build: Release (#3226)

Author: mtrezza

.github/workflows/ci-automated-check-environment.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 20
           cache: npm
       - name: Install dependencies
         run: npm ci

.github/workflows/ci.yml

@@ -102,8 +102,6 @@ jobs:
     strategy:
       matrix:
         include:
-          - name: Node 18
-            NODE_VERSION: 18.20.4
           - name: Node 20
             NODE_VERSION: 20.18.0
           - name: Node 22

Parse-Dashboard/CLI/mfa.js

@@ -1,8 +1,11 @@
 const crypto = require('crypto');
-let inquirer = require('inquirer');
-if (inquirer.default) {
-  inquirer = inquirer.default;
-}
+let inquirer;
+const loadInquirer = async () => {
+  if (!inquirer) {
+    const mod = await import('inquirer');
+    inquirer = mod.default || mod;
+  }
+};
 const OTPAuth = require('otpauth');
 const { copy } = require('./utils.js');
 const phrases = {
@@ -11,9 +14,10 @@ const phrases = {
   enterAppName: 'Enter the app name:',
 }
 const getAlgorithm = async () => {
+  await loadInquirer();
   let { algorithm } = await inquirer.prompt([
     {
-      type: 'list',
+      type: 'select',
       name: 'algorithm',
       message: 'Which hashing algorithm do you want to use?',
       default: 'SHA1',
@@ -141,6 +145,7 @@ const showInstructions = ({ app, username, passwordCopied, encrypt, config }) =>
 
 module.exports = {
   async createUser() {
+    await loadInquirer();
     const data = {};
 
     console.log('');
@@ -210,6 +215,7 @@ module.exports = {
     showInstructions({ app: data.app, username, passwordCopied: true, encrypt, config });
   },
   async createMFA() {
+    await loadInquirer();
     console.log('');
     const { username, app } = await inquirer.prompt([
       {

Parse-Dashboard/app.js

@@ -158,7 +158,8 @@ module.exports = function(config, options) {
               }
 
               if (typeof app.masterKey === 'function') {
-                app.masterKey = await ConfigKeyCache.get(app.appId, 'masterKey', app.masterKeyTtl, app.masterKey);
+                const cacheKey = matchingAccess.readOnly ? 'readOnlyMasterKey' : 'masterKey';
+                app.masterKey = await ConfigKeyCache.get(app.appId, cacheKey, app.masterKeyTtl, app.masterKey);
               }
 
               return app;
@@ -197,9 +198,11 @@ module.exports = function(config, options) {
     // In-memory conversation storage (consider using Redis in future)
     const conversations = new Map();
 
-    // Agent API endpoint for handling AI requests - scoped to specific app
-    app.post('/apps/:appId/agent', async (req, res) => {
+    // Agent API endpoint handler
+    async function agentHandler(req, res) {
       try {
+        const authentication = req.user;
+
         const { message, modelName, conversationId, permissions } = req.body || {};
         const { appId } = req.params;
 
@@ -221,11 +224,40 @@ module.exports = function(config, options) {
         }
 
         // Find the app in the configuration
-        const app = config.apps.find(app => (app.appNameForURL || app.appName) === appId);
-        if (!app) {
+        const appConfig = config.apps.find(a => (a.appNameForURL || a.appName) === appId);
+        if (!appConfig) {
           return res.status(404).json({ error: `App "${appId}" not found` });
         }
 
