taivo / parse-push-plugin

Push notification plugin for Cordova/Phonegap/ionic on Parse platform

Add ability to send Client Key to parse server. #57

Closed cleever closed 8 years ago

cleever commented 8 years ago

The client keys used with Parse are no longer necessary with Parse Server, however you could still require them.

The parse push plugin wasn't able to send the client key.

This pull request tries to fix this issue.

taivo commented 8 years ago

Can you help me understand what this is for?

cleever commented 8 years ago

Sure.

The code assumed that Client Key is not needed anymore, but it is not true. It's optional. Actually you can configure your own parse server instance to require this key.

Now the push plugin could send the key to the server for correct authentication if the key is needed for your server.

taivo commented 8 years ago

I was hoping to understand your use case. ParsePlatform docs/guide says that client keys provide no additional security. They mentioned that the client keys are now only useful to manually distinguish different clients. Since apps that use this plugin are Cordova javascript apps, using the js key for that purpose might be better.

I kept things simple and dropped the client key in native Parse initialization because this plugin doesn't interact with user cloud code at all and there isn't really a path where the client key is needed.

I could be wrong. Do your use cases require client keys for functions related to this plugin's API?

cleever commented 8 years ago

Sorry @taivo I could be wrong too.

There is some documentation about this:

https://github.com/ParsePlatform/parse-server/wiki/Parse-Server-Guide#keys

https://github.com/ParsePlatform/parse-server#client-key-options

In other words, if your server is configured to use them, the clients should provide them.

There are some test cases that demonstrated it: https://github.com/ParsePlatform/parse-server/pull/1789/files

Like you said, ClientKey doesn't provide additional security, because it is easy to open the code and extract them. However, we must remember that applicationId is sent by e-mail in reset password request and confirm account/email process.

If you are sure that the process of saving an installationId doesn't need the client key even if the server is configured to use them, you should ignore this pull request.
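The rule discussed in this comment (a server configured with client keys expects clients to send one, so a client that sends only the application id is rejected), as an added JavaScript example that is not part of the pull request or of Parse Server's code. It is a simplified model: `checkRequest`, `KEY_HEADERS`, `demo` and all sample values are hypothetical; only the `X-Parse-*` header names are Parse's own.

```javascript
// Added illustration: simplified model of the optional client-key rule.
// Not Parse Server's code; names and sample values are hypothetical.
const KEY_HEADERS = {
  clientKey: 'x-parse-client-key',
  javascriptKey: 'x-parse-javascript-key',
};

function checkRequest(serverConfig, headers) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value;
  }
  if (h['x-parse-application-id'] !== serverConfig.appId) {
    return { ok: false, reason: 'unknown application id' };
  }
  // Only keys the operator actually configured take part in the check.
  const configured = Object.keys(KEY_HEADERS)
    .filter((k) => serverConfig[k] !== undefined);
  if (configured.length === 0) {
    return { ok: true, reason: 'no client keys configured' };
  }
  const matched = configured.find((k) => h[KEY_HEADERS[k]] === serverConfig[k]);
  return matched
    ? { ok: true, reason: `matched ${matched}` }
    : { ok: false, reason: 'key required but missing or wrong' };
}

// Constructed sample data: two server configurations and three clients.
const openServer = { appId: 'demoApp' };
const strictServer = { appId: 'demoApp', clientKey: 'ck-123', javascriptKey: 'js-456' };

const noKey = { 'X-Parse-Application-Id': 'demoApp' };
const withClientKey = { ...noKey, 'X-Parse-Client-Key': 'ck-123' };
const withJsKey = { ...noKey, 'X-Parse-Javascript-Key': 'js-456' };

function demo() {
  return {
    openNoKey: checkRequest(openServer, noKey),
    strictNoKey: checkRequest(strictServer, noKey),
    strictClientKey: checkRequest(strictServer, withClientKey),
    strictJsKey: checkRequest(strictServer, withJsKey),
  };
}

console.log(demo());
```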

taivo commented 8 years ago

You're right on this! Thanks for this PR and the excellent discussion on issue #52.

cleever commented 8 years ago

Thank you @taivo for your excellent work and your great support.