Server logs master key error even if it has not been used
New Issue Checklist
- [X] I am not disclosing a vulnerability.
- [X] I am not just asking a question.
- [X] I have searched through existing issues.
- [ ] I can reproduce the issue with the latest version of Parse Server.
Issue Description
If masterKeyIps is defined and I try to access data in a public class via the REST API, and the request has the X-Parse-Master-Key header, then the server returns the needed response but also logs this error: error: Request using master key rejected as the request IP address '::1' is not set in Parse Server option 'masterKeyIps'.
Request (Has Master-Key header) ->(Tries to access a public class) -> Server (Gives response but logs error for IP is not allowed for masterKey)
Request (Has Master-Key header) ->(Tries to access a masterKey only class) -> Server (denies and logs error for IP is not allowed for masterKey)
Steps to reproduce
Set your masterKeyIps, add X-Parse-Master-Key to your header in the request, and try to access a public class.
Actual Outcome
error: Request using master key rejected as the request IP address '::1' is not set in Parse Server option 'masterKeyIps'.
Expected Outcome
Server should not log that, since I was not trying to use the Master Key for my operation, because it was an access request to a public class's data.
Environment
"dependencies": { "axios": "1.6.0", "dotenv": "^16.3.1", "express": "4.18.2", "ip-range-check": "^0.2.0", "parse": "4.1.0", "parse-server": "6.3.1" }
Server
- Parse Server version: 6.3.1
- Operating system: Windows 10
- Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Localhost
Database
- System (MongoDB or Postgres): MongoDB
- Database version: 7.0.3
- Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): local
Client
- SDK (iOS, Android, JavaScript, PHP, Unity, etc): REST API
- SDK version: None
Logs
error: Request using master key rejected as the request IP address '::1' is not set in Parse Server option 'masterKeyIps'.
Thanks for opening this issue!
- 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.
I rather think the expected outcome should be that the request is denied. Because strictly speaking the request header contains the master key, and masterKeyIps restricts using the master key per IP. So even if it's a public class, allowing the master key to access it would violate that rule. Setting the master key in the header means "make the request using the master key", not "use the master key optionally, in case the operation requires it".
This would be a breaking change, so ideal for Parse Server 7 release.
I will create a PR for fixing this
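The two behaviours discussed in this thread, side by side, as an added example that is not Parse Server's own code and not written by any participant. The function names, the `mode` switch, the `classIsPublic` flag and the sample key and CIDR range are assumptions made for illustration; only the log message text is taken from the issue.

```javascript
// Added example: a model of the master-key IP gate, not Parse Server source code.
const net = require('node:net');
const crypto = require('node:crypto');

// Matcher for masterKeyIps-style entries: single addresses or CIDR ranges.
function buildAllowList(entries) {
  const list = new net.BlockList();
  for (const entry of entries) {
    const [addr, prefix] = entry.split('/');
    const family = net.isIP(addr) === 6 ? 'ipv6' : 'ipv4';
    if (prefix === undefined) list.addAddress(addr, family);
    else list.addSubnet(addr, Number(prefix), family);
  }
  return (ip) => list.check(ip, net.isIP(ip) === 6 ? 'ipv6' : 'ipv4');
}

// Constant-time comparison of the presented key with the configured one.
function keyMatches(presented, expected) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(presented), h(expected));
}

// mode 'downgrade': behaviour reported in the issue (log, continue without master rights).
// mode 'deny': behaviour proposed in the reply (reject the request outright).
function handleRequest(req, config, mode) {
  const presented = req.headers['x-parse-master-key'];
  let isMaster = false;
  let log = null;
  if (presented !== undefined && keyMatches(presented, config.masterKey)) {
    if (config.isAllowedIp(req.ip)) {
      isMaster = true;
    } else {
      log = `error: Request using master key rejected as the request IP address '${req.ip}' ` +
        `is not set in Parse Server option 'masterKeyIps'.`;
      if (mode === 'deny') return { outcome: 'denied', isMaster, log };
    }
  }
  // Public classes are served to anyone; restricted ones need master rights.
  const served = req.classIsPublic || isMaster;
  return { outcome: served ? 'served' : 'denied', isMaster, log };
}

// Constructed sample: master key allowed only from 10.0.0.0/8, request arrives from ::1.
const config = { masterKey: 'constructed-key', isAllowedIp: buildAllowList(['10.0.0.0/8']) };
const req = { ip: '::1', headers: { 'x-parse-master-key': 'constructed-key' }, classIsPublic: true };
console.log(handleRequest(req, config, 'downgrade'));
console.log(handleRequest(req, config, 'deny'));
```

For detection purposes, the `downgrade` result carries a log line on a request that was still served, so that line signals a master key presented from an unlisted address rather than a blocked read.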