
I am creating a Vue single-page application based entirely on parse-server and using its JavaScript SDK for data manipulation on the client end. For logging in/signing up I am using Parse.User.logIn/signUp and using the JavaScript key for authentication.

Now after logging in the browser is sending REST API requests to parse-server with installationId and sessionToken. Which is alright, but what if any user decides to create a bot to fill up the parse-server with garbage data? I checked that using/copying these security tokens/keys I can create objects easily by sending REST API requests to parse-server. I can prevent class creation, but how do I prevent reusing session tokens from another medium?

  • how will the user know what his installationId/sessionToken is? Commented Aug 9, 2018 at 19:10
  • @LulzCow the user of the web application can easily see the session tokens by inspecting network operations (using Chrome developer tools or anything else) Commented Aug 10, 2018 at 2:05

3 Answers

2

If an attacker has access to the JavaScript Key he can do anything your vue app can do. He doesn’t even need the session token.

What you are describing is a DoS attack. A DoS attack is effective only if the attacker can generate high loads on the server without generating high loads on himself. In your case he might be able to generate many objects, but he won’t be able to overload your server (unless he has more processing power than you).

Additionally, if you just want to keep your DB clean you might want to restrict creating users so it is not possible with only the JavaScript key. This way you give access only to users you trust. The problem with that is it doesn’t scale.

This dilemma is not special to Parse Server. Most web applications tackle this by not trusting the client side and limiting his actions to specific tables, exactly like CLP (Class level permissions) in Parse Server.


0

Disable Create permissions on your tables using CLPs.

https://docs.parseplatform.org/parse-server/guide/#class-level-permissions

With more information, this better solves your needs:

// Parse Server 2.x trigger style (res.success / res.error), as used when this was written
Parse.Cloud.beforeSave('Article', (req, res) => {
    const article = req.object;
    const maxAllowedCount = 5; // assumed limit; tune to your needs
    if (article.isNew()) {
        const query = new Parse.Query('Article');
        const fiveMinsAgo = new Date(Date.now() - 5 * 60 * 1000);
        query.greaterThan('createdAt', fiveMinsAgo).equalTo('Author', article.get('Author'));
        // useMasterKey so the count is not blocked by the Article CLPs
        return query.count({ useMasterKey: true }).then(
            count => {
                if (count > maxAllowedCount) res.error("You've created too many articles.");
                else res.success();
            }
        );
    }
    else res.success(); // Or any other validation
});

You could also still remove create permissions from users and instead have them send the data to the cloud, and do validation there. This is often a great blanket security policy, as it leaves far fewer gaps on the client. You can also disable find permissions and do all your querying from cloud functions. These things obfuscate logic of your backend, which is nice.

2 Comments

I want users to create objects in a table. Suppose the user is an article writer. Now he can add an article object to the table by using the web application. What I am trying to prevent is any misuse of the Parse API. Suppose a user collects his session token and all the keys by using the developer console of the browser and decides to post garbage articles from a script and fill up the table automatically. I want to prevent this.
You could use a beforeSave trigger for new Articles
0

All the answers are valid ones. There are many ways to mitigate those kinds of issues.

You can also use a "requires authentication" class-level permission (https://docs.parseplatform.org/parse-server/guide/#class-level-permissions)

You can put in place, between the load balancer and your parse-server, some tracking of the requests made by the clients by IP, session token etc. in order to block the requests if you believe they are fraudulent, through a rate-limiting proxy like nginx https://www.nginx.com/blog/rate-limiting-nginx/

There are many other possibilities and most of them apply to any kind of web app.

You should always remember to:

  • Keep your masterKey safe (and rotate it if necessary)
  • Always use HTTPS (do not serve on HTTP)
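
The following is an added example and not code from any of the answers above. It takes the per-author "too many articles" check from the beforeSave answer and the "requires authentication" point from the last answer, and separates the decision into a pure function that runs offline against constructed sample rows, so the limit can be unit-tested without a Parse Server. The 5-per-5-minutes limit, the function names, the sample rows and the Parse Server 3.x trigger wiring (async handler that throws, instead of the 2.x res.success/res.error style shown in the answer) are all assumptions.

```javascript
// Added example, not code from the answers above. Names, the 5-per-5-minutes
// limit and the sample rows are assumptions.
const WINDOW_MS = 5 * 60 * 1000;  // 5-minute sliding window, as in the beforeSave answer
const MAX_ALLOWED_COUNT = 5;      // assumed limit per author per window

// Lower bound of the sliding window for a given "now".
function windowStart(now, windowMs = WINDOW_MS) {
  return new Date(now.getTime() - windowMs);
}

// Pure decision for a new Article. `user` is the authenticated user behind the
// request (req.user in a trigger) or null; `authorId` is the objectId of the Author
// pointer the client set; `recentCount` is how many Articles that author already
// created inside the window. Returns { ok } plus a reason the trigger can report.
function decideArticleCreate({ user, authorId, recentCount, maxAllowed = MAX_ALLOWED_COUNT }) {
  // Defence in depth: the CLP should already require authentication, but a request
  // without a valid session that still reaches the trigger must be refused.
  if (!user) return { ok: false, reason: 'Authentication required' };
  // The client controls the Author pointer; never let a user write as somebody else,
  // or the per-author limit becomes trivial to sidestep.
  if (!authorId || authorId !== user.id) return { ok: false, reason: 'Author must be the current user' };
  // recentCount counts existing rows, so being at the limit means this save would exceed it.
  if (recentCount >= maxAllowed) return { ok: false, reason: "You've created too many articles." };
  return { ok: true };
}

// Constructed in-memory stand-in for the Article class so the file runs offline.
const NOW = new Date('2018-08-10T02:05:00Z');
const sampleArticles = [
  { author: 'u1', createdAt: new Date('2018-08-10T02:04:30Z') },
  { author: 'u1', createdAt: new Date('2018-08-10T02:03:30Z') },
  { author: 'u1', createdAt: new Date('2018-08-10T02:02:30Z') },
  { author: 'u1', createdAt: new Date('2018-08-10T02:01:30Z') },
  { author: 'u1', createdAt: new Date('2018-08-10T02:00:30Z') },
  { author: 'u1', createdAt: new Date('2018-08-10T01:30:00Z') },  // outside the window
  { author: 'u2', createdAt: new Date('2018-08-10T02:04:00Z') },
];
function countRecentInMemory(rows, authorId, since) {
  return rows.filter(r => r.author === authorId && r.createdAt > since).length;
}

// Wiring for a Parse Server 3.x trigger (async handler, throw to reject). Not run here;
// it needs a live Parse Server. Hypothetical helper, not part of the Parse SDK.
function registerArticleTrigger(Parse) {
  Parse.Cloud.beforeSave('Article', async (req) => {
    const article = req.object;
    if (!article.isNew()) return;  // edits: put other validation here
    const author = article.get('Author');
    // Counted with the master key so the query is not blocked by the Article CLPs.
    const recentCount = author
      ? await new Parse.Query('Article')
          .greaterThan('createdAt', windowStart(new Date()))
          .equalTo('Author', author)
          .count({ useMasterKey: true })
      : 0;
    const verdict = decideArticleCreate({
      user: req.user, authorId: author ? author.id : null, recentCount,
    });
    if (!verdict.ok) throw new Parse.Error(Parse.Error.VALIDATION_ERROR, verdict.reason);
  });
}

// Runs the decision against the constructed rows for each scenario and returns the verdicts.
function demo() {
  const u1 = { id: 'u1' }, u2 = { id: 'u2' };
  const since = windowStart(NOW);
  return {
    anonymous: decideArticleCreate({ user: null, authorId: 'u1', recentCount: 0 }),
    spoofedAuthor: decideArticleCreate({ user: u2, authorId: 'u1', recentCount: 0 }),
    u1AtLimit: decideArticleCreate({ user: u1, authorId: 'u1',
      recentCount: countRecentInMemory(sampleArticles, 'u1', since) }),
    u2UnderLimit: decideArticleCreate({ user: u2, authorId: 'u2',
      recentCount: countRecentInMemory(sampleArticles, 'u2', since) }),
  };
}

console.log(demo());
```

Keeping the decision pure means the limit, the window and the author check can be exercised with plain assertions, while the trigger only supplies the count; the CLP (create requires authentication, find disabled if you query from cloud code) stays the first line of defence and the trigger catches what gets past it.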
