fix: Server internal error details leaking in error messages returned to clients

spec/AudienceRouter.spec.js

@@ -269,7 +269,7 @@ describe('AudiencesRouter', () => {
     }).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );
@@ -279,7 +279,7 @@ describe('AudiencesRouter', () => {
     Parse._request('GET', 'push_audiences', {}).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );
@@ -289,7 +289,7 @@ describe('AudiencesRouter', () => {
     Parse._request('GET', `push_audiences/someId`, {}).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );
@@ -301,7 +301,7 @@ describe('AudiencesRouter', () => {
     }).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );
@@ -311,7 +311,7 @@ describe('AudiencesRouter', () => {
     Parse._request('DELETE', `push_audiences/someId`, {}).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );

spec/LogsRouter.spec.js

@@ -61,7 +61,7 @@ describe_only(() => {
     }).then(fail, response => {
       const body = response.data;
       expect(response.status).toEqual(403);
-      expect(body.error).toEqual('unauthorized: master key is required');
+      expect(body.error).toEqual('Permission denied');
       done();
     });
   });

spec/ParseAPI.spec.js

@@ -1724,7 +1724,7 @@ describe('miscellaneous', () => {
         fail('Should not succeed');
       })
       .catch(response => {
-        expect(response.data.error).toEqual('unauthorized: master key is required');
+        expect(response.data.error).toEqual('Permission denied');
         done();
       });
   });

spec/ParseFile.spec.js

@@ -156,7 +156,7 @@ describe('Parse.File testing', () => {
         }).then(fail, response => {
           const del_b = response.data;
           expect(response.status).toEqual(403);
-          expect(del_b.error).toMatch(/unauthorized/);
+          expect(del_b.error).toBe('Permission denied');
           // incorrect X-Parse-Master-Key header
           request({
             method: 'DELETE',
@@ -169,7 +169,7 @@ describe('Parse.File testing', () => {
           }).then(fail, response => {
             const del_b2 = response.data;
             expect(response.status).toEqual(403);
-            expect(del_b2.error).toMatch(/unauthorized/);
+            expect(del_b2.error).toBe('Permission denied');
             done();
           });
         });
@@ -760,7 +760,7 @@ describe('Parse.File testing', () => {
         url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt',
       }).catch(e => e);
       expect(res1.status).toBe(403);
-      expect(res1.data).toEqual({ code: 119, error: 'Invalid application ID.' });
+      expect(res1.data).toEqual({ code: 119, error: 'Permission denied' });
       // Ensure server did not crash
       const res2 = await request({ url: 'http://localhost:8378/1/health' });
       expect(res2.status).toEqual(200);

spec/ParseGlobalConfig.spec.js

@@ -233,7 +233,7 @@ describe('a GlobalConfig', () => {
     }).then(fail, response => {
       const body = response.data;
       expect(response.status).toEqual(403);
-      expect(body.error).toEqual('unauthorized: master key is required');
+      expect(body.error).toEqual('Permission denied');
       done();
     });
   });

spec/ParseGraphQLServer.spec.js

@@ -3501,7 +3501,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
 
@@ -3871,7 +3871,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
 
@@ -4096,7 +4096,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
 
@@ -4137,7 +4137,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
 
@@ -4155,7 +4155,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
       });
@@ -6081,7 +6081,7 @@ describe('ParseGraphQLServer', () => {
             }
 
             await expectAsync(createObject('GraphQLClass')).toBeRejectedWith(
-              jasmine.stringMatching('Permission denied for action create on class GraphQLClass')
+              jasmine.stringMatching('Permission denied')
             );
             await expectAsync(createObject('PublicClass')).toBeResolved();
             await expectAsync(
@@ -6115,7 +6115,7 @@ describe('ParseGraphQLServer', () => {
                 'X-Parse-Session-Token': user4.getSessionToken(),
               })
             ).toBeRejectedWith(
-              jasmine.stringMatching('Permission denied for action create on class GraphQLClass')
+              jasmine.stringMatching('Permission denied')
             );
             await expectAsync(
               createObject('PublicClass', {

spec/ParseInstallation.spec.js

@@ -176,7 +176,7 @@ describe('Installations', () => {
       .catch(error => {
         expect(error.code).toBe(119);
         expect(error.message).toBe(
-          "Clients aren't allowed to perform the find operation on the installation collection."
+          'Permission denied'
         );
         done();
       });

spec/ParseQuery.Aggregate.spec.js

@@ -77,7 +77,7 @@ describe('Parse.Query Aggregate testing', () => {
     Parse._request('GET', `aggregate/someClass`, {}).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );

spec/ParseUser.spec.js

@@ -2661,7 +2661,7 @@ describe('Parse.User testing', () => {
           }).then(fail, response => {
             const b = response.data;
             expect(b.code).toEqual(209);
-            expect(b.error).toBe('Invalid session token');
+            expect(b.error).toBe('Permission denied');
             done();
           });
         });
@@ -3379,7 +3379,7 @@ describe('Parse.User testing', () => {
         done();
       })
       .catch(err => {
-        expect(err.message).toBe("Clients aren't allowed to manually update email verification.");
+        expect(err.message).toBe('Permission denied');
         done();
       });
   });
@@ -4393,7 +4393,7 @@ describe('login as other user', () => {
       done();
     } catch (err) {
       expect(err.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
-      expect(err.data.error).toBe('master key is required');
+      expect(err.data.error).toBe('Permission denied');
     }
 
     const sessionsQuery = new Parse.Query(Parse.Session);