+        // Cross-app access control — restrict to apps the authenticated user has access to
+        const appsUserHasAccess = authentication && authentication.appsUserHasAccessTo;
+        let isPerAppReadOnly = false;
+        if (appsUserHasAccess) {
+          const matchingAccess = appsUserHasAccess.find(access => access.appId === appConfig.appId);
+          if (!matchingAccess) {
+            return res.status(403).json({ error: 'Forbidden: you do not have access to this app' });
+          }
+          isPerAppReadOnly = !!matchingAccess.readOnly;
+        }
+
+        // Determine if the user is read-only (globally or per-app)
+        const isReadOnly = (authentication && authentication.isReadOnly) || isPerAppReadOnly;
+
+        // Build the app context — always shallow copy to avoid mutating the shared config
+        const appContext = { ...appConfig };
+        if (isReadOnly) {
+          if (!appConfig.readOnlyMasterKey) {
+            return res.status(400).json({ error: 'You need to provide a readOnlyMasterKey to use read-only features.' });
+          }
+          appContext.masterKey = appConfig.readOnlyMasterKey;
+        }
+
+        // Resolve function-typed masterKey (supports dynamic key rotation via ConfigKeyCache)
+        if (typeof appContext.masterKey === 'function') {
+          const cacheKey = isReadOnly ? 'readOnlyMasterKey' : 'masterKey';
+          appContext.masterKey = await ConfigKeyCache.get(appContext.appId, cacheKey, appContext.masterKeyTtl, appContext.masterKey);
+        }
+
         // Find the requested model
         const modelConfig = config.agent.models.find(model => model.name === modelName);
         if (!modelConfig) {
@@ -258,8 +290,12 @@ module.exports = function(config, options) {
         // Array to track database operations for this request
         const operationLog = [];
 
+        // Read-only users: override client permissions to deny all write operations,
+        // preventing privilege escalation via self-authorized permissions in the request body
+        const effectivePermissions = isReadOnly ? {} : (permissions || {});
+
         // Make request to OpenAI API with app context and conversation history
-        const response = await makeOpenAIRequest(message, model, apiKey, app, conversationHistory, operationLog, permissions);
+        const response = await makeOpenAIRequest(message, model, apiKey, appContext, conversationHistory, operationLog, effectivePermissions);
 
         // Update conversation history with user message and AI response
         conversationHistory.push(
@@ -280,7 +316,7 @@ module.exports = function(config, options) {
           conversationId: finalConversationId,
           debug: {
             timestamp: new Date().toISOString(),
-            appId: app.appId,
+            appId: appContext.appId,
             modelUsed: model,
             operations: operationLog
           }
@@ -291,7 +327,19 @@ module.exports = function(config, options) {
         const errorMessage = error.message || 'Provider error';
         res.status(500).json({ error: `Error: ${errorMessage}` });
       }
-    });
+    }
+
+    // Agent API endpoint — middleware chain: auth check (401) → CSRF validation (403) → handler
+    app.post('/apps/:appId/agent',
+      (req, res, next) => {
+        if (users && (!req.user || !req.user.isAuthenticated)) {
+          return res.status(401).json({ error: 'Unauthorized' });
+        }
+        next();
+      },
+      Authentication.csrfProtection,
+      agentHandler
+    );
 
     /**
      * Database function tools for the AI agent
@@ -1115,7 +1163,7 @@ You have direct access to the Parse database through function calls, so you can
     });
 
     // For every other request, go to index.html. Let client-side handle the rest.
-    app.get('{*splat}', function(req, res) {
+    app.get('{*splat}', Authentication.csrfProtection, function(req, res) {
       if (users && (!req.user || !req.user.isAuthenticated)) {
         const redirect = req.url.replace('/login', '');
         if (redirect.length > 1) {
@@ -1139,6 +1187,7 @@ You have direct access to the Parse database through function calls, so you can
         </head>
         <body>
           <div id="browser_mount"></div>
+          <script id="csrf" type="application/json">"${req.csrfToken()}"</script>
           <script src="${mountPath}bundles/dashboard.bundle.js"></script>
         </body>
       </html>

README.md

@@ -6,7 +6,7 @@
 [![Build Status](https://github.com/parse-community/parse-dashboard/workflows/ci/badge.svg?branch=release)](https://github.com/parse-community/parse-dashboard/actions?query=workflow%3Aci+branch%3Arelease)
 [![Snyk Badge](https://snyk.io/test/github/parse-community/parse-dashboard/badge.svg)](https://snyk.io/test/github/parse-community/parse-dashboard)
 
