Hello guys.
This is a question I've tried to find anywhere in StackOverflow or here, but I haven't found it.
Some of us, developers who use Parse for a backend solution, rely only on Parse Cloud Code to make requests. Sometimes we develop X-platform products, which is really nice, but maybe we would like to prevent people from fiddling with the REST part (or from the JavaScript SDK, for example). Is there any plan to be able to cut everything except some endpoints such as "http://parsehost/parse/functions/*" for the future?
Thank you very much in advance, and I'm sorry if this question is duplicated (I haven't found it).
Regards.
You can build an express app with a simple API if that's what you need.
@flovilmart thank you for your answer... is there any reference I can read or any idea?
Thank you again
What you want is actually just a web server that is using Parse as a backend, right? You can use expressjs http://expressjs.com and then make an API client on your apps.
No, well, I would like to use Parse directly, but disabling Queries from clients of cURL. I use background jobs, push, and many more Parse features. What I want actually is being protected against calls like http://mywebserver:1337/parse/users and read every single field. I'm getting sensitive data (according to my structure) but I need Users to be public readable.
In Parse Cloud I use .select to retrieve the right fields.
I don't know if I explained well, is it clear?
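You can use beforeFind calls to transform your query before it's executed. If you want to disable full endpoints you can also do:

    // Answer 404 for GET /parse/users before the Parse API router sees it
    app.get('/parse/users', function(req, res) {
      res.status(404).send('Not found');
    });
    // Everything else under /parse is still handled by parse-server
    app.use('/parse', parseAPI);
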
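
The `beforeFind` suggestion above, sketched as an added example (not code from this thread or from Parse Server): a field allowlist for non-master `_User` queries that also rejects filtering or sorting on hidden fields. The field list and function names are hypothetical, and the wiring assumes a current Parse Server where the trigger request exposes `master` and `Parse.Query.fromJSON` is available.

```javascript
// Assumed set of fields that may be publicly read on _User (hypothetical).
const PUBLIC_USER_FIELDS = ['objectId', 'username', 'createdAt'];

// Collect every field named in a REST "where" clause, including $or/$and/$nor branches.
function fieldsInWhere(where, out = new Set()) {
  for (const [key, value] of Object.entries(where || {})) {
    if (key === '$or' || key === '$and' || key === '$nor') {
      (Array.isArray(value) ? value : []).forEach(branch => fieldsInWhere(branch, out));
    } else {
      out.add(key.split('.')[0]); // "profile.age" constrains "profile"
    }
  }
  return out;
}

// Takes the JSON form of a query ({ where, keys, order, ... }) and returns a restricted copy.
// Master-key queries (Cloud Code using useMasterKey) pass through untouched.
function restrictUserQuery(json, isMaster, allowed = PUBLIC_USER_FIELDS) {
  if (isMaster) return json;
  const allow = new Set(allowed);
  // Filtering or sorting on a hidden field leaks its value even if it is never returned.
  const sortFields = String(json.order || '').split(',').filter(Boolean)
    .map(k => k.replace(/^-/, '').split('.')[0]);
  const probed = [...fieldsInWhere(json.where), ...sortFields].filter(k => !allow.has(k));
  if (probed.length) throw new Error('Query on non-public field: ' + probed.join(', '));
  // Intersect the client's own "keys" with the allowlist; default to the whole allowlist.
  const requested = String(json.keys || '').split(',').filter(Boolean).map(k => k.split('.')[0]);
  const keys = (requested.length ? requested.filter(k => allow.has(k)) : allowed).join(',');
  // "include" is dropped as a conservative choice so pointer expansion cannot widen the result.
  const { include, ...rest } = json;
  return { ...rest, keys: keys || 'objectId' };
}

// Wiring: runs only inside Parse Server Cloud Code, where the global Parse exists.
if (typeof Parse !== 'undefined') {
  Parse.Cloud.beforeFind(Parse.User, req =>
    Parse.Query.fromJSON('_User', restrictUserQuery(req.query.toJSON(), req.master)));
}
```
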
@flovilmart that is gorgeous... thank you very much!
@flovilmart, I've been checking deeply, it wouldn't work to isolate only Parse Cloud for example.
I tried to isolate in this way:

    // Reject every request under /parse except Cloud Function calls
    app.all('/parse/*', function(req, res, next) {
      if (!req.url.startsWith("/parse/functions")) {
        res.status(404).send('Not found');
      } else {
        next();
      }
    });

but Parse Cloud is using /parse/classes/_User for retrieving users, for example, and it won't work... do you have any other workaround or idea to work with? I'm still thinking but got no clue :(
Yeah because you need all of those still working because parse-server is well, parse-server... I'm not sure we're gonna go that route...
So what would you suggest for this?
"I have done a search on Google saying ' websites done with parse as backend '. I got one, I opened the Javascript console (or well, grab the REST-Api-Key from any cloud call and do the same job with cURL) and this happened:"

What could we do in this case?
put a CLP so you can't run a find...
so I can't run a find from Parse Cloud either :\ ?
you can run find with the master key
alright! let's try :)
thanks!
We do something similar to the suggestion: All classes have no read and write access via CLP (make sure to switch to advanced permissions mode to also unset Add Field) and our cloud code queries etc. all have useMasterKey: true
Perhaps it would be useful to have a special mode so it is like this out of the box but it is low priority for me as you can achieve this already using the above steps.
I've tried to change CLP for User object, disabling Public GET and FIND.
But new users are unable to sign up without Public GET. Login works fine. (JavaScript SDK)
@cleever I had faced this issue and got around it by creating a cloud function to sign users up
I think you need an ACL in this case. Whenever a user signs up, you should place an ACL on that user. This should avoid public queries to find this user.
@steven-supersolid I'm using the same thing as you, where I disable access to all the tables and only use Cloud Code to access them. I'm migrating to Parse Server now, updating all Cloud Code to use the master key explicitly and removing the current user call, but the queries don't return any data now. It seems like useMasterKey is not working for some reason, and I have been banging my head against the wall for the past 2 days. Is yours working?
@flovilmart any help or suggestion here? I googled and read all the issues and it seems like it should be working, but it's not for me. I'm using Heroku and mLab and running the latest version of Node 6.9.1 and the latest beta version of Parse Server.
Any help or direction would be greatly appreciated.
@kyvu probably best to ask on SO and provide a simple code sample and server logs as seems like an issue with your setup