bartonhammond / snowflake

:snowflake: A React-Native Android iOS Starter App/ BoilerPlate / Example with Redux, RN Router, & Jest with the Snowflake Hapi Server running locally or on RedHat OpenShift for the backend, or a Parse Server running locally or remotely on Heroku
http://bartonhammond.github.io/snowflake/snowflake.js.html
MIT License

Using masterKey for Parse Security Issues #165

Closed iSamuelBarney closed 7 years ago

iSamuelBarney commented 7 years ago

This may be a dumb question but I'm wondering are there any issues using the masterKey in the config file or should I be trying a different key i.e. jsKey clientKey, restKey? Or is there no security concern using it?

bartonhammond commented 7 years ago

No. I made that a variable in case someone wanted a different name. There's nothing special about it - just a string of characters.


wookiem commented 7 years ago

Yeah, that's a good catch @iSamuelBarney. I helped with adding parse-server support and I didn't pay close enough attention to this one.

The master key should be kept secret and used by admins only, since it overrides all client-side security mechanisms. An admin running parse-dashboard will want to use the master key to gain database-wide read/write permission.

We should definitely remove the master key from Snowflake's src/lib/config.js and src/lib/Parse.js files. I just checked with my app and it still connects to Parse just fine after dropping the master key.

In terms of adding a client-side key, parse-server chose not to by default, to emphasize that client-side keys should not be relied upon for security. Instead, they strongly recommend using one of the other built-in security features like ACLs. [http://blog.parse.com/learn/engineering/parse-security-i-are-you-the-key-master/]

However, many developers (especially new ones) may not get around to adding proper security until after their app is in-market. Maybe we could add something on this in both snowflake and snowflake-parse-heroku README.
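To make the distinction in the comment above concrete, here is an added example (not Snowflake's or parse-server's own code): a small model of how a Parse-style ACL is evaluated, showing that the master key bypasses ACL checks entirely, plus a helper that refuses to build a client config containing a masterKey. The config key names `appId`, `javascriptKey` and `serverURL` are assumptions, and the ACL and user ids below are constructed sample values.

```javascript
// Added example: simplified model of Parse ACL semantics and a client-config check.
// Not Snowflake's code; key names and sample ids are assumptions/constructed.

// Parse ACL JSON shape: keys are "*" (public), a user objectId, or "role:<Name>";
// each value is {read?: boolean, write?: boolean}.
function aclAllows(acl, op, { userId = null, roles = [], masterKey = false } = {}) {
  // The master key skips ACL evaluation altogether, which is exactly why it
  // must never ship inside a mobile/web client bundle.
  if (masterKey) return true;
  // An object with no ACL is publicly readable and writable (Parse default).
  if (!acl) return true;
  const grants = (key) => Boolean(acl[key]) && acl[key][op] === true;
  if (grants('*')) return true;
  if (userId !== null && grants(userId)) return true;
  return roles.some((r) => grants('role:' + r));
}

// Client-side config should carry only public identifiers (assumed names below).
const CLIENT_KEYS = ['appId', 'javascriptKey', 'serverURL'];

function clientConfig(raw) {
  // Fail loudly rather than silently shipping an admin credential to every install.
  if (Object.prototype.hasOwnProperty.call(raw, 'masterKey')) {
    throw new Error('masterKey must not be present in a client config');
  }
  return Object.fromEntries(
    CLIENT_KEYS.filter((k) => k in raw).map((k) => [k, raw[k]])
  );
}

// Constructed sample ACL: readable by everyone, writable only by its owner or Admins.
const SAMPLE_ACL = {
  '*': { read: true },
  'u1abc': { read: true, write: true },
  'role:Admin': { read: true, write: true },
};
```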

bartonhammond commented 7 years ago

Thanks @wookiem, I misunderstood the question.


iSamuelBarney commented 7 years ago

Thanks for all the help on this!!