fix: Rate limiter may reject requests that contain a session token (#8399)

Author: dblythy

spec/RateLimit.spec.js

@@ -19,6 +19,27 @@ describe('rate limit', () => {
     );
   });
 
+  it('can limit cloud functions with user session token', async () => {
+    await Parse.User.#('myUser', 'password');
+    Parse.Cloud.define('test', () => 'Abc');
+    await reconfigureServer({
+      rateLimit: [
+        {
+          requestPath: '/functions/*',
+          requestTimeWindow: 10000,
+          requestCount: 1,
+          errorResponseMessage: 'Too many requests',
+          includeInternalRequests: true,
+        },
+      ],
+    });
+    const response1 = await Parse.Cloud.run('test');
+    expect(response1).toBe('Abc');
+    await expectAsync(Parse.Cloud.run('test')).toBeRejectedWith(
+      new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+    );
+  });
+
   it('can add global limit', async () => {
     Parse.Cloud.define('test', () => 'Abc');
     await reconfigureServer({

src/middlewares.js

@@ -276,15 +276,21 @@ const handleRateLimit = async (req, res, next) => {
         if (pathExp.test(req.url)) {
           await limit.handler(req, res, err => {
             if (err) {
-              throw err;
+              if (err.code === Parse.Error.CONNECTION_FAILED) {
+                throw err;
+              }
+              req.config.loggerController.error(
+                'An unknown error occured when attempting to apply the rate limiter: ',
+                err
+              );
             }
           });
         }
       })
     );
   } catch (error) {
     res.status(429);
-    res.json({ code: Parse.Error.CONNECTION_FAILED, error });
+    res.json({ code: Parse.Error.CONNECTION_FAILED, error: error.message });
     return;
   }
   next();
@@ -477,7 +483,10 @@ export const addRateLimit = (route, config) => {
       max: route.requestCount,
       message: route.errorResponseMessage || RateLimitOptions.errorResponseMessage.default,
       handler: (request, response, next, options) => {
-        throw options.message;
+        throw {
+          code: Parse.Error.CONNECTION_FAILED,
+          message: options.message,
+        };
       },
       skip: request => {
         if (request.ip === '127.0.0.1' && !route.includeInternalRequests) {
@@ -498,7 +507,7 @@ export const addRateLimit = (route, config) => {
             }
           }
         }
-        return request.auth.isMaster;
+        return request.auth?.isMaster;
       },
       keyGenerator: request => {
         return request.config.ip;