+  # constant resolves to that class, so `Posts.where(...)` works for a class
+  # `Post`. The alias is created lazily on first reference via `const_missing`
+  # and points at the same class object, so every class method
+  # (`where`, `query`, `count`, `find`, `all`, scopes) works for free and
+  # `Posts.parse_class` still returns `"Post"`. Classes whose name already
+  # ends in `s` are skipped. Set to false to opt out globally.
+  # @example Opt out globally
+  #   Parse.pluralized_aliases = false
+  # @example ENV opt-out
+  #   PARSE_PLURALIZED_ALIASES=false
+  # @see Parse::Core::Querying#pluralized_alias!
+  @pluralized_aliases = ENV["PARSE_PLURALIZED_ALIASES"] != "false"
+
   # Tuning bundle for the synchronize-create lock. Per-call kwargs override.
   # Keys: :ttl (seconds, default 3, max 30), :wait (seconds, default 2.0,
   # max 30), :on_degraded (:warn, :warn_throttled, :raise, :proceed).
@@ -630,7 +645,8 @@ module Parse
                   :rewrite_lookups, :strict_property_redefinition,
                   :synchronize_create_default, :synchronize_create_options, :synchronize_create_secret,
                   :synchronize_create_store, :synchronize_classes,
-                  :strict_pointer_shapes, :suppress_server_version_warning
+                  :strict_pointer_shapes, :suppress_server_version_warning,
+                  :pluralized_aliases
 
     # Check whether the Parse Server version deprecation warning is
     # silenced. Returns true if either the in-process accessor or the
@@ -714,6 +730,140 @@ module Parse
       @strict_pointer_shapes == true
     end
 