-[![Node Version](https://img.shields.io/badge/nodejs-18,_20,_22,_24-green.svg?logo=node.js&style=flat)](https://nodejs.org/)
+[![Node Version](https://img.shields.io/badge/nodejs-20,_22,_24-green.svg?logo=node.js&style=flat)](https://nodejs.org/)
 [![auto-release](https://img.shields.io/badge/%F0%9F%9A%80-auto--release-9e34eb.svg)](https://github.com/parse-community/parse-dashboard/releases)
 
 [![npm latest version](https://img.shields.io/npm/v/parse-dashboard/latest.svg)](https://www.npmjs.com/package/parse-dashboard)
@@ -164,7 +164,6 @@ Parse Dashboard is continuously tested with the most recent releases of Node.js
 
 | Version    | Minimum version | End-of-Life | Compatible |
 |------------|----------------|-------------|------------|
-| Node.js 18 | 18.20.4        | May 2025    | ✅ Yes      |
 | Node.js 20 | 20.18.0        | April 2026  | ✅ Yes      |
 | Node.js 22 | 22.9.0         | April 2027  | ✅ Yes      |
 | Node.js 24 | 24.0.0         | April 2028  | ✅ Yes      |
@@ -1560,11 +1559,52 @@ A drop-down to select a single item from a list.
 | Parameter | Value  | Optional | Description                      |
 |-----------|--------|----------|----------------------------------|
 | `element`    | `String` | No       | Must be `"dropDown"`.         |
+| `name`       | `String` | No       | The key used in `formData`.   |
 | `label`     | `String` | No       | The display label shown next to the dropdown. |
+| `description` | `String` | Yes      | Secondary text below the label. |
 |  `items` | `Array` | No | The selectable options. |
 |  `items[].title` | `String` | No | The display text of the option. |
 |  `items[].value` | `String` | No | The value of the option. |
 
+###### Checkbox
+
+A checkbox for boolean input.
+
+| Parameter | Value  | Optional | Default | Description                      |
+|-----------|--------|----------|---------|----------------------------------|
+| `element`     | `String` | No       | -       | Must be `"checkbox"`.         |
+| `name`        | `String` | No       | -       | The key used in `formData`.   |
+| `label`       | `String` | No       | -       | The display label.            |
+| `description` | `String` | Yes      | -       | Secondary text below the label. |
+| `default`     | `Boolean`| Yes      | `false` | The initial checked state.    |
+
+###### Toggle
+
+A toggle switch for boolean input.
+
+| Parameter    | Value    | Optional | Default | Description                      |
+|-------------|----------|----------|---------|----------------------------------|
+| `element`      | `String` | No       | -       | Must be `"toggle"`.           |
+| `name`         | `String` | No       | -       | The key used in `formData`.   |
+| `label`        | `String` | No       | -       | The display label.            |
+| `description`  | `String` | Yes      | -       | Secondary text below the label. |
+| `default`      | `Boolean`| Yes      | `false` | The initial toggle state.     |
+| `labelTrue`    | `String` | Yes      | `"Yes"` | Label for the `true` side.    |
+| `labelFalse`   | `String` | Yes      | `"No"`  | Label for the `false` side.   |
+
+###### Text Input
+
+A single-line text input.
+
+| Parameter    | Value    | Optional | Default | Description                      |
+|-------------|----------|----------|---------|----------------------------------|
+| `element`      | `String` | No       | -       | Must be `"textInput"`.        |
+| `name`         | `String` | No       | -       | The key used in `formData`.   |
+| `label`        | `String` | No       | -       | The display label.            |
+| `description`  | `String` | Yes      | -       | Secondary text below the label. |
+| `placeholder`  | `String` | Yes      | `""`    | Placeholder text.             |
+| `default`      | `String` | Yes      | `""`    | The initial value.            |
+
 ### Graph
 
