Labels: state:breaking (Breaking change requires major version increment and `BREAKING CHANGE` commit message), type:feature (New feature or improvement of existing feature)
Description
New Feature / Enhancement
Problem
Parse Dashboard can be started without configuring any users. In this mode, the dashboard is accessible without authentication. While the /parse-dashboard-config.json endpoint blocks remote access in this mode with the message "Configure a user to access Parse Dashboard remotely", other endpoints such as /apps/:appId/agent do not apply the same restriction.
This inconsistency creates a defense-in-depth gap. The no-user mode inherently exposes sensitive configuration including the master key to any client without authentication. Rather than patching each new endpoint to handle this mode, the mode itself should be deprecated.
Proposal
- Deprecation warning: When no users are configured, log a prominent deprecation warning on startup indicating that no-user mode will be removed in a future major release.
- Consistent access control: Until removal, apply the same remote access restriction (localhost-only) that `/parse-dashboard-config.json` uses to all sensitive endpoints, including `/apps/:appId/agent`; done in "feat: Enforce remote access restrictions on `agent` endpoint" #3255.
- Removal: In a future major version, require at least one user to be configured. Remove no-user mode entirely.
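One way to implement the interim steps of the proposal (a startup deprecation warning plus a localhost-only check on sensitive endpoints when no users are configured), as an added example that is not Parse Dashboard's own code. It assumes an Express-like request object exposing `req.path` and `req.socket.remoteAddress`, a dashboard config object carrying a `users` array, and a sensitive-route list and warning text modelled on the issue; the sample requests are constructed. The decision is kept in a pure function so the policy can be tested without starting an HTTP server.

```javascript
// Added example, not Parse Dashboard's own code: a guard for "no-user mode"
// written in the shape of an Express middleware. Assumptions: an Express-like
// request (req.path, req.socket.remoteAddress), a config with a `users` array,
// and a route list / messages modelled on the issue text.

// Loopback addresses as Node reports them, including the IPv4-mapped IPv6
// form that dual-stack listeners produce for IPv4 clients.
const LOCAL_ADDRESSES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Paths that hand out app configuration (master key included). The agent
// route pattern is the one named in the issue; the list itself is an assumption.
const SENSITIVE_ROUTES = [
  /^\/parse-dashboard-config\.json$/,
  /^\/apps\/[^/]+\/agent(?:\/|$)/,
];

const REMOTE_DENIED_MESSAGE = 'Configure a user to access Parse Dashboard remotely';

function hasConfiguredUsers(config) {
  return Array.isArray(config.users) && config.users.length > 0;
}

function isLocalRequest(remoteAddress) {
  return LOCAL_ADDRESSES.has(remoteAddress);
}

function isSensitivePath(path) {
  return SENSITIVE_ROUTES.some((route) => route.test(path));
}

// Pure decision function: returns what the middleware would do for a request.
// Order matters: configured users take the normal auth path, non-sensitive
// routes are untouched, and only remote access to sensitive routes is denied.
function decideNoUserMode(config, { path, remoteAddress }) {
  if (hasConfiguredUsers(config)) {
    return { action: 'allow', reason: 'users-configured' };
  }
  if (!isSensitivePath(path)) {
    return { action: 'allow', reason: 'not-sensitive' };
  }
  if (isLocalRequest(remoteAddress)) {
    return { action: 'allow', reason: 'localhost' };
  }
  return { action: 'deny', status: 403, reason: REMOTE_DENIED_MESSAGE };
}

// Startup check: emit the deprecation warning when no users are configured.
// Returns true when the warning was emitted so callers can assert on it.
function warnIfNoUserMode(config, logger = console) {
  if (hasConfiguredUsers(config)) return false;
  logger.warn(
    'DEPRECATED: Parse Dashboard is running without any configured users. ' +
    'No-user mode serves app configuration (including master keys) without ' +
    'authentication and will be removed in a future major release. ' +
    'Configure at least one user.'
  );
  return true;
}

// Express-style middleware factory built on the pure decision above.
// req.socket.remoteAddress is the TCP peer: behind a reverse proxy that is the
// proxy, not the client, so the check belongs on the dashboard's own listener
// and must not be inferred from a client-controlled X-Forwarded-For header.
function noUserModeGuard(config) {
  return (req, res, next) => {
    const decision = decideNoUserMode(config, {
      path: req.path,
      remoteAddress: req.socket && req.socket.remoteAddress,
    });
    if (decision.action === 'deny') {
      res.status(decision.status).json({ success: false, error: decision.reason });
      return;
    }
    next();
  };
}

// Constructed sample requests (not real traffic) exercising each branch.
const SAMPLE_REQUESTS = [
  { path: '/apps/myApp/agent', remoteAddress: '203.0.113.7' },       // remote, sensitive
  { path: '/apps/myApp/agent', remoteAddress: '127.0.0.1' },         // local, sensitive
  { path: '/parse-dashboard-config.json', remoteAddress: '::1' },    // local IPv6, sensitive
  { path: '/some/static/asset.js', remoteAddress: '203.0.113.7' },   // remote, not sensitive
];

// Returns the action taken for each sample request under the given config.
function evaluateSamples(config = { users: [] }) {
  return SAMPLE_REQUESTS.map((req) => decideNoUserMode(config, req).action);
}
```

Wire it in with `app.use(noUserModeGuard(config))` ahead of the sensitive routes and call `warnIfNoUserMode(config)` once at startup; because the route list is centralised, a newly added endpoint that exposes app configuration only needs an entry in `SENSITIVE_ROUTES` rather than its own no-user handling.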
Rationale
- No-user mode has no security boundary — the master key is served to any client without authentication.
- Every new endpoint must independently remember to handle the no-user case, which is error-prone.
- Requiring user configuration is a minimal operational burden and aligns with security best practices.
- This avoids recurring reports about endpoints being accessible without authentication in no-user mode.