feat: Add option to disable sanitizedError

[coratgerl]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

This PR introduces a new configuration option, disableSanitizeError, to the ParseServerOptions interface. When enabled (disableSanitizeError: true), the server will return detailed error messages to clients instead of the generic "Permission denied" message. This can be useful for debugging or development environments where detailed feedback is required.

Summary by CodeRabbit

• New Features

  • Added disableSanitizeError option to control whether detailed error messages are returned (default: sanitized "Permission denied").

• Tests

  • Added tests covering sanitized vs. detailed error behavior under different configuration scenarios.

• Bug Fixes

  • File endpoint now returns a clearer "Invalid application ID." response for invalid app ID requests.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new ParseServer option disableSanitizeError and threads request/server config through error-construction helpers so sanitized errors can return detailed messages when configured; call sites and a few signatures (internal) updated to pass config to sanitization helpers.

Changes

Cohort / File(s)	Summary
Configuration & Options src/Options/Definitions.js, src/Options/docs.js, src/Options/index.js	Introduces disableSanitizeError option (env PARSE_SERVER_DISABLE_SANITIZE_ERROR, default false) and documents it in options/docs.
Error Construction Core src/Error.js	createSanitizedError and createSanitizedHttpError now accept optional config and use config.disableSanitizeError to decide whether to return detailed messages or the generic "Permission denied".
GraphQL utilities & loaders src/GraphQL/parseGraphQLUtils.js, src/GraphQL/loaders/schemaQueries.js, src/GraphQL/loaders/schemaMutations.js, src/GraphQL/loaders/usersQueries.js	enforceMasterKeyAccess signature extended to accept config; callers updated to pass config so errors include config-driven sanitization context.
REST routers (read-only/master/session paths) src/Routers/ClassesRouter.js, src/Routers/FilesRouter.js, src/Routers/GlobalConfigRouter.js, src/Routers/GraphQLRouter.js, src/Routers/PurgeRouter.js, src/Routers/PushRouter.js, src/Routers/SchemasRouter.js, src/Routers/UsersRouter.js	Many createSanitizedError call sites updated to pass req.config. FilesRouter now returns an inline JSON response for invalid app IDs (message changed to "Invalid application ID.") instead of using createSanitizedError.
REST request handlers & role/security checks src/RestQuery.js, src/RestWrite.js, src/SharedRest.js, src/rest.js	enforceRoleSecurity extended to accept config; calls and error constructions updated to propagate config through role/security and protected-field error paths.
Controllers & middleware src/Controllers/SchemaController.js, src/middlewares.js	Schema controller retrieves Config.get(Parse.applicationId) and passes config into sanitized-error creation; master-key enforcement/middleware now passes request config to createSanitizedHttpError.
Tests spec/ParseFile.spec.js, spec/Utils.spec.js	Tests updated: invalid app ID message assertion changed to "Invalid application ID."; added tests for createSanitizedError/createSanitizedHttpError behavior when sanitization is enabled/disabled; Utils import path adjusted to lib and Error helpers imported for tests.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Router as Router / Middleware
  participant AppConfig as req.config
  participant ErrorHelper as createSanitizedError

  Client->>Router: request (auth/session)
  Router->>AppConfig: obtain req.config
  alt unauthorized / forbidden
    Router->>ErrorHelper: createSanitizedError(code, detailedMsg, req.config)
    ErrorHelper-->>Router: error with message = (req.config.disableSanitizeError ? detailedMsg : "Permission denied")
    Router-->>Client: HTTP error response (sanitized per config)
  else allowed
    Router-->>Client: normal response
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

• Breadth: many call-site edits are repetitive (propagating config), but must verify consistency.
• Focus review on:
  • src/Error.js sanitization conditional and logging behavior.
  • Signature change for enforceMasterKeyAccess / enforceRoleSecurity and all updated callers.
  • FilesRouter change that replaced sanitized error with inline JSON.
  • Tests in spec/Utils.spec.js and spec/ParseFile.spec.js for correctness of both sanitize modes.

Possibly related PRs

• fix: Server internal error details leaking in error messages returned to clients #9937 — Prior work on sanitized-error handling; overlapping changes to error construction and call sites.
• feat: Add request context middleware for config and dependency injection in hooks #8480 — Related propagation of request config (req.config) via middleware and routers.