+    # Whether automatic pluralized class-name aliases are enabled. Defaults
+    # to true; opt out with `Parse.pluralized_aliases = false` or
+    # `PARSE_PLURALIZED_ALIASES=false`. See {Parse.pluralized_aliases}.
+    # @return [Boolean]
+    def pluralized_aliases?
+      @pluralized_aliases != false
+    end
+
+    # @!visibility private
+    # Resolve a (possibly plural) missing constant to its singular
+    # {Parse::Object} subclass and install the alias on the referencing
+    # module. Returns the class when an alias was created, otherwise nil so
+    # the caller (`const_missing`) can fall through to `super` and preserve
+    # normal `NameError` / autoloading behavior.
+    #
+    # Guards (fail-through to nil unless ALL hold):
+    #   - the feature is enabled,
+    #   - {Parse::Object} is loaded,
+    #   - the name singularizes to a *different* string (i.e. looks plural),
+    #   - the singular form does NOT already end in `s` (per design: classes
+    #     whose name ends in `s` are not auto-aliased),
+    #   - the singular constant is defined (searching ancestors so a
+    #     top-level model is visible from a nested reference) and is a
+    #     `Parse::Object` subclass,
+    #   - the plural is not already defined on the referencing module.
+    #
+    # @param mod [Module] the module/class on which `const_missing` fired.
+    # @param name [Symbol] the missing constant name.
+    # @return [Class, nil]
+    def __pluralized_alias_for(mod, name)
+      return nil unless pluralized_aliases?
+      return nil unless defined?(Parse::Object)
+      str = name.to_s
+      singular = str.singularize
+      return nil if singular == str
+      return nil if singular.end_with?("s")
+      sym = singular.to_sym
+      return nil unless mod.const_defined?(sym, true)
+      klass = mod.const_get(sym)
+      return nil unless klass.is_a?(Class) && klass < Parse::Object
+      return nil if mod.const_defined?(name, false)
+      mod.const_set(name, klass)
+      klass
+    rescue NameError, LoadError
+      # const_get/const_defined? can raise on malformed names or autoload
+      # failures; never let alias resolution mask the original lookup.
+      nil
+    end
+
+    # Verify that every association target across the loaded {Parse::Object}
+    # subclasses resolves to a known Parse class. Covers `belongs_to` and
+    # `property … as:` pointer targets (via each class's `references`),
+    # `has_many … through: :relation` targets (via `relations`), and the
+    # query- and array-backed `has_many` targets (via `has_many_associations`)
+    # — the bucket where an `as:` typo otherwise stays latent until the
+    # association is first traversed at call time.
+    #
+    # This is the deferred companion to the definition-time scalar guard in
+    # {Parse::Associations::BelongsTo::ClassMethods#belongs_to}: at declaration
+    # time a forward reference (a target class that is required later) is legal
+    # and indistinguishable from a typo, so the cross-class resolution check is
+    # run here — after all models are loaded. Intended to run once at boot, in
+    # CI, or from a rake task ("during the upgrade").
+    #
+    # A target resolves when it is a Parse system class (`_User`, `_Role`,
+    # `_Installation`, `_Session`, …) or a registered {Parse::Object} subclass
+    # (via {Parse::Model.find_class}). Note this checks against *loaded Ruby
+    # models*: if you intentionally point at a server-side class that has no
+    # Ruby model, define a stub model for it or exclude it via `classes:`.
+    #
+    # @param classes [Array<Class>, nil] optional subset of Parse::Object
+    #   subclasses to check; defaults to every loaded subclass.
+    # @raise [ArgumentError] if any target is unresolved, listing each
+    #   offending `Class#field -> 'Target'`.
+    # @return [true] when every association target resolves.
+    def validate_associations!(classes: nil)
+      models = classes || Parse::Object.descendants
+      problems = []
+      models.each do |klass|
+        next unless klass.respond_to?(:parse_class)
+        if klass.respond_to?(:references)
+          klass.references.each do |field, target|
+            next if _association_target_resolvable?(target)
+            # `references` is keyed by the remote (camelCase) column; report the
+            # declared Ruby accessor so the operator can find the offending line.
+            accessor = (klass.respond_to?(:field_map) && klass.field_map.key(field)) || field
+            problems << "#{klass}##{accessor} -> #{target.inspect} (no such Parse class)"
+          end
+        end
+        if klass.respond_to?(:relations)
+          klass.relations.each do |field, target|
+            next if _association_target_resolvable?(target)
+            problems << "#{klass}##{field} (relation) -> #{target.inspect} (no such Parse class)"
+          end
+        end
+        if klass.respond_to?(:has_many_associations)
+          klass.has_many_associations.each do |accessor, meta|
+            # `:relation`-storage has_many is mirrored into `relations` and is
+            # already reported above; only the `:query` and `:array` storage
+            # targets (which live nowhere else) need checking here. This is the
+            # branch where a `has_many … as:` typo hides, since a query-backed
+            # has_many resolves its target lazily at call time.
+            next if meta[:storage] == :relation
+            target = meta[:target_class]
+            next if target.nil? || _association_target_resolvable?(target)
+            problems << "#{klass}##{accessor} (has_many #{meta[:storage]}) -> " \
+                        "#{target.inspect} (no such Parse class)"
+          end
+        end
+      end
+      unless problems.empty?
+        raise ArgumentError,
+              "Unresolved Parse association targets:\n  " + problems.join("\n  ") +
+              "\nRequire/define the target class, or fix the `as:`/`class_name:` name."
+      end
+      true
+    end
+
+    # @!visibility private
+    # Whether an association target class name resolves to a known Parse
+    # class. Parse system classes resolve against {Parse::Model::SYSTEM_CLASS_MAP}
+    # — both the canonical `_`-prefixed value (`_User`) and the bare-name key
+    # (`User`) — even when their Ruby class is not loaded; everything else must
+    # resolve via {Parse::Model.find_class}. A leading underscore is NOT a
+    # blanket pass: a typo'd system name such as `_Usr` is neither in the map
+    # nor a registered model, so it is still surfaced as unresolved.
+    def _association_target_resolvable?(target)
+      name = target.to_s
+      return false if name.empty?
+      return true if Parse::Model::SYSTEM_CLASS_MAP.key?(name) ||
+                     Parse::Model::SYSTEM_CLASS_MAP.value?(name)
+      !Parse::Model.find_class(name).nil?
+    end
+
     # Check if MCP server feature is enabled
     # Requires PARSE_MCP_ENABLED=true in environment AND Parse.mcp_server_enabled = true
     # @return [Boolean]
@@ -790,6 +940,23 @@ module Parse
       end
       Parse.client.send_analytics(event_name, dimensions, **opts)
     end
+
+    # Capability probe against the connected Parse Server, delegated to the
+    # default client. Builds on the memoized `serverInfo` fetch — see
+    # {Parse::API::Server#server_supports?} for the capability table and the
+    # fail-open-to-modern semantics.
+    # @param feature [Symbol] a capability key.
+    # @return [Boolean] whether the connected server supports the feature.
+    def server_supports?(feature)
+      Parse.client.server_supports?(feature)
+    end
+
+    # The coarse `features` block advertised by `GET /serverInfo`, delegated
+    # to the default client. @see Parse::API::Server#server_features
+    # @return [Hash] the advertised features block, or `{}` if unavailable.
+    def server_features
+      Parse.client.server_features
+    end
   end
 
