Brandon

Reputation: 101

Anonymous Users with Parse SDK

I'm aware that Parse.com does not support Anonymous Users for the JavaScript SDK, which is what I'm using now. I've asked a Parse staff member what an alternative might be for those who use the Parse JavaScript SDK and want something like the Anonymous User feature offered for the Parse iOS SDK. I was told by the Parse staff member: "This is not officially supported yet, but you might be able to implement something similar by generating a random username and password that is stored in localStorage for this user". Right now, the following code allows me to save information to my Parse database:

var MYObject = Parse.Object.extend("MYObject");
var myObject = new MYObject();
var SomeStuff = "Test";

myObject.set("RECORD", SomeStuff);
myObject.save(null, {
  success: function(myObject) {
    // Runs once the object has been saved
    alert('New object created with objectId: ' + myObject.id);
  }
});

This creates a new class, then adds "RECORD" and "Test". It works. Yet this is saved without needing a username or password at all. I'm wondering why just allowing users to save data like that can't be sufficient instead of having the Anonymous User feature Parse offers or, in my case, an alternative solution for the Anonymous User feature, since Anonymous User is not supported by the Parse JavaScript SDK, which is what I'm using. Is the reason the Anonymous User feature is offered in the first place a matter of security? Should I resort to the alternative solution given to me by Parse staff, or is it unnecessary?

Upvotes: 2

Views: 3078

Answers (2)

Ryan Alexander

Reputation: 569

I know this answer is very late, but it's relevant because nothing has changed. There is no Class for Anonymous users in the Parse JS SDK.

The reason why you can create, save, edit and delete objects without having a User Session is because you can create objects that anyone can use; i.e., "Public Objects". You can set ACL credentials on these objects as well, but you will not be associating new objectIds with userObjectIds and therefore will only be able to update said objects in Cloud Code using your app's MasterKey.

var Foo = Parse.Object.extend("Foo");
var foo = new Foo();

foo.set("message", "Hello Foo");
foo.save().then(function(foo){
  //foo was saved
  //anyone can edit it right now
  //make it disappear into a black hole
  //in other words, nobody can edit without Master Key
  var acl = new Parse.ACL();
  acl.setPublicReadAccess(false); //nobody can read it
  acl.setPublicWriteAccess(false);//nobody can write it
  foo.setACL(acl); 
  return foo.save();
}).then(function(foo){
  //since foo was returned, we can still read it, but 
  //we cannot edit it anymore...
  foo.set("message", "cannot update without Master Key");
  return foo.save();
}).then(function(foo){
  //this will not run
}, function(error){
  //catch error for cannot update foo 
  console.log(error);
});

In this example, I start off by creating the Foo object. Then I update the message column and save it. The saved object is returned and I create an ACL that will prevent anyone from reading and writing to Foo. Then I set Foo's ACL and save it again. The saved object is returned and I try to update the message column again. This time an error occurs and the error callback logs the error. This happens because I cannot update foo anymore, unless I use the Master Key, and that must take place in Cloud Code.

Parse.Cloud.useMasterKey();
foo.save().then.... //after second return of foo.save() above

Upvotes: 0

Robert Rowntree

Reputation: 6289

Can you just generate a 'random' or a 'guid' and then plug that into User.username with password & email undefined? On the insert of that user, you have a valid Parse.User object that is anonymous. The return from the User.insert() is a 'token' which never expires. You can use a cookie to store the {"token":val, "username":val}.

Without a passwd, you never log the user in and will always be forced to call Cloud Code, where you can pass in the user's token (-H "X-Parse-Session-Token: rcid...") in place of a validated session established with 'login'.

I've used this technique in the REST API where I want to onboard users without any input to text fields. They provide no info, only agreeing to use an anonymous cloud account.

Upvotes: 2
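
Added example, not part of the thread or of Parse's own code: one way to implement the approach the Parse staff member suggested in the question (random username and password kept in localStorage), then save a record with an ACL restricted to that user so it is no longer a public object. `STORAGE_KEY`, the `anon-` prefix and the function names are assumptions; `Parse` and `storage` are passed in (in a browser, the Parse SDK and `window.localStorage`).

```javascript
// Added example; names below are illustrative assumptions, not Parse API.
var STORAGE_KEY = "anonCredentials"; // hypothetical localStorage key

// Hex-encode n bytes from a CSPRNG. Math.random() is predictable and must
// not be used for credentials. rng defaults to the Web Crypto object.
function randomHex(n, rng) {
  var bytes = (rng || globalThis.crypto).getRandomValues(new Uint8Array(n));
  return Array.from(bytes, function (b) {
    return b.toString(16).padStart(2, "0");
  }).join("");
}

// Returns a promise for a logged-in Parse.User, creating one on first visit.
function getOrCreateAnonymousUser(Parse, storage, rng) {
  var saved = storage.getItem(STORAGE_KEY);
  if (saved) {
    var c = JSON.parse(saved);
    return Parse.User.logIn(c.username, c.password);
  }
  var creds = {
    username: "anon-" + randomHex(16, rng),
    password: randomHex(32, rng)
  };
  var user = new Parse.User();
  user.set("username", creds.username);
  user.set("password", creds.password);
  return user.signUp().then(function (u) {
    // Persist only after signUp succeeds, so a failed signup leaves no
    // stale credentials behind.
    storage.setItem(STORAGE_KEY, JSON.stringify(creds));
    return u;
  });
}

// Save a record that only `user` can read or write (no public access).
function savePrivateRecord(Parse, user, value) {
  var MYObject = Parse.Object.extend("MYObject");
  var obj = new MYObject();
  obj.set("RECORD", value);
  obj.setACL(new Parse.ACL(user)); // read/write granted to this user only
  return obj.save();
}
```

Anything in localStorage is readable by any script running on the same origin, so an XSS flaw exposes these credentials, and the account is lost if the user clears site data.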
