Use JWT to authenticate (workaround inside, but looking for a proper solution)

[sunshineo]

We need to support requests without Parse session token but a JWT from Auth0. We have a hack but wonder if there is a better way to do this. We don't like the part that we have to call db twice to find the user and then the session. We would have called the db even more times if the user or session does not exist. We had to give the session an insane long expiration time, but I hope that is not a problem. Lastly, we are not sure if setting the x-parse-session-token header is the right way to become that user on the server-side.

Here we share our hack

const express = require('express');
const app = express();
const ParseServer = require('parse-server').ParseServer;
const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');

const jwtMiddleware = jwt({
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: 'http://your-app.auth0.com/.well-known/jwks.json'
  }),

  // Validate the audience and the issuer.
  audience: 'https://api.your-domain.com/v1',
  issuer: 'https://your-app.auth0.com/',
  algorithms: ['RS256'],
  credentialsRequired: false,
})
app.use('/parse', jwtMiddleware)

const addParseSessionHeader = async (req) => {
  if (!req.user) {
    return
  }
  const username = req.user.sub
  const userQuery = new Parse.Query('_User')
  userQuery.equalTo('username', username)
  let users
  try {
    users = await userQuery.find()
  }
  catch(e) {
    console.log('Exception when search for user: ', e)
    return
  }
  if (!users || users.length === 0) {
    // TODO: need to creat user
    return
  }
  const user = users[0]
  const sessionQuery = new Parse.Query('_Session')
  sessionQuery.equalTo('user', user)
  let sessions
  try {
    sessions = await sessionQuery.find({ useMasterKey: true })
  }
  catch(e) {
    console.log('Exception when search session for user: ', e)
    return
  }
  if (!sessions || sessions.length === 0) {
    // TODO: need to login to create session
    return
  }
  const session = sessions[0]
  const sessionToken = session.get('sessionToken')
  req.headers['x-parse-session-token'] = sessionToken
}

app.use('/parse', async (req, res, next) => {
  await addParseSessionHeader(req, res)
  next()
})

const parseApi = new ParseServer({
 ...your configs
});
app.use('/parse', parseApi);

app.listen(port, () => console.log(`Listening on port ${port}`));

[davimacedo]

The best way would be writing a new auth adapter like these. It would be nice to have it here. Would you be willed to tackle this and send us a PR?

[sunshineo]

@davimacedo I could be wrong but I think the auth adapter is exactly the opposite. Using one of those adapter will get Parse server to log user in and issue a sessionToken to the client. Later requests will put that sessionToken in the header, and then it's business as usual.

But here we don't want to use the sessionToken at all, we want Parse to use the JWT issued by Auth0. And frankly, it is probably faster and more stable since that does not require a lookup from database or cache

[davimacedo]

Sorry. I've misunderstood your usage case. For your case case I think the middleware before Parse replacing jwt to session token is the way to go. You are not planning to use the SDKs, right?

[goshander]

With JWT use, you still need check token in fast database like redis to check forced token ban

[sunshineo]

@Dynan7 We do not have any kind of that check right now. We rely on the token to be very short-lived and constantly refreshed. We probably will eventually do that so users do not have to login too frequently. Do you think my way of having Parse handle JWT is OK? Was your point that even now I have to do a check from database or cache, it is not worse than JWT since if JWT was setup properly this check is needed anyway?

@davimacedo Is there a plan for Parse to replace session token with JWT? Will this be a small/medium/large project?

[sunshineo]

@Dynan7 On second thought, we are using 3rd party OAuth 2 service (Auth0). Users get a refresh token in their browser and the actual access token expires after a very short time (could be as low as 60s or so). The browser will receive 401 if the access token expired and then browser will call Auth0 with the refresh token to get a new access token. When we need to ban someone, we just invalidate the refresh token, and soon their access token expires and they lose access. In this flow, no database or cache check is needed at all especially on our server side. Auth0 need to valid refresh token, but that's their job when generating access token.

I think a proper solution for Parse to use JWT should NOT be what I did, but trust the JWT and have the permission attached to the request to access data with ACL working. Could be complicated.

[davimacedo]

@sunshineo I am not aware of any plans to replace current session token to jwt but I believe if it is something that the developers can opt-in or not it would be welcome. I'd need to learn more about jwt but I guess it would be medium project (I'm considering we can user some hack in order to not change all SDKs but definitively I'd need to learn more about jwt). @acinader @dplewis thoughts?

[sunshineo]

Thank you @davimacedo! Does anything come to your mind besides attach x-parse-session-token to request.headers ? Is it possible to create something else and attach it to the request that can achieve the same effect?