   # Error raised when {Parse::CreateLock#synchronize} cannot acquire the
@@ -851,4 +1018,9 @@ end
 # the setter on load.
 Parse._attach_slow_query_subscriber! if Parse.slow_query_threshold_ms
 
+# Install the lazy pluralized class-name alias hook (Posts -> Post). Loaded
+# last so Parse::Object and the Parse.__pluralized_alias_for helper are
+# already defined. Gated at runtime on Parse.pluralized_aliases?.
+require_relative "model/core/pluralized_aliases"
+
 require_relative "stack/railtie" if defined?(::Rails)

data/lib/parse/two_factor_auth/user_extension.rb

@@ -155,7 +155,7 @@ module Parse
           },
         }
 
-        response = client.update_user(id, { authData: auth_data_payload }, opts: { session_token: session_token })
+        response = client.update_user(id, { authData: auth_data_payload }, session_token: session_token)
 
         if response.error?
           if response.result.to_s.include?("Invalid MFA")
@@ -208,7 +208,7 @@ module Parse
           },
         }
 
-        response = client.update_user(id, { authData: auth_data_payload }, opts: { session_token: session_token })
+        response = client.update_user(id, { authData: auth_data_payload }, session_token: session_token)
 
         if response.error?
           raise Parse::Client::ResponseError, response
@@ -245,7 +245,7 @@ module Parse
           },
         }
 
-        response = client.update_user(id, { authData: auth_data_payload }, opts: { session_token: session_token })
+        response = client.update_user(id, { authData: auth_data_payload }, session_token: session_token)
 
         if response.error?
           if response.result.to_s.include?("Invalid MFA token")
@@ -276,27 +276,60 @@ module Parse
         raise MFA::NotEnabledError, "MFA is not enabled for this user" unless mfa_enabled?
         raise ArgumentError, "Current token is required" if current_token.blank?
 
