* This allows master-key clients to create user sessions without access to * user credentials. This enables systems that authenticate the caller by some other * means (an API key, app administrators) to act on a user's behalf. The * read-only master key is rejected, and userId is required. * * We create a new session rather than looking for an existing session;
(req)
| 403 | * different reasons from /login |
| 404 | */ |
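async handleLogInAs(req) {
  // Only the master key may mint a session for another user, and the
  // read-only master key is excluded as well.
  if (!req.auth.isMaster) {
    throw createSanitizedError(
      Parse.Error.OPERATION_FORBIDDEN,
      'master key is required',
      req.config
    );
  }
  if (req.auth.isReadOnly) {
    throw createSanitizedError(
      Parse.Error.OPERATION_FORBIDDEN,
      "read-only masterKey isn't allowed to login as another user.",
      req.config
    );
  }

  const userId = req.body?.userId || req.query.userId;
  if (!userId) {
    throw new Parse.Error(
      Parse.Error.INVALID_VALUE,
      'userId must not be empty, null, or undefined'
    );
  }
  // req.body is presumably parsed JSON and query-string parsers may yield
  // arrays, so userId can arrive as an object or array. Passed straight into
  // the where clause it may be interpreted as a query constraint instead of
  // an exact objectId match, and the session created below would be bound to
  // a non-string user id. Requiring a string keeps the lookup exact. (The
  // caller already holds the master key, so this is hardening, not an
  // authorization boundary.)
  if (typeof userId !== 'string') {
    throw new Parse.Error(Parse.Error.INVALID_VALUE, 'userId must be a string');
  }

  const queryResults = await req.config.database.find('_User', { objectId: userId });
  const user = queryResults[0];
  if (!user) {
    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'user not found');
  }

  // Presumably strips credential material (password / authData) from the
  // record before it is returned — see _sanitizeAuthData for what is removed.
  this._sanitizeAuthData(user);

  // A fresh session is always created (never reused) and tagged as a
  // master-key login so it can be told apart from a credential-based /login.
  const { sessionData, createSession } = RestWrite.createSession(req.config, {
    userId,
    createdWith: RestWrite.buildCreatedWith('login', 'masterkey'),
    installationId: req.info.installationId,
  });

  // Attach the token before persisting so the response carries it.
  user.sessionToken = sessionData.sessionToken;

  await createSession();

  return { response: user };
}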
| 449 | |
| 450 | handleVerifyPassword(req) { |
| 451 | return this._authenticateUserFromRequest(req) |