Promote session token and clear password dirty

AdrianCurtin · AdrianCurtin · commit 566863a96bdd · 2026-05-17T22:39:50.000-04:00
Fix signup path by promoting the newly-issued session token into the in-flight auth context and clearing the password dirty state immediately after applying a signup response. This prevents an after_create callback (e.g. from parse_reference) from issuing an authenticated update that falls back to master-key authority, and avoids a Parse Server bcrypt crash caused by serializing password as a Delete op. Tests were added to cover the promotion, bounded scope of the promotion, and that password is not included in follow-up updates. Changelog and version bumped to 4.1.1.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 ## Parse-Stack Changelog
 
+### 4.1.1
+
+#### Bug Fixes
+
+- **FIXED**: `Parse::User#save` on a new user whose subclass declares `parse_reference` (with the default `precompute: false`) no longer crashes Parse Server with `Value is non of these types TypedArray<u8>, String` from `@node-rs/bcrypt`. `signup_create` now calls `changes_applied!` and `clear_partial_fetch_state!` immediately after applying the signup response, so by the time the `after_create _assign_<field>!` callback fires its follow-up `update!`, the dirty set no longer contains `password`. Previously, `attribute_updates` serialized the cleared password as `{ "__op": "Delete" }` and Parse Server's `_User` write path fed that hash to the rust bcrypt binding, which rejects anything that isn't a string or u8 buffer. The behavior mirrors the dirty-state clearing already performed by `signup!` and `login!` in 4.0.2, but timed inside the `:create` callback block so it lands before the after_create chain runs rather than after the surrounding `save` completes. (`lib/parse/model/classes/user.rb`)
+
+#### Hardening
+
+- **FIXED**: `Parse::User#signup_create` now promotes the newly-issued session token into `@_session_token` after applying the signup response, so any in-flight `after_create` callback that re-enters the SDK (notably `_assign_<field>!` installed by `parse_reference`) authenticates the follow-up `update!` as the just-signed-up user. Previously the auth context was `nil`, and `Parse::Client#request` (`lib/parse/client.rb:682-687`) only attaches the session-token header when the token is `present?` while never setting `DISABLE_MASTER_KEY` on the nil branch — so the after_create PUT silently fell back to master-key authority under the default client configuration. That bypassed CLP and `request.user` checks in `beforeSave` cloud code on writes to the new user's own row. The promotion is scoped to the in-flight save (the outer `Parse::Object#save` zeroes `@_session_token` at `lib/parse/model/core/actions.rb:830` after the callback chain returns) and does not widen the existing trust boundary around `SIGNUP_RESPONSE_APPLY_KEYS`. The bcrypt crash above made this auth path unreachable before 4.1.1, so there is no field-deployed exposure to remediate — this is correctness hardening surfaced during review of the bcrypt fix. (`lib/parse/model/classes/user.rb`)
+
 ### 4.1.0
 
 #### Rack-Mountable MCP Server
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    parse-stack (4.1.0)
+    parse-stack (4.1.1)
       activemodel (>= 6.1, < 9)
       activesupport (>= 6.1, < 9)
       faraday (~> 2.0)
diff --git a/lib/parse/model/classes/user.rb b/lib/parse/model/classes/user.rb
@@ -735,10 +735,46 @@ def signup_create
           @updated_at = result["updatedAt"] || result["createdAt"] || @updated_at
           # Plaintext password is no longer needed locally; the server
           # has it hashed. Direct ivar assignment avoids re-dirtying the
-          # field that the surrounding `save` will mark clean via
-          # `changes_applied!` in actions.rb after this method returns.
+          # field.
           @password = nil
           set_attributes!(result.slice(*SIGNUP_RESPONSE_APPLY_KEYS))
+          # Promote the freshly-applied session token into `@_session_token`
+          # so any in-flight after_create callback that calls back through
+          # the SDK authenticates as the just-signed-up user. Without this,
+          # the after_create `_assign_<field>!` callback installed by
+          # `parse_reference` (and any other after_create hook that issues
+          # an `update!`) reads `_session_token` (actions.rb:732) and finds
+          # nil — `client.update_object(..., session_token: nil)` then
+          # silently falls back to the master key under any configuration
+          # that supplies one (client.rb:682-687 only attaches the session
+          # token when `present?`; `DISABLE_MASTER_KEY` is not set on the
+          # nil branch). The result was a user-scoped PUT silently
+          # escalated to master-key authority, bypassing CLP and
+          # `request.user` checks in `beforeSave` cloud code. Promoting
+          # the new user's own session token here scopes the follow-up
+          # update to the just-created user — the appropriate authority
+          # for writes to their own row. The outer `save` zeroes
+          # `@_session_token` again at actions.rb:830, so the promotion
+          # is bounded by this in-flight save. The trust boundary here
+          # is identical to the existing `SIGNUP_RESPONSE_APPLY_KEYS`
+          # contract: the SDK already trusts `sessionToken` from a signup
+          # response (it has to, to honor the signup contract); this fix
+          # routes that same token to the in-flight auth context.
