Session token is generated even if user and session table is locked down via CLP. #1497

Closed
drew-gross opened this issue Apr 14, 2016 · 2 comments · Fixed by #1561

@drew-gross (Contributor) opened the issue:

Steps to reproduce (in iOS SDK or Cloud Code):

  1. Lock down the User table (and the session table if you want; it doesn't change the outcome) in Server v2.2.6, Dashboard v1.0.8
  2. In iOS or Cloud Code, try to sign a new PFUser up (in Cloud Code, you can use .signUp or .save)
  3. Get error response
  4. Check dashboard
  5. See a new session token
@drew-gross (Contributor, Author) commented:

For this one as well, @skimgosu, can you check what happens in Parse.com?

@DoneStuffGetting commented Apr 15, 2016

Parse.com behaves normally.

A few more tests with Parse Server (v2.2.6):

  1. No schema + login doesn't create session tokens (insanity check)
  2. Schema created but no documents/objects in the table + signUp + locked CLP = session token created but no user object
  3. Schema created but no objects in tables + login + locked CLP = nothing at all
  4. Create user (CLP fully open and normal results/behavior) -> then try to signUp with the same username -> error thrown but session token created (CLP fully open). Here is the falsely created session token:
{
    "_id": "BRZMaklr3P",
    "_session_token": "r:b730aff13dc5088c06128c96f3084c42",
    "_p_user": "_User$iGi0IlBsjf", (points to non-existent user)
    "createdWith": {
        "action": "signup",
        "authProvider": "password"
    },
    "restricted": false,
    "installationId": "4b724eb2-ff57-4dd0-9cee-dd60a3e40675", (consistent with real token)
    "expiresAt": {
        "$date": "2017-04-15T06:17:52.207Z"
    },
    "_updated_at": {
        "$date": "2016-04-15T06:17:52.207Z"
    },
    "_created_at": {
        "$date": "2016-04-15T06:17:52.207Z"
    }
}

Actually, this bug has been around for a long time, now that I remember/realize. A month back, I recall logging a user in (without logging out) a few times, and a session token would be created every time.

I just checked with Parse.com and repeatedly logging in does not create multiple session tokens. It even throws this error if you spam the SDK :D

[Error]: object not found for delete (Code: 101, Version: 1.13.0)
Optional(Error Domain=Parse Code=101 "object not found for delete" UserInfo={code=101, temporary=0, error=object not found for delete, NSLocalizedDescription=object not found for delete})
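The orphaned session document above (a `_p_user` pointer to a `_User` that does not exist) is the symptom an operator would want to find in an existing deployment. The following is an added example, not code from the issue or from Parse Server, that checks exported `_Session` and `_User` documents for that condition; the sample documents are constructed to match the MongoDB export format shown in the thread.

```javascript
// Parse Server stores a pointer column in MongoDB as "<ClassName>$<objectId>",
// e.g. "_User$iGi0IlBsjf". Split it into its two parts, or return null if the
// value is not in that shape.
function parsePointer(value) {
  if (typeof value !== 'string') return null;
  const idx = value.indexOf('$');
  if (idx <= 0 || idx === value.length - 1) return null;
  return { className: value.slice(0, idx), objectId: value.slice(idx + 1) };
}

// Return every session whose _p_user does not resolve to an existing _User _id.
// A session that points nowhere is a token issued for a user that was never
// created (the failed-signup case in this issue) or was since deleted.
function findOrphanedSessions(sessions, users) {
  const userIds = new Set(users.map((u) => u._id));
  return sessions.filter((s) => {
    const ptr = parsePointer(s._p_user);
    return ptr === null || ptr.className !== '_User' || !userIds.has(ptr.objectId);
  });
}

// Constructed sample data (not real exports), modelled on the document above.
const SAMPLE_USERS = [{ _id: 'realUser01', username: 'alice' }];
const SAMPLE_SESSIONS = [
  // session created by the failed signUp: user object was never written
  { _id: 'BRZMaklr3P', _p_user: '_User$iGi0IlBsjf',
    createdWith: { action: 'signup', authProvider: 'password' } },
  // healthy session for an existing user
  { _id: 'goodSess01', _p_user: '_User$realUser01',
    createdWith: { action: 'login', authProvider: 'password' } },
  // malformed pointer, should also be reported
  { _id: 'badPtr0001', _p_user: 'garbage',
    createdWith: { action: 'login', authProvider: 'password' } },
];

// Stand-alone run: list the sessions that should be revoked or investigated.
for (const s of findOrphanedSessions(SAMPLE_SESSIONS, SAMPLE_USERS)) {
  console.log(`orphaned session ${s._id} (created via ${s.createdWith.action}) -> ${s._p_user}`);
}
```

On a live deployment the two arrays would come from a `mongoexport` of the `_Session` and `_User` collections rather than the constructed samples.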
