include health endpoint

Author: mtrezza

spec/RouteAllowList.spec.js

@@ -249,10 +249,6 @@ describe('routeAllowList', () => {
       const request = require('../lib/request');
       try {
         await request({
-          headers: {
-            'X-Parse-Application-Id': 'test',
-            'X-Parse-REST-API-Key': 'rest',
-          },
           method: 'GET',
           url: 'http://localhost:8378/1/health',
         });

src/ParseServer.ts

@@ -311,6 +311,7 @@ class ParseServer {
     //api.use("/apps", express.static(__dirname + "/public"));
     api.use(middlewares.allowCrossDomain(appId));
     api.use(middlewares.allowDoubleForwardSlash);
+    api.use(middlewares.handleParseAuth(appId));
     // File handling needs to be before the default JSON body parser because file
     // uploads send binary data that should not be parsed as JSON.
     api.use(
@@ -320,6 +321,8 @@ class ParseServer {
       })
     );
 
+    api.use('/health', middlewares.enforceRouteAllowList, middlewares.handleParseHealth(options));
+
     api.use(
       '/',
       express.urlencoded({ extended: false }),
@@ -331,16 +334,6 @@ class ParseServer {
     api.use(middlewares.handleParseHeaders);
     api.use(middlewares.enforceRouteAllowList);
     api.set('query parser', 'extended');
-
-    api.use('/health', function (req, res) {
-      res.status(options.state === 'ok' ? 200 : 503);
-      if (options.state === 'starting') {
-        res.set('Retry-After', 1);
-      }
-      res.json({
-        status: options.state,
-      });
-    });
     const routes = Array.isArray(rateLimit) ? rateLimit : [rateLimit];
     for (const route of routes) {
       middlewares.addRateLimit(route, options);

src/middlewares.js

@@ -241,70 +241,22 @@ export async function handleParseHeaders(req, res, next) {
   req.config.ip = clientIp;
   req.info = info;
 
-  const isMaintenance =
-    req.config.maintenanceKey && info.maintenanceKey === req.config.maintenanceKey;
-  if (isMaintenance) {
-    if (checkIp(clientIp, req.config.maintenanceKeyIps || [], req.config.maintenanceKeyIpsStore)) {
-      req.auth = new auth.Auth({
-        config: req.config,
-        installationId: info.installationId,
-        isMaintenance: true,
-      });
-      next();
-      return;
-    }
-    const log = req.config?.loggerController || defaultLogger;
-    log.error(
-      `Request using maintenance key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'maintenanceKeyIps'.`
-    );
-  }
-
-  const masterKey = await req.config.loadMasterKey();
-  let isMaster = info.masterKey === masterKey;
-
-  if (isMaster && !checkIp(clientIp, req.config.masterKeyIps || [], req.config.masterKeyIpsStore)) {
-    const log = req.config?.loggerController || defaultLogger;
-    log.error(
-      `Request using master key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'masterKeyIps'.`
-    );
-    isMaster = false;
-    const error = new Error();
-    error.status = 403;
-    error.message = `unauthorized`;
-    throw error;
-  }
-
-  if (isMaster) {
-    req.auth = new auth.Auth({
+  // Skip key detection if already resolved by handleParseAuth (header-based).
+  // Only resolve here for body-based _MasterKey (info.masterKey may come from body).
+  if (!req.auth || (!req.auth.isMaster && !req.auth.isMaintenance)) {
+    const resolved = await resolveKeyAuth({
       config: req.config,
+      keyValue: info.masterKey,
+      maintenanceKeyValue: info.maintenanceKey,
       installationId: info.installationId,
-      isMaster: true,
+      clientIp,
     });
-    return handleRateLimit(req, res, next);
+    if (resolved) {
+      req.auth = resolved;
+    }
   }
 
