Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable anonymous API requests #327

Closed
nitrag opened this issue Feb 9, 2016 · 7 comments
Closed

Disable anonymous API requests #327

nitrag opened this issue Feb 9, 2016 · 7 comments

Comments

@nitrag
Copy link

nitrag commented Feb 9, 2016

The Dashboard has a setting:
"Allow anonymous users".

How do we set this to false? I want to require that all API requests are from a logged in user (unless they are signing up or logging in).
@drew-gross
Copy link
Contributor

Currently that is not available in parse-server. Want to submit a PR?

@nitrag
Copy link
Author

nitrag commented Feb 10, 2016

I would be happy to take a stab at it. Someone needs to point me in the right direction though...haven't worked on a Node app before.

@drew-gross
Copy link
Contributor

Sure. You can take a look at src/index.js to see how config parameters (args) are handled by parse-server. You will want to add an additional parameter for anonymous users. Then, in src/RestWrite.js you will have to check the status of that config parameter whenever creating an anonymous user. You can check the parameter in this.config. You will also need to add some tests in spec/ParseUser.spec.js which might be trickier. I can help you with that when you get there.

@nitrag
Copy link
Author

nitrag commented Feb 10, 2016

I'm not understanding what you mean by "creating an anonymous user". So when a API request comes in, if there is no authentication info it tries to create an anonymous user? Where is that line of code?

I really don't understand the handleAnonymousAuthData of RestWrite. Where does "this.data.authData.anonymous" come from? What is an anonymous provider?

I'm also inferring based on your description that every API request requires a user object before API requests can be made and RestWrite occurs before RestQuery?

@drew-gross
Copy link
Contributor

Looks like there is some additional discussion and work getting started in #218 and #341. Take at look at the PR to see how those are done (bugfixes for anonymous users), hopefully that can help you get started.

@nitrag
Copy link
Author

nitrag commented Feb 12, 2016

@steven-supersolid since you just were messing around with PR #341 and anonymous users, maybe you can help me determine where to throw an error for this. I'm not sure at exactly which point in RestWrite the user is determined to be anonymous.

@flovilmart
Copy link
Contributor

@drew-gross @nitrag I'll get a shot a this, adding enableAnonymousUser: false to the configuration.

@flovilmart flovilmart mentioned this issue Feb 16, 2016
Merged
@snyk-bot snyk-bot mentioned this issue Feb 18, 2022
Merged
@snyk-bot snyk-bot mentioned this issue Nov 2, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nitrag @flovilmart @drew-gross