docs: add info about --dev parameter #1842

Merged
merged 3 commits into from
Oct 7, 2021

cyb3rko
Contributor

@cyb3rko cyb3rko commented Oct 6, 2021

New Pull Request Checklist

Issue Description

Added a brief explanation of what the --dev parameter exactly does to be able to better evaluate if you really need it.

Related issue: #1826

Approach

n/a

TODOs before merging

  • A changelog entry is created automatically using the pull request title (do not manually add a changelog entry)

@parse-github-assistant

parse-github-assistant bot commented Oct 6, 2021

Thanks for opening this pull request!

  • 🎉 We are excited about your hands-on contribution!

@mtrezza
Member

mtrezza commented Oct 6, 2021

Also see this: #962

@cyb3rko
Contributor Author

cyb3rko commented Oct 6, 2021

Fits with what I added, I think. It just means that the security bypasses only work if having the same IP as the dashboard.

@mtrezza
Member

mtrezza commented Oct 6, 2021

Maybe we can restyle this paragraph as a whole, how about this:


The --dev parameter disables production-ready security features. This parameter is useful when running Parse Dashboard on Docker. Using this parameter will:

  • allow insecure http connections from anywhere, bypassing the option allowInsecureHTTP
  • allow the Parse Server masterKey to be transmitted in cleartext without encryption
  • allow dashboard access without user authentication

⚠️ Do not use this parameter when deploying Parse Dashboard in a production environment.


This is how I read the changes from #962:

    if (!options.dev && !requestIsLocal) {
      if (!req.secure && !options.allowInsecureHTTP) {
        //Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
        return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
      }
      if (!users) {
        //Accessing the dashboard over the internet can only be done with username and password
        return res.send({ success: false, error: 'Configure a user to access Parse Dashboard remotely' });
      }
    }

    //They didn't provide auth, and have configured the dashboard to not need auth
    //(ie. didn't supply usernames and passwords)
    if (requestIsLocal || options.dev) {
      //Allow no-auth access on localhost only, if they have configured the dashboard to not need auth
      return res.json(response);
    }

That means the dev param bypasses allowInsecureHTTP and allows insecure http connections from anywhere, regardless of whether from localhost or a remote address. That seems to be exactly the intended fix for Docker, because in the PR, they say:

when running with docker, as the local IP address is different from the dashboard, all the security features would light up

@mtrezza mtrezza changed the title docs: Add info about --dev parameter docs: add info about --dev parameter Oct 6, 2021
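
An added example (not part of the thread and not Parse Dashboard's own code) that models the two checks quoted in the comment above and enumerates which request and configuration combinations change outcome once --dev is set. The function names and outcome strings are assumptions, and the login step that the quoted excerpt leaves out is reduced to a single 'login required' outcome.

```javascript
// Added example: models only the two checks quoted in the comment above.
// Names other than dev, requestIsLocal, secure, allowInsecureHTTP and users
// are hypothetical.
function decide({ dev, requestIsLocal, secure, allowInsecureHTTP, users }) {
  if (!dev && !requestIsLocal) {
    if (!secure && !allowInsecureHTTP) return 'deny: HTTPS required';
    if (!users) return 'deny: user required';
  }
  // Assumption: with users configured, code not quoted on the page
  // performs the login check; it is represented by a single outcome here.
  if (users) return 'login required';
  if (requestIsLocal || dev) return 'allow without auth';
  return 'fail closed'; // not reachable with the guards above
}

// List every request/config combination whose outcome changes once
// --dev is set, for local or for remote requests.
function devExposure(requestIsLocal) {
  const changed = [];
  for (const secure of [false, true]) {
    for (const allowInsecureHTTP of [false, true]) {
      for (const users of [false, true]) {
        const base = { requestIsLocal, secure, allowInsecureHTTP, users };
        const without = decide({ ...base, dev: false });
        const withDev = decide({ ...base, dev: true });
        if (without !== withDev) {
          changed.push({ secure, allowInsecureHTTP, users, without, withDev });
        }
      }
    }
  }
  return changed;
}

console.table(devExposure(false)); // remote requests
console.table(devExposure(true));  // localhost requests
```

For remote requests, five of the eight combinations change, four of them to access without authentication; for localhost requests none change.
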
@cyb3rko
Contributor Author

cyb3rko commented Oct 7, 2021

I see, so insecure http connections and non-auth access are always allowed on localhost and the --dev parameter is only for docker deployment. Alright.

Added your paragraph to the README.

Member

@mtrezza mtrezza left a comment

Looks good! Thanks for making the docs more understandable!

@mtrezza mtrezza merged commit fc86e10 into parse-community:alpha Oct 7, 2021
@mtrezza mtrezza mentioned this pull request Oct 7, 2021
3 tasks
@cyb3rko cyb3rko deleted the cyb3rko-dev-parameter-readme branch October 7, 2021 14:11
@parseplatformorg
Contributor

🎉 This pull request has been released in version 3.2.1-alpha.1

@parse-github-assistant

The label state:released on @alpha cannot be used here.

mtrezza added a commit to mtrezza/parse-dashboard that referenced this pull request Oct 8, 2021
* alpha:
  chore(release): 3.2.1-alpha.1 [skip ci]
  fix: enabling context menu for read-only cells (parse-community#1844)
  docs: add info about --dev parameter (parse-community#1842)
  docs: fix release changelog filename
  docs: reword changelog quote
  docs: fix changelog branch names (parse-community#1837)
  refactor: simplify reading dashboard config from a json file (parse-community#1828)
@parseplatformorg
Contributor

🎉 This pull request has been released in version 3.2.1-beta.1

@parseplatformorg parseplatformorg added the state:released-beta Released as beta version label Oct 8, 2021
@parseplatformorg
Contributor

🎉 This pull request has been released in version 3.2.1

@parseplatformorg parseplatformorg added the state:released Released as stable version label Oct 8, 2021
@mtrezza mtrezza added the state:released-alpha Released as alpha version label Oct 8, 2021
beiguancyc pushed a commit to beiguancyc/parse-dashboard that referenced this pull request Oct 9, 2021
* source: (53 commits)
  chore(release): 3.2.1 [skip ci]
  chore(release): 3.2.1-beta.1 [skip ci]
  ci: fix prerelease labels
  chore(release): 3.2.1-alpha.1 [skip ci]
  fix: enabling context menu for read-only cells (parse-community#1844)
  docs: add info about --dev parameter (parse-community#1842)
  build: merge beta (parse-community#1841)
  build: merge alpha (parse-community#1840)
  docs: fix release changelog filename
  docs: reword changelog quote
  docs: fix changelog branch names (parse-community#1837)
  refactor: simplify reading dashboard config from a json file (parse-community#1828)
  ci: update release branch names
  chore(release): 3.2.0 [skip ci]
  feat: add ctrl + arrow key to jump to first/last cell; fix left/right key navigation with hidden columns (parse-community#1827)
  refactor: upgrade inquirer from 8.1.2 to 8.1.3 (parse-community#1829)
  refactor: upgrade otpauth from 7.0.5 to 7.0.6 (parse-community#1830)
  refactor: replace create-react-class with ES6 classes (parse-community#1818)
  refactor: replace query-string with URLSearchParams (parse-community#1819)
  docs: fix typo in refactor changelog entry
  ...

# Conflicts:
#	package-lock.json