Suggested reviewers

• mtrezza

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description fails to include the required 'Issue' section with a link to close an issue. It describes the approach but omits the mandatory Closes field that the template requires.	Add the 'Closes: #ISSUE_NUMBER' field to link this PR to the relevant GitHub issue as specified in the template.
Docstring Coverage	⚠️ Warning	Docstring coverage is 64.29% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main feature: adding an option to disable sanitized error messages. It directly reflects the core objective of the PR.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coratgerl]

@mtrezza @Moumouls Here is the PR :)

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

src/RestWrite.js (1)

193-214: User/class permission errors now obey disableSanitizeError

Using createSanitizedError(this.config) in:

• validateClientClassCreation (non-existent client classes),
• checkRestrictedFields (manual emailVerified updates), and
• runDatabaseOperation (unauthenticated _User updates)

keeps the default behavior but allows detailed messages when disableSanitizeError is true. Note that, with the flag enabled, these messages will expose class names, field names, and user objectIds; that’s fine for debugging but should be documented as dev/debug-only guidance for production operators.

Also applies to: 659-671, 1457-1463

src/RestQuery.js (1)

414-435: Query-time OPERATION_FORBIDDEN errors now use createSanitizedError with config

In _UnsafeRestQuery.validateClientClassCreation and denyProtectedFields, switching to createSanitizedError(..., this.config) brings read-side permission failures (non-existent classes, querying protected fields) in line with write-side behavior. With disableSanitizeError = true, clients will see which class/field was blocked, so it’s worth calling out in docs that this flag is intended for development/debugging rather than locked-down production environments.

Also applies to: 789-812

src/Error.js (2)

3-10: Update Error helper JSDoc for the new config / disableSanitizeError behavior

The docblocks for createSanitizedError and createSanitizedHttpError still describe only two parameters and don’t mention the config argument or that config.disableSanitizeError controls whether the detailed message is returned. Updating the JSDoc to document the third parameter and its effect will avoid confusion for contributors reading this file.

Also applies to: 22-29

---

1-44: Ensure disableSanitizeError is exposed in Options and regenerated definitions

Since this module now relies on config.disableSanitizeError, please double‑check that:

• src/Options/index.js exposes a disableSanitizeError Parse Server option, and
• npm run definitions has been run so src/Options/docs.js and src/Options/Definitions.js include it.

README.md documentation for the new option is optional but would be helpful for users enabling detailed errors in development. Based on learnings, this is the expected process for new Parse Server options.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 73e7812 and 50592d7.

📒 Files selected for processing (24)

• spec/ParseFile.spec.js (1 hunks)
• spec/Utils.spec.js (2 hunks)
• src/Controllers/SchemaController.js (3 hunks)
• src/Error.js (3 hunks)
• src/GraphQL/loaders/schemaMutations.js (3 hunks)
• src/GraphQL/loaders/schemaQueries.js (2 hunks)
• src/GraphQL/loaders/usersQueries.js (2 hunks)
• src/GraphQL/parseGraphQLUtils.js (1 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (1 hunks)
• src/RestQuery.js (4 hunks)
• src/RestWrite.js (4 hunks)
• src/Routers/ClassesRouter.js (1 hunks)
• src/Routers/FilesRouter.js (1 hunks)
• src/Routers/GlobalConfigRouter.js (1 hunks)
• src/Routers/GraphQLRouter.js (1 hunks)
• src/Routers/PurgeRouter.js (1 hunks)
• src/Routers/PushRouter.js (1 hunks)
• src/Routers/SchemasRouter.js (3 hunks)
• src/Routers/UsersRouter.js (3 hunks)
• src/SharedRest.js (2 hunks)
• src/middlewares.js (2 hunks)
• src/rest.js (7 hunks)

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/docs.js
• src/Options/index.js
• src/Options/Definitions.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/docs.js
• src/Options/index.js
• src/Options/Definitions.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/ParseFile.spec.js
• spec/Utils.spec.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/GraphQL/parseGraphQLUtils.js
• src/Routers/GraphQLRouter.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• src/RestQuery.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/Utils.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/Utils.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/Utils.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/Utils.spec.js

🧬 Code graph analysis (8)

src/GraphQL/loaders/usersQueries.js (2)

src/Routers/GlobalConfigRouter.js (1)

• config (9-9)

src/middlewares.js (3)

• config (208-208)
• config (642-642)
• config (644-644)

src/RestWrite.js (3)

src/Controllers/SchemaController.js (1)

• config (724-724)

src/middlewares.js (3)

• config (208-208)
• config (642-642)
• config (644-644)

src/cloud-code/Parse.Cloud.js (2)

