The option "masterKeyIps" cannot be disabled #8421

Closed
5 tasks done
alljinx opened this issue Feb 3, 2023 · 61 comments · Fixed by #8510 or #8814
Labels
state:released Released as stable version state:released-alpha Released as alpha version state:released-beta Released as beta version type:docs Only change in the docs or README

Comments

@alljinx
Contributor

alljinx commented Feb 3, 2023

New Issue Checklist

Issue Description

Parse-server 6.0.0 allows restricting the IPs that can use the MasterKey using the option "masterKeyIps".
The documentation says "Setting ['0.0.0.0/0'] means disabling the filter and the master key can be used from any IP address".
In fact, even localhost is blocked.

Steps to reproduce

Just install and configure Parse-Server v6 with the last Parse-Dashboard on your local machine.
Try to launch without the "masterKeyIps" option. Parse dashboard should work well.
Try with masterKeyIps: ['0.0.0.0/0'], after login, Parse Dashboard should display "Server not reachable: unauthorized: master key is required" and the node console should display "error: Request using master key rejected as the request IP address '::1' is not set in Parse Server option 'masterKeyIps'."

Actual Outcome

MasterKey is not usable anywhere with masterKeyIps: ['0.0.0.0/0']

Expected Outcome

MasterKey should be usable everywhere with masterKeyIps: ['0.0.0.0/0']

Environment

parse-server 6.0.0
parse-dashboard 5.0.0

Server

  • Parse Server version: 6.0.0
  • Operating system: Windows 10
  • Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Local

Database

  • System (MongoDB or Postgres): Postgres
  • Database version: 15
  • Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): Local

Client

  • SDK (iOS, Android, JavaScript, PHP, Unity, etc): JS
  • SDK version: 4.0.0

Logs

error: Request using master key rejected as the request IP address '::1' is not set in Parse Server option 'masterKeyIps'.
Error: unauthorized: master key is required
at handler (C:\GitProjects\jdm\node_modules\parse-server\src\middlewares.js:459:19)
at C:\GitProjects\jdm\node_modules\parse-server\src\PromiseRouter.js:72:20
at processTicksAndRejections (node:internal/process/task_queues:95:5)

@parse-github-assistant

parse-github-assistant bot commented Feb 3, 2023

Thanks for opening this issue!

  • 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

@mtrezza
Member

mtrezza commented Feb 3, 2023

I guess you'd need to specify IPv6 ranges separately. Could you try to set masterKeyIps: ['::/0']? In theory you should be able to set masterKeyIps: ['0.0.0.0/0', '::/0'], but I'm not sure the feature supports a mix of IPv4 and IPv6.

@mtrezza mtrezza added the type:bug Impaired feature or lacking behavior that is likely assumed label Feb 3, 2023
@mtrezza
Member

mtrezza commented Mar 1, 2023

@alljinx Were you able to resolve this issue?

@alljinx
Contributor Author

alljinx commented Mar 1, 2023

Oh sorry, forgot this topic. I was able to make it work using masterKeyIps: ['0.0.0.0/0', '::1']. So there is no bug and I can indeed close this issue. Maybe we should just update the documentation to add the IPv6. Thx !

@alljinx alljinx closed this as completed Mar 1, 2023
@mtrezza mtrezza reopened this Mar 1, 2023
@mtrezza
Member

mtrezza commented Mar 1, 2023

Thanks for reporting back. I reopened to find out whether this is actually a bug or only a docs issue.

There should be 2 working solutions for the issue you described:

  • a) ['::1'] which is the IPv6 notation for localhost
  • b) ['::/0'] which allows any IPv6 address.
  • c) ['::'] which allows any IPv6 address, just a different notation from (b) with range omitted.

It seems you already verified that (a) works. Could you also verify (b), (c)?

@chillaxdev

@mtrezza My original error was '::ffff:192.168.0.156' is not set in Parse Server option...

I was hosting the parse server on a LAN.

Adding masterKeyIps: ['::/0'] did not work for me.
Adding masterKeyIps: ['0.0.0.0/0'] fixed it.

@mtrezza
Member

mtrezza commented Mar 4, 2023

Thanks, that's strange. It reports an IPv6 address to not be allow-listed, but then it required an IPv4 CIDR range to allow-list it.

If you don't mind trying it out:

  • Does masterKeyIps: ['::'] work?
  • Does masterKeyIps: ['::ffff:192.168.0.156'] work, or whatever is the IPv6 address that is logged in the server logs?

@chillaxdev

'::' does not work.
'::ffff:192.168.0.156' works.

Also, this is my serverURL: http://192.168.0.156:1337/parse

Server is running on Windows 10 x86_64 Pro.

For testing the API, I used the postman client locally to send a request with X-Parse-Master-Key set in the header.

@mtrezza
Member

mtrezza commented Mar 5, 2023

I'll leave this issue open as there seems to be a bug in the parsing of IP addresses in masterKeyIps.

@mtrezza mtrezza added the bounty:$50 Bounty applies for fixing this issue (Parse Bounty Program) label Mar 5, 2023
@VKlapan

VKlapan commented Mar 20, 2023

Hi!

I try to use parse-server 6.0.0 in docker, but have the same problem:
Request using master key rejected as the request IP address '172.21.0.1' is not set in Parse Server option 'masterKeyIps'

which I can't resolve by adding maintenanceKeyIps: ['172.21.0.1'] to config.

Any other ideas?

@mtrezza
Member

mtrezza commented Mar 20, 2023

@VKlapan masterKey and maintenanceKey are not the same.

@VKlapan

VKlapan commented Mar 21, 2023

@VKlapan masterKey and maintenanceKey are not the same.

Sorry, it is my misprint - of course, I had used masterKeyIps: [], but without effect.
So, I need any help yet.

@mtrezza
Member

mtrezza commented Mar 23, 2023

Could you copy/paste the log entry and the respective config you've set for Parse Server? Just to make sure.

@VKlapan

VKlapan commented Mar 23, 2023

Could you copy/paste the log entry and the respective config you've set for Parse Server? Just to make sure.

Useful hint! I have to check more carefully if the correct config is being used, because the server works in a docker container

@mtrezza
Member

mtrezza commented Mar 23, 2023

I understand that your issue has been resolved; we'll still keep this issue open since the OP issue still seems to exist.

@VKlapan

VKlapan commented Mar 23, 2023

Do you mean we can close the issue?

Yes! Thanks. All is ok

@dblythy
Member

dblythy commented Mar 29, 2023

@mtrezza what would be the fix here? Is the issue with the package ip-range-check?

@mtrezza
Member

mtrezza commented Apr 2, 2023

It could be that the package doesn't interpret IPv6 ranges properly.

#8421 (comment) shows the log error mentions ::ffff:192.168.0.156, an IPv6 address. Adding that exact address works, but the IPv6 ranges should also work.

  • Adding that exact IPv6 address to the options works.
  • Adding '0.0.0.0/0' fixed it for the OP, which is expected, as IPv4 and IPv6 should be usable interchangeably for this "allow all" IP address.
  • Adding ::/0 should work but doesn't.
  • Adding :: should (maybe) work but doesn't.
  • Not sure if adding ::1 should work as well, it's the IPv6 notation for "localhost", but we have no evidence that ::ffff:192.168.0.156 is in fact localhost.

@chillaxdev

@mtrezza ::ffff:192.168.0.156 is a localhost on my scenario as I ran the postman client on the same machine where the parse server is running.

@Artnforces

Artnforces commented Apr 7, 2023

I'm using dockers for dashboard and server, I tried to change this value with those you give here.
Set the env variable PARSE_SERVER_MASTER_KEY_IPS:

  • in docker-compose file of dashboard app: any effect (maybe normal)
  • in docker file of server app: error, indicating that the value that I put is not an IP address. (I tried array, single IP but it doesn't work).
  • I finally change the value in the code. work following what you indicate here.

@andreisucman

andreisucman commented May 27, 2023

After adding masterKeyIps: ["0.0.0.0/0", "::/0"] the error is gone, but the master key stopped working.

It gives no errors, just doesn't save with .save(null, { useMasterKey: true});

If I remove the masterKeyIps it gives the unauthorized error.

@mtrezza
Member

mtrezza commented May 27, 2023

@andreisucman which PR branch did you try out and which commit of that branch exactly?

@andreisucman

andreisucman commented May 27, 2023

I guess it must be the release because I downloaded it from npm with npm install.

To clarify I haven't changed the package.json. I only deleted the package-lock.json and node modules and ran npm i.

So, normally nothing should've gone wrong.

@mtrezza
Member

mtrezza commented Oct 21, 2023

The default is blocking all IPs except localhost. This makes sense since the masterkey should not be used outside of Cloud Code for security.

It seems to me that the feature is working, but the confusion comes from how to define the IP list as env var, see #8421 (comment).

So is this only a docs issue?

@nebitrams

@nebitrams as a workaround you can set the allowed ips in the env as 0.0.0.0/0,::1. This should be ok for read operations in cloud functions. But for write operations you can use MongoDB nodejs driver if you use mongodb. This is how I do it.

Yes, I intend to disable this feature when I deploy my code to production, by setting masterKeyIps to 0.0.0.0/0,::1.

FYI, I don't use master key to perform write. I used it for read. For any new codes that I add, I will try to avoid using master key. I will relook at old code to see if I can remove the use of master key.

@mtrezza
Member

mtrezza commented Oct 21, 2023

This should be ok for read operations in cloud functions. But for write operations you can use MongoDB nodejs driver if you use mongodb.

Do you mean masterKeyIps works for read operations but not for write operations? Is this a new issue?

@mtrezza
Member

mtrezza commented Oct 21, 2023

I reported it like 2-3 months ago

Could you post the link here to the issue that you reported?

Moumouls then did some work

What do you mean with "some work" - are you referring to #8510 or has there been another PR?

@mtrezza
Member

mtrezza commented Oct 21, 2023

@andreisucman Please see #8510 (comment), I believe we should separate the "write" issue from the "connection" issue. We can only track issues for which a specific GitHub issue has been created; comments are unlikely to be tracked and may just fall out of focus in the flow of the conversation.

@mtrezza
Member

mtrezza commented Oct 23, 2023

@andreisucman We will try to reproduce the write issue internally to fix it; but to track and follow up on this, could you please open a new issue with all details, as I've mentioned in #8510 (comment)?

@andreisucman

@mtrezza My issue was related to some package I used for caching. I deleted my comments to avoid confusion. The ip detection works.

@mtrezza
Member

mtrezza commented Oct 23, 2023

Thanks, I'll reply in #8510.

@mtrezza
Member

mtrezza commented Oct 24, 2023

@alljinx @nebitrams @VKlapan @Artnforces @andreisucman @chillaxdev

We would like to bring this issue to a closing. Could you please let us know:

  • Do you still experience a connection issue? If yes, what is the version of Parse Server and does the issue still occur if you use the branch of PR perf: Improved IP validation performance for masterKeyIPs, maintenanceKeyIPs #8510?
  • If you solved the issue and it was based on a misunderstanding, do you have any suggestions for how we can improve the documentation of masterKeyIps? For example there were some comments about setting the environment variable incorrectly.

@mtrezza
Member

mtrezza commented Nov 17, 2023

For anyone who wants to allow any IP address to use the master key:

  • The current Parse Server option masterKeyIps cannot compare IPv4 and IPv6 against each other. Each IP version range needs to be defined separately. For example, masterKeyIps: ['0.0.0.0/0'] allows any IPv4 address, but no IPv6 address to use the master key. Conversely, masterKeyIps: ['::/0'] allows any IPv6 address, but no IPv4 address.

  • Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local test may use a different IP version than a remote test. It's possible that locally masterKeyIps: ['0.0.0.0/0'] works because it's using IPv4, but when the app is deployed remotely, it doesn't allow using the master key because it's using IPv6.

  • To allow any IPv4 and IPv6 address to use the master key, and effectively "disable" the IP filter, use masterKeyIps: ['0.0.0.0/0', '::/0'].

  • Note that ['0.0.0.0/0', '::/1'] is not the same as ['0.0.0.0/0', '::/0']. I mention this because this combination has been posted here and elsewhere with the false expectation to allow any IP address.

  • IPv6 addresses with a zone index (% suffix) may not be supported by this feature, for example 2001:db8:3333:4444:5555:6666:7777:8888%12.

  • When setting the option via environment variable the notation is a comma-separated string, for example PARSE_SERVER_MASTER_KEY_IPS = "0.0.0.0/0,::/0".

  • To deny the use of master key for every IP address, even from within Cloud Code for localhost, set an empty array masterKeyIps: []. This is currently not possible via environment variable, as there is no way to pass an empty array to Parse Server via an environment variable. For example, PARSE_SERVER_MASTER_KEY_IPS = "[]" will just be ignored.

  • Check the correct spelling of the option, which is masterKeyIps and not for example masterKeyIPs.

I've condensed this and amended the Parse Server options docs in #8814.

If anyone is still facing issues after considering the above, please let us know.
Otherwise we'll consider this just a documentation issue and close this via #8814.
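
Added example, not part of the original thread and not Parse Server's own code: a small Node.js audit of a masterKeyIps value that follows the rules listed in the comment above (IPv4 and IPv6 ranges are matched separately; the environment variable form is a comma-separated string). The function names are hypothetical, and treating an entry without a prefix as an exact address is an assumption of this example.

```javascript
const net = require('net');

// Convert a textual IP to { family, bits, value }, or null if it is not an IP.
function parseIp(ip) {
  const family = net.isIP(ip);
  if (family === 4) {
    const value = ip.split('.').reduce((acc, o) => (acc << 8n) | BigInt(o), 0n);
    return { family, bits: 32, value };
  }
  if (family !== 6) return null;
  let s = ip;
  if (s.includes('.')) {
    // Rewrite an embedded IPv4 tail (::ffff:192.168.0.156) as two hex groups.
    const cut = s.lastIndexOf(':') + 1;
    const v4 = parseIp(s.slice(cut)).value;
    s = s.slice(0, cut) + (v4 >> 16n).toString(16) + ':' + (v4 & 0xffffn).toString(16);
  }
  const [head, tail] = s.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const groups = tail === undefined ? h : [...h, ...Array(8 - h.length - t.length).fill('0'), ...t];
  const value = groups.reduce((acc, g) => (acc << 16n) | BigInt('0x' + g), 0n);
  return { family, bits: 128, value };
}

// Parse one allow-list entry. Assumption of this example: an entry without a
// prefix is an exact address, so '::0' and '::' are single addresses.
function parseEntry(entry) {
  const [addr, prefix] = entry.split('/');
  const ip = parseIp(addr);
  if (!ip || (prefix !== undefined && !/^\d+$/.test(prefix))) return null;
  const len = prefix === undefined ? ip.bits : Number(prefix);
  return len <= ip.bits ? { ...ip, len } : null;
}

// An IPv4 entry never matches an IPv6 request address, and vice versa.
function entryMatches(e, ip) {
  if (e.family !== ip.family) return false;
  const shift = BigInt(e.bits - e.len);
  return (e.value >> shift) === (ip.value >> shift);
}

// Audit a masterKeyIps value given as an array or as the comma-separated
// string used for PARSE_SERVER_MASTER_KEY_IPS.
function auditMasterKeyIps(value, requestIp) {
  const list = Array.isArray(value) ? value : value.split(',').map(s => s.trim()).filter(Boolean);
  const parsed = list.map(parseEntry);
  const valid = parsed.filter(Boolean);
  const ip = parseIp(requestIp);
  return {
    invalid: list.filter((_, i) => !parsed[i]),
    allowsAnyIPv4: valid.some(e => e.family === 4 && e.len === 0),
    allowsAnyIPv6: valid.some(e => e.family === 6 && e.len === 0),
    requestAllowed: ip !== null && valid.some(e => entryMatches(e, ip)),
  };
}

// Constructed sample: '::/1' covers only half of the IPv6 space.
console.log(auditMasterKeyIps('0.0.0.0/0,::/1', 'fe80::1'));
```

A result with allowsAnyIPv4 and allowsAnyIPv6 both true means the IP filter is effectively disabled and the master key is accepted from any address.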

@mtrezza mtrezza added type:docs Only change in the docs or README and removed type:bug Impaired feature or lacking behavior that is likely assumed bounty:$50 Bounty applies for fixing this issue (Parse Bounty Program) labels Nov 18, 2023
@parseplatformorg
Contributor

🎉 This change has been released in version 6.5.0-alpha.2

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Nov 19, 2023
@kantorcodes

kantorcodes commented Dec 22, 2023

For anyone who wants to allow any IP address to use the master key:

  • The current Parse Server option masterKeyIps cannot compare IPv4 and IPv6 against each other. Each IP version range needs to be defined separately. For example, masterKeyIPs: ['0.0.0.0/0'] allows any IPv4 address, but no IPv6 address to use the master key. Conversely, masterKeyIPs: ['::0'] allows any IPv6 address, but no IPv4 address.
  • Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local test may use a different IP version than a remote test. It's possible that locally masterKeyIPs: ['0.0.0.0/0'] works because it's using IPv4, but when the app is deployed remotely, it doesn't allow to use the master key because it's using IPv6.
  • To allow any IPv4 and IPv6 address to use the master key, and effectively "disable" the IP filter, use masterKeyIPs: ['0.0.0.0/0', '::0'].
  • Note that ['0.0.0.0/0', '::1'] is not the same as ['0.0.0.0/0', '::0']. I mention this because this combination has been posted here and elsewhere with the false expectation to allow any IP address.
  • IPv6 addresses with a zone index (% suffix) may not be supported by this feature, for example 2001:db8:3333:4444:5555:6666:7777:8888%12.
  • When setting the option via environment variable the notation is a comma-separated string, for example PARSE_SERVER_MASTER_KEY_IPS = "0.0.0.0/0,::0".
  • To deny the use of master key for every IP address, even from within Cloud Code for localhost, set an empty array masterKeyIPs: []. This is currently not possible via environment variable, as there is no way to pass an empty array to Parse Server via an environment variable. For example, PARSE_SERVER_MASTER_KEY_IPS = "[]" will just be ignored.

I've condensed this and amended the Parse Server options docs in #8814.

If anyone is still facing issues after considering the above, please let us know. Otherwise we'll consider this just a documentation issue and close this via #8814.

Personally still experiencing this issue with the latest version. I honestly think an option to disable the check completely would be the way to go, passing in IPs in different formats just isn't intuitive at all.

@mtrezza
Member

mtrezza commented Dec 23, 2023

@kantorcodes If you are experiencing any issues please open a new GitHub issue with a reference to this GitHub issue, and provide exact details so the issue can be reproduced. If it cannot be reproduced, then it cannot be fixed.

@kantorcodes

@kantorcodes If you are experiencing any issues please open a new GitHub issue with a reference to this GitHub issue, and provide exact details so the issue can be reproduced. If it cannot be reproduced, then it cannot be fixed.

I followed the exact steps suggested for IPv4 and IPv6 and deployed. Got the "unauthorized: master key required". That's all.

Previous versions work fine. We should be able to turn this feature off. It is not intuitive at all.

@mtrezza
Member

mtrezza commented Jan 13, 2024

For anyone still experiencing this issue, please try masterKeyIps: ['0.0.0.0/0', '::/0'] to effectively allow any IPv4 and IPv6 address. The comment above contained a typo and did not contain the slash in the IPv6 address (::0), which has been corrected now.

@parseplatformorg
Contributor

🎉 This change has been released in version 6.5.0

@parseplatformorg
Contributor

🎉 This change has been released in version 7.0.0-beta.1

@parseplatformorg parseplatformorg added the state:released-beta Released as beta version label Mar 19, 2024
@parseplatformorg
Contributor

🎉 This change has been released in version 7.0.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Mar 19, 2024
@thphuccoder

https://parseplatform.org/parse-server/api/master/ParseServerOptions.html

It looks like the doc is still not updated

@mtrezza
Member

mtrezza commented Apr 9, 2024

@thphuc You need to use the correct API version 7.0.0.
