parse-community · mtrezza · Feb 15, 2024 · Jan 2, 2024 · Feb 14, 2024
diff --git a/DEPRECATIONS.md b/DEPRECATIONS.md
@@ -11,7 +11,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 | DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - |
 | DEPPS6 | Auth providers disabled by default | [#7953](https://github.com/parse-community/parse-server/pull/7953) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - |
 | DEPPS7 | Remove file trigger syntax `Parse.Cloud.beforeSaveFile((request) => {})` | [#7966](https://github.com/parse-community/parse-server/pull/7966) | 5.3.0 (2022) | 7.0.0 (2024) | removed | - |
-| DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079) | 5.3.0 (2022) | 7.0.0 (2024) | deprecated | - |
+| DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079) | 5.3.0 (2022) | 7.0.0 (2024) | removed | - |
 | DEPPS9 | Rename LiveQuery `fields` option to `keys` | [#8389](https://github.com/parse-community/parse-server/issues/8389) | 6.0.0 (2023) | 7.0.0 (2024) | removed | - |
 | DEPPS10 | Config option `encodeParseObjectInCloudFunction` defaults to `true` | [#8634](https://github.com/parse-community/parse-server/issues/8634) | 6.2.0 (2023) | 8.0.0 (2025) | deprecated | - |
 

diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -15,51 +15,18 @@ const cryptoUtils = require('../lib/cryptoUtils');
 
 describe('allowExpiredAuthDataToken option', () => {
  it('should accept true value', async () => {
- const logger = require('../lib/logger').logger;
- const logSpy = spyOn(logger, 'warn').and.callFake(() => {});
  await reconfigureServer({ allowExpiredAuthDataToken: true });
  expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(true);
- expect(
- logSpy.calls
- .all()
- .filter(
- log =>
- log.args[0] ===
- `DeprecationWarning: The Parse Server option 'allowExpiredAuthDataToken' default will change to 'false' in a future version.`
- ).length
- ).toEqual(0);
  });
 
  it('should accept false value', async () => {
- const logger = require('../lib/logger').logger;
- const logSpy = spyOn(logger, 'warn').and.callFake(() => {});
  await reconfigureServer({ allowExpiredAuthDataToken: false });
  expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false);
- expect(
- logSpy.calls
- .all()
- .filter(
- log =>
- log.args[0] ===
- `DeprecationWarning: The Parse Server option 'allowExpiredAuthDataToken' default will change to 'false' in a future version.`
- ).length
- ).toEqual(0);
- });
-
- it('should default true', async () => {
- const logger = require('../lib/logger').logger;
- const logSpy = spyOn(logger, 'warn').and.callFake(() => {});
+ });
+
+ it('should default false', async () => {
  await reconfigureServer({});
- expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(true);
- expect(
- logSpy.calls
- .all()
- .filter(
- log =>
- log.args[0] ===
- `DeprecationWarning: The Parse Server option 'allowExpiredAuthDataToken' default will change to 'false' in a future version.`
- ).length
- ).toEqual(1);
+ expect(Config.get(Parse.applicationId).allowExpiredAuthDataToken).toBe(false);
  });
 
  it('should enforce boolean values', async () => {
@@ -1878,7 +1845,7 @@ describe('Parse.User testing', () => {
  });
  });
 
- it('should allow login with expired authData token by default', async () => {
+ it('should not allow login with expired authData token since allowExpiredAuthDataToken is set to false by default', async () => {
  const provider = {
  authData: {
  id: '12345',
@@ -1904,37 +1871,7 @@ describe('Parse.User testing', () => {
  // In this case, we want success as it was valid once.
  // If the client needs an updated token, do lock the user out
  defaultConfiguration.auth.shortLivedAuth.setValidAccessToken('otherToken');
- await Parse.User._logInWith('shortLivedAuth', {});
- });
-
- it('should not allow login with expired authData token when allowExpiredAuthDataToken is set to false', async () => {
- await reconfigureServer({ allowExpiredAuthDataToken: false });
- const provider = {
- authData: {
- id: '12345',
- access_token: 'token',
- },
- restoreAuthentication() {
- return true;
- },
- deauthenticate() {
- provider.authData = {};
- },
- authenticate(options) {
- options.success(this, provider.authData);
- },
- getAuthType() {
- return 'shortLivedAuth';
- },
- };
- defaultConfiguration.auth.shortLivedAuth.setValidAccessToken('token');
- Parse.User._registerAuthenticationProvider(provider);
- await Parse.User._logInWith('shortLivedAuth', {});
- // Simulate a remotely expired token (like a short lived one)
- // In this case, we want success as it was valid once.
- // If the client needs an updated token, do lock the user out
- defaultConfiguration.auth.shortLivedAuth.setValidAccessToken('otherToken');
- expectAsync(Parse.User._logInWith('shortLivedAuth', {})).toBeRejected();
+ await expectAsync(Parse.User._logInWith('shortLivedAuth', {})).toBeRejected();
  });
 
  it('should allow PUT request with stale auth Data', done => {

diff --git a/src/Deprecator/Deprecations.js b/src/Deprecator/Deprecations.js
@@ -17,6 +17,5 @@
  */
 module.exports = [
  { optionKey: 'allowClientClassCreation', changeNewDefault: 'false' },
- { optionKey: 'allowExpiredAuthDataToken', changeNewDefault: 'false' },
  { optionKey: 'encodeParseObjectInCloudFunction', changeNewDefault: 'true' },
 ];
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -70,9 +70,9 @@ module.exports.ParseServerOptions = {
  allowExpiredAuthDataToken: {
  env: 'PARSE_SERVER_ALLOW_EXPIRED_AUTH_DATA_TOKEN',
  help:
- 'Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`.',
+ 'Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `false`.',
  action: parsers.booleanParser,
- default: true,
+ default: false,
  },
  allowHeaders: {
  env: 'PARSE_SERVER_ALLOW_HEADERS',

diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -320,8 +320,8 @@ export interface ParseServerOptions {
  /* Set to true if new users should be created without public read and write access.
  :DEFAULT: true */
  enforcePrivateUsers: ?boolean;
- /* Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`.
- :DEFAULT: true */
+ /* Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `false`.
+ :DEFAULT: false */
  allowExpiredAuthDataToken: ?boolean;
  /* An array of keys and values that are prohibited in database read and write requests to prevent potential security vulnerabilities. It is possible to specify only a key (`{"key":"..."}`), only a value (`{"value":"..."}`) or a key-value pair (`{"key":"...","value":"..."}`). The specification can use the following types: `boolean`, `numeric` or `string`, where `string` will be interpreted as a regex notation. Request data is deep-scanned for matching definitions to detect also any nested occurrences. Defaults are patterns that are likely to be used in malicious requests. Setting this option will override the default patterns.
  :DEFAULT: [{"key":"_bsontype","value":"Code"},{"key":"constructor"},{"key":"__proto__"}] */