• config (602-602)
• config (690-690)

src/GraphQL/parseGraphQLUtils.js (1)

src/middlewares.js (4)

• enforceMasterKeyAccess (503-511)
• config (208-208)
• config (642-642)
• config (644-644)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

src/Controllers/SchemaController.js (2)

src/Routers/GlobalConfigRouter.js (1)

• config (9-9)

src/Config.js (1)

• Config (40-829)

src/SharedRest.js (2)

src/Controllers/SchemaController.js (2)

• config (724-724)
• Parse (18-18)

src/middlewares.js (3)

• config (208-208)
• config (642-642)
• config (644-644)

src/GraphQL/loaders/schemaQueries.js (2)

src/GraphQL/parseGraphQLUtils.js (1)

• enforceMasterKeyAccess (5-13)

src/middlewares.js (4)

• enforceMasterKeyAccess (503-511)
• config (208-208)
• config (642-642)
• config (644-644)

src/GraphQL/loaders/schemaMutations.js (1)

src/GraphQL/parseGraphQLUtils.js (1)

• enforceMasterKeyAccess (5-13)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: Redis Cache
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 22
• GitHub Check: Node 18
• GitHub Check: Node 20
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Docker Build
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

🔇 Additional comments (29)

src/Controllers/SchemaController.js (4)

1402-1402: LGTM! Config retrieval pattern is appropriate.

Retrieving the config via Config.get(Parse.applicationId) is the correct pattern for this static method context where instance state is not available. The config is then properly propagated to all error construction calls below.

---

1408-1418: LGTM! Error construction properly includes config context.

Both error paths correctly pass the config as the third argument to createSanitizedError, enabling the new disableSanitizeError option to control error sanitization for authentication-related permission failures.

---

1432-1436: LGTM! Operation forbidden error properly includes config.

The error construction correctly passes the config context, allowing the sanitization behavior to be controlled by the disableSanitizeError option.

---

1456-1460: LGTM! Final permission error properly includes config.

The error construction correctly passes the config context for this final permission denial path.

src/Routers/PushRouter.js (1)

12-18: LGTM! Error construction properly includes config context.

The read-only masterKey error path correctly passes req.config as the third argument to createSanitizedError, enabling the new disableSanitizeError option to control error sanitization.

src/Routers/PurgeRouter.js (1)

8-14: LGTM! Error construction properly includes config context.

The read-only masterKey error path correctly passes req.config as the third argument to createSanitizedError, enabling the new disableSanitizeError option to control error sanitization.

src/GraphQL/loaders/schemaQueries.js (2)

29-45: LGTM! MasterKey enforcement properly includes config context.

The enforceMasterKeyAccess call correctly passes both auth and config parameters, matching the updated function signature. This enables the error thrown by enforceMasterKeyAccess to respect the disableSanitizeError configuration option.

---

56-70: LGTM! MasterKey enforcement properly includes config context.

The enforceMasterKeyAccess call correctly passes both auth and config parameters, matching the updated function signature. This enables the error thrown by enforceMasterKeyAccess to respect the disableSanitizeError configuration option.

src/Routers/GlobalConfigRouter.js (1)

43-50: LGTM! Error construction properly includes config context.

The read-only masterKey error path correctly passes req.config as the third argument to createSanitizedError, enabling the new disableSanitizeError option to control error sanitization.

src/Options/docs.js (1)

40-40: LGTM! Documentation is clear and accurate.

The documentation clearly describes the purpose of the disableSanitizeError option. Based on learnings, ensure that this file was generated by running npm run definitions rather than manually edited, as this file should be auto-generated from the definitions in src/Options/index.js.

Based on learnings, for new Parse Server options, verify that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js.

src/Options/index.js (1)

350-352: Verification complete—option definitions properly generated.

All required components are in place:

• ✓ Option documented in src/Options/index.js (lines 350-352)
• ✓ Definition in src/Options/Definitions.js (lines 202-207) with environment variable PARSE_SERVER_DISABLE_SANITIZE_ERROR, parser, help text, and default value
• ✓ Documentation in src/Options/docs.js (line 40)

The npm run definitions has been executed, and all changes are correctly reflected.

src/Routers/GraphQLRouter.js (1)

17-22: LGTM!

The config parameter is correctly passed to createSanitizedError, enabling config-aware error sanitization for read-only masterKey restrictions.

spec/ParseFile.spec.js (1)

769-779: LGTM!

