parse-server
master authentication using client certificate
New Feature / Enhancement Checklist
- [x] I am not disclosing a vulnerability.
- [x] I am not just asking a question.
- [x] I have searched through existing issues.
Current Limitation
Currently, masterKey access can only be verified using the request headers.
Feature / Enhancement Description
It would be good to have the option to require a client certificate to perform a masterKey request. Certificates can be generated by the server only.
Example Use Case
n/a
Alternatives / Workarounds
n/a
3rd Party References
https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326
Thanks for opening this issue!
- 🎉 We are excited about your ideas for improvement!
Amazing idea! This would add an additional level of security to Parse Server. I assume the certificate would be a substitute for the master key, not an additional requirement?
Yep, it would be a substitute for a more secure way to connect as master. This is inspired by MongoDB Atlas' ability to use an X.509 cert instead of a password to authenticate a database user (maybe we could add a security check for that too).
I'm not sure how it would work though for Parse Server; as far as I can tell it would have to be a combination of Parse's masterKey middleware checking the client certificate, as well as the express server being booted as an HTTPS server instead of HTTP, with the CA option. This is quite new to me so any expertise would be appreciated.
Ideally, I think it would be good to be able to configure the dashboard to require a signed cert, as well as any client code that wants to act as master.
@dblythy great idea. I may have some questions about how you see the usage in the Parse Dashboard. Does the user drop and import the certificate?
About the JS SDK, will a new property be added? "masterCertificate"
In case of parse-server hosted behind many proxies, gateway systems, Cloudflare firewall, will the certificate play well out of the box?
I'm not sure how it would work to be honest. The idea is similar to using X.509 certificates with MongoDB. I'm not quite sure how it would be implemented.