-        # To disable, we need to update authData.mfa with the old token for validation
-        # and then set it to null
-        auth_data_payload = {
-          mfa: {
-            old: current_token,
-            secret: nil,  # Setting to nil disables TOTP
-          },
-        }
-
-        response = client.update_user(id, { authData: auth_data_payload }, opts: { session_token: session_token })
-
-        if response.error?
-          if response.result.to_s.include?("Invalid MFA token")
-            raise MFA::VerificationError, response.result.to_s
-          end
-          raise Parse::Client::ResponseError, response
+        # Parse Server's TOTP adapter exposes no first-class "disable via authData
+        # update" path — its validateUpdate always re-runs setup, so a partial
+        # mfa payload is rejected outright. Disabling is therefore a two-step:
+        #
+        #   1. Prove possession of the current code by submitting it as
+        #      `{ mfa: { old: <token> } }`. In the *update* context (unlike a
+        #      fresh login) the adapter validates that code against the stored
+        #      secret. A WRONG code fails at validateLogin ("Invalid MFA token");
+        #      a CORRECT code passes validateLogin and is then blocked by the
+        #      re-setup requirement ("Invalid MFA data") — which is precisely the
+        #      signal that the code was accepted. (This re-entry of the current
+        #      code is the deliberate confirmation gate for turning MFA off.)
+        #   2. Disable MFA by unlinking the provider with `{ mfa: nil }`.
+        #
+        # This keeps self-disable gated on a valid current code even though the
+        # server offers no dedicated TOTP self-disable endpoint.
+        verify = client.update_user(id, { authData: { mfa: { old: current_token } } },
+                                    session_token: session_token)
+        # Classify the two-step response POSITIVELY instead of treating
+        # "anything that isn't success-or-one-magic-string" as a bad
+        # token. The current code is ACCEPTED iff the server either
+        # succeeds or rejects only the follow-on re-setup ("Invalid MFA
+        # data") — that block fires AFTER validateLogin has already
+        # accepted the code. A WRONG code fails earlier at validateLogin
+        # ("Invalid MFA token"). Any OTHER error (transport, session, 5xx)
+        # is a real fault surfaced as-is, not mislabeled a verification
+        # failure.
+        err = verify.error.to_s
+        code_rejected = err.match?(/Invalid MFA token/i)
+        code_accepted = verify.success? || err.match?(/Invalid MFA data/i)
+        if code_rejected
+          raise MFA::VerificationError, "Invalid MFA token"
+        elsif !code_accepted
+          raise Parse::Client::ResponseError, verify
         end
 
-        # Refresh auth_data
-        fetch
+        response = client.update_user(id, { authData: { mfa: nil } }, session_token: session_token)
+        raise Parse::Client::ResponseError, response if response.error?
+
+        # CONFIRM the disable took effect from the SERVER's own view — a
+        # positive post-condition rather than trusting the unlink response
+        # alone. We must read the server directly here, NOT lean on the
+        # in-memory #mfa_enabled? projection: Parse Server omits +authData+
+        # entirely for a user with no providers, so once MFA is unlinked an
+        # ordinary fetch carries no +authData+ key at all and therefore can
+        # never clear the +{ mfa: { status: "enabled" } }+ value pinned at
+        # enrollment. An enabled account's own (session-token) read returns
+        # +authData.mfa+; a disabled one omits it — so an absent/mfa-less
+        # authData on this trusted self-read is the authoritative signal.
+        if mfa_enabled_on_server?
+          raise MFA::VerificationError, "MFA disable did not take effect (still enabled after unlink)"
+        end
 
+        clear_local_mfa_projection!
         true
       end
 
@@ -315,20 +348,26 @@ module Parse
       #
       # @param authorized_by [Parse::User, Parse::Pointer] the operator
       #   performing the override. Required.
-      # @param admin_role [Parse::Role, String, nil] optional role (or role
-      #   name) that +authorized_by+ must belong to.
+      # @param admin_role [Parse::Role, String, nil] role (or role name)
+      #   that +authorized_by+ must belong to. Library-enforced. Either
+      #   this or +allow_unverified: true+ is REQUIRED (fail-closed).
+      # @param allow_unverified [Boolean] explicitly accept caller-side
+      #   authorization without a library role check. Defaults to +false+;
+      #   must be set deliberately to bypass MFA without an +admin_role+.
       # @return [Boolean] True if disabled successfully.
       # @raise [ArgumentError] when +authorized_by:+ is missing or not a User.
-      # @raise [Parse::MFA::ForbiddenError] when +admin_role+ is supplied
+      # @raise [Parse::MFA::ForbiddenError] when neither +admin_role+ nor
+      #   +allow_unverified:+ is supplied, or when +admin_role+ is supplied
       #   and the operator is not a member.
       #
-      # @example Caller-verified authorization
-      #   user.disable_mfa_master_key!(authorized_by: current_admin)
-      #
-      # @example Library-enforced role check
+      # @example Library-enforced role check (preferred)
       #   user.disable_mfa_master_key!(authorized_by: current_admin,
       #                                admin_role: "Admin")
-      def disable_mfa_master_key!(authorized_by:, admin_role: nil)
+      #
+      # @example Caller-verified authorization (explicit opt-out)
+      #   user.disable_mfa_master_key!(authorized_by: current_admin,
+      #                                allow_unverified: true)
+      def disable_mfa_master_key!(authorized_by:, admin_role: nil, allow_unverified: false)
         operator = authorized_by
         unless operator.is_a?(Parse::User) ||
                (operator.is_a?(Parse::Pointer) && operator.parse_class == Parse::User.parse_class)
@@ -340,6 +379,18 @@ module Parse
           raise ArgumentError, "authorized_by: User must be persisted (have an objectId)"
         end
 