-  var isReadOnlyMaster = info.masterKey === req.config.readOnlyMasterKey;
-  if (
-    typeof req.config.readOnlyMasterKey != 'undefined' &&
-    req.config.readOnlyMasterKey &&
-    isReadOnlyMaster
-  ) {
-    if (!checkIp(clientIp, req.config.readOnlyMasterKeyIps || [], req.config.readOnlyMasterKeyIpsStore)) {
-      const log = req.config?.loggerController || defaultLogger;
-      log.error(
-        `Request using read-only master key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'readOnlyMasterKeyIps'.`
-      );
-      const error = new Error();
-      error.status = 403;
-      error.message = 'unauthorized';
-      throw error;
-    }
-    req.auth = new auth.Auth({
-      config: req.config,
-      installationId: info.installationId,
-      isMaster: true,
-      isReadOnly: true,
-    });
+  if (req.auth && (req.auth.isMaster || req.auth.isMaintenance)) {
     return handleRateLimit(req, res, next);
   }
 
@@ -491,6 +443,88 @@ export function allowMethodOverride(req, res, next) {
   next();
 }
 
+async function resolveKeyAuth({ config, keyValue, maintenanceKeyValue, installationId, clientIp }) {
+  if (maintenanceKeyValue && maintenanceKeyValue === config.maintenanceKey) {
+    if (checkIp(clientIp, config.maintenanceKeyIps || [], config.maintenanceKeyIpsStore)) {
+      return new auth.Auth({ config, installationId, isMaintenance: true });
+    }
+    const log = config.loggerController || defaultLogger;
+    log.error(
+      `Request using maintenance key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'maintenanceKeyIps'.`
+    );
+  }
+  const masterKey = await config.loadMasterKey();
+  if (keyValue === masterKey) {
+    if (checkIp(clientIp, config.masterKeyIps || [], config.masterKeyIpsStore)) {
+      return new auth.Auth({ config, installationId, isMaster: true });
+    }
+    const log = config.loggerController || defaultLogger;
+    log.error(
+      `Request using master key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'masterKeyIps'.`
+    );
+    const error = new Error();
+    error.status = 403;
+    error.message = 'unauthorized';
+    throw error;
+  }
+  if (
+    keyValue &&
+    typeof config.readOnlyMasterKey !== 'undefined' &&
+    config.readOnlyMasterKey &&
+    keyValue === config.readOnlyMasterKey
+  ) {
+    if (checkIp(clientIp, config.readOnlyMasterKeyIps || [], config.readOnlyMasterKeyIpsStore)) {
+      return new auth.Auth({ config, installationId, isMaster: true, isReadOnly: true });
+    }
+    const log = config.loggerController || defaultLogger;
+    log.error(
+      `Request using read-only master key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'readOnlyMasterKeyIps'.`
+    );
+    const error = new Error();
+    error.status = 403;
+    error.message = 'unauthorized';
+    throw error;
+  }
+  return null;
+}
+
+export function handleParseAuth(appId) {
+  return async (req, res, next) => {
+    const mount = getMountForRequest(req);
+    const config = Config.get(appId, mount);
+    if (!config) {
+      return next();
+    }
+    req.config = config;
+    const clientIp = getClientIp(req);
+    req.config.ip = clientIp;
+    await config.loadKeys();
+    const resolved = await resolveKeyAuth({
+      config,
+      keyValue: req.get('X-Parse-Master-Key') || null,
+      maintenanceKeyValue: req.get('X-Parse-Maintenance-Key') || null,
+      installationId: req.get('X-Parse-Installation-Id') || 'cloud',
+      clientIp,
+    });
+    if (resolved) {
+      req.auth = resolved;
+    }
+    return next();
+  };
+}
+
+export function handleParseHealth(options) {
+  return (req, res) => {
+    res.status(options.state === 'ok' ? 200 : 503);
+    if (options.state === 'starting') {
+      res.set('Retry-After', 1);
+    }
+    res.json({
+      status: options.state,
+    });
+  };
+}
+
 export function enforceRouteAllowList(req, res, next) {
   const config = req.config;
   if (!config || config.routeAllowList === undefined || config.routeAllowList === null) {