master authentication using client certificate

[dblythy]

New Feature / Enhancement Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.

Current Limitation

Currently, masterKey access can only be verified using the request headers.

Feature / Enhancement Description

It would be good to have the option to require a client certificate to perform a masterKey request. Certificates can be generated by the server only.

Example Use Case

n/a

Alternatives / Workarounds

n/a

3rd Party References

https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326

[parse-github-assistant]

Thanks for opening this issue!

• 🎉 We are excited about your ideas for improvement!

[mtrezza]

Amazing idea! This would add an additional level of security to Parse Server. I assume the certificate would be a substitute for the master key, not an additional requirement?

[dblythy]

Yep, it would be a substitute for a more secure way to connect as master. This is inspired by mongoDB atlas' ability to use a X.509 cert instead of a password to authenticate a database user (maybe we could add a security check for that too).

I'm not sure how it would work though for Parse Server, as far I can tell it would have to be a combination of Parse's masterKey middleware checking the client certificate, as well as the express server to be booted as a HTTPS server instead of HTTP, with the CA option. This is quite new to me so any expertise would be appreciated.

Ideally, I think it would be good to be able to configure the dashboard to require a signed cert, as well as any client code that wants to act as master.

[Moumouls]

@dblythy great idea. i've may be some question about how you see the usage into the Parse Dashboard. User drop and import the certificate ?

About the JS SDK, a new property will be added ? "masterCertificate"

In case of parse-server hosted behind many proxies, gateway systems, cloudflare firewall, does the certificate will play well out of the box ?

[dblythy]

I'm not sure how it would work to be honest. The idea is similar to using X509 certificates with mongoDB. I'm not quite sure how it would be implemented.