+          @_session_token = @session_token if @session_token.present?
+          # Clear dirty state BEFORE the `after_create` callback chain
+          # fires. If a subclass declares `parse_reference` (default
+          # field name with `precompute: false`), the after_create
+          # `_assign_<field>!` callback issues an `update!` from inside
+          # this `run_callbacks :create` block — and `attribute_updates`
+          # would otherwise still carry `password` as dirty with a nil
+          # current value, serializing as `password: { __op: "Delete" }`.
+          # Parse Server's `_User` write path feeds that hash to
+          # `@node-rs/bcrypt`, which raises
+          # `Value is non of these types TypedArray<u8>, String`. Same
+          # cleanup as `signup!`, just timed so the after_create
+          # callbacks see a clean dirty set.
+          changes_applied!
+          clear_partial_fetch_state!
         end
         puts "Error creating #{self.parse_class}: #{res.error}" if res.error?
         res.success?
diff --git a/lib/parse/stack/version.rb b/lib/parse/stack/version.rb
@@ -6,6 +6,6 @@ module Parse
   # The Parse Server SDK for Ruby
   module Stack
     # The current version.
-    VERSION = "4.1.0"
+    VERSION = "4.1.1"
   end
 end
diff --git a/test/lib/parse/models/user_save_signup_test.rb b/test/lib/parse/models/user_save_signup_test.rb
@@ -626,6 +626,81 @@ def test_existing_user_save_without_session_arg_sends_no_session_token
                "no explicit session: => update_object must be invoked with session_token: nil"
   end
 
+  # --------------------------------------------------------------------
+  # 4.1.1: after_create from `parse_reference` (or any other after_create
+  # hook that re-enters the SDK) must run as the just-signed-up user, not
+  # as master-key (which is what `session_token: nil` falls back to under
+  # the default client config — see client.rb:682-687). Without the
+  # signup_create promotion, the follow-up `update!` triggered by
+  # `_assign_parse_reference!` runs with master-key authority, silently
+  # bypassing CLP and `beforeSave` `request.user` gates on the new user's
+  # own row.
+  # --------------------------------------------------------------------
+  class SignupParseReferenceUser < Parse::User
+    parse_class Parse::Model::CLASS_USER
+    # Parse::Object#fields is copied from Parse::Object on first access,
+    # not from the immediate superclass, so a User subclass does not
+    # auto-inherit username/password/email property declarations.
+    # Re-declare them so `attribute_updates` produces a real signup body.
+    property :auth_data, :object
+    property :email
+    property :password
+    property :username
+    parse_reference
+  end
+
+  def test_signup_create_promotes_new_session_token_for_after_create_update
+    client = StubClient.new
+    user = SignupParseReferenceUser.new(username: "umi", password: "p4ss!")
+    user.define_singleton_method(:client) { client }
+
+    assert user.save
+
+    update_calls = client.calls_to(:update_object)
+    assert_equal 1, update_calls.size,
+                 "after_create _assign_parse_reference! must fire a single update"
+    update_call = update_calls.first
+    assert_equal "r:stub-session-token", update_call.last,
+                 "after_create update_object must be authenticated with the new user's session token, " \
+                 "not nil (which silently falls back to master_key)"
+  end
+
+  def test_signup_create_after_create_update_does_not_leak_caller_session
+    # When the caller passes save(session: admin_token), the signup POST
+    # itself uses that token (so it's authorized for whatever admin
+    # workflow is happening), but the after_create update on the new
+    # user's row must still authenticate as the new user — they own
+    # their own row, not the admin who provisioned them.
+    client = StubClient.new
+    user = SignupParseReferenceUser.new(username: "vince", password: "p4ss!")
+    user.define_singleton_method(:client) { client }
+
+    assert user.save(session: "r:admin-provisioner")
+
+    create_call = client.calls_to(:create_user).first
+    assert_equal "r:admin-provisioner", create_call.last,
+                 "signup POST itself should carry the caller-supplied admin token"
+
+    update_call = client.calls_to(:update_object).first
+    assert_equal "r:stub-session-token", update_call.last,
+                 "after_create update should authenticate as the new user, not the admin"
+  end
+
+  def test_signup_create_session_token_promotion_is_bounded_by_save
+    # The @_session_token promotion must NOT outlive the in-flight save.
+    # actions.rb:830 zeros @_session_token at the end of save; this test
+    # asserts the user is not left in a state where subsequent saves
+    # carry the new user's token as the auth context.
+    client = StubClient.new
+    user = SignupParseReferenceUser.new(username: "wren", password: "p4ss!")