spec/RestQuery.spec.js

@@ -165,9 +165,7 @@ describe('rest query', () => {
       },
       err => {
         expect(err.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-        expect(err.message).toEqual(
-          'This user is not allowed to access ' + 'non-existent class: ClientClassCreation'
-        );
+        expect(err.message).toEqual('Permission denied');
         done();
       }
     );
@@ -243,7 +241,7 @@ describe('rest query', () => {
       expectAsync(new Parse.Query('Test').exists('zip').find()).toBeRejectedWith(
         new Parse.Error(
           Parse.Error.OPERATION_FORBIDDEN,
-          'This user is not allowed to query zip on class Test'
+          'Permission denied'
         )
       ),
     ]);

spec/Schema.spec.js

@@ -283,7 +283,7 @@ describe('SchemaController', () => {
             fail('Class permissions should have rejected this query.');
           },
           err => {
-            expect(err.message).toEqual('Permission denied for action count on class Stuff.');
+            expect(err.message).toEqual('Permission denied');
             done();
           }
         )
@@ -1462,7 +1462,7 @@ describe('Class Level Permissions for requiredAuth', () => {
           done();
         },
         e => {
-          expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
+          expect(e.message).toEqual('Permission denied');
           done();
         }
       );
@@ -1561,7 +1561,7 @@ describe('Class Level Permissions for requiredAuth', () => {
           done();
         },
         e => {
-          expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
+          expect(e.message).toEqual('Permission denied');
           done();
         }
       );
@@ -1649,7 +1649,7 @@ describe('Class Level Permissions for requiredAuth', () => {
           done();
         },
         e => {
-          expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
+          expect(e.message).toEqual('Permission denied');
           done();
         }
       );
@@ -1694,7 +1694,7 @@ describe('Class Level Permissions for requiredAuth', () => {
           done();
         },
         e => {
-          expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
+          expect(e.message).toEqual('Permission denied');
           done();
         }
       );

spec/features.spec.js

@@ -32,7 +32,7 @@ describe('features', () => {
       done.fail('The serverInfo request should be rejected without the master key');
     } catch (error) {
       expect(error.status).toEqual(403);
-      expect(error.data.error).toEqual('unauthorized: master key is required');
+      expect(error.data.error).toEqual('Permission denied');
       done();
     }
   });

spec/rest.spec.js

@@ -324,9 +324,7 @@ describe('rest create', () => {
       },
       err => {
         expect(err.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-        expect(err.message).toEqual(
-          'This user is not allowed to access ' + 'non-existent class: ClientClassCreation'
-        );
+        expect(err.message).toEqual('Permission denied');
         done();
       }
     );
@@ -783,7 +781,7 @@ describe('rest create', () => {
     const query = new Parse.Query('TestObject');
     query.include('pointer');
     await expectAsync(query.get(obj2.id)).toBeRejectedWithError(
-      "Clients aren't allowed to perform the get operation on the _PushStatus collection."
+      'Permission denied'
     );
   });
 
@@ -799,7 +797,7 @@ describe('rest create', () => {
     const query = new Parse.Query('TestObject');
     query.include('globalConfigPointer');
     await expectAsync(query.get(obj2.id)).toBeRejectedWithError(
-      "Clients aren't allowed to perform the get operation on the _GlobalConfig collection."
+      'Permission denied'
     );
   });
 
@@ -953,7 +951,7 @@ describe('read-only masterKey', () => {
     }).toThrow(
       new Parse.Error(
         Parse.Error.OPERATION_FORBIDDEN,
-        `read-only masterKey isn't allowed to perform the create operation.`
+        'Permission denied'
       )
     );
     expect(() => {
@@ -983,7 +981,7 @@ describe('read-only masterKey', () => {
     } catch (res) {
       expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
       expect(res.data.error).toBe(
-        "read-only masterKey isn't allowed to perform the create operation."
+        'Permission denied'
       );
     }
     await reconfigureServer();
@@ -1037,7 +1035,7 @@ describe('read-only masterKey', () => {
       .then(done.fail)
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
-        expect(res.data.error).toBe("read-only masterKey isn't allowed to create a schema.");
+        expect(res.data.error).toBe('Permission denied');
         done();
       });
   });
@@ -1056,7 +1054,7 @@ describe('read-only masterKey', () => {
       .then(done.fail)
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
-        expect(res.data.error).toBe("read-only masterKey isn't allowed to create a schema.");
+        expect(res.data.error).toBe('Permission denied');
         done();
       });
   });
@@ -1075,7 +1073,7 @@ describe('read-only masterKey', () => {
       .then(done.fail)
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
-        expect(res.data.error).toBe("read-only masterKey isn't allowed to update a schema.");
+        expect(res.data.error).toBe('Permission denied');
         done();
       });
   });
@@ -1094,7 +1092,7 @@ describe('read-only masterKey', () => {
       .then(done.fail)
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
-        expect(res.data.error).toBe("read-only masterKey isn't allowed to delete a schema.");
+        expect(res.data.error).toBe('Permission denied');
         done();
       });
   });
@@ -1113,7 +1111,7 @@ describe('read-only masterKey', () => {
       .then(done.fail)
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
-        expect(res.data.error).toBe("read-only masterKey isn't allowed to update the config.");
+        expect(res.data.error).toBe('Permission denied');
         done();
       });
   });
@@ -1133,7 +1131,7 @@ describe('read-only masterKey', () => {
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
         expect(res.data.error).toBe(
-          "read-only masterKey isn't allowed to send push notifications."
+          'Permission denied'
         );
         done();
       });