fix: feedbacks

coratgerl · coratgerl · commit 79bf5f5e5483 · 2025-11-18T22:38:12.000+01:00
diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js
@@ -1406,10 +1406,10 @@ export default class SchemaController {
       // If aclGroup has * (public)
       if (!aclGroup || aclGroup.length == 0) {
         const detailedError = 'Permission denied, user needs to be authenticated.';
-        throw createSanitizedError(Parse.Error.OBJECT_NOT_FOUND, detailedError, defaultLogger);
+        throw createSanitizedError(Parse.Error.OBJECT_NOT_FOUND, detailedError);
       } else if (aclGroup.indexOf('*') > -1 && aclGroup.length == 1) {
         const detailedError = 'Permission denied, user needs to be authenticated.';
-        throw createSanitizedError(Parse.Error.OBJECT_NOT_FOUND, detailedError, defaultLogger);
+        throw createSanitizedError(Parse.Error.OBJECT_NOT_FOUND, detailedError);
       }
       // requiresAuthentication passed, just move forward
       // probably would be wise at some point to rename to 'authenticatedUser'
@@ -1424,7 +1424,7 @@ export default class SchemaController {
     // Reject create when write lockdown
     if (permissionField == 'writeUserFields' && operation == 'create') {
       const detailedError = `Permission denied for action ${operation} on class ${className}.`;
-      throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError, defaultLogger);
+      throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError);
     }
 
     // Process the readUserFields later
@@ -1445,7 +1445,7 @@ export default class SchemaController {
     }
 
     const detailedError = `Permission denied for action ${operation} on class ${className}.`;
-    throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError, defaultLogger);
+    throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError);
   }
 
   // Validates an operation passes class-level-permissions set in the schema
diff --git a/src/GraphQL/loaders/schemaMutations.js b/src/GraphQL/loaders/schemaMutations.js
@@ -7,7 +7,6 @@ import { transformToParse, transformToGraphQL } from '../transformers/schemaFiel
 import { enforceMasterKeyAccess } from '../parseGraphQLUtils';
 import { getClass } from './schemaQueries';
 import { createSanitizedError } from '../../SecurityError';
-import defaultLogger from '../../logger';
 
 const load = parseGraphQLSchema => {
   const createClassMutation = mutationWithClientMutationId({
@@ -35,11 +34,9 @@ const load = parseGraphQLSchema => {
         enforceMasterKeyAccess(auth, config);
 
         if (auth.isReadOnly) {
-          const loggerOrConfig = config || defaultLogger;
           throw createSanitizedError(
             Parse.Error.OPERATION_FORBIDDEN,
             "read-only masterKey isn't allowed to create a schema.",
-            loggerOrConfig
           );
         }
 
@@ -137,11 +134,9 @@ const load = parseGraphQLSchema => {
         enforceMasterKeyAccess(auth, config);
 
         if (auth.isReadOnly) {
-          const loggerOrConfig = config || defaultLogger;
           throw createSanitizedError(
             Parse.Error.OPERATION_FORBIDDEN,
             "read-only masterKey isn't allowed to delete a schema.",
-            loggerOrConfig
           );
         }
 
diff --git a/src/GraphQL/parseGraphQLUtils.js b/src/GraphQL/parseGraphQLUtils.js
@@ -1,15 +1,12 @@
 import Parse from 'parse/node';
 import { GraphQLError } from 'graphql';
 import { createSanitizedError } from '../SecurityError';
-import defaultLogger from '../logger';
 
