Refactor authData handling: streamline validation, enhance security, and improve efficiency

- Refactor authData processing to remove redundant logic and simplify code
- Replace deep-diff with native isDeepStrictEqual for better maintainability
- Enhance security: add strict provider name validation to prevent prototype pollution and NoSQL injection
- Harden diffAuthData against injection attacks with null-prototype objects
- Improve validation logic: remove unnecessary checks for unlink-only operations
- Fix dead code branches and redundant conditions
- Consolidate mockFetch calls in tests for better maintainability
- Update @semantic-release/github dependency (11.0.2 -> 11.0.3)
- Translate all Cyrillic comments to English
- Add comprehensive test coverage for edge cases and security scenarios

Author: SNtGog

package-lock.json

@@ -78,7 +78,7 @@
     "@semantic-release/changelog": "6.0.3",
     "@semantic-release/commit-analyzer": "13.0.1",
     "@semantic-release/git": "10.0.1",
-    "@semantic-release/github": "11.0.2",
+    "@semantic-release/github": "11.0.3",
     "@semantic-release/npm": "12.0.1",
     "@semantic-release/release-notes-generator": "14.0.3",
     "all-node-versions": "13.0.1",

package.json

@@ -34,7 +34,12 @@ describe('RestWrite.handleAuthData', () => {
         gpgames: {
           clientId: 'validClientId',
           clientSecret: 'validClientSecret',
-        }
+        },
+        instagram: {
+          clientId: 'validClientId',
+          clientSecret: 'validClientSecret',
+          redirectUri: 'https://example.com/callback',
+        },
       },
     });
   };
@@ -51,17 +56,54 @@ describe('RestWrite.handleAuthData', () => {
     const sessionToken = user.getSessionToken();
 
     await user.fetch({ sessionToken });
-    const currentAuthData = user.get('authData') || {};
+    const currentAuthData = user.get('authData');
+    expect(currentAuthData).toBeDefined();
+
+    // Add another provider to ensure gpgames removal doesn't delete all authData
+    mockFetch([
+      {
+        url: 'https://api.instagram.com/oauth/access_token',
+        method: 'POST',
+        response: {
+          ok: true,
+          json: () => Promise.resolve({ access_token: 'ig_token' }),
+        },
+      },
+      {
+        url: 'https://graph.instagram.com/me?fields=id&access_token=ig_token',
+        method: 'GET',
+        response: {
+          ok: true,
+          json: () => Promise.resolve({ id: 'I1' }),
+        },
+      },
+    ]);
 
     user.set('authData', {
       ...currentAuthData,
+      instagram: { id: 'I1', code: 'IC1' },
+    });
+    await user.save(null, { sessionToken });
+
+    await user.fetch({ sessionToken });
+    const authDataWithInstagram = user.get('authData');
+    expect(authDataWithInstagram).toBeDefined();
+    expect(authDataWithInstagram.gpgames).toBeDefined();
+    expect(authDataWithInstagram.instagram).toBeDefined();
+
+    // Now unlink gpgames
+    user.set('authData', {
+      ...authDataWithInstagram,
       gpgames: null,
     });
     await user.save(null, { sessionToken });
 
     const updatedUser = await new Parse.Query(Parse.User).get(user.id, { useMasterKey: true });
-    const finalAuthData = updatedUser.get('authData') || {};
+    const finalAuthData = updatedUser.get('authData');
 
+    expect(finalAuthData).toBeDefined();
     expect(finalAuthData.gpgames).toBeUndefined();
+    expect(finalAuthData.instagram).toBeDefined();
+    expect(finalAuthData.instagram.id).toBe('I1');
   });
 });