 ▶️ *Core > Browser > Graph*

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,64 @@
+# [9.0.0-alpha.8](https://github.com/parse-community/parse-dashboard/compare/9.0.0-alpha.7...9.0.0-alpha.8) (2026-02-19)
+
+
+### Bug Fixes
+
+* Incomplete authentication on AI Agent endpoint ([GHSA-qwc3-h9mg-4582](https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582)) ([#3224](https://github.com/parse-community/parse-dashboard/issues/3224)) ([f92a9ef](https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50))
+
+# [9.0.0-alpha.7](https://github.com/parse-community/parse-dashboard/compare/9.0.0-alpha.6...9.0.0-alpha.7) (2026-02-19)
+
+
+### Features
+
+* Add option to block saving Cloud Config parameter if validation fails ([#3225](https://github.com/parse-community/parse-dashboard/issues/3225)) ([41691aa](https://github.com/parse-community/parse-dashboard/commit/41691aafbd516a3e63cf30a1739e30985e7ca4ea))
+
+# [9.0.0-alpha.6](https://github.com/parse-community/parse-dashboard/compare/9.0.0-alpha.5...9.0.0-alpha.6) (2026-02-17)
+
+
+### Features
+
+* Add Regex string validation when editing Cloud Config parameter ([#3222](https://github.com/parse-community/parse-dashboard/issues/3222)) ([067b9d1](https://github.com/parse-community/parse-dashboard/commit/067b9d114aa0f6de24940fa6d4a2b3e667c8b3b5))
+
+# [9.0.0-alpha.5](https://github.com/parse-community/parse-dashboard/compare/9.0.0-alpha.4...9.0.0-alpha.5) (2026-02-14)
+
+
+### Bug Fixes
+
+* Cloud Config parameter modal overlays non-printable character info box ([#3221](https://github.com/parse-community/parse-dashboard/issues/3221)) ([983253e](https://github.com/parse-community/parse-dashboard/commit/983253e85e5fe7aefeb34051bebee1ddd2fa4274))
+
+# [9.0.0-alpha.4](https://github.com/parse-community/parse-dashboard/compare/9.0.0-alpha.3...9.0.0-alpha.4) (2026-02-14)
+
+
+### Features
+
+* Add support for reversing info panel auto-scroll direction while holding Command+Option keys ([#3220](https://github.com/parse-community/parse-dashboard/issues/3220)) ([7ebd121](https://github.com/parse-community/parse-dashboard/commit/7ebd1210b47f483182da80b3f2fb31b1c1b4bf16))
+
+# [9.0.0-alpha.3](https://github.com/parse-community/parse-dashboard/compare/9.0.0-alpha.2...9.0.0-alpha.3) (2026-02-13)
+
+
+### Features
+
+* Add support for checkbox, toggle, text input elements to script form ([#3219](https://github.com/parse-community/parse-dashboard/issues/3219)) ([b9366bc](https://github.com/parse-community/parse-dashboard/commit/b9366bc9cf4b24650f991b0883c1ba1f2897969d))
+
+# [9.0.0-alpha.2](https://github.com/parse-community/parse-dashboard/compare/9.0.0-alpha.1...9.0.0-alpha.2) (2026-02-13)
+
+
+### Bug Fixes
+
+* Non-printable character box missing when editing Cloud Config parameter ([#3218](https://github.com/parse-community/parse-dashboard/issues/3218)) ([719ac09](https://github.com/parse-community/parse-dashboard/commit/719ac0948344c8956ccc9bbf8a0242131fc01962))
+
+# [9.0.0-alpha.1](https://github.com/parse-community/parse-dashboard/compare/8.5.0...9.0.0-alpha.1) (2026-02-12)
+
+
+### Features
+
+* Remove Node 18 support ([#3212](https://github.com/parse-community/parse-dashboard/issues/3212)) ([a5c1bb2](https://github.com/parse-community/parse-dashboard/commit/a5c1bb2d597df1e8670aa5f61640fa7961812530))
+
+
+### BREAKING CHANGES
+
+* Removes support for Node 18. ([a5c1bb2](a5c1bb2))
+
 # [8.5.0-alpha.7](https://github.com/parse-community/parse-dashboard/compare/8.5.0-alpha.6...8.5.0-alpha.7) (2026-02-10)