The test correctly validates the new error handling behavior where invalid application IDs now return detailed error messages instead of the generic "Permission denied" response.

src/Routers/ClassesRouter.js (1)

109-116: LGTM!

The config parameter is correctly propagated to createSanitizedError for the invalid object ID restriction.

src/Routers/SchemasRouter.js (1)

73-81: LGTM!

The config parameter is correctly passed to all three schema operation error paths (create, update, delete) for read-only masterKey restrictions.

Also applies to: 96-104, 113-120

src/GraphQL/loaders/schemaMutations.js (1)

29-42: LGTM!

The GraphQL schema mutations correctly propagate the config parameter to both enforceMasterKeyAccess and createSanitizedError, ensuring consistent config-aware error handling across CreateClass, UpdateClass, and DeleteClass operations.

Also applies to: 79-92, 131-144

src/middlewares.js (1)

503-511: LGTM!

Both middleware functions correctly pass the config parameter to createSanitizedHttpError for master key access enforcement.

Also applies to: 513-518

spec/Utils.spec.js (2)

1-2: LGTM!

The import changes are correct. Tests should import from ../lib (compiled code) rather than ../src.

---

178-204: LGTM!

The test suites comprehensively validate the new disableSanitizeError functionality for both createSanitizedError and createSanitizedHttpError, covering both enabled and disabled states.

src/Options/Definitions.js (1)

202-208: No issues found. Option is properly documented and definitions are in sync.

The disableSanitizeError option is correctly documented in src/Options/index.js (lines 350–352) and present in both src/Options/docs.js and src/Options/Definitions.js with synchronized descriptions, indicating that npm run definitions has been executed.

src/Routers/UsersRouter.js (1)

173-201: Config-aware sanitized errors in UsersRouter look correct

Using req.config in the createSanitizedError calls for /users/me and /loginAs correctly aligns these paths with the new disableSanitizeError option without changing authorization logic.

Also applies to: 336-343

src/GraphQL/parseGraphQLUtils.js (1)

5-13: GraphQL master-key enforcement now supports disableSanitizeError via config

Passing config into createSanitizedError here is consistent with REST/middleware behavior; just ensure all enforceMasterKeyAccess call sites have been updated to provide the new config argument so the helper doesn’t receive undefined.

src/SharedRest.js (1)

12-44: enforceRoleSecurity now config-aware; behavior preserved

Wiring config through enforceRoleSecurity and into createSanitizedError for installation/master-only/read-only cases cleanly integrates the new sanitization flag without altering existing permission checks.

src/RestWrite.js (1)

31-38: Constructor read-only master key guard aligned with sanitization helper

Throwing createSanitizedError with config when auth.isReadOnly blocks writes from the read-only master key in all call sites and ensures the new disableSanitizeError option applies consistently here as well.

src/GraphQL/loaders/usersQueries.js (1)

9-13: Config passed into sanitized INVALID_SESSION_TOKEN errors for GraphQL viewer

Both the early “no session token” branch and the “no user found” branch now call createSanitizedError with config, matching REST and UsersRouter behavior while enabling disableSanitizeError.

Also applies to: 55-67

src/rest.js (2)

137-149: Propagating config into enforceRoleSecurity across REST verbs

find, get, del, create, and update now pass config into enforceRoleSecurity, so all class-level and read-only master-key permission denials participate in the disableSanitizeError behavior without changing which operations are allowed.

Also applies to: 152-164, 176-177, 267-268, 276-277

---

193-263: handleSessionMissingError now emits config-aware SESSION_MISSING errors

Using handleSessionMissingError(error, className, auth, config) in the del and update chains and mapping _User OBJECT_NOT_FOUND errors to createSanitizedError(Parse.Error.SESSION_MISSING, 'Insufficient auth.', config) preserves the previous semantics while letting operators opt into detailed messages via disableSanitizeError; the synchronous throw inside the helper still correctly rethrows from the Promise catch.

Also applies to: 322-331

src/RestQuery.js (1)

39-80: RestQuery role enforcement and _Session INVALID_SESSION_TOKEN now config-aware

Calling enforceRoleSecurity(method, className, auth, config) and using createSanitizedError(..., config) when a non-master user queries _Session ensures both role-based access control and invalid-session errors respect the new disableSanitizeError flag, with no change to the underlying authorization rules.

