undefined | Better HN

0 pointsBinaryIdiot9y ago0 comments

It's geared towards legacy. I have used parse in 3 different projects (none of that was my choice, these were existing projects I had to take over) and I would NEVER recommend it for new projects.

The way everyone seems to use it, in my experience, is giving the client credentials to manipulate the full database which is absolutely insane. Obviously this is not good practice but every single parse project I've gotten thrown into already did this and it was a significant amount of work to move it to be more secure and NOT do that. I think the way it's created makes it very, very easy to make bad security choices.

It's also basically a RESTful CRUD. That's mostly it minus some, mostly minor, bells and whistles. You can already do this with about 20 different open source stacks very easily and you're not stuck using this parse technology.

I can't articulate just how much trouble parse has given me. I even took an app and re-wrote its entire backend away from parse significantly faster than doing a handful of updates.

0 comments

ShaneWilton9y ago

> I think the way it's created makes it very, very easy to make bad security choices.

I can sympathize with this. I work on a dynamic API security scanner, and the vast majority of the Parse APIs I've scanned have either used API keys with full read/write permissions on the DB, or have left the database in development mode, essentially allowing anyone with an API key to modify the schema of the database.

Parse was a very cool product, but most setups I've seen didn't take advantage of the (sometimes hard to find) security features Parse provides.

jkestner9y ago

Later versions don't let you easily give the client full access. You instead have to do it through Cloud Code (another facet of Parse), so the key never leaves the server.

Not to disagree with your overall assessment. I'm generally wary of these swiss-knife frameworks - they're written for a particular use case in mind, and if your project doesn't fit that, you may go through contortions to get things working smoothly.

BinaryIdiotOP9y ago

> Later versions don't let you easily give the client full access. You instead have to do it through Cloud Code (another facet of Parse), so the key never leaves the server.

That's fantastic! I never kept track of which version(s) I worked on but I had transitioned one project from Parse to Parse Server and it was still able to work this way but I'm glad they made progress to try and force better security.

wapz9y ago

I just noticed the app I used with parse did exactly what you said (gave the client full access to database writes). My app only held "public" data and no passwords, emails, or sensitive data, but I was wondering how you manage to secure the DB writes. Wouldn't you need another server to send the write requests that would validate them before sending them to parse? Or is there another way?

BinaryIdiotOP9y ago

To secure code with parse I believe the most common way is to basically move everything behind cloud code.

So instead of making HTTP calls to directly modify the DB you make HTTP calls to cloud code functions you wrote which then verify who you are and only modify what you should be able to modify.

j / k navigate · click thread line to collapse

0 pointsBinaryIdiot9y ago0 comments

It's geared towards legacy. I have used parse in 3 different projects (none of that was my choice, these were existing projects I had to take over) and I would NEVER recommend it for new projects.

I can't articulate just how much trouble parse has given me. I even took an app and re-wrote its entire backend away from parse significantly faster than doing a handful of updates.

0 comments

ShaneWilton9y ago

> I think the way it's created makes it very, very easy to make bad security choices.

Parse was a very cool product, but most setups I've seen didn't take advantage of the (sometimes hard to find) security features Parse provides.

jkestner9y ago

Later versions don't let you easily give the client full access. You instead have to do it through Cloud Code (another facet of Parse), so the key never leaves the server.

BinaryIdiotOP9y ago

> Later versions don't let you easily give the client full access. You instead have to do it through Cloud Code (another facet of Parse), so the key never leaves the server.

wapz9y ago

BinaryIdiotOP9y ago

To secure code with parse I believe the most common way is to basically move everything behind cloud code.

So instead of making HTTP calls to directly modify the DB you make HTTP calls to cloud code functions you wrote which then verify who you are and only modify what you should be able to modify.

j / k navigate · click thread line to collapse