-export function enforceMasterKeyAccess(auth, config = null) {
+export function enforceMasterKeyAccess(auth) {
   if (!auth.isMaster) {
-    const loggerOrConfig = config || defaultLogger;
     throw createSanitizedError(
       Parse.Error.OPERATION_FORBIDDEN,
       'unauthorized: master key is required',
-      loggerOrConfig
     );
   }
 }
diff --git a/src/RestQuery.js b/src/RestQuery.js
@@ -123,11 +123,9 @@ function _UnsafeRestQuery(
     if (this.className == '_Session') {
       if (!this.auth.user) {
         const detailedError = 'Invalid session token';
-        const log = (this.config && this.config.loggerController) || defaultLogger;
         throw createSanitizedError(
           Parse.Error.INVALID_SESSION_TOKEN,
           detailedError,
-          log
         );
       }
       this.restWhere = {
@@ -809,11 +807,9 @@ _UnsafeRestQuery.prototype.denyProtectedFields = async function () {
   for (const key of protectedFields) {
     if (this.restWhere[key]) {
       const detailedError = `This user is not allowed to query ${key} on class ${this.className}`;
-      const log = (this.config && this.config.loggerController) || defaultLogger;
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
         detailedError,
-        log
       );
     }
   }
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -1455,11 +1455,9 @@ RestWrite.prototype.runDatabaseOperation = function () {
 
   if (this.className === '_User' && this.query && this.auth.isUnauthenticated()) {
     const detailedError = `Cannot modify user ${this.query.objectId}.`;
-    const log = (this.config && this.config.loggerController) || defaultLogger;
     throw createSanitizedError(
       Parse.Error.SESSION_MISSING,
       detailedError,
-      log
     );
   }
 
diff --git a/src/Routers/ClassesRouter.js b/src/Routers/ClassesRouter.js
@@ -114,8 +114,7 @@ export class ClassesRouter extends PromiseRouter {
       req.body.objectId.startsWith('role:')
     ) {
       const detailedError = 'Invalid object ID.';
-      const log = (req.config && req.config.loggerController) || defaultLogger;
-      throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError, log);
+      throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError);
     }
     return rest.create(
       req.config,
diff --git a/src/Routers/FilesRouter.js b/src/Routers/FilesRouter.js
@@ -6,7 +6,6 @@ import logger from '../logger';
 const triggers = require('../triggers');
 const Utils = require('../Utils');
 import { createSanitizedError } from '../SecurityError';
-import defaultLogger from '../logger';
 
 export class FilesRouter {
   expressRouter({ maxUploadSize = '20Mb' } = {}) {
@@ -46,9 +45,7 @@ export class FilesRouter {
     if (!config) {
       res.status(403);
       const detailedError = 'Invalid application ID.';
-      const log = defaultLogger;
-      log.error('Security error:', detailedError);
-      const err = createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError, log);
+      const err = createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError);
       res.json({ code: err.code, error: err.message });
       return;
     }
diff --git a/src/Routers/GlobalConfigRouter.js b/src/Routers/GlobalConfigRouter.js
@@ -4,7 +4,6 @@ import PromiseRouter from '../PromiseRouter';
 import * as middleware from '../middlewares';
 import * as triggers from '../triggers';
 import { createSanitizedError } from '../SecurityError';
-import defaultLogger from '../logger';
 
 const getConfigFromParams = params => {
   const config = new Parse.Config();
@@ -43,11 +42,9 @@ export class GlobalConfigRouter extends PromiseRouter {
 
   async updateGlobalConfig(req) {
     if (req.auth.isReadOnly) {
-      const log = (req.config && req.config.loggerController) || defaultLogger;
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
         "read-only masterKey isn't allowed to update the config.",
-        log
       );
     }
     const params = req.body.params || {};
diff --git a/src/Routers/GraphQLRouter.js b/src/Routers/GraphQLRouter.js
@@ -2,7 +2,6 @@ import Parse from 'parse/node';
 import PromiseRouter from '../PromiseRouter';
 import * as middleware from '../middlewares';
 import { createSanitizedError } from '../SecurityError';
-import defaultLogger from '../logger';
 
 const GraphQLConfigPath = '/graphql-config';
 
