Don't require all keys to be configured to enable key checks (#2816) (#2941)

* Add tests. Fail request if any of the 4 optional keys does not match

* Only require one key to be supplied in the request, except when no keys are configured

* Use const over let, var

Author: steven-supersolid

spec/Middlewares.spec.js

@@ -17,6 +17,7 @@ describe('middlewares', () => {
                 return fakeReq.headers[key.toLowerCase()]
             }
         };
+        fakeRes = jasmine.createSpyObj('fakeRes', ['end', 'status']);
         AppCache.put(fakeReq.body._ApplicationId, {});
     });
 
@@ -35,6 +36,59 @@ describe('middlewares', () => {
         });
     });
 
+    it('should give invalid response when keys are configured but no key supplied', () => {
+        AppCache.put(fakeReq.body._ApplicationId, {
+            masterKey: 'masterKey',
+            restAPIKey: 'restAPIKey'
+        });
+        middlewares.handleParseHeaders(fakeReq, fakeRes);
+        expect(fakeRes.status).toHaveBeenCalledWith(403);
+    });
+
+    it('should give invalid response when keys are configured but supplied key is incorrect', () => {
+        AppCache.put(fakeReq.body._ApplicationId, {
+            masterKey: 'masterKey',
+            restAPIKey: 'restAPIKey'
+        });
+        fakeReq.headers['x-parse-rest-api-key'] = 'wrongKey';
+        middlewares.handleParseHeaders(fakeReq, fakeRes);
+        expect(fakeRes.status).toHaveBeenCalledWith(403);
+    });
+
+    it('should give invalid response when keys are configured but different key is supplied', () => {
+        AppCache.put(fakeReq.body._ApplicationId, {
+            masterKey: 'masterKey',
+            restAPIKey: 'restAPIKey'
+        });
+        fakeReq.headers['x-parse-client-key'] = 'clientKey';
+        middlewares.handleParseHeaders(fakeReq, fakeRes);
+        expect(fakeRes.status).toHaveBeenCalledWith(403);
+    });
+
+
+    it('should succeed when any one of the configured keys supplied', (done) => {
+        AppCache.put(fakeReq.body._ApplicationId, {
+            clientKey: 'clientKey',
+            masterKey: 'masterKey',
+            restAPIKey: 'restAPIKey'
+        });
+        fakeReq.headers['x-parse-rest-api-key'] = 'restAPIKey';
+        middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
+            expect(fakeRes.status).not.toHaveBeenCalled();
+            done();
+        });
+    });
+
+    it('should succeed when no keys are configured and none supplied', (done) => {
+        AppCache.put(fakeReq.body._ApplicationId, {
+            masterKey: 'masterKey'
+        });
+        middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
+            expect(fakeRes.status).not.toHaveBeenCalled();
+            done();
+        });
+    });
+
     const BodyParams = {
         clientVersion: '_ClientVersion',
         installationId: '_InstallationId',

src/middlewares.js

@@ -120,20 +120,15 @@ export function handleParseHeaders(req, res, next) {
 
   // Client keys are not required in parse-server, but if any have been configured in the server, validate them
   //  to preserve original behavior.
-  let keys = ["clientKey", "javascriptKey", "dotNetKey", "restAPIKey"];
-
-  // We do it with mismatching keys to support no-keys config
-  var keyMismatch = keys.reduce(function(mismatch, key){
-
-    // check if set in the config and compare
-    if (req.config[key] && info[key] !== req.config[key]) {
-      mismatch++;
-    }
-    return mismatch;
-  }, 0);
-
-  // All keys mismatch
-  if (keyMismatch == keys.length) {
+  const keys = ["clientKey", "javascriptKey", "dotNetKey", "restAPIKey"];
+  const oneKeyConfigured = keys.some(function(key) {
+    return req.config[key];
+  });
+  const oneKeyMatches = keys.some(function(key){
+    return req.config[key] && info[key] == req.config[key];
+  });
+
+  if (oneKeyConfigured && !oneKeyMatches) {
     return invalidRequest(req, res);
   }