(req)
| 189 | } |
| 190 | |
/**
 * Return the user that owns the session token carried by the request.
 *
 * The lookup happens in two steps with two different privilege levels:
 *   1. `_Session` is queried with master auth, only to map the token to a
 *      user id. No `include` of 'user' is requested, so the user record is
 *      never read under master context.
 *   2. `_User` is fetched with the caller's own `req.auth`, so that
 *      protectedFields, CLP and auth adapter afterFind apply to the data
 *      that is returned.
 *
 * Every failure path throws the same sanitized INVALID_SESSION_TOKEN error.
 *
 * @param {Object} req - Request; reads `req.info.sessionToken`,
 *   `req.info.clientSDK`, `req.info.context`, `req.config` and `req.auth`.
 * @returns {Promise<{response: Object}>} The user object with `sessionToken`
 *   set and hidden properties removed.
 * @throws The value built by `createSanitizedError` with
 *   `Parse.Error.INVALID_SESSION_TOKEN` when the token is missing, no
 *   matching session with a user exists, or the user fetch returns nothing.
 */
async handleMe(req) {
  // Single builder for the rejection so all three failure paths stay identical.
  const invalidSession = () =>
    createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token', req.config);

  const token = req.info?.sessionToken;
  if (!token) {
    throw invalidSession();
  }

  // Step 1: master-context lookup, used only to resolve the owning user id.
  // The empty options object is deliberate: 'user' must not be included here.
  // NOTE(review): session expiry is not checked in this block; presumably it
  // is enforced where req.auth is derived from the token. Confirm.
  const { results: sessions } = await rest.find(
    req.config,
    Auth.master(req.config),
    '_Session',
    { sessionToken: token },
    {},
    req.info.clientSDK,
    req.info.context
  );
  if (!sessions || sessions.length == 0 || !sessions[0].user) {
    throw invalidSession();
  }
  const ownerId = sessions[0].user.objectId;

  // Step 2: read the user as the caller (req.auth), never as master, so the
  // response is filtered by the caller's own permissions.
  const { results: users } = await rest.get(
    req.config,
    req.auth,
    '_User',
    ownerId,
    {},
    req.info.clientSDK,
    req.info.context
  );
  if (!users || users.length == 0) {
    throw invalidSession();
  }

  const [me] = users;
  // SDKs expect the session token to be echoed back in the response.
  me.sessionToken = token;
  // Strip hidden properties before the object leaves the server.
  UsersRouter.removeHiddenProperties(me);
  return { response: me };
}
| 236 | |
| 237 | async handleLogIn(req) { |
| 238 | const user = await this._authenticateUserFromRequest(req); |