I am running the open source parse-server and have well secured my database. However, my application requires administrator users which need to have the power to read and write nearly all the data. This is a security concern which I would like to address with two-factor authentication, though I am open to other ideas (IP whitelisting, cookies, or whatnot).

Setting this up on my client apps is straightforward enough and I have done that, but I would like to be even more secure so that if malicious agents have my Application ID (which is basically public) and somehow obtain an admin's credentials, they still cannot gain access.

I am puzzled as to how to accomplish this with the parse server as it is today. There are no Cloud Code triggers for User sign-in, so I can't enforce any MFA on the Parse server itself, as far as I can tell.

One possibility I see is to check some MFA token in various Cloud Code routines, such as beforeSave, beforeDelete, and beforeFind, denying access to an admin user lacking proper MFA. Would that completely prevent a false admin from reading or writing all data?

The above option does not prevent the attacker from trying to brute force the MFA (assuming it's a 6-digit code). I also don't see any way of rate-limiting the login attempts of an attacker with the App ID and admin password. Any ideas here?

Thanks for any tips!

jasonm1

1 Answer

I really like the idea of adding 2FA and a small script to manage user accounts on the dashboard. Can you open a feature request on https://github.com/parse-community/parse-dashboard ?

Also, for user authentication, you could probably use a custom auth adapter which would validate the username, email and 2FA token.

flovilmart
  • Thanks! I will look into making a custom auth adapter. My initial concern with that was that I'd only want certain users (or Roles) to require 2FA, not everyone. Would a custom auth adapter make that possible without allowing circumvention by, say, just using the App ID, the SDK, and some scripts? Regarding the dashboard feature, do you mean for protecting the dashboard itself or for 2FA management via the dashboard? In my particular case, our dashboard only runs on local secure machines, not the cloud, but I can see how that would be useful in the hosted case. – jasonm1 Jul 10 '17 at 00:42
  • Followup question: Since I only care about my admin user, it seems like I can accomplish my goal with the Google auth adapter. My question is, when the Parse User is created, what happens to that User's password when logging in with the auth adapter? I want to prevent a malicious agent from going around the Google auth path. Is that possible if the user is created by Google auth? Thanks! – jasonm1 Jul 14 '17 at 22:47
  • If you’re using the google auth adapter, then you need to reject login with email and password. We don’t provide an easy way to do it, but probably in a beforeSave call, whenever the object contains username / password you could reject it. If you want a feature request, let’s discuss it on the parse-server repo and find a good way to do it :) – flovilmart Jul 15 '17 at 16:02
  • For rejecting login and just allowing auth, there is an answer to a question I asked a long time ago; it's dirty but it does the job. https://serverfault.com/questions/906785/disable-default-user-authentication-in-parse-server – Osiris Dec 02 '18 at 22:51
  • And someone else also posted another way: https://stackoverflow.com/questions/49749745/disable-default-user-authentication-in-parse-server – Osiris Dec 02 '18 at 22:52