parse-community / Parse-SDK-iOS-OSX

The Apple SDK for Parse Platform (iOS, macOS, watchOS, tvOS)
https://parseplatform.org

resend verification eMail feature request. #1531

Closed jaysonng closed 4 years ago

jaysonng commented 4 years ago

I've been working on a way to resend verification email and have come up with a solution to access the REST API of the parse-server /verificationEmailRequest.

Through testing, I've got it working to basically run when the button is pressed. The thing however is it uses the client key for authorization.

```swift
import Foundation
import Parse

// JSON body for /verificationEmailRequest (placeholder address)
let jsonData = try? JSONSerialization.data(withJSONObject: ["email": "name@example.com"])

let url = URL(string: "\(Parse.currentConfiguration?.server ?? "")/verificationEmailRequest")!
var request = URLRequest(url: url)
request.httpMethod = "POST"
// Unwrap the optional so the header carries a number, not "Optional(n)"
request.setValue("\(jsonData?.count ?? 0)", forHTTPHeaderField: "Content-Length")
request.setValue("application/json", forHTTPHeaderField: "Content-Type")
request.setValue(Parse.currentConfiguration?.applicationId, forHTTPHeaderField: "X-Parse-Application-Id")
request.setValue(Parse.currentConfiguration?.clientKey, forHTTPHeaderField: "X-Parse-Client-Key")

// Insert JSON data into the request
request.httpBody = jsonData

let task = URLSession.shared.dataTask(with: request) { data, response, error in
    guard let data = data, error == nil else {
        print("error here: \(error?.localizedDescription ?? "No data")")
        return
    }
    let responseJSON = try? JSONSerialization.jsonObject(with: data, options: [])
    if let responseJSON = responseJSON as? [String: Any] {
        print("successful response: \(responseJSON)") // Code after successful POST request
    }
}

task.resume()
```

However, this documentation on the REST API, https://docs.parseplatform.org/rest/guide/#calling-from-client-apps, mentions:

> You should not use the REST API Key in client apps (i.e. code you distribute to your customers). If the Parse SDK is available for your client platform, we recommend using our SDK instead of the REST API. If you must call the REST API directly from the client, you should use the corresponding client-side Parse key for that platform (e.g. Client Key for iOS/Android, or .NET Key for Windows/Xamarin/Unity)

but also right after says:

> If there is no Parse SDK for your client platform, please use your app’s Client Key to call the REST API. Requests made with the Client Key, JavaScript Key, or Windows Key are restricted by client-side app settings that you configure in your Parse Dashboard app dashboard. These settings make your app more secure.

Are there any security issues doing it this way (placing the client key in the function, hardcoded)? Seeing as the client key is already in SceneDelegate, I don't see why this would be an issue?

Can I ask for a feature request for this? Pretty sure this is a feature a lot could use, after all the sifting through posts on StackOverflow and here on GitHub I've seen.

thanks,

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. If you believe it should stay open, please let us know! As always, we encourage contributions, check out the Contributing Guide

starkdmi commented 3 years ago

@jaysonng, In your case no need for the Client Key at all:


```bash
curl -X POST \
-H "X-Parse-Application-Id: APP_ID" \
-H "Content-Type: application/json" \
-d '{"email":"name@example.com"}' \
http://macpro.local:1337/parse/verificationEmailRequest
```
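
The curl call above sends only the Application ID, a value present in every shipped client, so limiting how often a verification email can be re-sent has to happen on the server. The per-address throttle below is an added example, not code from this thread or from Parse Server; `createResendThrottle`, `resendThrottleMiddleware`, the Express-style `req`/`res` shape, and the window and limit values are assumptions.

```javascript
// Added example: per-address throttle placed in front of /verificationEmailRequest.
// All names and limits here are hypothetical, not part of Parse Server.
const WINDOW_MS = 15 * 60 * 1000; // assumption: 15-minute window
const MAX_PER_WINDOW = 3;         // assumption: 3 resends per address per window

function createResendThrottle({ windowMs = WINDOW_MS, max = MAX_PER_WINDOW } = {}) {
  // In-memory store: normalized email -> timestamps (ms) of accepted requests.
  // A multi-instance deployment would need a shared store instead.
  const seen = new Map();

  // Decide whether one resend request for `email` at time `now` may proceed.
  return function check(email, now = Date.now()) {
    if (typeof email !== 'string' || !email.includes('@')) {
      return { allowed: false, retryAfterMs: 0, reason: 'invalid-email' };
    }
    // Case and surrounding whitespace must not yield a fresh quota.
    const key = email.trim().toLowerCase();
    const recent = (seen.get(key) || []).filter((t) => now - t < windowMs);
    if (recent.length >= max) {
      seen.set(key, recent);
      // The oldest accepted request leaving the window frees the next slot.
      return { allowed: false, retryAfterMs: windowMs - (now - recent[0]), reason: 'rate-limited' };
    }
    recent.push(now);
    seen.set(key, recent);
    return { allowed: true, retryAfterMs: 0, reason: null };
  };
}

// Express-style middleware wrapper; assumes a JSON body parser ran earlier.
function resendThrottleMiddleware(check) {
  return (req, res, next) => {
    const result = check(req.body && req.body.email);
    if (result.allowed) return next();
    const status = result.reason === 'invalid-email' ? 400 : 429;
    if (status === 429) {
      res.set('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
    }
    res.status(status).json({ error: result.reason });
  };
}
```

Keying on the normalized address rather than on the caller keeps one mailbox from being flooded even when requests come from many sources.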