Readonly trigger for _Session hook

[georgesjamous]

Allowing a ReadOnly trigger on the session targetting this workflow:

beforeSave: triggered whenever a session is created.
Thrown errors during signup are ignored; to cancel signup a hook on _User can be used.
Thrown errors during login prevent the user from login in, a session will no be created.
Any edits to the session object will be discarded.

beforeDelete: thrown errors are discarded.

no restrictions on afterSave or afterDelete.

beforeFind and afterFind are not allowed on _Session. (not changed from before)

@flovilmart does this seem okay?

[georgesjamous]

I did not really understand what is the purpose of this reduce.
Didn't touch it, but RestWrite.prototype.buildUpdatedObject = function(extraData) { could be fixed to have less duplicated code (like inflating twice in the case of session)

[flovilmart]

Please revert to const

[codecov]

Codecov Report

Merging #5155 into master will decrease coverage by 0.12%.
The diff coverage is 86.66%.

@@            Coverage Diff             @@
##           master    #5155      +/-   ##
==========================================
- Coverage   93.93%   93.81%   -0.13%     
==========================================
  Files         123      123              
  Lines        8975     8954      -21     
==========================================
- Hits         8431     8400      -31     
- Misses        544      554      +10

Impacted Files	Coverage Δ
src/triggers.js	93.15% <83.33%> (-1.17%)	⬇️
src/RestWrite.js	92.79% <91.66%> (-0.46%)	⬇️
src/LiveQuery/Client.js	97.43% <0%> (-2.57%)	⬇️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	91.48% <0%> (-0.73%)	⬇️
src/Adapters/Storage/Mongo/MongoCollection.js	97.29% <0%> (-0.14%)	⬇️
src/LiveQuery/ParseLiveQueryServer.js	87.46% <0%> (-0.12%)	⬇️
...dapters/Storage/Postgres/PostgresStorageAdapter.js	97.08% <0%> (-0.08%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2d7b992...999ac90. Read the comment docs.

[flovilmart]

Why do we treat session creation differently when singing up than in logging in?

[flovilmart]

I don’t recommend passing default paramètres as truths, as different implementations with bottom values will produce different results (undefined, null,false)

[georgesjamous]

i will set it to false by default, but didn't know if its being used somewhere else. Was afraid from breaking something. Tests will show anyhow.

[flovilmart]

False / undefined /null should be the default behavior. If true is passed, then we should use the new code path

[flovilmart]

Please revert to const

[flovilmart]

Please do an early return instead

[flovilmart]

What’s the point of keeping that? Perphas use ‘readOnlyClassNames’ instead

[georgesjamous]

no point, will remove it

[flovilmart]

If it’s a readOnlyTrigger, why would we perform additional checks?

If the trigger is a simple event based one errors should simply get ignored. So it should resolved always.

[georgesjamous]

I want to give the possibility to reject a login, rejecting all readOnlyTrigger events would get in the way of that.
I am thinking now of refactoring the name to sessionTrigger rather than readonlyTrigger, it seems more appropriate.

[georgesjamous]

Why do we treat session creation differently when singing up than in logging in?

Rejecting a session during signup will not prevent the RestWrite from creating the user, it will require a bit more refactoring to achieve this, since a user is created before the session.
We would need to roll back and delete the created user.

Rejecting a signup can be done on user triggers, while a session could be used to track logins and reject them for existing users, and maybe later on use them for 2fa capability.

Once a user is signed up (and an account is created _User) there seems to be no point in rejecting a session.

[flovilmart]

But still creating a user is one thing, creating a session is another thing. Either it is fully ignore or it isn’t.

[flovilmart]

Once a user is signed up (and an account is created _User) there seems to be no point in rejecting a session.

Preventing a logIn? Ensuring users have gone through a verification step before actually have credentials etc... lots of reasons actually to prevent session creation. Whicj is exactly the point no?

[georgesjamous]

So you think both should be independent ?

• Rejecting a session during signup should not rollback and delete the user,
  just prevent the session from being created. Let the user be created normally.
• Rejecting a session during login should prevent the user from being logged in.

[flovilmart]

What do you think?

[flovilmart]

And what are you trying to achieve with the PR, because if it’s simply having hooks in session, I believe there is an ulterior motive

[georgesjamous]

I think its good, i will look into it.

_{Sent with GitHawk}

[georgesjamous]

Yea, just that i need to cancel some logins easily. There are other ways though, but a session hook is the most direct way.

_{Sent with GitHawk}

[georgesjamous]

How about something like this ?
session hooks should now be following the workflow you suggested.

The only error that gets ignored is in beforeDelete.
On signup, the user will be created normally just without a session token.

[flovilmart]

Sorry for the late response! Sounds good then.

If errors are thrown in session’s before Delete, then we should probably indicate by a log that it will continue and proceed

[flovilmart]

Overall we’re very close. Just a few nits and we’ll be great!

[flovilmart]

This try / catch is not necessary

[flovilmart]

Unnecessary

[flovilmart]

You can also use a simple spy or counter to ensure the function has been called. This makes the test suite faster :)

[flovilmart]

I believe this function is declared at many places already, do you plan to reuse it everywhere?

[georgesjamous]

will check if i can consolidate them all here.

[flovilmart]

Not sure resolve supports two arguments as it is a native promise IIRC.

[georgesjamous]

Resolve here is a custom function, defined here. Its not the the promise resolve.

parse-server/src/triggers.js

Line 560 in 56dc2e4

(object, error) => {

[flovilmart]

If this line has changed, let’s replace var by const

[flovilmart]

Use const if we change this line as well

[georgesjamous]

Will look into the requested changes as soon as i can.

[georgesjamous]

@flovilmart i think I got them all.
Not sure about the space changes between my commits though.
Although, I am using two different machines but same VSC config.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.