parse-server icon indicating copy to clipboard operation
parse-server copied to clipboard
verified publisher icon parse-community

fix(auth): Treat authData[provider]=null as unlink; skip provider validation for unlink

Open SNtGog opened this issue 3 months ago • 7 comments

Pull Request

  • Report security issues [confidentially](https://github.com/parse-community/parse-server/security/policy).
  • Any contribution is under this [license](https://github.com/parse-community/parse-server/blob/alpha/LICENSE).
  • Link this pull request to an [issue](https://github.com/parse-community/parse-server/issues?q=is%3Aissue).

Issue

Closes: parse-community/parse-server#9855

Approach

Summary

A single, targeted fix in the auth path:

  • Before calling Auth.findUsersWithAuthData, build a filtered object that excludes providers with null or undefined values.
  • Apply unlink markers (authData[provider] = null) as part of the update without invoking the provider adapter.
  • No other behavior or API changes.

Behavior & Compatibility

  • Unlinking remains explicit via authData[provider] = null.
  • Non-null providers follow the existing validation and conflict checks.
  • No changes to session token handling, email verification flow, or public APIs.
  • No custom diff/equality logic introduced.

Security & Performance

  • Prevents accidental adapter calls (e.g., OAuth code→token exchange) during unlink.
  • Keeps the change surface minimal in a sensitive path; reduces unnecessary external validations.

Tests

  • (Added/updated) scenarios:

    • Unlink-only update: { provider: null } unlinks without adapter validation.

Release Notes (proposed)

fix(auth): Ignore null/undefined providers from authData during user lookup; unlink (provider = null) occurs without adapter validation. No other behavior changes.

Tasks

  • [x] Add tests
  • [ ] Add changes to documentation (guides, repository pages, code comments)
  • [ ] Add security checks

Summary by CodeRabbit

  • Bug Fixes

    • Unlinking third‑party auth providers now works reliably when setting a provider to null/undefined in auth data. Provider entries are correctly removed from user accounts, preventing stale linkage. Applies broadly (e.g., Google Play Games) with no API changes.

  • Tests

    • Added unit tests validating the unlink flow for Google Play Games, including successful login, unlinking via auth data update, and verification that provider data is cleared.

SNtGog avatar Sep 05 '25 18:09 SNtGog

I will reformat the title to use the proper commit message syntax.

parse-github-assistant[bot] avatar Sep 05 '25 18:09 parse-github-assistant[bot]

🚀 Thanks for opening this pull request!

parse-github-assistant[bot] avatar Sep 05 '25 18:09 parse-github-assistant[bot]

📝 Walkthrough

Walkthrough

The change updates RestWrite.handleAuthData to ignore null/undefined providers by filtering them out before calling Auth.findUsersWithAuthData. A new unit test verifies that setting authData.gpgames to null unlinks the provider without triggering validation or external calls.

Changes

Cohort / File(s) Summary of Edits
Auth unlink handling
src/RestWrite.js		 Filters null/undefined providers from incoming authData into a new object and passes it to Auth.findUsersWithAuthData; leaves remaining validation and ACL logic unchanged.
Unit tests for unlink
spec/RestWrite.handleAuthData.spec.js		 Adds tests ensuring authData.gpgames set to null unlinks without OAuth code/token validation, using mocked external endpoints and server config for gpgames.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Client
  participant RW as RestWrite.handleAuthData
  participant Auth as Auth API
  participant Prov as Provider Adapter

  Client->>RW: Save User with authData (may include provider=null)
  alt Has authData
    RW->>RW: Filter out null/undefined providers (unlink entries)
    RW->>Auth: findUsersWithAuthData(filteredAuthData, useMaster=true)
    Auth-->>RW: Matching users (ACL-filtered)
    alt Providers remain after filtering
      RW->>Prov: Validate remaining provider authData
      Prov-->>RW: Validation result
    else No providers remain (only unlinks)
      note over RW: Skip provider validation
    end
    RW-->>Client: Proceed with save (unlinked providers removed)
  else No authData
    RW-->>Client: Proceed with save
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks (4 passed, 1 warning)

❌ Failed Checks (1 warning)
Check Name Status Explanation Resolution
Out of Scope Changes Check ⚠️ Warning Beyond the unlink fix, the PR introduces a generic diffAuthData/subsetEqual refactoring for multi-provider updates and refactors password policy validation code, which are not required by issue #9855’s scope and introduce unrelated changes. Split out the generic authData diff and password policy refactor into a separate PR, and keep this PR focused solely on the null-authData unlink handling and validation skip.
✅ Passed Checks (4 passed)
Check Name Status Explanation
Title Check ✅ Passed The title concisely describes the primary change: treating authData[provider] set to null as an explicit unlink operation and skipping provider validation during unlink, which matches the core modifications in the PR.
Linked Issues Check ✅ Passed The PR implements the expected explicit unlink semantics by filtering out null authData entries before validation, skipping adapter code/token exchanges for unlinked providers, and includes tests verifying the unlink behavior, thus satisfying the objectives of issue #9855.
Description Check ✅ Passed The description includes all required template sections (Pull Request with security/license links, Issue referencing the closed issue, Approach detailing the change, and Tasks checklist) and follows the prescribed structure without missing any mandatory information.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

[!TIP]

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

  • Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
  • Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
		  - name: "Undocumented Breaking Changes"
			  mode: "warning"
			  instructions: |
				  Flag potential breaking changes that are not documented:
				  1. Identify changes to public APIs/exports, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints (including removed/renamed items and changes to types, required params, return values, defaults, or behavior).
				  2. Ignore purely internal/private changes (e.g., code not exported from package entry points or marked internal).
				  3. Verify documentation exists: a "Breaking Change" section in the PR description and updates to CHANGELOG.md.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot] avatar Sep 05 '25 18:09 coderabbitai[bot]

:tada: Snyk checks have passed. No issues have been found so far.

:white_check_mark: security/snyk check is complete. No issues have been found. (View Details)

parseplatformorg avatar Sep 05 '25 18:09 parseplatformorg

Codecov Report

:x: Patch coverage is 95.55556% with 6 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 84.35%. Comparing base (82fdb0d) to head (7669bd9).

Files with missing lines Patch % Lines
src/Auth.js 88.37% 5 Missing :warning:
src/RestWrite.js 98.91% 1 Missing :warning:

:exclamation: There is a different number of reports uploaded between BASE (82fdb0d) and HEAD (7669bd9). Click for more details.

HEAD has 5 uploads less than BASE
Flag BASE (82fdb0d) HEAD (7669bd9)
10 5
Additional details and impacted files 
@@            Coverage Diff             @@
##            alpha    #9856      +/-   ##
==========================================
- Coverage   92.99%   84.35%   -8.65%     
==========================================
  Files         187      187              
  Lines       15096    15183      +87     
  Branches      174      174              
==========================================
- Hits        14039    12808    -1231     
- Misses       1045     2363    +1318     
  Partials       12       12

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • :package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

codecov[bot] avatar Sep 08 '25 14:09 codecov[bot]

I will reformat the title to use the proper commit message syntax.

parse-github-assistant[bot] avatar Sep 08 '25 23:09 parse-github-assistant[bot]

@SNtGog if you want to fix last details, and we should be good to go here :)

Moumouls avatar Sep 29 '25 15:09 Moumouls