Error: It is not secure to become a user on a node.js server environment

Question

I've used the method

Parse.User.become("session-token-here").then(function (user) {
  // The current user is now set to user.
}, function (error) {
  // The token could not be validated.
});

This method will call back to Parse to validate the session token and fetch the associated user, then set the current user on the client like is explained in this website http://blog.parse.com/announcements/bring-your-own-login/

This method was working perfectly but I recently update the last version of npm parse 1.5.0 and now I got the following error:

Error: It is not secure to become a user on a node.js server environment.
    at Function.Parse.User.Parse.Object.extend.become (/home/...

Anybody has a solution for this problem?

Thanks in advance

Answer 1

Ran into the same issue. While bypassing the Javascript SDK may work, it appears that you can use Parse.User.enableUnsafeCurrentUser() help bypass this error within the SDK.

In the Parse 1.5.0 Javascript SDK section of their change log they provided the following update:

Removed the concept of the current user when running in node.js Current users can be enabled in node with Parse.User.enableUnsafeCurrentUser() Many requests now support passing an explicit session token as an option

There may be some unintended security issues with this method. In reading through the source code this will also allow you to also use Parse.User.current and other like features as well. Using .become is probably still the safest option while managing your own session information.

Answer 2

I've been having a lot of issues with Parse.User.become(), both between the error you mentioned, and it returning a 101 invalid user session. My workaround was to bypass the Javascript SDK and make a Parse REST API request.

var request  = require("request"),
    q        = require("q"),
    deferred = q.defer(),
    options  = {
        url: "https://api.parse.com/1/users/me",
        method: "GET",
        json: true,
        headers: {
            "X-Parse-Session-Token": token,
            "X-Parse-Application-Id": "PARSE_APPLICATION_ID",
            "X-Parse-REST-API-Key": "PARSE_RESET_API_KEY"
        }
    };

request(options, function (error, response, body) {
    if (!error && response.statusCode == 200) {
        return deferred.resolve(user);
    } else {
        return deferred.reject(error);
    }
});

return deferred.promise;