LiveQueries and Roles in v3.1.x

[pivanov]

Issue Description

If we use ACL Roles with Live Queries there is an issue where the records with ACL (latest created Role) doesn't work and after logout or restart of the server everything looks OK till next created Role then the issue popups again.

I found that in v3.0.0 everything works fine till commit Adds support for CLP in Live query (no support for roles yet)

Steps to reproduce

Here is a simple HTML test page where you can reproduce the issue with few clicks.

Here is the screen capture with the issue in action.

[ridem]

I've noticed the issue as well, which comes from the addition of authCache in ParseLiveQueryServer: https://github.com/parse-community/parse-server/blob/3.1.3/src/LiveQuery/ParseLiveQueryServer.js#L56

The authCache will remember the user ID and its roles based on a session token. So the only two ways to get fresh data (apart from restarting your server, lru-cache is in-memory) are:

• Getting a new session token (which is why it works when you log out / log in)
• Waiting 1h

This provides a much better performance, but we might want to provide a way to configure this cache. lru-cache is imported directly and its configuration is hardcoded.

[ridem]

@flovilmart I can make a PR if you point me to the approach you find most sensible.
Here are some things that could be done from what I understand:

• Don't use lru-cache directly in ParseLiveQueryServer but use the abstraction, allow for customizing max and maxAge. (This effectively lets people disable it in case that's what's wanted)
• [Maybe not a good idea] Support for role changes in ParseLiveQueryServer. I guess there you be some "master subscriber" listening for role changes of active client users. That process would delete outdated cache entries when role changes

[flovilmart]

@ridem I don’t participate in this project anymore. Check with @dplewis or @acinader

_{Sent with GitHawk}

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[ridem]

@dplewis @acinader are you interested in a PR covering this issue?

[dplewis]

I’m not really an expert in this area. If you can open a PR with failing cases that would be great.

There is a separate issue opened.

#5839

[mullwaden]

We are having an issue with this and @ridem has made a perfect analysis of what is wrong. Would be fun to make a PR on how to fix it but I am not sure how, I believe it could be quite tricky.

Why it is important to fix:

• When adding a user to a role it might take up to an hour before the cache is reset and live queries work again
• when removing a user from a role she might have access to data which she should not have access to which is a bit of a security issue

I made a small workaround it is not optimal but as long as we have the liveQueryServer and the parseServer on the same server it will work:

• create the server as usual const liveQueryServer = ParseServer.createLiveQueryServer(httpServer)
• In _Role add the following to beforeSave liveQueryServer.authCache.reset()

This clears the cache as soon as a role is changed. It could easily be made smarter by fetching the users that belong to that role and only removing or editing those rows in the authCache

[parse-github-assistant]

Thanks for opening this issue!

• ❌ Please edit your post and use the provided template when creating a new issue. This helps everyone to understand your post better and asks for essential information to quicker review the issue.

[dblythy]

Closing via #8026