spec/RestWrite.handleAuthData.spec.js

@@ -1856,6 +1856,211 @@ describe('AuthData Security Tests', () => {
         expect(error.code).toBeDefined();
       }
     });
+
+    it('should reject provider names with prototype pollution attempts', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Try to use constructor as provider name (enumerable by default)
+      try {
+        await user.save(
+          { authData: { constructor: { id: 'test' } } },
+          { sessionToken }
+        );
+        // If it doesn't throw, verify that constructor was not stored as malicious data
+        await user.fetch({ sessionToken });
+        const authData = user.get('authData');
+        // Constructor should not be in authData with our test data
+        // (either rejected or not configured, or stored but not as our test object)
+        if (authData && authData.constructor) {
+          const isOurTestData = typeof authData.constructor === 'object' && 
+                               authData.constructor.id === 'test';
+          expect(isOurTestData).toBe(false);
+        }
+      } catch (error) {
+        // Should reject with INVALID_KEY_NAME (either from validateAuthData or diffAuthData)
+        // If provider is not configured, may throw UNSUPPORTED_SERVICE, which is also acceptable
+        expect([Parse.Error.INVALID_KEY_NAME, Parse.Error.UNSUPPORTED_SERVICE]).toContain(error.code);
+        if (error.code === Parse.Error.INVALID_KEY_NAME) {
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+
+      // Try to use prototype as provider name
+      try {
+        await user.save(
+          { authData: { prototype: { id: 'test' } } },
+          { sessionToken }
+        );
+        // If it doesn't throw, verify that prototype was not stored as malicious data
+        await user.fetch({ sessionToken });
+        const authData = user.get('authData');
+        // Prototype should not be in authData with our test data
+        // (either rejected or not configured, or stored but not as our test object)
+        if (authData && authData.prototype) {
+          const isOurTestData = typeof authData.prototype === 'object' && 
+                               authData.prototype.id === 'test';
+          expect(isOurTestData).toBe(false);
+        }
+      } catch (error) {
+        // Should reject with INVALID_KEY_NAME (either from validateAuthData or diffAuthData)
+        // If provider is not configured, may throw UNSUPPORTED_SERVICE, which is also acceptable
+        expect([Parse.Error.INVALID_KEY_NAME, Parse.Error.UNSUPPORTED_SERVICE]).toContain(error.code);
+        if (error.code === Parse.Error.INVALID_KEY_NAME) {
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+
+      // Note: __proto__ is not enumerable by default in Object.keys(),
+      // so it won't be processed by diffAuthData. However, if it were
+      // enumerable (via Object.defineProperty with enumerable: true),
+      // it would be rejected by our validation. This is acceptable because
+      // normal object literals don't have enumerable __proto__.
+    });
+
+    it('should reject provider names with NoSQL injection attempts', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Try to use dots in provider name (NoSQL injection)
+      const maliciousProviders = [
+        'gpgames.id',
+        'gpgames.access_token',
+        'provider.name.field',
+        'test.test',
+      ];
+
+      for (const maliciousProvider of maliciousProviders) {
+        try {
+          await user.save(
+            { authData: { [maliciousProvider]: { id: 'test' } } },
+            { sessionToken }
+          );
+          fail(`Should have rejected provider name with dots: ${maliciousProvider}`);
+        } catch (error) {
+          expect(error.code).toBe(Parse.Error.INVALID_KEY_NAME);
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+    });
+
+    it('should reject provider names with special characters', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Try various special characters
+      const maliciousProviders = [
+        'provider-name', // hyphen
+        'provider name', // space
+        'provider@name', // @
+        'provider#name', // #
+        'provider$name', // $
+        'provider[name]', // brackets
+        'provider{name}', // braces
+        'provider/name', // slash
+        'provider\\name', // backslash
+        'provider.name', // dot
+        '123provider', // starts with number
+        '', // empty string
+      ];
+
+      for (const maliciousProvider of maliciousProviders) {
+        try {
+          await user.save(
+            { authData: { [maliciousProvider]: { id: 'test' } } },
+            { sessionToken }
+          );
+          fail(`Should have rejected invalid provider name: ${maliciousProvider}`);
+        } catch (error) {
+          expect(error.code).toBe(Parse.Error.INVALID_KEY_NAME);
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+    });
+
+    it('should accept valid provider names', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Valid provider names should work
+      const validProviders = [
+        'gpgames',
+        'instagram',
+        'provider_name',
+        'providerName',
+        'ProviderName',
+        'provider123',
+        'p',
+        'provider_name_123',
+      ];
+
+      for (const validProvider of validProviders) {
+        // Skip if provider is not configured (will fail with different error)
+        if (validProvider === 'gpgames' || validProvider === 'instagram') {
+          continue;
+        }
+
+        try {
+          await user.save(
+            { authData: { [validProvider]: { id: 'test' } } },
+            { sessionToken }
+          );
+          // Should not throw INVALID_KEY_NAME error
+          // May throw UNSUPPORTED_SERVICE if provider not configured, which is expected
+        } catch (error) {
+          // Should not be INVALID_KEY_NAME for valid provider names
+          expect(error.code).not.toBe(Parse.Error.INVALID_KEY_NAME);
+        }
+      }
+    });
+
+    it('should prevent injection when linking multiple providers', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Try to link malicious provider name
+      // Use constructor which should be enumerable
+      try {
+        await user.save(
+          {
+            authData: {
+              constructor: { id: 'test' },
+            },
+          },
+          { sessionToken }
+        );
+        // If it doesn't throw, verify that constructor was not stored
+        await user.fetch({ sessionToken });
+        const authData = user.get('authData');
+        // Constructor should not be in authData (either rejected or not configured)
+        const hasConstructor = authData && authData.constructor && 
+                              typeof authData.constructor === 'object' && 
+                              authData.constructor.id === 'test';
+        expect(hasConstructor).toBe(false);
+      } catch (error) {
+        // Should reject with INVALID_KEY_NAME (either from validateAuthData or diffAuthData)
+        // If provider is not configured, may throw UNSUPPORTED_SERVICE, which is also acceptable
+        expect([Parse.Error.INVALID_KEY_NAME, Parse.Error.UNSUPPORTED_SERVICE]).toContain(error.code);
+        if (error.code === Parse.Error.INVALID_KEY_NAME) {
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+    });
   });
 });
 

