Default masterKeyIps does not work on localhost

[dblythy]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest version of Parse Server.

Issue Description

Introduced in #8281, the new default does not allow local IPs.

This is due to the fact that getClientIp returns an ipv6 IP (::1), whereas the masterKeyIps default is 127.0.0.1

Steps to reproduce

Run a local instance of Parse Server alpha with Dashboard

Actual Outcome

Dashboard should load

Expected Outcome

"MasterKey is required"

Environment

Server

• Parse Server version: alpha
• Operating system: macos
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): localhost

Database

• System (MongoDB or Postgres): mongo
• Database version: 5.0
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): atlas

Client

• SDK (iOS, Android, JavaScript, PHP, Unity, etc): js
• SDK version: 3.4.4

Logs

[parse-github-assistant]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[dblythy]

Solution is to change the default to ::1, or resolve getClientIp to an ipv4 address

[mtrezza]

Solution is to change the default to ::1

How would that work on a machine where IPv6 is not enabled? Can't we just add both values as default? ['::1','127.0.0.1']

[dblythy]

Yes, that would fix it also. Should masterKeyIps always allow localhost? Otherwise developer will have to configure masterKeyIps: ["::1", "127.0.0.1", "ip", "ip"],

I'm thinking internally it should be allowedIps = ["::1", "127.0.0.1", ...config.masterKeyIps],, masterKeyIps can default to [] (localhost only)

[mtrezza]

Should masterKeyIps always allow localhost?

Why?

[dblythy]

I think it would be expected that masterKeyIps is external ips, and that cloud code, code run on the same instance as Parse Server, should always be allowed.

[mtrezza]

How can the use of masterKey be completely disabled?

[dblythy]

Maybe by not setting a masterKey?

[mtrezza]

Does Parse Server start without masterkey?

[dblythy]

Not at the moment

[mtrezza]

Then setting masterKeyIps to an empty array is the only way at the moment. So I'd say we should not set localhost as a non-removable allow-entry.

[parseplatformorg]

🎉 This change has been released in version 6.0.0-alpha.11

[stewones]

Then setting masterKeyIps to an empty array is the only way at the moment. So I'd say we should not set localhost as a non-removable allow-entry.

it's not working currently @mtrezza

sent a PR to fix #8339

[dblythy]

So I'd say we should not set localhost as a non-removable allow-entry.

I think we missed that still though, as the default options are always concatenated to any additional set masterKeyIps

https://github.com/parse-community/parse-server/blob/alpha/src/ParseServer.js#L471-L473

[mtrezza]

Oh, did #8339 aim to fix that and remove the concatenation? I reopened.

[dblythy]

I don't think so, I think #8339 was designed to make masterKeyIps: [] === access from anywhere, which is incorrect. We can open a new PR fixing the concatenation

[stewones]

I don't think so, I think #8339 was designed to make masterKeyIps: [] === access from anywhere, which is incorrect. We can open a new PR fixing the concatenation

sort of, I misunderstood the idea initially but I think it's ok now. please take a 2nd look at the PR

[parseplatformorg]

🎉 This change has been released in version 6.0.0-beta.1

[parseplatformorg]

🎉 This change has been released in version 6.0.0