Server logs master key error even if it has been not used #8829

Closed
3 of 4 tasks
suathh opened this issue Dec 7, 2023 · 4 comments · Fixed by #8957
Labels
block:major Needs to be resolved before next major release; remove label afterwards state:breaking Breaking change requires major version increment and `BREAKING CHANGE` commit message type:bug Impaired feature or lacking behavior that is likely assumed

Comments

suathh commented Dec 7, 2023

New Issue Checklist

Issue Description

If `masterKeyIps` is defined and I try to access data in a public class via the REST API, and the request has the `X-Parse-Master-Key` header, then the server returns the needed response but also logs this error: `error: Request using master key rejected as the request IP address '::1' is not set in Parse Server option 'masterKeyIps'.`

Request (has Master-Key header) -> (tries to access a public class) -> Server (gives response but logs error for IP is not allowed for masterKey)

Request (has Master-Key header) -> (tries to access a masterKey-only class) -> Server (denies and logs error for IP is not allowed for masterKey)

Steps to reproduce

Set your `masterKeyIps`, add `X-Parse-Master-Key` to the headers of the request, and try to access a public class.

Actual Outcome

error: Request using master key rejected as the request IP address '::1' is not set in Parse Server option 'masterKeyIps'.

Expected Outcome

The server should not log that, since I was not trying to use the master key for my operation, because it was an access request to public class data.

Environment

```json
"dependencies": {
  "axios": "1.6.0",
  "dotenv": "^16.3.1",
  "express": "4.18.2",
  "ip-range-check": "^0.2.0",
  "parse": "4.1.0",
  "parse-server": "6.3.1"
}
```

Server

  • Parse Server version: 6.3.1
  • Operating system: Windows 10
  • Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Localhost

Database

  • System (MongoDB or Postgres): MongoDB
  • Database version: 7.0.3
  • Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): local

Client

  • SDK (iOS, Android, JavaScript, PHP, Unity, etc): REST API
  • SDK version: None

Logs

error: Request using master key rejected as the request IP address '::1' is not set in Parse Server option 'masterKeyIps'.

Thanks for opening this issue!

  • 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

Member

mtrezza commented Dec 7, 2023

I rather think the expected outcome should be that the request is denied. Because strictly speaking the request header contains the master key, and `masterKeyIps` restricts using the master key per IPs. So even if it's a public class, allowing the master key to access it would violate that rule. Setting the master key in the header means "make the request using the master key", not "use the master key optionally, in case the operation requires it".

Member

mtrezza commented Dec 7, 2023

This would be a breaking change, so ideal for Parse Server 7 release.

@mtrezza mtrezza added type:bug Impaired feature or lacking behavior that is likely assumed state:breaking Breaking change requires major version increment and `BREAKING CHANGE` commit message block:major Needs to be resolved before next major release; remove label afterwards labels Dec 7, 2023
Author

suathh commented Dec 7, 2023

I will create a PR for fixing this
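
The two outcomes discussed in this thread, as an added example that is not Parse Server's code and not written by either participant: a small model of a `masterKeyIps` check in which mode `downgrade` reproduces the reported behaviour and mode `reject` the proposed one. The function names, the request shape, the key value and the subnets are assumptions made for illustration.

```javascript
// Added illustration, not Parse Server source code. All names are hypothetical.
// Parse an IPv4 or IPv6 literal into a BigInt (IPv4-mapped IPv6 is not handled).
function parseIp(ip) {
  if (!ip.includes(':')) {
    const value = ip.split('.').reduce((acc, o) => (acc << 8n) | BigInt(Number(o)), 0n);
    return { bits: 32, value };
  }
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const groups = ip.includes('::') ? [...h, ...Array(8 - h.length - t.length).fill('0'), ...t] : h;
  const value = groups.reduce((acc, g) => (acc << 16n) | BigInt(parseInt(g, 16)), 0n);
  return { bits: 128, value };
}

// True when ip matches an allow-list entry (single address or CIDR range).
function ipAllowed(ip, allowList) {
  const addr = parseIp(ip);
  return allowList.some(entry => {
    const [base, prefix] = entry.split('/');
    const net = parseIp(base);
    if (net.bits !== addr.bits) return false; // never compare IPv4 against IPv6
    const shift = BigInt(net.bits - (prefix === undefined ? net.bits : Number(prefix)));
    return addr.value >> shift === net.value >> shift;
  });
}

// mode 'downgrade': behaviour reported in the issue (served without master rights, error logged).
// mode 'reject': outcome proposed in the maintainer's comment (request denied outright).
function evaluate(req, config, mode) {
  const log = [];
  // Assumption: a missing or non-matching key makes this an ordinary request.
  const sentMasterKey = req.headers['x-parse-master-key'] === config.masterKey;
  if (!sentMasterKey) return { served: req.classIsPublic, isMaster: false, log };
  if (ipAllowed(req.ip, config.masterKeyIps)) return { served: true, isMaster: true, log };
  log.push(`error: Request using master key rejected as the request IP address '${req.ip}' ` +
    `is not set in Parse Server option 'masterKeyIps'.`);
  const served = mode === 'downgrade' && req.classIsPublic;
  return { served, isMaster: false, log };
}

// Constructed sample data: the key value and the subnets are placeholders.
const sampleConfig = { masterKey: 'EXAMPLE_MASTER_KEY', masterKeyIps: ['10.0.0.0/8', '2001:db8::/32'] };
const publicRead = { ip: '::1', classIsPublic: true, headers: { 'x-parse-master-key': 'EXAMPLE_MASTER_KEY' } };
console.log(evaluate(publicRead, sampleConfig, 'downgrade')); // public class, key sent from '::1'
console.log(evaluate(publicRead, sampleConfig, 'reject'));
```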
