
I am fairly new at using Parse Server (hosted in back4app) and would like to get some clarification on the pre-created 'users' table.

I am currently trying to develop a Web Application (Javascript) using Parse and I am using REST API calls to signup and login users. One thing I have noticed is that anyone can get a hold of my REST API key (through the HTML source), but most importantly anyone can make a GET 'users' request to get all the users in the DB. These results include the username, email, and ObjectID. As a result of this, anyone can make another REST call to the 'sessions' table with the ObjectID and retrieve the sessionToken (which I was planning to use as an authorization token for protected REST API calls).

I am not quite sure how this can be safely accomplished. I have searched online but without much success. Any help or articles will be greatly appreciated.

Thank you

user1754960

1 Answer


The security access is made through the CLP (Class-Level-Permission) and/or ACL (on each row). You should have a look here: https://parseplatform.github.io/docs/js/guide/#security

Note that: "Session objects can only be accessed by the user specified in the user field. All Session objects have an ACL that is read and write by that user only. You cannot change this ACL. This means querying for sessions will only return objects that match the current logged-in user."

REM: for a web application you should use the Parse "Javascript Key", which can be "public". Try to keep the REST API key more "private" by using it only on, e.g., a "third-party custom and private server" that could make REST requests to your database.

ThierryC
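To make the CLP point concrete for the question's "anyone can GET all users" problem, here is an added example (not from the question, the answer, or the Parse project): a weak `_User` CLP next to a hardened one, in the `find`/`get`/`protectedFields` shape Parse Server stores in its schema, plus a small hypothetical model of how such a CLP gates a query. The `isAllowed`, `stripProtected` and `queryUsers` helpers and the sample rows are constructed for illustration; Parse Server performs this enforcement itself.

```javascript
// Weak CLP: the "*" (public) key on find/get lets an unauthenticated REST caller
// list every user, which is the exposure described in the question.
const WEAK_USER_CLP = {
  find: { '*': true }, get: { '*': true }, count: { '*': true },
  create: { '*': true }, update: { '*': true }, delete: { '*': true },
  addField: {}, protectedFields: {},
};

// Hardened CLP: queries require a logged-in user, public signup stays open,
// and email fields are stripped from rows the requester does not own.
const HARDENED_USER_CLP = {
  find: { requiresAuthentication: true }, get: { requiresAuthentication: true },
  count: {}, create: { '*': true }, update: {}, delete: {},
  addField: {}, protectedFields: { '*': ['email', 'emailVerified'] },
};

// Hypothetical, simplified CLP check: public "*" allows anyone;
// "requiresAuthentication" allows any caller with a resolved userId.
function isAllowed(clp, op, requester) {
  const rule = clp[op] || {};
  if (rule['*']) return true;
  if (rule.requiresAuthentication && requester.userId) return true;
  return false;
}

// Hypothetical model of protectedFields: the owner of a row sees all fields,
// everyone else loses the fields listed under "*".
function stripProtected(clp, row, requester) {
  if (row.objectId === requester.userId) return row;
  const hidden = (clp.protectedFields && clp.protectedFields['*']) || [];
  return Object.fromEntries(Object.entries(row).filter(([k]) => !hidden.includes(k)));
}

// Simulates GET /classes/_User under a given CLP for a given requester.
function queryUsers(clp, rows, requester) {
  if (!isAllowed(clp, 'find', requester)) return { error: 'Permission denied' };
  return { results: rows.map((r) => stripProtected(clp, r, requester)) };
}

// Constructed sample rows standing in for the _User class.
const SAMPLE_USERS = [
  { objectId: 'u1', username: 'alice', email: 'alice@example.test' },
  { objectId: 'u2', username: 'bob', email: 'bob@example.test' },
];

module.exports = { WEAK_USER_CLP, HARDENED_USER_CLP, isAllowed, stripProtected, queryUsers, SAMPLE_USERS };
```

Under the hardened CLP an anonymous caller holding only the public key gets a permission error, and an authenticated user sees other users' usernames but not their email addresses.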