@@ -16,11 +15,9 @@ export class GraphQLRouter extends PromiseRouter {
 
   async updateGraphQLConfig(req) {
     if (req.auth.isReadOnly) {
-      const log = (req.config && req.config.loggerController) || defaultLogger;
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
         "read-only masterKey isn't allowed to update the GraphQL config.",
-        log
       );
     }
     const data = await req.config.parseGraphQLController.updateGraphQLConfig(req.body?.params || {});
diff --git a/src/Routers/PurgeRouter.js b/src/Routers/PurgeRouter.js
@@ -2,16 +2,13 @@ import PromiseRouter from '../PromiseRouter';
 import * as middleware from '../middlewares';
 import Parse from 'parse/node';
 import { createSanitizedError } from '../SecurityError';
-import defaultLogger from '../logger';
 
 export class PurgeRouter extends PromiseRouter {
   handlePurge(req) {
     if (req.auth.isReadOnly) {
-      const log = (req.config && req.config.loggerController) || defaultLogger;
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
         "read-only masterKey isn't allowed to purge a schema.",
-        log
       );
     }
     return req.config.database
diff --git a/src/Routers/PushRouter.js b/src/Routers/PushRouter.js
@@ -2,7 +2,6 @@ import PromiseRouter from '../PromiseRouter';
 import * as middleware from '../middlewares';
 import { Parse } from 'parse/node';
 import { createSanitizedError } from '../SecurityError';
-import defaultLogger from '../logger';
 
 export class PushRouter extends PromiseRouter {
   mountRoutes() {
@@ -11,11 +10,9 @@ export class PushRouter extends PromiseRouter {
 
   static handlePOST(req) {
     if (req.auth.isReadOnly) {
-      const log = (req.config && req.config.loggerController) || defaultLogger;
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
         "read-only masterKey isn't allowed to send push notifications.",
-        log
       );
     }
     const pushController = req.config.pushController;
diff --git a/src/Routers/SchemasRouter.js b/src/Routers/SchemasRouter.js
@@ -6,7 +6,6 @@ var Parse = require('parse/node').Parse,
 import PromiseRouter from '../PromiseRouter';
 import * as middleware from '../middlewares';
 import { createSanitizedError } from '../SecurityError';
-import defaultLogger from '../logger';
 
 function classNameMismatchResponse(bodyClass, pathClass) {
   throw new Parse.Error(
@@ -74,11 +73,9 @@ export const internalUpdateSchema = async (className, body, config) => {
 async function createSchema(req) {
   checkIfDefinedSchemasIsUsed(req);
   if (req.auth.isReadOnly) {
-    const log = (req.config && req.config.loggerController) || defaultLogger;
     throw createSanitizedError(
       Parse.Error.OPERATION_FORBIDDEN,
       "read-only masterKey isn't allowed to create a schema.",
-      log
     );
   }
   if (req.params.className && req.body?.className) {
@@ -98,11 +95,9 @@ async function createSchema(req) {
 function modifySchema(req) {
   checkIfDefinedSchemasIsUsed(req);
   if (req.auth.isReadOnly) {
-    const log = (req.config && req.config.loggerController) || defaultLogger;
     throw createSanitizedError(
       Parse.Error.OPERATION_FORBIDDEN,
       "read-only masterKey isn't allowed to update a schema.",
-      log
     );
   }
   if (req.body?.className && req.body.className != req.params.className) {
@@ -115,11 +110,9 @@ function modifySchema(req) {
 
 const deleteSchema = req => {
   if (req.auth.isReadOnly) {
-    const log = (req.config && req.config.loggerController) || defaultLogger;
     throw createSanitizedError(
       Parse.Error.OPERATION_FORBIDDEN,
       "read-only masterKey isn't allowed to delete a schema.",
-      log
     );
   }
   if (!SchemaController.classNameIsValid(req.params.className)) {
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -17,7 +17,6 @@ import { promiseEnsureIdempotency } from '../middlewares';
 import RestWrite from '../RestWrite';
 import { logger } from '../logger';
 import { createSanitizedError } from '../SecurityError';
-import defaultLogger from '../logger';
 
 export class UsersRouter extends ClassesRouter {
   className() {
@@ -335,11 +334,9 @@ export class UsersRouter extends ClassesRouter {
    */
   async handleLogInAs(req) {
     if (!req.auth.isMaster) {
-      const log = (req.config && req.config.loggerController) || defaultLogger;
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
         'master key is required',
-        log
       );
     }
 
