feat: Upgrade to Parse JS SDK 5

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Upgrade parse to 5 alpha; needs to be upgrade to stable release version of parse js sdk before parse server beta release

Closes: #8818

[parse-github-assistant]

Thanks for opening this pull request!

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 87.56%. Comparing base (2760381) to head (ecabfd7).
Report is 1 commits behind head on alpha.

❗ Current head ecabfd7 differs from pull request most recent head cb33371. Consider uploading reports for the commit cb33371 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #8816      +/-   ##
==========================================
- Coverage   94.14%   87.56%   -6.58%     
==========================================
  Files         186      186              
  Lines       14677    14677              
==========================================
- Hits        13817    12852     -965     
- Misses        860     1825     +965     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mtrezza]

Upgrading to Parse 4.3.1 breaks a test:

1. Security Advisory GHSA-8w3j-g983-8jh5 should validate credentials first and check if account already linked afterwards ()

• Expected 208 to equal 206.

The test specifically expects 206 instead of 208 (as commented in the test), so it doesn't seem to be a deliberate change but rather a bug.

[mtrezza]

The test fails with upgrading the Parse JS SDK because it seems that #8156 refactored the auth logic in Parse Server so that a vulnerability that was previously fixed was re-introduced.

The test fails because:

• The new Parse JS SDK removes the anonymous part from the auth data with fix: ParseUser.linkWith doesn't remove anonymous auth data Parse-SDK-JS#2007, so that the auth payload in the request contains only 1 instead of 2 auth providers, specifically, it doesn't contain the anonymous auth provider anymore.
• The Parse Server auth logic has been refactored with feat: Improve authentication adapter interface #8156 and the following code block doesn't get executed anymore:
  

  parse-server/src/RestWrite.js

  Lines 526 to 531 in c7b2068

  	if (results.length > 1) {
  	// To avoid https://github.com/parse-community/parse-server/security/advisories/GHSA-8w3j-g983-8jh5
  	// Let's run some validation before throwing
  	await Auth.handleAuthDataValidation(authData, this, results[0]);
  	throw new Parse.Error(Parse.Error.ACCOUNT_ALREADY_LINKED, 'this auth is already used');
  	}

• The code block that gets executed instead does not call Auth.handleAuthDataValidation which throws error 206. Instead, error 208 is thrown, which is what we do not want (see failing vulnerability test in ecabfd7):
  

  parse-server/src/RestWrite.js

  Lines 546 to 552 in c7b2068

  	if (results.length === 1) {
  	const userId = this.getUserId();
  	const userResult = results[0];
  	// Prevent duplicate authData id
  	if (userId && userId !== userResult.objectId) {
  	throw new Parse.Error(Parse.Error.ACCOUNT_ALREADY_LINKED, 'this auth is already used');
  	}

I tried to just add await Auth.handleAuthDataValidation(authData, this, results[0]); to the code block, but this additional validation makes a couple of other test fail, see 6f51080. So it would help if someone with deeper understanding of the auth adapter could take a look at this. @dblythy @Moumouls @EhsanParsania

[mtrezza]

Just a note that this is the only PR holding back the Parse Server 7 release, so it would be great if we could get this fixed.

[mtrezza]

Superseded by #9022