[goshander]

@Dynan7 On second thought, we are using 3rd party OAuth 2 service (Auth0). Users get a refresh token in their browser and the actual access token expires after a very short time (could be as low as 60s or so). The browser will receive 401 if the access token expired and then browser will call Auth0 with the refresh token to get a new access token. When we need to ban someone, we just invalidate the refresh token, and soon their access token expires and they lose access. In this flow, no database or cache check is needed at all especially on our server side. Auth0 need to valid refresh token, but that's their job when generating access token.

I think a proper solution for Parse to use JWT should NOT be what I did, but trust the JWT and have the permission attached to the request to access data with ACL working. Could be complicated.

That sounds good, if you update token so often, you really no need check it in the any storage.
I just thought you have access token with long time expiring
In our project we too save permissions in JWT, it's fast and usefull.

[sunshineo]

@Dynan7 Thank you for sharing! How do you use the permissions from JWT in Parse? How does that work with Parse ACL?

[davimacedo]

@sunshineo you can look at this file to see how the session token is handled. Observe that you can also send it in the body on a post request instead of in the header.

[sunshineo]

Thank you @davimacedo . It seems that I can create an Parse.Auth object myself from that user. I do not need to log the user in then get the session. I do not need to have never expired sessions in my database. This also saves a couple database calls. I'll try it and report back.

[sunshineo]

After reading the code my conclusion is that the middleware will overwrite req.auth based on the fact that there is no sessionToken. So I believe my workaround is the only workaround without modify the Parse code. The good news is I'm feeling this is not going to be that hard. I'll try to do a fork and try something.

[sunshineo]

I was able to add this simple change that allows me to pass down the Parse user I mapped from JWT on the request to the Parse middleware. sunshineo@2dcafa3

if (req.userFromJWT) {
    req.auth = new auth.Auth({
      config: req.config,
      installationId: info.installationId,
      isMaster: false,
      user: req.userFromJWT,
    });
    next();
    return;
  }

This saves one or two database call, and we are no longer messing with the Parse sessions. No more insane long expiration session.

This workaround still requires user to wrap Parse server in express and map the JWT to a Parse server themselves before pass it down to Parse middleware. But is this the final stop? Should Parse take over the JWT decoding and user mapping? I can see that introduce a ton of configurations to support all the different decoding usecases? And I'm not even sure if the user mapping is possible without code. I'd like to hear your thoughts.

Here is what our code looks like now with the hack above

const express = require('express');
const app = express();
const ParseServer = require('parse-server').ParseServer;
const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');

const jwtMiddleware = jwt({
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: 'http://your-app.auth0.com/.well-known/jwks.json'
  }),

  // Validate the audience and the issuer.
  audience: 'https://api.your-domain.com/v1',
  issuer: 'https://your-app.auth0.com/',
  algorithms: ['RS256'],
  credentialsRequired: false,
})
app.use('/parse', jwtMiddleware)

const rejectInvalidToken = (err, req, res, next) => {
  // this means no token was provided, using other auth methods
  if (err.code === 'credentials_required') {
    return next()
  }
  res.statusCode = 401;
  res.send(err);  
}
app.use('/parse', rejectInvalidToken)

const getUser = async (jwtUser) => {
  const username = jwtUser.sub
  const userQuery = new Parse.Query('_User')
  userQuery.equalTo('username', username)
  let users
  try {
    users = await userQuery.find({ useMasterKey: true })
  }
  catch(e) {
    console.log('Exception when search for user: ', e)
    return
  }
  if (!users || users.length === 0) {
    return
  }
  return users[0]
}
const createUser = async (jwtUser) => {
  const username = jwtUser.sub
  const user = new Parse.User()
  user.set('username', username)
  user.set('password', username)
  try {
    await user.save(null, { useMasterKey: true })
  }
  catch(e) {
    console.log('Exception when create user: ', e)
    return
  }
  return user
}
const mapJWT2ParseUserHelper = async (req) => {
  const jwtUser = req.user
  if (!jwtUser) {
    return
  }
  req.userFromJWT = await getUser(jwtUser) || await createUser(jwtUser)
}
const mapJWT2ParseUser = async (req, res, next) => {
  await mapJWT2ParseUserHelper(req)
  next()
}
app.use('/parse', mapJWT2ParseUser)

const parseApi = new ParseServer({
 ...your configs
});
app.use('/parse', parseApi);

app.listen(port, () => console.log(`Listening on port ${port}`));