parse-server 9.9.0-alpha.1 → 9.9.0-alpha.2
- package/lib/AuthDataLock.js +53 -0
- package/lib/RestWrite.js +16 -20
- package/lib/Routers/UsersRouter.js +6 -18
- package/package.json +1 -1
|
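--- a/package/lib/AuthDataLock.js
+++ b/package/lib/AuthDataLock.js
@@ -0,0 +1,53 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+value: true
+});
+exports.applyAuthDataOptimisticLock = applyAuthDataOptimisticLock;
+// Apply optimistic locking for authData provider field changes. For each lockable
+// top-level field in the original authData whose value differs from the incoming
+// value, add an equality constraint for the original value to the update WHERE
+// clause. Concurrent requests racing the same single-use token will only allow the
+// first update to match; subsequent updates miss and surface as OBJECT_NOT_FOUND.
+//
+// Only fields whose values round-trip cleanly through both storage adapters are
+// locked: primitives (string, number, boolean) and arrays. Date values and nested
+// objects are skipped because their JSON representation differs between the
+// MongoDB and Postgres adapters, and because Parse Server's query-key validator
+// rejects deeper paths containing characters like `+` (e.g. phone-number keys).
+// Locking the consumed single-use credential (the MFA token string or the
+// recovery-code array) is sufficient — its removal invalidates the WHERE clause
+// for concurrent writers.
+function applyAuthDataOptimisticLock(query, originalAuthData, newAuthData) {
+if (!originalAuthData) {
+return;
+}
+for (const provider of Object.keys(newAuthData)) {
+const original = originalAuthData[provider];
+if (!original || typeof original !== 'object') {
+continue;
+}
+for (const [field, value] of Object.entries(original)) {
+if (!isLockableAuthDataValue(value)) {
+continue;
+}
+if (JSON.stringify(value) !== JSON.stringify(newAuthData[provider]?.[field])) {
+query[`authData.${provider}.${field}`] = value;
+}
+}
+}
+}
+function isLockableAuthDataValue(value) {
+if (value === null || value === undefined) {
+return false;
+}
+const t = typeof value;
+if (t === 'string' || t === 'number' || t === 'boolean') {
+return true;
+}
+if (Array.isArray(value)) {
+return true;
+}
+return false;
+}
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,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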
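Review bot: `isLockableAuthDataValue` accepts any array without looking at its elements, so an array holding nested objects or Date values still becomes an equality constraint in `applyAuthDataOptimisticLock`, although the header comment says those types are skipped because they do not round-trip the same way through the MongoDB and Postgres adapters. If that mismatch occurs, the constraint could miss on one adapter and a legitimate update would surface as OBJECT_NOT_FOUND; a stricter array branch such as `return value.every(isLockableAuthDataValue);` would keep the code aligned with the comment (whether null elements should count as lockable is a decision for the authors). Separately, `originalAuthData` is guarded but `Object.keys(newAuthData)` throws on a null or undefined argument; the callers are not in this file, so either guard with `if (!originalAuthData || !newAuthData) { return; }` or document that callers must pass an object. The header comment should also state that a provider keeping its single-use credential in a nested object or a Date gets no constraint at all, so the race protection silently does not apply to it.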