
Create a session token in cloud code without password #6641

Closed
davbeck opened this issue Apr 23, 2020 · 22 comments
Labels
type:bug Impaired feature or lacking behavior that is likely assumed

Comments

@davbeck

davbeck commented Apr 23, 2020

I'm trying to log in a user from a cloud function. The idea is to return a session token and then have the client use PFUser.become. According to the documentation, getSessionToken should work if using the master key:

Returns the session token for this user, if the user has been logged in, or if it is the result of a query with the master key. Otherwise, returns undefined.

But this doesn't seem to work. It still returns undefined using the following code:

const user = await new Parse.Query(User)
    .equalTo('username', phoneNumber)
    .first({ useMasterKey: true })
console.log('user', user, user.getSessionToken())

Similarly trying to call login without a username or password fails:

await user.logIn({ useMasterKey: true })

I could set a new password and login that way, but it feels like there should be a better solution?

@dplewis
Member

dplewis commented Apr 24, 2020

I think you should pass in an installationId. See my #6636 (comment) to see why it wouldn't work (similar concept).

I did a PR a while ago for this exact issue parse-community/Parse-SDK-JS#1031

@stale

stale bot commented Jun 9, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jun 9, 2020
@stale stale bot closed this as completed Jun 17, 2020
@sadortun
Contributor

@davbeck did you get it to work?

@Chocolladin

@sadortun @davbeck did you manage to find a solution? I tried passing an installationId also, still getting undefined...

@mtrezza
Member

mtrezza commented Apr 11, 2021

Reopening as there has been recent activity and the issue still seems to exist.

@mtrezza mtrezza reopened this Apr 11, 2021
@mtrezza mtrezza added type:bug Impaired feature or lacking behavior that is likely assumed and removed stale labels Apr 11, 2021
@mtrezza
Member

mtrezza commented Apr 11, 2021

@Chocolladin Would you want to submit a PR with a failing test so we can look into it?

@Chocolladin

@mtrezza

Dear Manuel, thank you for your quick response.

I'm not very familiar with PRs and GitHub, not being a dev in the first place, but I will try to be as precise as possible. Here is what I am trying to achieve:

Client side (react-native),

1. login with Firebase, getting an authenticated token and sending this token to Parse Server.

On parse server,
2. Verify this token, and if OK,
3. sign corresponding parse user in cloud code.
4. Then getsessionToken, send back to client,
5. and finally on client use Parse.User.become(token).

Step 3 isn't working and here is the code I am using:

const query = new Parse.Query(Parse.User);
query.equalTo('fuid', fuid); // the Parse user has a field holding the uid of the corresponding Firebase user
const user = await query.first({ useMasterKey: true });
const installationId = '13245678';
// await user.logIn({ useMasterKey: true, installationId: installationId }); // fails
const parseUserSessionToken = await user.getSessionToken({ useMasterKey: true, installationId: installationId }); // returns undefined
console.log('parseUserSessionToken: ', parseUserSessionToken);

NB: Moreover, I am not using the parse-server-firebase authentication module for 2 reasons:

Can this be enough for now?

Thank you,

Regards,

Bertrand

@Yurgal

Yurgal commented Apr 16, 2021

Hi @Chocolladin

Did you find any solution?
I want to switch the session of a client without using a password.
In a cloud function, I am trying to do the exact same thing that you do in your step 3, then send the client its new session.
Like you, using user.login or user.getSessionToken doesn't work for me.

Regards,

Killian

@mtrezza
Member

mtrezza commented Apr 16, 2021

On parse server,
2. Verify this token, and if OK,
3. sign corresponding parse user in cloud code.
4. Then getsessionToken, send back to client,
5. and finally on client use Parse.User.become(token).

This should be possible.

If we can get a failing test, that would be a first step to solve this. If you need any guidance for how to write a test, please feel free to ask, it should be fairly simple in this case.

@Yurgal

Yurgal commented Apr 16, 2021

Hi @mtrezza,

Can you explain to me how to write a test? I should be able to do it.

@mtrezza
Member

mtrezza commented Apr 16, 2021

Sure, we do have a contribution guide but unfortunately it is very verbose and needs refactoring, so I will just mention the main steps here:

1. Set up your local test environment as described in Setting up your local machine.
2. Choose a test file in /spec to add your test to; each .spec.js file has a different topic, as you can see in the file name.
3. Choose a describe section within the spec file to add your test to; each section deals with a sub-topic, as you can see in describe('<sub-topic>', ...).
4. Just copy / paste an existing test that closely matches what you want to test.
5. Modify the copied test to test what you want to test.
6. Change the test to start with fit instead of it, which will run only your specific test when you run the following test command.
7. Run npm test spec/<filename>.spec.js and see the output; the test should fail, because you did not fix the issue in Parse Server yet.
8. Make a new branch and submit this as a PR to the Parse Server repo.
9. Make the fix in Parse Server until the test passes.
10. The PR will be reviewed and merged into Parse Server.

Additionally, see this blog post for a step-by-step guide, it may not be 100% what you need, but it is a good guidance.

@Yurgal

Yurgal commented Apr 16, 2021

@mtrezza
I created the PR above.
I don't understand why there are so many failed checks in the CI.

@IceDev-xyz

So, on paper this should already be possible?
Log in a user without credentials (password) using the masterKey.

@Yurgal

Yurgal commented Apr 19, 2021

On paper, getting the session token on a user queried using the master key should work (I added the failing test), and I'm trying to use the logIn function to see if I can use an alternative, but it's not working either.

@Yurgal

Yurgal commented Apr 26, 2021

Hi everyone,

I really need this behavior to work for my application, does anyone have a way to fix it?

@Chocolladin

Dear Killian @Yurgal,

I am using a workaround for the time being to achieve what I am trying to do.

As the user authentication is based on a third party service (in my case, Firebase), I managed to force the login in cloud code by setting a random password and logging in with it. See the function below:

async function login(user) {
  // set a temporary password on the user (needs the master key to save it),
  // then log in with that password to obtain a session
  const randomPassword = (Math.floor(Math.random() * 20)).toString();
  user.setPassword(randomPassword);
  await user.save(null, { useMasterKey: true });
  await user.logIn(user.get('username'), randomPassword);
  return user;
}

The resulting user can then be passed back to client and .getSessionToken() can be called on it.

Hoping this can be of any help to you,

Best Regards,

Bertrand.

@Yurgal

Yurgal commented Apr 26, 2021

Thanks @Chocolladin, but in my case it doesn't work.

I want a user to be able to login as another user (if he has the right rights) with the username/email/id and without changing his password.

@sadortun
Contributor

Little note @Chocolladin, Math.random is not secure to be used for passwords.

You should use:
https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues

@GormanFletcher
Contributor

GormanFletcher commented May 28, 2021

I've submitted a pull request (#7406) adding a Parse Server REST endpoint for master key clients to create user sessions without access to the user's credentials.

It's my first PR to the project, so please let me know if I need to do anything differently, especially security.

✔️ Add /loginAs REST endpoint to Parse Server - merged!

@dblythy
Member

dblythy commented Sep 22, 2021

Nicely done @GormanFletcher! Do you plan to add this to the JS SDK so it can be easily used in cloud code without needing to use the REST API?

@dblythy
Member

dblythy commented Mar 22, 2022

Can this be closed? @mtrezza?

@mtrezza
Member

mtrezza commented Mar 23, 2022

Closing via #7406

@mtrezza mtrezza closed this as completed Mar 23, 2022