+    user.define_singleton_method(:client) { client }
+
+    assert user.save
+
+    assert_nil user.instance_variable_get(:@_session_token),
+               "@_session_token must be cleared by the outer save() after the create callbacks run"
+  end
+
   def test_existing_user_save_with_signup_on_save_false_still_preserves_session_token
     # Belt-and-suspenders: even with the new flag off, the update path
     # must behave identically. Confirms the flag does not gate the
diff --git a/test/lib/parse/user_save_signup_integration_test.rb b/test/lib/parse/user_save_signup_integration_test.rb
@@ -238,4 +238,98 @@ def test_password_change_does_invalidate_session
       end
     end
   end
+
+  # --------------------------------------------------------------------
+  # 4.1.1: signup-on-save + parse_reference (default precompute: false)
+  # used to crash Parse Server 9 with
+  #   Value is non of these types TypedArray<u8>, String
+  # at password.js:18 in @node-rs/bcrypt. The after_create
+  # `_assign_parse_reference!` callback issues an `update!` from inside
+  # the `run_callbacks :create` block, and `attribute_updates` carried
+  # `password` as dirty with a nil current value — serialized as
+  # `{ password: { "__op": "Delete" } }`. Parse Server's _User write
+  # path fed that hash to the rust bcrypt binding, which rejects
+  # anything that isn't a string or u8 buffer.
+  #
+  # Fix in 4.1.1: signup_create runs `changes_applied!` +
+  # `clear_partial_fetch_state!` right after applying the response, so
+  # by the time the after_create chain runs the dirty set is empty and
+  # the follow-up PUT only carries `parseReference`.
+  # --------------------------------------------------------------------
+  class UserWithParseReference < Parse::User
+    parse_class Parse::Model::CLASS_USER
+    # Parse::Object#fields is a class-instance variable that is copied
+    # from Parse::Object on first access (not from the immediate
+    # superclass), so a User subclass does not auto-inherit the
+    # username/password/email property declarations. Re-declare them so
+    # `attribute_updates` produces a real signup body.
+    property :auth_data, :object
+    property :email
+    property :password
+    property :username
+    parse_reference
+  end
+
+  def test_signup_on_save_with_parse_reference_subclass_succeeds
+    skip "Docker integration tests require PARSE_TEST_USE_DOCKER=true" unless ENV["PARSE_TEST_USE_DOCKER"] == "true"
+
+    with_parse_server do
+      with_timeout(15, "signup-on-save + parse_reference subclass") do
+        username = "su_pref_#{SecureRandom.hex(4)}"
+        user = UserWithParseReference.new(
+          username: username,
+          password: "p4ssw0rd!",
+          email: "#{username}@test.com",
+        )
+        # Pre-4.1.1 this raised Parse::Client::ResponseError carrying the
+        # bcrypt rust binding TypeError. After the fix, the after_create
+        # update!  sends only parseReference and the save succeeds.
+        assert user.save!, "save! on parse_reference User subclass must succeed"
+        @test_context.track(user)
+
+        refute_nil user.id, "user must have an objectId after signup"
+        refute_nil user.session_token, "signup-on-save must populate session_token"
+        assert session_token_valid?(user.session_token),
+               "session token must remain live (no bcrypt rehash path triggered)"
+
+        expected_ref = "#{Parse::Model::CLASS_USER}$#{user.id}"
+        assert_equal expected_ref, user.parse_reference,
+                     "parse_reference must be populated via the after_create update!"
+
+        # Confirm Parse Server actually persisted the reference column.
+        # Read the raw row back through the client (the Parse::User
+        # subclass redispatches to plain Parse::User on build because
+        # parse_class is shared, so query through the raw fetch path).
+        raw = Parse.client.fetch_object("_User", user.id, opts: { use_master_key: true })
+        assert raw.success?, "master-key fetch of new user must succeed"
+        assert_equal expected_ref, raw.result["parseReference"],
+                     "parseReference column must be persisted server-side"
+      end
+    end
+  end
+
+  def test_signup_on_save_with_parse_reference_clears_password_dirty_state
+    skip "Docker integration tests require PARSE_TEST_USE_DOCKER=true" unless ENV["PARSE_TEST_USE_DOCKER"] == "true"
+
+    with_parse_server do
+      with_timeout(15, "signup-on-save clears password dirty state") do
+        username = "su_pref_clean_#{SecureRandom.hex(4)}"
+        user = UserWithParseReference.new(
+          username: username,
+          password: "p4ssw0rd!",
+          email: "#{username}@test.com",
+        )
+        assert user.save!
+        @test_context.track(user)
+
+        # The after_create update! must NOT include password under any
+        # form (raw value, nil, or { __op: "Delete" }).
+        refute_includes user.changed, "password",
+                        "password must not be in the dirty set after signup-on-save"
+        updates = user.attribute_updates
+        refute(updates.key?(:password) || updates.key?("password"),
+               "attribute_updates must not contain password after signup-on-save")
+      end
+    end
+  end
 end
