Fetching users with react-moralis and masterkey not fetching complete collection

Hi everyone!

I am using react-moralis with the useMoralis() hook and start it within the context of a MoralisContext.

const { Moralis } = useMoralis();

// Some function context after render (called with onClick event)
async function fetchUsers() {
    Moralis.start({
        appId: process.env.NEXT_PUBLIC_APP_ID,
        serverUrl: process.env.NEXT_PUBLIC_SERVER_URL,
        masterKey: process.env.NEXT_PUBLIC_MASTER_KEY
    })
    const query = new Moralis.Query("_User");
    const nUsers = await query.count({ useMasterKey: true })
    console.log(`Found ${nUsers} users`)

    const users = await query.find({ useMasterKey: true })
    console.log(users)
}

Observation:
Received only the currently logged-in user. (#1)

Expectation:
Receive all users in the _User collection.

Thank you for any hints on what went wrong.

  • I noticed a dangerouslyUseOfMasterKey in the MoralisProvider. Is it required for use with Moralis.start({...opts})? Setting the dangerouslyUseOfMasterKey in the provider alone did not help.

ps: It would be nice to be able to exercise administrative tasks in the development context without creating cloud functions for it. But if it’s not possible I assume the only way to achieve administrative tasks is either using moralis/node as server side services or cloud functions?

Yes, you cannot use the master key in the front end. If you could use the master key in the front end, then any user could modify anything in the database.

I’m aware of this security implication and only run it in development with a statically built admin route.

It could be a nice feature if it would be admitted. Maybe adding some extra precautions to make the setup more difficult and avoiding accidental leakage, but nevertheless having the option to use it would make things much smoother from a development perspective.

Also, can you elaborate on the purpose of the dangerouslyUseOfMasterKey option. Is it just a residual, legacy parameter? Or can it be used somehow?

I don’t know about that parameter. It must be something directly from parse server code.

I decided to use electron with a native nodejs framework to facilitate administrative operations.

Thanks for your fast response and help.

Cheers!

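On the thread's point about accidental leakage, an added example (not from the original posts or from Moralis): Next.js inlines every `NEXT_PUBLIC_`-prefixed variable into the browser bundle, so a pre-build check can flag secret-looking names such as the `NEXT_PUBLIC_MASTER_KEY` used in the question. The parser, the name heuristic and the sample values are assumptions constructed for illustration.

```javascript
// Added example: flag secret-looking variables that Next.js would expose to the browser.
// Next.js inlines every NEXT_PUBLIC_* variable into the client-side bundle.
const PUBLIC_PREFIX = "NEXT_PUBLIC_";
// Assumed naming heuristic; extend it to match your own conventions.
const SECRET_NAME = /(MASTER_?KEY|SECRET|PRIVATE_?KEY|PASSWORD|TOKEN)/i;

// Minimal .env parser: KEY=value lines, optional "export ", comments, quotes.
function parseEnv(text) {
  const vars = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) return; // not a KEY=value line
    let value = m[2].trim();
    const quoted = /^(["'])(.*)\1$/.exec(value);
    if (quoted) value = quoted[2];
    else value = value.replace(/\s+#.*$/, ""); // strip trailing comment
    vars.push({ name: m[1], value, line: i + 1 });
  });
  return vars;
}

// Returns the public variables whose names look like secrets and that carry a value.
function findExposedSecrets(text) {
  return parseEnv(text)
    .filter((v) => v.name.startsWith(PUBLIC_PREFIX))
    .filter((v) => SECRET_NAME.test(v.name.slice(PUBLIC_PREFIX.length)))
    .filter((v) => v.value !== "") // an empty value leaks nothing
    .map((v) => ({ name: v.name, line: v.line }));
}

// Constructed sample .env content; all values are placeholders.
const SAMPLE_ENV = [
  "# client-side settings",
  "NEXT_PUBLIC_APP_ID=placeholder-app-id",
  "NEXT_PUBLIC_SERVER_URL=https://example.invalid/server",
  'NEXT_PUBLIC_MASTER_KEY="placeholder-master-key"',
  "export MASTER_KEY=placeholder-master-key  # server-only, not exposed",
  "NEXT_PUBLIC_API_TOKEN=",
].join("\n");

const findings = findExposedSecrets(SAMPLE_ENV);
for (const f of findings) {
  console.log(`line ${f.line}: ${f.name} would be shipped to the browser`);
}
```

Run against a project's real `.env` files before `next build`, a non-empty result is a reason to fail the build and move the key to server-side code.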