Can't save new objects in CloudCode triggers when directAccess=true using Postgres

[cbaker6]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest version of Parse Server.

Issue Description

#6636 sets directAccess=true by default and seems to have introduced a breaking change that is prevalent saving a new object in a afterFind trigger using the masterKey on postgres. When I add a row in the Dashboard with alpha.3, I have the same issue.

I've tracked it to this PR 7593 and it's related issue #7579. 5.0.0-alpha.1 works for me, 5.0.0-alpha.2 I haven't tested yet, but it only adds a GraphQL change which I'm not using. Leaving PR 7597 in which my servers don't work anymore for 5.0.0-alpha.3. I've also tested beta.3 and the issue is still there.

Note, this completely crashes the server. Basically, when directAccess=true it can crash postgres in cloud code functions when saving a new object in cloud code (mongo works and the logs above are still relevant). This issue doesn't occur on my deployed servers that are reversed proxied and have an actual public URL. My initial thinking is useMasterKey may not be passed as I see the issue when triggering afterFind when clicking on a Parse class in the dashboard. This still needs some more investigation. I'm using the Swift SDK, but Query.and is implemented like the rest of the Client SDKs, so this a major breaking change. In addition, skimming the additions in this PR, I highly doubt the server wasn't handling $and before this PR. If I remove the code that uses triggers (see logs below), none of my client side queries work correctly because of the additions in 7593.

I'm using https://github.com/Blackburn-Labs/parse-auditor/ which audits and uses the CloudCode afterFind here: https://github.com/Blackburn-Labs/parse-auditor/blob/fc546406414b9408e8c84cb3dd20125fdc57753d/src/index.js#L69-L74. This has worked for earlier versions of ParseServer < 4.4.0 all the way up to alpha.1 (I didn't test 2).

Problem occurs on Postgres, seems to be working on Mongo.

Steps to reproduce

Login with a user and perform queries afterFind.

I'm still looking into how to replicate the problem as a test case.

Actual Outcome

Server crashes with the logs below.

It seems, the change in the linked PR causes the a problem around here:

parse-server/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js

Line 1327 in 2602904

switch (schema.fields[fieldName].type) {

Expected Outcome

No crashing when directAccess=true and for the new object created in the trigger to be saved to the server.

Environment

Server

• Parse Server version: 5.0.0.alpha.3 and tested 5.0.0.beta.3
• Operating system: Linux
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Local docker

Database

• System (MongoDB or Postgres): Postgres
• Database version: Postgres 13
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): Local

Client

• SDK (iOS, Android, JavaScript, PHP, Unity, etc): Swift SDK, Also tried in the Dashboard (crashes when I add a row)
• SDK version: 2.0.0 - 2.2.6

Workaround

Set directAccess=false when configuring your server.

Logs

parse-hipaa-parse-1      | info: afterSave triggered for _User for user undefined:
parse-hipaa-parse-1      |   Input: {"authData":{"anonymous":{"id":"9601869f-2eef-4fff-8519-690a422310fa"}},"ACL":{"*":{"read":true,"write":false},"aAnt8JX15Q9vjix6kGdZgjRQWm5QGrPY":{"read":true,"write":true}},"createdAt":"2021-11-22T22:21:46.478Z","username":"YBBMbganzC1KGlFhhKXWFRjNn","sessionToken":"r:97d78ad4fac78246134dc96ed8c08cac","updatedAt":"2021-11-22T22:21:46.478Z","objectId":"aAnt8JX15Q9vjix6kGdZgjRQWm5QGrPY"}
parse-hipaa-parse-1      |   Result: undefined {"className":"_User","triggerType":"afterSave"}
parse-hipaa-parse-1      | /parse-server/lib/ParseServer.js:258
parse-hipaa-parse-1      |           throw err;
parse-hipaa-parse-1      |           ^
parse-hipaa-parse-1      | 
parse-hipaa-parse-1      | TypeError: Cannot read properties of undefined (reading 'type')
parse-hipaa-parse-1      |     at /parse-server/lib/Adapters/Storage/Postgres/PostgresStorageAdapter.js:1344:40
parse-hipaa-parse-1      |     at Array.forEach (<anonymous>)
parse-hipaa-parse-1      |     at PostgresStorageAdapter.createObject (/parse-server/lib/Adapters/Storage/Postgres/PostgresStorageAdapter.js:1303:25)
parse-hipaa-parse-1      |     at /parse-server/lib/Controllers/DatabaseController.js:782:29
parse-hipaa-parse-1      |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
parse-hipaa-parse-1 exited with code 7

Enabling verbose and using Postgres:

parse-hipaa-parse-1      | verbose: REQUEST for [GET] /parse/classes/_User: {
parse-hipaa-parse-1      |   "where": {},
parse-hipaa-parse-1      |   "limit": 200,
parse-hipaa-parse-1      |   "order": "-createdAt"
parse-hipaa-parse-1      | } {"method":"GET","url":"/parse/classes/_User","headers":{"host":"localhost:1337","content-type":"text/plain","origin":"http://localhost:4040","accept-encoding":"gzip, deflate","connection":"keep-alive","accept":"*/*","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","referer":"http://localhost:4040/","content-length":"253","accept-language":"en-US,en;q=0.9"},"body":{"where":{},"limit":200,"order":"-createdAt"}}
parse-hipaa-parse-1      | info: afterFind triggered for _User for user undefined:
parse-hipaa-parse-1      |   Input: "AfterFind"
parse-hipaa-parse-1      |   Result: "[{\"objectId\":\"HU0tDkfarECUNFhISewoJTwFEyPpzxL5\",\"createdAt\":\"2021-11-22T23:54:00.615Z\",\"updatedAt\":\"2021-11-22T23:54:00.615Z\",\"username\":\"Hello\",\"ACL\":{\"*\":{\"read\":true},\"HU0tDkfarECUNFhISewoJTwFEyPpzxL5\":{\"read\":true,\"write\":true}}}]" {"className":"_User","triggerType":"afterFind"}
parse-hipaa-parse-1      | info: afterFind triggered for _User for user undefined:
parse-hipaa-parse-1      |   Input: "[{\"createdAt\":\"2021-11-22T23:54:00.615Z\",\"updatedAt\":\"2021-11-22T23:54:00.615Z\",\"username\":\"Hello\",\"ACL\":{\"*\":{\"read\":true},\"HU0tDkfarECUNFhISewoJTwFEyPpzxL5\":{\"read\":true,\"write\":true}},\"objectId\":\"HU0tDkfarECUNFhISewoJTwFEyPpzxL5\"}]" {"className":"_User","triggerType":"afterFind"}
parse-hipaa-parse-1      | verbose: RESPONSE from [GET] /parse/classes/_User: {
parse-hipaa-parse-1      |   "response": {
parse-hipaa-parse-1      |     "results": [
parse-hipaa-parse-1      |       {
parse-hipaa-parse-1      |         "createdAt": "2021-11-22T23:54:00.615Z",
parse-hipaa-parse-1      |         "updatedAt": "2021-11-22T23:54:00.615Z",
parse-hipaa-parse-1      |         "username": "Hello",
parse-hipaa-parse-1      |         "ACL": {
parse-hipaa-parse-1      |           "*": {
parse-hipaa-parse-1      |             "read": true
parse-hipaa-parse-1      |           },
parse-hipaa-parse-1      |           "HU0tDkfarECUNFhISewoJTwFEyPpzxL5": {
parse-hipaa-parse-1      |             "read": true,
parse-hipaa-parse-1      |             "write": true
parse-hipaa-parse-1      |           }
parse-hipaa-parse-1      |         },
parse-hipaa-parse-1      |         "objectId": "HU0tDkfarECUNFhISewoJTwFEyPpzxL5"
parse-hipaa-parse-1      |       }
parse-hipaa-parse-1      |     ]
parse-hipaa-parse-1      |   }
parse-hipaa-parse-1      | } {"result":{"response":{"results":[{"createdAt":"2021-11-22T23:54:00.615Z","updatedAt":"2021-11-22T23:54:00.615Z","username":"Hello","ACL":{"*":{"read":true},"HU0tDkfarECUNFhISewoJTwFEyPpzxL5":{"read":true,"write":true}},"objectId":"HU0tDkfarECUNFhISewoJTwFEyPpzxL5"}]}}}
parse-hipaa-parse-1      | /parse-server/lib/ParseServer.js:258
parse-hipaa-parse-1      |           throw err;
parse-hipaa-parse-1      |           ^
parse-hipaa-parse-1      | 
parse-hipaa-parse-1      | TypeError: Cannot read properties of undefined (reading 'type')
parse-hipaa-parse-1      |     at /parse-server/lib/Adapters/Storage/Postgres/PostgresStorageAdapter.js:1344:40
parse-hipaa-parse-1      |     at Array.forEach (<anonymous>)
parse-hipaa-parse-1      |     at PostgresStorageAdapter.createObject (/parse-server/lib/Adapters/Storage/Postgres/PostgresStorageAdapter.js:1303:25)
parse-hipaa-parse-1      |     at /parse-server/lib/Controllers/DatabaseController.js:782:29
parse-hipaa-parse-1      |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
parse-hipaa-parse-1 exited with code 7

[parse-github-assistant]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[mtrezza]

Could you please open a PR with a failing test to demonstrate the issue? The test should not have any DB type exclusion, i.e. it should be for Postgres and MongoDB. This looks like a major issue that we should fix urgently before 5.0 release.

[cbaker6]

It seems this was a false alarm as there was a deprecation warning related to promises the server was giving me pre-alpha 3 that I was missing. My guess is, beginning ~alpha-2/3 the warning switched to throwing an error which is what began crashing my server. I simply removed my code that created the warning in the first place. Sorry about this...

Related to PR 7593, I did find some minor issues with the placement of the test case (it's placed in an sendEmail test along with some incorrect variable names that are probably left over from a copy/paste in the DatabaseController. I'll submit a PR to clean up the code shortly.

[cbaker6]

@dplewis @mtrezza So I think I'm closer to where the issue actually is. It's related to the changes in directAccess. Basically, when this is enabled it can crash postgres in cloud code functions when saving a new object in cloud code (mongo works and the logs above are still relevant). This issue doesn't occur on my deployed servers that are reversed proxied and have an actual public URL. My initial thinking is useMasterKey may not be passed as I see the issue when triggering afterFind when clicking on a Parse class in the dashboard. This still needs some more investigation.

I haven’t tried it yet, but I think this can be replicated by turning on directAcess in the CloudCode.spec. I’m thinking a number of tests will fail when directAccess is enabled.

The remedy is to set directAccess=false when running into this situation.

[mtrezza]

Can you please open a new issue for this? It sounds quite different to what you described originally which you said was a "false alarm". It sounds like a bug with at least high severity. I'll go ahead and close this issue.

[cbaker6]

It’s the same exact issue as I originally described. The false alarm was blaming the PR I originally blamed. Everything I reported is still the same, it occurs when directAccess=true. So it doesn’t make sense to open a different issue

[mtrezza]

I see that you have edited your issue description instead of creating a new one, I will open this issue again.