parse-dashboard
feat: add dashboard option `allowAnonymousUser`
New Pull Request Checklist
- [x] I am not disclosing a vulnerability.
- [x] I am creating this PR in reference to an issue.
Issue Description
Parse Dashboard assumes security if it detects a remote server, which is unreliable. This adds the option `allowAnonymousUser`, which defaults to false.
Related issue: #2065
Approach
- Adds a Parse Dashboard option `allowAnonymousUser` that defaults to false. Setting this to true allows Dashboard to run with no users.
- Adds ability to specify options via command line or via config file
- Adds console.error to frontend so solutions to errors can be identified by developers
This also adds additional security for when dashboard is run on localhost with no options. Previously Dashboard was effectively assuming the `dev` parameter if localhost. This PR will only run Dashboard in `dev` mode if it's implicitly set. To get previous localhost behaviour, the `dev` parameter is required to be set.
TODOs before merging
- [ ] Add changes to documentation (guides, repository pages, in-code descriptions)
- [x] A changelog entry is created automatically using the pull request title (do not manually add a changelog entry)
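The before/after behaviour described in this PR, as an added example that is not code from the pull request or from Parse Dashboard: a simplified decision model that lists which existing deployments change outcome after upgrading. Only `allowAnonymousUser` and `dev` come from the page; every function name, `hasUsers`, `isLocal`, and the assumption that `dev` permits running without users are hypothetical.

```javascript
// Added illustration, not Parse Dashboard source. Names other than
// `allowAnonymousUser` and `dev` are hypothetical.

// Before the PR: a localhost request was treated as if `dev` had been set.
function anonymousAllowedBefore({ dev = false, isLocal = false }) {
  return dev || isLocal;
}

// After the PR: only an explicitly set option permits running with no users.
// Where the request comes from no longer matters.
function anonymousAllowedAfter({ dev = false, allowAnonymousUser = false }) {
  return dev === true || allowAnonymousUser === true;
}

// A deployment with configured users is unaffected by either rule; one with
// no users is usable only if anonymous access is permitted.
function dashboardAvailable(rule, deployment) {
  return deployment.hasUsers || rule(deployment);
}

// Enumerate existing deployments (which cannot have `allowAnonymousUser` set
// yet, so it takes its default of false) and return those whose outcome
// differs after upgrading.
function deploymentsNeedingReconfiguration() {
  const changed = [];
  for (const hasUsers of [false, true]) {
    for (const dev of [false, true]) {
      for (const isLocal of [false, true]) {
        const d = { hasUsers, dev, isLocal };
        const before = dashboardAvailable(anonymousAllowedBefore, d);
        const after = dashboardAvailable(anonymousAllowedAfter, d);
        if (before !== after) changed.push(d);
      }
    }
  }
  return changed;
}

// Settings that restore access for an affected deployment under the new rule.
function remediations(d) {
  return [
    { ...d, dev: true },
    { ...d, allowAnonymousUser: true },
  ].filter((fixed) => dashboardAvailable(anonymousAllowedAfter, fixed));
}

console.log(deploymentsNeedingReconfiguration());
```
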
Thanks for opening this pull request!
- 🎉 We are excited about your hands-on contribution!
Still some checks failing. Please request another review once this is ready.
Is this a breaking change? Does an existing deployment need a reconfiguration to maintain the same security?
I would say so, an existing localhost configuration would need to be changed but remote servers should function the same as before
I guess our deprecation policy should be (or is in practice already) extending to Parse Dashboard. So breaking changes should probably happen accumulated once a year only as well. Otherwise we may have a breaking change every other month.
Is there a way to make this non-breaking? For example, if the new option is not set, fall back to the old behavior.
The only way I think is if we set `dev` to true by default, but that brings security implications
Yes, I think we should avoid that
Could you rebase this on alpha?