+        # FAIL CLOSED: this method bypasses MFA verification entirely via
+        # the master key, so it refuses to run without SOME authorization
+        # signal. Either supply an `admin_role:` for the library to verify,
+        # or pass `allow_unverified: true` to deliberately assert that the
+        # caller has already authorized the operator out-of-band.
+        if admin_role.nil? && !allow_unverified
+          raise MFA::ForbiddenError,
+                "disable_mfa_master_key! refuses to bypass MFA without an authorization " \
+                "check: pass admin_role: to enforce role membership, or " \
+                "allow_unverified: true to explicitly accept caller-side authorization."
+        end
+
         if admin_role
           role = admin_role.is_a?(Parse::Role) ? admin_role : Parse::Role.find_by_name(admin_role.to_s)
           if role.nil?
@@ -357,14 +408,19 @@ module Parse
         end
 
         auth_data_payload = { mfa: nil }
-        response = client.update_user(id, { authData: auth_data_payload }, opts: { use_master_key: true })
+        response = client.update_user(id, { authData: auth_data_payload }, use_master_key: true)
 
         if response.error?
           raise Parse::Client::ResponseError, response
         end
 
-        # Refresh auth_data
+        # Refresh auth_data, then drop the in-memory MFA projection. As in
+        # #disable_mfa!, a disabled user's read omits +authData+, so the
+        # +{ mfa: { status: "enabled" } }+ value pinned at enrollment won't
+        # self-clear on fetch — clear it explicitly so #mfa_enabled? reports
+        # the truth after a master-key disable.
         fetch
+        clear_local_mfa_projection!
 
         true
       end
@@ -435,6 +491,42 @@ module Parse
         account_name = email.presence || username.presence || id
         MFA.qr_code(secret, account_name, issuer: issuer, format: format)
       end
+
+      private
+
+      # @!visibility private
+      # Authoritative server-side MFA check via a trusted self-read.
+      # Reads +authData.mfa+ straight from a fresh session-token fetch
+      # rather than the (possibly stale) in-memory projection. An enabled
+      # account returns +authData.mfa+ with a +status+/+secret+; a disabled
+      # one omits +authData+ — so absence (or an mfa-less authData) means
+      # disabled.
+      # @return [Boolean]
+      def mfa_enabled_on_server?
+        result = client.fetch_object(self.class.parse_class, id,
+                                     session_token: session_token).result
+        mfa = result.is_a?(Hash) ? result["authData"] : nil
+        mfa = mfa["mfa"] if mfa.is_a?(Hash)
+        mfa.is_a?(Hash) && (mfa["status"] == "enabled" || mfa["secret"].present?)
+      end
+
+      # @!visibility private
+      # Drop the in-memory MFA projection after a disable. A disabled user's
+      # server read omits +authData+ entirely, so an ordinary fetch can
+      # never clear the +{ mfa: { status: "enabled" } }+ value pinned at
+      # enrollment; do it explicitly here. Only the +mfa+ subkey is removed
+      # (any anonymous/OAuth authData is preserved), and the assignment runs
+      # through the non-dirtying hydration path inside a +with_authdata_trust+
+      # scope so it is neither stripped nor marked dirty — a later #save will
+      # not resend +authData+.
+      def clear_local_mfa_projection!
+        cleared = auth_data.is_a?(Hash) ? auth_data.dup : {}
+        cleared.delete("mfa")
+        cleared.delete(:mfa)
+        self.class.with_authdata_trust do
+          apply_attributes!({ "authData" => cleared }, dirty_track: false)
+        end
+      end
     end
 
     # Not enabled error