change to RestWrite.createSession (+14 squashed commits)

semantic-release-bot · SebC99 · commit f96610a6e4d0 · 2022-05-29T14:47:26.000+02:00
Squashed commits: [1306da7] Merge pull request from GHSA-23r4-5mxp-c7g5 [3a5c38d] revert to version 4.5.0 for testing [a3483d8] fix changelog skip 4.5.1 [3c42584] 4.5.2 [97b1dca] revert to version 4.5.0 for testing [f3133ac] Release 4.10.1 (parse-community#7508) * bump parse 3.3.0 * Update CHANGELOG.md * update user test (PR parse-community#7464) * fix Twitter API oauth Error (PR parse-community#7370) * bumped dependencies * Revert "bumped dependencies" This reverts commit 97ad83d. * bump @parse/push-adapter 3.4.1 * bump jwks-rsa@1.12.3 * bump mongodb@3.6.11 * bump ws@7.5.3 * changed logging for circular obj (PR parse-community#7457) * Update CHANGELOG.md [7e1da90] added changelog [0e3cae5] audit fix [f0d5232] bumped version [4ac4b7f] Merge pull request from GHSA-7pr3-p5fm-8r9x * fix: LQ deletes session token * add 4.10.4 * add changes [ef2ec21] ci: update docker image building (parse-community#7553) * docker * Update docker-publish.yml * Update docker-publish.yml [6ae5835] Merge pull request from GHSA-xqp8-w826-hh6x * Backport the advisory fix * Added a 4.10.3 section to CHANGELOG [0bfa6b7] Release 4.10.2 (parse-community#7513) * move graphql-tag from devDependencies to dependencies (parse-community#7183) * bump version * Update CHANGELOG.md [0be0b87] bump version
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,59 @@
+name: docker
+
+on:
+  schedule:
+    - cron: '19 17 * * *' # Nightly builds capture upstream updates to dependency images such as node.
+  push:
+    branches: [ master, 'release-*.*.*' ]
+    tags: [ '*.*.*' ]
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: parseplatform/parse-server
+
+jobs:
+  build:
+
+    runs-on: ubuntu-18.04
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Determine branch name
+        id: branch
+        run: echo ::set-output name=branch_name::${GITHUB_REF#refs/*/}        
+
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Log into Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: |
+            latest=${{ steps.branch.branch_name == 'master' }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64/v8
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/changelogs/CHANGELOG_release.md b/changelogs/CHANGELOG_release.md
@@ -1,3 +1,10 @@
+## [5.2.1](https://github.com/parse-community/parse-server/compare/5.2.0...5.2.1) (2022-05-01)
+
+
+### Bug Fixes
+
+* authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) ([#7962](https://github.com/parse-community/parse-server/issues/7962)) ([af4a041](https://github.com/parse-community/parse-server/commit/af4a0417a9f3c1e99b3793806b4b18e04d9fa999))
+
 # [5.2.0](https://github.com/parse-community/parse-server/compare/5.1.1...5.2.0) (2022-03-24)
 
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "5.2.0",
+  "version": "5.2.1",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -875,7 +875,7 @@ RestWrite.prototype.createSessionToken = async function () {
     this.storage['authProvider'] = Object.keys(this.data.authData).join(',');
   }
 
-  const { sessionData, createSession } = RestWrite.createSession(this.config, {
+  const { sessionData, createSession } = Auth.createSession(this.config, {
     userId: this.objectId(),
     createdWith: {
       action: this.storage['authProvider'] ? 'login' : 'signup',

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "parse-server",`
`3`		`- "version": "5.2.0",`
	`3`	`+ "version": "5.2.1",`
`4`	`4`	`"description": "An express module providing a Parse-compatible API server",`
`5`	`5`	`"main": "lib/index.js",`
`6`	`6`	`"repository": {`
Original file line number	Diff line number	Diff line change
`@@ -875,7 +875,7 @@ RestWrite.prototype.createSessionToken = async function () {`
`875`	`875`	`this.storage['authProvider'] = Object.keys(this.data.authData).join(',');`
`876`	`876`	`}`
`877`	`877`
`878`		`- const { sessionData, createSession } = RestWrite.createSession(this.config, {`
	`878`	`+ const { sessionData, createSession } = Auth.createSession(this.config, {`
`879`	`879`	`userId: this.objectId(),`
`880`	`880`	`createdWith: {`
`881`	`881`	`action: this.storage['authProvider'] ? 'login' : 'signup',`