Unauthorized: master key is required

[andrewfelker]

Make sure these boxes are checked before submitting your issue -- thanks for reporting issues back to Parse Dashboard!

• [x ] You're running version >=1.0.19 of Parse Dashboard.

• [x ] You're running version >=2.2.24 of Parse Server.

• [x ] You've searched through existing issues. Chances are that your issue has been reported or resolved before.

Environment Setup

Running Parse Server on Heroku/mlab, trying to run Parse Server Dashboard locally.

Steps to reproduce

I'm now on day 3 of trying to figure out what's wrong with Parse Dashboard, so I'm submitting an issue. I've followed the steps outlined here: http://blog.parse.com/announcements/introducing-the-parse-server-dashboard/ and here: https://github.com/ParsePlatform/parse-dashboard. Both ways I end up with a dashboard that reads "Server not reachable: unauthorized: master key is required". I've checked the parse-server-config.json file many times, tried retyping by hand, validated the JSON, etc, and I still get the same issue. I've tried using both http and https for the serverURL... You get the picture. I've run out of ideas. What's going on here?

Logs/Trace

Note: If you get a browser JS error please run npm run dev. This will provide source maps and a much more useful stack trace.

[flovilmart]

What does your config look like?

[andrewfelker]

Replaced sensitive information with X's.
{
"apps":[
{
"serverURL":"https://appname.herokuapp.com/parse",
"appId":"XXXXXXXX",
"masterKey":"XXXXXXXXX",
"appName":"xxxxxx"
}
],
"iconsFolder":"icons"
}

[flovilmart]

That's odd indeed

[flovilmart]

What version are you running?

[andrewfelker]

1.0.19

[flovilmart]

Your config seem OK, did your try with a local parse-server and the dashboard referencing it?

[andrewfelker]

No, I didn't. What is the benefit of doing that?

[flovilmart]

Make sure you have a local working environment and pinpoint the potential problems

[andrewfelker]

Forgive me if I'm missing something. I started with Parse.com because I'm a front end developer and know very little about backend.

So I followed the instructions here to run a local parse-server.. https://github.com/ParsePlatform/parse-server-example

But now I don't know the next step for pointing the dashboard to my local parse-server.

[flovilmart]

Did you look here: https://github.com/parseplatform/parse-dashboard#local-installation

[akath19]

@flovilmart I'm also getting this with parse-server version 2.5.0 & parse-dashboard version 1.0.24 or 1.0.28, the following is the JSON error in the logs:

{"error":{"status":403,"message":"unauthorized: master key is required"},"level":"error","message":"Error generating response. { Error: unauthorized: master key is required\n at promiseEnforceMasterKeyAccess (/home/parse/node_modules/parse-server/lib/middlewares.js:299:17)\n at /home/parse/node_modules/parse-server/lib/PromiseRouter.js:132:22\n at <anonymous>\n at process._tickDomainCallback (internal/process/next_tick.js:208:7) status: 403, message: 'unauthorized: master key is required' }"} Error: unauthorized: master key is required at promiseEnforceMasterKeyAccess (/home/parse/node_modules/parse-server/lib/middlewares.js:299:17) at /home/parse/node_modules/parse-server/lib/PromiseRouter.js:132:22 at <anonymous> at process._tickDomainCallback (internal/process/next_tick.js:208:7) {"error":{"code":119,"message":"Clients aren't allowed to perform the find operation on the installation collection."},"level":"error","message":"Error handling request: ParseError {\n code: 119,\n message: 'Clients aren\\'t allowed to perform the find operation on the installation collection.' }"} {"code":119,"message":"Clients aren't allowed to perform the find operation on the installation collection.","level":"error"}

This is happening on my local clean install, an OpenShift instance & 2 different DO instances (all clean installs)

[flovilmart]

we're running 2.5.0 and dashboard 1.0.28 and don't have the issue, I'm not sure what's wrong @akath19 without more information. Is your master key correctly set on your dashboard config?

[akath19]

I'm calling it from command line like this:

Also, calling the server with REST API or iOS client works perfectly

[ksngits]

I am getting the same error. but the site we built is perfectly working fine and able to access the parse with the same master key.

[strandedcity]

I've been spinning on this problem for several days as well, but finally solved it. For me, the issue was that in my application config (nothing to do with dashboard) I had legacy configuration from Parse.com that specified a Client Key, REST Key, and JavaScript Key. Even though these are no longer required with parse-server, they are enforced if you supply them at application init time. At 2.2.22, that meant "if you supply a REST key at request time, it must match the one supplied at server init time". At 2.5.3 that meant "if you supply a REST key at server-init time, all requests must include it, too".

Somewhere between parse-server 2.22.2 and 2.5.3 the behavior changed with regards to the way permissions are handled when parse-server is configured with legacy REST, Client, or JS Keys. Supplying any of the keys (REST, Client, or JS) reproduces the behavior described here. Witholding them all fixes the bug. parse-dashboard never supplies these keys (it doesn't know about them), so the new behavior manifests as a parse-dashboard bug. The behavior works like this:

2.22.2
Supply Keys to app at init time > Create new class > Class is accessible normally via dashboard, and respects CLPs/ACLs

2.5.3
Supply Keys to app at init time > Create new class > Class is inaccessible via dashboard (403/unauthorized) except when master key is supplied.

There are also differences in the ACLs that I've observed, but I haven't pinned down exactly what the interactions there are.

Probably the most confusing aspect of this is this: my legacy parse.com apps were legacy-configured, but so are all my legacy front-ends. This means that the frontends using the parse sdks are actually sending appropriate rest/client/JS keys, so I never observe the "unauthorized" problem when I go through my code -- only when I go through the dashboard (or via a custom curl/REST call) -- even though the root cause has nothing to do with the dashboard.

So the problem here is ultimately configuration for parse-server (or, depending on your perspective, this is a bug in parse-server). If you can remove the legacy keys (rest, client, and JS), everything will work normally from there on.

Hope this is helpful!