spec/Users.authdata.security.spec.js

@@ -78,7 +78,7 @@ describe('AuthData Delta Behavior', () => {
       expect(authData.gpgames).toBeUndefined();
     });
 
-    // Level 1.1: Дополнительные способы создания пользователя
+    // Level 1.1: Additional user creation methods
     it('should create user with code only (without id)', async () => {
       // Note: gpgames adapter requires id for getUserFromAccessToken URL construction
       // This test documents that code-only login is not fully supported by gpgames adapter
@@ -191,7 +191,7 @@ describe('AuthData Delta Behavior', () => {
       expect(authData.instagram.id).toBe('I1');
     });
 
-    // Level 1.2: Тесты на удаление провайдеров
+    // Level 1.2: Provider unlinking tests
     it('should unlink provider when it\'s the only one', async () => {
       const user = await Parse.User.logInWith('gpgames', {
         authData: { id: MOCK_USER_ID, code: 'C1' },
@@ -305,7 +305,7 @@ describe('AuthData Delta Behavior', () => {
       expect(authData.gpgames && authData.gpgames.id).toBe(MOCK_USER_ID);
     });
 
-    // Level 2.1: Множественные провайдеры (3+)
+    // Level 2.1: Multiple providers (3+)
     it('should handle three providers: add, update, unlink', async () => {
       const user = await Parse.User.logInWith('gpgames', {
         authData: { id: MOCK_USER_ID, code: 'C1' },
@@ -398,7 +398,7 @@ describe('AuthData Delta Behavior', () => {
       expect(authData.other).toBeDefined();
     });
 
-    // Level 2.2: Частичные обновления
+    // Level 2.2: Partial updates
     it('should update only one provider when multiple exist', async () => {
       const user = await Parse.User.logInWith('gpgames', {
         authData: { id: MOCK_USER_ID, code: 'C1' },
@@ -646,7 +646,7 @@ describe('AuthData Delta Behavior', () => {
       expect(authData.instagram && authData.instagram.id).toBe('I1');
     });
 
-    // Level 4.1: Комбинации code/id
+    // Level 4.1: code/id combinations
     it('should handle code without id (merge from baseAuthData)', async () => {
       const user = await Parse.User.logInWith('gpgames', {
         authData: { id: MOCK_USER_ID, code: 'C1' },
@@ -780,7 +780,7 @@ describe('AuthData Delta Behavior', () => {
       mockHappyPath();
     });
 
-    // Level 4.2: Граничные случаи с пустым authData
+    // Level 4.2: Edge cases with empty authData
     it('should handle empty authData object', async () => {
       const user = await Parse.User.signUp(TEST_USERNAME, TEST_PASSWORD);
       const sessionToken = user.getSessionToken();
@@ -854,7 +854,7 @@ describe('AuthData Delta Behavior', () => {
       expect(authData.instagram).toBeUndefined();
     });
 
-    // Level 4.3: Последовательные обновления
+    // Level 4.3: Sequential updates
     it('should preserve unchanged providers across updates', async () => {
       const user = await Parse.User.logInWith('gpgames', {
         authData: { id: MOCK_USER_ID, code: 'C1' },
@@ -916,7 +916,7 @@ describe('AuthData Delta Behavior', () => {
       expect(authData.instagram).toBeDefined();
     });
 
-    // Level 4.4: Ошибки валидации
+    // Level 4.4: Validation errors
     it('should reject invalid code during update', async () => {
       const user = await Parse.User.logInWith('gpgames', {
         authData: { id: MOCK_USER_ID, code: 'C1' },