How to set userSensitiveFields from env. #3801

Closed
majidhassan opened this issue May 10, 2017 · 10 comments

Comments

@majidhassan

Hello,

I'm using pm2 to start parse-server and hence define all my parse-server attributes in the env of my ecosystem file. I can't figure out how to set the userSensitiveFields attribute from my ecosystem.

I checked here and found that there's no "env" key for userSensitiveFields.

Any ideas?

@mrmarcsmith
Contributor

+1

@rsoffer

rsoffer commented Jul 14, 2017

+2

@flovilmart
Contributor

You should pass it through a configuration file or the CLI at the moment. Also note that this won’t override the default email sensitive field.

@majidhassan
Author

@flovilmart not sure I'm following. So, even if I ran parse with --userSensitiveFields it won't override the default?

@rsoffer

rsoffer commented Jul 17, 2017

@flovilmart I'm fairly certain most of us need this specifically to override the default email sensitive field. You don't need to highlight the security risks.

We have clients in the wild running queries that expect the email field to be present. For example, in my application we were using the email field existing to determine if the user was anonymous or not (not a good idea, but it is what it is.)

The email field not being included breaks our app in the wild. Do you know of any way to achieve this short of hacking the codebase?

Thanks.

@flovilmart
Contributor

The email field should always be present for the authenticated user so your usage should still be ok. As discussed many times, this is not something we’re willing to budge on as stated many times.

@rsoffer

rsoffer commented Jul 17, 2017

@flovilmart Ok, I respect the decision.

Unfortunately, this does indeed affect clients in the wild when you're querying for users who are not the authenticated user.

For those who need a temporary workaround until the clients catch up, this is what I've found to work:

In node_modules/parse-server/lib/ParseServer.js:

```js
//userSensitiveFields = Array.from(new Set(userSensitiveFields.concat(_defaults2.default.userSensitiveFields, userSensitiveFields)));

userSensitiveFields = [];
```
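
The union on the commented-out line in the workaround above, and what replacing it with an empty list changes, as an added example (not parse-server's code and not part of any comment in this thread). `sanitizeUser` and the sample user are hypothetical, and the filtering is a simplified model of the behaviour the thread describes, with `email` assumed to be the only default sensitive field.

```javascript
// Added illustration: a simplified model, not parse-server source code.
// Assumption (from the thread): the built-in default sensitive field is "email".
const DEFAULT_SENSITIVE_FIELDS = ['email'];

// Same union as the commented-out line in ParseServer.js: configured values
// are added to the defaults, so configuration can extend the list but never
// shrink it.
function mergeSensitiveFields(configured = []) {
  return Array.from(new Set(configured.concat(DEFAULT_SENSITIVE_FIELDS, configured)));
}

// Hypothetical helper modelling the behaviour described in the thread:
// the master key and the user's own session see every field; any other
// caller gets the sensitive fields stripped from the user object.
function sanitizeUser(user, auth, sensitiveFields) {
  const out = { ...user };
  if (auth.isMaster || (auth.userId && auth.userId === user.objectId)) {
    return out;
  }
  for (const field of sensitiveFields) delete out[field];
  return out;
}

// Constructed sample data.
const alice = { objectId: 'u1', username: 'alice', email: 'alice@example.com', phone: '555-0100' };

// Configuring an extra field keeps "email" protected as well.
const fields = mergeSensitiveFields(['phone']);
const seenByOther = sanitizeUser(alice, { userId: 'u2' }, fields);
const seenBySelf = sanitizeUser(alice, { userId: 'u1' }, fields);
const seenByMaster = sanitizeUser(alice, { isMaster: true }, fields);

// With the workaround's empty list, any other caller receives the email too.
const seenByOtherAfterHack = sanitizeUser(alice, { userId: 'u2' }, []);

console.log({ fields, seenByOther, seenBySelf, seenByMaster, seenByOtherAfterHack });
```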

@natanrolnik
Contributor

@rsoffer why not create a cloud function that does the same query as the client, but with the master key, and update the client to call the function instead?

@rsoffer

rsoffer commented Jul 17, 2017

@natanrolnik if I could magically make iOS clients in the wild use a new cloud function, I would.

For newer clients, I've moved away from depending on the email field. I just don't want this to break functionality for supported versions in the wild - if that makes any sense.

@natanrolnik
Contributor

@rsoffer Well, if you could magically update iOS clients, you probably wouldn't be asking for help here :)

As you can imagine, I referred to releasing updates (as you did) and dropping support for older versions...