Also applies to: 121-139

src/Error.js (1)

11-20: ****

The concern about missing config parameters is unfounded. Verification of all call sites in the codebase shows:

• 40+ calls to createSanitizedError — every single one passes a config parameter (config, this.config, or req.config)
• 2 calls to createSanitizedHttpError — both pass request.config or req.config
• Tests pass, confirming that function signatures and call sites are aligned

There are no legacy or future call sites that pass only (code, message) or undefined. The functions are correctly called throughout the codebase.

Minor note: The JSDoc comments in Error.js (lines 8–10, 27–28) do not document the config parameter, but this is a documentation gap, not a functional issue.

Likely an incorrect or invalid review comment.

[codecov]

Codecov Report

❌ Patch coverage is 85.18519% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.75%. Comparing base (d4c6de0) to head (a0a32ee).
⚠️ Report is 1 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/Routers/UsersRouter.js	0.00%	2 Missing ⚠️
src/GraphQL/loaders/usersQueries.js	50.00%	1 Missing ⚠️
src/rest.js	88.88%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #9944      +/-   ##
==========================================
+ Coverage   93.08%   93.75%   +0.66%     
==========================================
  Files         188      188              
  Lines       15298    15297       -1     
  Branches      177      177              
==========================================
+ Hits        14240    14341     +101     
+ Misses       1046      944     -102     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

spec/Utils.spec.js (1)

178-214: Good coverage of config-driven behavior; consider tightening test names

The new specs nicely cover:

• default/sanitized behavior (disableSanitizeError false or missing), and
• detailed behavior (disableSanitizeError true)
  for both createSanitizedError and createSanitizedHttpError.

Two minor nits:

• The first test names say "false or undefined" but only cover false; undefined is covered separately. You could rename to "when disableSanitizeError is false" for clarity.
• The "should not crash with config undefined" tests are also verifying that the message is sanitized; renaming to something like "should sanitize message when config is undefined" would better describe the assertion.

Also, these tests rely on a global Parse (for Parse.Error.OPERATION_FORBIDDEN), which is standard in this repo; just confirm there’s no intention to change that test setup.

src/Error.js (1)

11-20: Update JSDoc to document the new config parameter

The new config argument is not yet reflected in the JSDoc. To keep tooling and future readers aligned with the implementation, consider adding it, e.g.:

/**
 * @param {Object} [config] - Parse Server config; when config.disableSanitizeError is true,
 *   the detailed message is exposed to the client instead of being sanitized.
 */
function createSanitizedError(errorCode, detailedMessage, config) {

Same applies to the JSDoc above createSanitizedHttpError.

If you want to be strict that only an explicit boolean true disables sanitization, you could also tighten the condition to config?.disableSanitizeError === true, but the current truthy check is fine if that’s the intended semantics.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 50592d7 and a0a32ee.

📒 Files selected for processing (2)

• spec/Utils.spec.js (2 hunks)
• src/Error.js (3 hunks)

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/Utils.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/Utils.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/Utils.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/Utils.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/Utils.spec.js

🧬 Code graph analysis (2)

spec/Utils.spec.js (1)

src/Error.js (1)

• error (38-38)

src/Error.js (1)

src/middlewares.js (5)

• config (208-208)
• config (642-642)
• config (644-644)
• error (252-252)
• error (505-505)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Node 20
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 22
• GitHub Check: Node 18
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

🔇 Additional comments (2)

spec/Utils.spec.js (1)

1-2: Import updates look consistent with lib build usage

Requiring ../lib/Utils and ../lib/Error aligns these tests with the built artifacts; this looks fine and keeps tests exercising the same entry points as production.

src/Error.js (1)

30-41: Config-driven sanitization logic is correct; ensure option wiring/docs are in sync

The HTTP helper mirrors the Parse.Error helper correctly:

• always logs the detailed message server-side, and
• conditionally exposes the detailed message vs "Permission denied" to clients based on config?.disableSanitizeError.

This matches the intended disableSanitizeError behavior. Given this is controlled by a config flag that can weaken error-hiding, please ensure:

• The new option is clearly described as development/debug only in the relevant docs (Options docs and, optionally, README).
• src/Options/index.js, src/Options/docs.js, and src/Options/Definitions.js are consistent and that npm run definitions has been run so generated files match the source. Based on learnings, this is the expected workflow for new options.

Behavior itself looks good.

[Moumouls]

LGTM

[Moumouls]

@mtrezza do we need to be enable by default or not ?

Use case A:

• Developers notice issue on error messages (now sanitazed) and check here in github to add the option to re enable full message

Use case B:

• We disable sanitize by default, and for PS8 it's just en opt-in

Basically, does the option should be an opt-in or an opt-out ?