Accessing the Parse server in Android without a master key doesn't give authorization

Question

When I access my server with the following it works:

curl -X POST \
  -H "X-Parse-Application-Id: xxx" \
  -H "X-Parse-Master-Key: yyy" \
  -H "Content-Type: text/plain" \
  -d '{"score":1337,"playerName":"Sean Plott","cheatMode":false}' \
  http://xx.xx.xx.xx/parse/classes/Inventory

But when I use the following, it doesn't:

curl -X POST \
  -H "X-Parse-Application-Id: xxx" \
  -H "Content-Type: text/plain" \
  -d '{"score":1337,"playerName":"Sean Plott","cheatMode":false}' \
  http://xx.xx.xx.xx/parse/classes/Inventory

I get this error instead:

{"error":"unauthorized"}

It worked perfectly fine earlier. I had changed a few settings and updated to the latest Parse Server version and then it stopped working, along with all the other apps related to it.

The web version works, suggesting that the REST API key was fine. I can access everything perfectly through the Dashboard too. The only problem is when I access it with Android, which can only give an Application Id for identification.

Might I have changed a setting wrong that blocked this? I don't think I changed anything, though there is the small possibility I didn't close a bracket or commented something out on the server.js file.

Answer 1

It's brought up here: https://github.com/parse-community/parse-server

The client keys used with Parse are no longer necessary with Parse Server. If you wish to still require them, perhaps to be able to refuse access to older clients, you can set the keys at initialization time. Setting any of these keys will require all requests to provide one of the configured keys.

• clientKey
• javascriptKey
• restAPIKey
• dotNetKey

What happened was that I had restAPIKey inside my config file, so it required any one of the other four keys as well. The new update forced my app to use clientKey or remove restAPIKey from the config.