Merge branch 'alpha' into moumouls/fixLRU

Author: mtrezza

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,10 @@
+# [5.3.0-alpha.16](https://github.com/parse-community/parse-server/compare/5.3.0-alpha.15...5.3.0-alpha.16) (2022-06-11)
+
+
+### Bug Fixes
+
+* live query role cache does not clear when a user is added to a role ([#8026](https://github.com/parse-community/parse-server/issues/8026)) ([199dfc1](https://github.com/parse-community/parse-server/commit/199dfc17226d85a78ab85f24362cce740f4ada39))
+
 # [5.3.0-alpha.15](https://github.com/parse-community/parse-server/compare/5.3.0-alpha.14...5.3.0-alpha.15) (2022-06-05)
 
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "5.3.0-alpha.15",
+  "version": "5.3.0-alpha.16",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {
@@ -20,9 +20,9 @@
   "license": "BSD-3-Clause",
   "dependencies": {
     "@graphql-yoga/node": "2.6.0",
-    "@graphql-tools/merge": "8.2.11",
-    "@graphql-tools/schema": "8.3.11",
-    "@graphql-tools/utils": "8.6.10",
+    "@graphql-tools/utils": "8.6.12",
+    "@graphql-tools/merge": "8.2.13",
+    "@graphql-tools/schema": "8.3.13",
     "@parse/fs-files-adapter": "1.2.2",
     "@parse/push-adapter": "4.1.2",
     "bcryptjs": "2.4.3",
@@ -38,7 +38,7 @@
     "graphql-relay": "0.10.0",
     "intersect": "1.0.1",
     "jsonwebtoken": "8.5.1",
-    "jwks-rsa": "2.1.2",
+    "jwks-rsa": "2.1.3",
     "ldapjs": "2.3.2",
     "lodash": "4.17.21",
     "lru-cache": "7.10.1",

package.json

@@ -836,6 +836,50 @@ describe('ParseLiveQuery', function () {
     }
   });
 
+  it('LiveQuery should work with changing role', async () => {
+    await reconfigureServer({
+      liveQuery: {
+        classNames: ['Chat'],
+      },
+      startLiveQueryServer: true,
+    });
+    const user = new Parse.User();
+    user.setUsername('username');
+    user.setPassword('password');
+    await user.signUp();
+
+    const role = new Parse.Role('Test', new Parse.ACL(user));
+    await role.save();
+
+    const chatQuery = new Parse.Query('Chat');
+    const subscription = await chatQuery.subscribe();
+    subscription.on('create', () => {
+      fail('should not call create as user is not part of role.');
+    });
+
+    const object = new Parse.Object('Chat');
+    const acl = new Parse.ACL();
+    acl.setRoleReadAccess(role, true);
+    object.setACL(acl);
+    object.set({ foo: 'bar' });
+    await object.save(null, { useMasterKey: true });
+    role.getUsers().add(user);
+    await new Promise(resolve => setTimeout(resolve, 1000));
+    await role.save();
+    await new Promise(resolve => setTimeout(resolve, 1000));
+    object.set('foo', 'yolo');
+    await Promise.all([
+      new Promise(resolve => {
+        subscription.on('update', obj => {
+          expect(obj.get('foo')).toBe('yolo');
+          expect(obj.getACL().toJSON()).toEqual({ 'role:Test': { read: true } });
+          resolve();
+        });
+      }),
+      object.save(null, { useMasterKey: true }),
+    ]);
+  });
+
   it('liveQuery on Session class', async done => {
     await reconfigureServer({
       liveQuery: { classNames: [Parse.Session] },

spec/ParseLiveQuery.spec.js

@@ -230,6 +230,15 @@ Auth.prototype.cacheRoles = function () {
   return true;
 };
 
