Do not create sessionToken when requests come from cloudCode #1495

flovilmart · flovilmart · commit e3098fc1189f · 2016-09-03T16:16:29.000-04:00
diff --git a/spec/ParseServerRESTController.spec.js b/spec/ParseServerRESTController.spec.js
@@ -92,7 +92,6 @@ describe('ParseServerRESTController', () => {
       userId = user.id;
       let sessionToken = user.getSessionToken();
       return Parse.User.logOut().then(() => {
-        console.log('Sending request');
         return RESTController.request("GET", "/classes/_User", undefined, {useMasterKey: true});
       });
     }).then((res) => {
@@ -104,4 +103,17 @@ describe('ParseServerRESTController', () => {
       done();
     });
   });
+
+  it('ensures no session token is created on creating users', (done) => {
+    RESTController.request("POST", "/classes/_User", {username: "hello", password: "world"}).then(() => {
+      let query = new Parse.Query('_Session');
+      return query.find({useMasterKey: true});
+    }).then(sessions => {
+      expect(sessions.length).toBe(0);
+      done();
+    }, (err) => {
+      jfail(err);
+      done();
+    });
+  });
 });
diff --git a/src/ParseServerRESTController.js b/src/ParseServerRESTController.js
@@ -13,17 +13,18 @@ function getSessionToken(options) {
 
 function getAuth(options, config) {
   if (options.useMasterKey) {
-      return Parse.Promise.as(new Auth.Auth({config, isMaster: true }));
+      return Parse.Promise.as(new Auth.Auth({config, isMaster: true, installationId: 'cloud' }));
   }
   return getSessionToken(options).then((sessionToken) => {
     if (sessionToken) {
       options.sessionToken = sessionToken;
       return Auth.getAuthForSessionToken({
         config,
-        sessionToken: sessionToken
+        sessionToken: sessionToken,
+        installationId: 'cloud'
       });
     } else {
-      return Parse.Promise.as(new Auth.Auth({ config }));
+      return Parse.Promise.as(new Auth.Auth({ config, installationId: 'cloud' }));
     }
   })
 }
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -437,6 +437,11 @@ RestWrite.prototype.createSessionTokenIfNeeded = function() {
 }
 
 RestWrite.prototype.createSessionToken = function() {
+  // cloud installationId from Cloud Code,
+  // never create session tokens from there.
+  if (this.auth.installationId && this.auth.installationId === 'cloud') {
+    return;
+  }
   var token = 'r:' + cryptoUtils.newToken();
 
   var expiresAt = this.config.generateSessionExpiresAt();