diff --git a/src/SecurityError.js b/src/SecurityError.js
@@ -9,19 +9,9 @@ import defaultLogger from './logger';
  * @param {Object} loggerOrConfig - Optional logger instance or config object (from req.config.loggerController or default)
  * @returns {Parse.Error} A Parse.Error with sanitized message
  */
-export function createSanitizedError(errorCode, detailedMessage, loggerOrConfig = null) {
-  let log = defaultLogger;
-  if (loggerOrConfig) {
-    if (loggerOrConfig.loggerController) {
-      log = loggerOrConfig.loggerController;
-    } else if (loggerOrConfig.error) {
-      // It's a logger instance
-      log = loggerOrConfig;
-    }
-  }
-
+export function createSanitizedError(errorCode, detailedMessage) {
   // Keep log on server side
-  log.error('Security error:', detailedMessage);
+  defaultLogger.error('Security error:', detailedMessage);
 
   return new Parse.Error(errorCode, 'Permission denied');
 }
@@ -35,18 +25,8 @@ export function createSanitizedError(errorCode, detailedMessage, loggerOrConfig
  * @param {Object} loggerOrConfig - Optional logger instance or config object
  * @returns {Error} An Error with sanitized message
  */
-export function createSanitizedHttpError(statusCode, detailedMessage, loggerOrConfig = null) {
-  let log = defaultLogger;
-  if (loggerOrConfig) {
-    if (loggerOrConfig.loggerController) {
-      log = loggerOrConfig.loggerController;
-    } else if (loggerOrConfig.error) {
-      log = loggerOrConfig;
-    }
-  }
-
-  // Keep log on server side
-  log.error('Security error:', detailedMessage);
+export function createSanitizedHttpError(statusCode, detailedMessage) {
+  defaultLogger.error('Security error:', detailedMessage);
 
   const error = new Error();
   error.status = statusCode;
diff --git a/src/SharedRest.js b/src/SharedRest.js
@@ -7,15 +7,13 @@ const classesWithMasterOnlyAccess = [
   '_Idempotency',
 ];
 const { createSanitizedError } = require('./SecurityError');
-const defaultLogger = require('./logger').default;
 
 // Disallowing access to the _Role collection except by master key
-function enforceRoleSecurity(method, className, auth, config = null) {
+function enforceRoleSecurity(method, className, auth) {
   if (className === '_Installation' && !auth.isMaster && !auth.isMaintenance) {
     if (method === 'delete' || method === 'find') {
       const detailedError = `Clients aren't allowed to perform the ${method} operation on the installation collection.`;
-      const loggerOrConfig = config || defaultLogger;
-      throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError, loggerOrConfig);
+      throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError);
     }
   }
 
@@ -26,15 +24,13 @@ function enforceRoleSecurity(method, className, auth, config = null) {
     !auth.isMaintenance
   ) {
     const detailedError = `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`;
-    const loggerOrConfig = config || defaultLogger;
-    throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError, loggerOrConfig);
+    throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError);
   }
 
   // readOnly masterKey is not allowed
   if (auth.isReadOnly && (method === 'delete' || method === 'create' || method === 'update')) {
     const detailedError = `read-only masterKey isn't allowed to perform the ${method} operation.`;
-    const loggerOrConfig = config || defaultLogger;
-    throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError, loggerOrConfig);
+    throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, detailedError);
   }
 }
 
diff --git a/src/middlewares.js b/src/middlewares.js
@@ -502,8 +502,7 @@ export function handleParseErrors(err, req, res, next) {
 
 export function enforceMasterKeyAccess(req, res, next) {
   if (!req.auth.isMaster) {
-    const log = (req.config && req.config.loggerController) || defaultLogger;
-    const error = createSanitizedHttpError(403, 'unauthorized: master key is required', log);
+    const error = createSanitizedHttpError(403, 'unauthorized: master key is required');
     res.status(error.status);
     res.end(`{"error":"${error.message}"}`);
     return;
@@ -513,8 +512,7 @@ export function enforceMasterKeyAccess(req, res, next) {
 
 export function promiseEnforceMasterKeyAccess(request) {
   if (!request.auth.isMaster) {
-    const log = (request.config && request.config.loggerController) || defaultLogger;
-    throw createSanitizedHttpError(403, 'unauthorized: master key is required', log);
+    throw createSanitizedHttpError(403, 'unauthorized: master key is required');
   }
   return Promise.resolve();
 }
