sessionKey mistakenly returned on cloud code requests

[TylerBrock]

Running parse-server 2.2.6+ @master

npm list | grep parse shows [email protected] (JS SDK) for my front-end code.

When running parse-server with VERBOSE logging I see that some requests are returning a different session token than the one that was used for the request.

This seems to confuse the JS SDK and causes subsequent requests to use that token and fail as a result.

Interestingly, the session token returned seems to be the same, every time: 4yre10Sd7IYXWd0Q0Hn0WAGBF

I see this happen in the browser and copied the net request as Curl:

curl 'http://localhost:5100/parse/functions/getAdminsForRoleName' -H 'Content-Type: text/plain' --data-binary '{"roleName":"organization_5R7ONuhBPa_admin","_ApplicationId":"XXX","_JavaScriptKey":"XXX","_ClientVersion":"js1.7.0","_InstallationId":"123","_SessionToken":"r:5efa380a4046ae93183642a357585692"}'

When I curl it and pipe to jq I see this as the returned result from parse-server:

{
  "result": [
    {
      "sessionToken": "4yre10Sd7IYXWd0Q0Hn0WAGBF",
      "ACL": {
        "zgsLgx6I9P": {
          "read": true,
          "write": true
        }
      },
      "name": "Tyler Brock",
      "emailVerified": false,
      "email": "[email protected]",
      "fullname_lower": "tyler brock",
      "username": "tyler@XXX",
      "createdAt": "2016-01-16T00:33:32.280Z",
      "fullname": "Tyler J. Brock",
      "updatedAt": "2016-03-01T20:12:49.415Z",
      "phoneNumber": "+XXXX",
      "emailPreferences": {
        "dailyReminder": false,
        "weeklyUpdate": true
      },
      "objectId": "zgsLgx6I9P",
      "__type": "Object",
      "className": "_User"
    }
  ]
}

The very next cloud function request produced by the JS SDK has the session token that was returned by parse-server specified in the headers, which causes that request, and all subsequent requests to fail.

[flovilmart]

Thanks man!

[flovilmart]

This should be solved by #1450

[TylerBrock]

It didn't work for me running parse-server@master

Here are the logs, the request does an exact match on e-mail and we see the object returned has the sessionToken still.

10:30:11 api.1    | verbose: GET /parse/classes/_User { 'user-agent': 'node-XMLHttpRequest, Parse/js1.8.3 (NodeJS 5.10.0)',
10:30:11 api.1    |   accept: '*/*',
10:30:11 api.1    |   'content-type': 'text/plain',
10:30:11 api.1    |   host: 'localhost:5100',
10:30:11 api.1    |   'content-length': '262',
10:30:11 api.1    |   connection: 'close' } {
10:30:11 api.1    |   "where": {
10:30:11 api.1    |     "email": "[email protected]"
10:30:11 api.1    |   },
10:30:11 api.1    |   "limit": 1
10:30:11 api.1    | }
10:30:11 api.1    | verbose: {
10:30:11 api.1    |   "response": {
10:30:11 api.1    |     "results": [
10:30:11 api.1    |       {
10:30:11 api.1    |         "ACL": {
10:30:11 api.1    |           "WZPDbn3CmK": {
10:30:11 api.1    |             "read": true,
10:30:11 api.1    |             "write": true
10:30:11 api.1    |           }
10:30:11 api.1    |         },
10:30:11 api.1    |         "objectId": "WZPDbn3CmK",
10:30:11 api.1    |         "fullname": "Baller AOL",
10:30:11 api.1    |         "emailVerified": false,
10:30:11 api.1    |         "updatedAt": "2016-03-16T22:49:58.159Z",
10:30:11 api.1    |         "fullname_lower": "baller aol",
10:30:11 api.1    |         "username": "[email protected]",
10:30:11 api.1    |         "sessionToken": "t3kzGHS8PH0SxfcC62JyciGC7",
10:30:11 api.1    |         "createdAt": "2016-02-11T19:56:24.022Z",
10:30:11 api.1    |         "name": "Baller AOL",
10:30:11 api.1    |         "email": "[email protected]"
10:30:11 api.1    |       }
10:30:11 api.1    |     ]
10:30:11 api.1    |   }
10:30:11 api.1    | }