+Auth.prototype.clearRoleCache = function (sessionToken) {
+  if (!this.cacheController) {
+    return false;
+  }
+  this.cacheController.role.del(this.user.id);
+  this.cacheController.user.del(sessionToken);
+  return true;
+};
+
 Auth.prototype.getRolesByIds = async function (ins) {
   const results = [];
   // Build an OR query across all parentRoles

src/Auth.js

@@ -56,6 +56,13 @@ export class LiveQueryController {
     return false;
   }
 
+  clearCachedRoles(user: any) {
+    if (!user) {
+      return;
+    }
+    return this.liveQueryPublisher.onClearCachedRoles(user);
+  }
+
   _makePublisherRequest(currentObject: any, originalObject: any, classLevelPermissions: ?any): any {
     const req = {
       object: currentObject,

src/Controllers/LiveQueryController.js

@@ -19,6 +19,13 @@ class ParseCloudCodePublisher {
     this._onCloudCodeMessage(Parse.applicationId + 'afterDelete', request);
   }
 
+  onClearCachedRoles(user: Parse.Object) {
+    this.parsePublisher.publish(
+      Parse.applicationId + 'clearCache',
+      JSON.stringify({ userId: user.id })
+    );
+  }
+
   // Request is the request object from cloud code functions. request.object is a ParseObject.
   _onCloudCodeMessage(type: string, request: any): void {
     logger.verbose(

src/LiveQuery/ParseCloudCodePublisher.js

@@ -77,6 +77,7 @@ class ParseLiveQueryServer {
     this.subscriber = ParsePubSub.createSubscriber(config);
     this.subscriber.subscribe(Parse.applicationId + 'afterSave');
     this.subscriber.subscribe(Parse.applicationId + 'afterDelete');
+    this.subscriber.subscribe(Parse.applicationId + 'clearCache');
     // Register message handler for subscriber. When publisher get messages, it will publish message
     // to the subscribers and the handler will be called.
     this.subscriber.on('message', (channel, messageStr) => {
@@ -88,6 +89,10 @@ class ParseLiveQueryServer {
         logger.error('unable to parse message', messageStr, e);
         return;
       }
+      if (channel === Parse.applicationId + 'clearCache') {
+        this._clearCachedRoles(message.userId);
+        return;
+      }
       this._inflateParseObject(message);
       if (channel === Parse.applicationId + 'afterSave') {
         this._onAfterSave(message);
@@ -474,6 +479,32 @@ class ParseLiveQueryServer {
     return matchesQuery(parseObject, subscription.query);
   }
 
+  async _clearCachedRoles(userId: string) {
+    try {
+      const validTokens = await new Parse.Query(Parse.Session)
+        .equalTo('user', Parse.User.createWithoutData(userId))
+        .find({ useMasterKey: true });
+      await Promise.all(
+        validTokens.map(async token => {
+          const sessionToken = token.get('sessionToken');
+          const authPromise = this.authCache.get(sessionToken);
+          if (!authPromise) {
+            return;
+          }
+          const [auth1, auth2] = await Promise.all([
+            authPromise,
+            getAuthForSessionToken({ cacheController: this.cacheController, sessionToken }),
+          ]);
+          auth1.auth?.clearRoleCache(sessionToken);
+          auth2.auth?.clearRoleCache(sessionToken);
+          this.authCache.del(sessionToken);
+        })
+      );
+    } catch (e) {
+      logger.verbose(`Could not clear role cache. ${e}`);
+    }
+  }
+
   getAuthForSessionToken(sessionToken: ?string): Promise<{ auth: ?Auth, userId: ?string }> {
     if (!sessionToken) {
       return Promise.resolve({});
@@ -580,7 +611,6 @@ class ParseLiveQueryServer {
         if (!acl_has_roles) {
           return false;
         }
-
         const roleNames = await auth.getUserRoles();
         // Finally, see if any of the user's roles allow them read access
         for (const role of roleNames) {

src/LiveQuery/ParseLiveQueryServer.js

@@ -1326,6 +1326,9 @@ RestWrite.prototype.runDatabaseOperation = function () {
 
   if (this.className === '_Role') {
     this.config.cacheController.role.clear();
+    if (this.config.liveQueryController) {
+      this.config.liveQueryController.clearCachedRoles(this.auth.user);
+    }
   }
 
   if (this.className === '_User' && this.query && this.auth.isUnauthenticated()) {