0

I use Node.js and back4app.com

I try to update the user object. Therefore I have read a lot and found this promissing documentation:

let progressId = "xyz";
let userId = "12354"; //aka objectId
const User = new Parse.User();
const query = new Parse.Query(User);


// Finds the user by its ID
query.get(userId).then((user) => {
    // Updates the data we want
    user.set('progressId', progressId);
   // Saves the user with the updated data
   user.save()
       .then((response) => {
           console.log('Updated user', response);
       })
       .catch((error) => {
           console.error('Error while updating user', error);
       });
   });

But there also is a warning. It states:

The Parse.User class is secured by default, you are not able to invoke save method unless the Parse.User was obtained using an authenticated method, like logIn, signUp or current

How would this look like in code?

My solution

Well, I got it to work. While I figured it out, I have found some small show stoppers. I list it for anyone it may concern.

Thanks @RamosCharles I added the Master Key in Parse._initialize. Only with that .save(null, {useMasterKey: true}) works. Take notice, without null it also won't work.

That's my working code:

let progressId = "xyz";
const User = Parse.Object.extend('User'); //instead of const User = new Parse.User();
const query = new Parse.Query(User);

query.equalTo("objectId", '123xyz');
query.get(userId).then((userObj) => {
    // Updates the data we want
    userObj.set('progressId', progressId);

    // Saves the user with the updated data
    userObj.save(null, {useMasterKey: true}).then((response) => {
        console.log('Updated user', response);
    }).catch((error) => {
        console.error('Error while updating user', error);
    });
});

Now I'm wondering

  • why my working code is different from documentation?

  • how secure is my code? And what is to do to get it more secure?

listener
  • 47
  • 7
  • There's not a unique way to do a thing, so, if your code is different from the documentation and is working, you don't need to worry. :) About the security, they have a Best Practices guide that might help you: https://blog.back4app.com/2017/11/09/parse-server-best-practices/ One of the tips is related to the Master Key on the frontend which is not recommendable. – Charles Oct 03 '19 at 21:06

1 Answers1

0

Yes, their API Reference is very helpful! On this section, there's a "try on JSFiddle" button, have you already seen that?

To update a user object, you must use the Master Key. On the frontend, it's not recommended, and it's better to create a cloud code function and call it on your frontend. However, for test purposes, you can keep using the API Reference, but on JSFiddle, you need to do some changes, here is their sample code, but with the adjustments:

Parse.serverURL = 'https://parseapi.back4app.com';
Parse._initialize('<your-appID-here>', '<your-JSKey-here>', '<Your-MasterKey-here>');

const MyCustomClass = Parse.Object.extend('User');
const query = new Parse.Query(MyCustomClass);

query.equalTo("objectId", "<object-ID-here>");
query.find({useMasterKey: true}).then((results) => {

  if (typeof document !== 'undefined') document.write(`ParseObjects found: ${JSON.stringify(results)}`);
  console.log('ParseObjects found:', results);
}, (error) => {
  if (typeof document !== 'undefined') document.write(`Error while fetching ParseObjects: ${JSON.stringify(error)}`);

  console.error('Error while fetching ParseObjects', error);
});

You'll need to insert the "_" before the "initialize" in your "Parse._initialize" and insert the Master Key in your query as I did on the query.find.

Charles
  • 531
  • 2
  • 11
  • Thanks @RamosCharles. I have added the Master Key and I get the user object. But how can I update it? And how I have to create a cloud code function? – listener Oct 02 '19 at 06:40
  • Hi! This is just an example showing how you can query the user, to update it, you must put the parameters that you want, but don't forget the master key and the underline in your Parse._initialize. – Charles Oct 03 '19 at 00:15