Disable anonymous API requests

[nitrag]

The Dashboard has a setting:
"Allow anonymous users".

How do we set this to false? I want to require that all API requests are from a logged in user (unless they are signing up or logging in).

[drew-gross]

Currently that is not available in parse-server. Want to submit a PR?

[nitrag]

I would be happy to take a stab at it. Someone needs to point me in the right direction though...haven't worked on a Node app before.

[drew-gross]

Sure. You can take a look at src/index.js to see how config parameters (args) are handled by parse-server. You will want to add an additional parameter for anonymous users. Then, in src/RestWrite.js you will have to check the status of that config parameter whenever creating an anonymous user. You can check the parameter in this.config. You will also need to add some tests in spec/ParseUser.spec.js which might be trickier. I can help you with that when you get there.

[nitrag]

I'm not understanding what you mean by "creating an anonymous user". So when a API request comes in, if there is no authentication info it tries to create an anonymous user? Where is that line of code?

I really don't understand the handleAnonymousAuthData of RestWrite. Where does "this.data.authData.anonymous" come from? What is an anonymous provider?

I'm also inferring based on your description that every API request requires a user object before API requests can be made and RestWrite occurs before RestQuery?

[drew-gross]

Looks like there is some additional discussion and work getting started in #218 and #341. Take at look at the PR to see how those are done (bugfixes for anonymous users), hopefully that can help you get started.

[nitrag]

@steven-supersolid since you just were messing around with PR #341 and anonymous users, maybe you can help me determine where to throw an error for this. I'm not sure at exactly which point in RestWrite the user is determined to be anonymous.

[flovilmart]

@drew-gross @nitrag I'll get a shot a this, adding enableAnonymousUser: false to the configuration.