feat: Add Parse Server option verifyServerUrl to disable server URL verification on server launch

[Moumouls]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Adds a new Parse Server option skipVerifyServerUrl that allows skipping the automatic server URL verification that occurs on the mount event.

This option is useful in environments where the server URL is not accessible from the server itself:

• Running behind a firewall
• Containerized environments with network restrictions
• Test environments (Jest, etc.) where the verification may cause issues or unnecessary delays

Closes: FILL_THIS_OUT

Approach

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features

  • Added a new configuration option verifyServerUrl (env: PARSE_SERVER_VERIFY_SERVER_URL). When false, the server URL verification step during startup is skipped. Default: true.

• Documentation

  • Added documentation for the new verifyServerUrl option and its default/usage guidance.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

❌ Please fill out all fields with a placeholder FILL_THIS_OUT. If a field does not apply to the pull request, fill in n/a or delete the line.

[coderabbitai]

Warning

Rate limit exceeded

@mtrezza has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 9 minutes and 13 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 7816504 and 804b334.

📒 Files selected for processing (3)

• src/Options/Definitions.js (3 hunks)
• src/Options/docs.js (2 hunks)
• src/Options/index.js (2 hunks)

📝 Walkthrough

Walkthrough

Adds a new boolean option verifyServerUrl (default true) to the public ParseServer options and docs, and makes startup skip awaiting ParseServer.verifyServerUrl() only when options.verifyServerUrl is explicitly false.

Changes

Cohort / File(s)	Summary
Options: definitions src/Options/Definitions.js	Added verifyServerUrl option: env PARSE_SERVER_VERIFY_SERVER_URL, boolean parser (parsers.booleanParser), help text, default true, exported on ParseServerOptions.
Options: docs src/Options/docs.js	Added verifyServerUrl JSDoc/property to ParseServerOptions with descriptive explanation and default.
Options: public types src/Options/index.js, types/Options/index.d.ts	Added verifyServerUrl to the ParseServerOptions interface/type as an optional/nullable boolean.
Runtime: startup control flow src/ParseServer.ts	Conditionalized awaiting of ParseServer.verifyServerUrl() during startup: the verification call is awaited unless options.verifyServerUrl === false (i.e., only skipped when explicitly false).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Caller as Caller
  participant PS as ParseServer.startApp
  participant API as express app / mount handler
  participant Verifier as ParseServer.verifyServerUrl

  Caller ->> PS: startApp(options)
  PS ->> API: configure listeners / mount callbacks

  alt options.verifyServerUrl === false
    API --x Verifier: verification skipped (not awaited)
    Note right of API #DDF2E9: startup proceeds without self-call
  else
    API ->> Verifier: await verifyServerUrl()
    Verifier -->> API: verification result
  end

  API ->> PS: continue startup

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Pay attention to: src/ParseServer.ts startup flow changes and any callers relying on verification timing; src/Options/Definitions.js env parsing/default; types/Options/index.d.ts and src/Options/index.js typings consistency.

Possibly related PRs

• fix: Server URL verification before server is ready #9882 — Adjusts when verifyServerUrl() is invoked during startup; strongly related to the conditionalization introduced here.

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description does not adequately follow the required template structure. While the author provides useful context about the change (use cases for skipping verification), this information is placed in the Issue section instead of the required Approach section, which remains completely empty. Additionally, the Issue section has not been filled out with an actual issue link—it still contains the placeholder text "Closes: FILL_THIS_OUT". These are structural requirements of the template that have not been met.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "feat: Add Parse Server option verifyServerUrl to disable server URL verification on server launch" clearly and specifically summarizes the primary change in this PR. The raw summary confirms that the main objective is adding a new verifyServerUrl option to ParseServerOptions across multiple files, and the title accurately reflects this. The title is concise, uses appropriate semantic versioning prefix ("feat:"), and is specific enough that a teammate scanning the repository history would understand the primary change.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/Options/Definitions.js (1)

596-602: Consider adding a security warning to the documentation.

The option definition is technically correct and follows the established pattern. However, given the security implications of bypassing server URL verification, consider strengthening the documentation with an explicit warning.

Apply this diff to add a security note:

   skipVerifyServerUrl: {
     env: 'PARSE_SERVER_SKIP_VERIFY_SERVER_URL',
     help:
-      'Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.<br><br>Default is `false`.',
+      'Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.<br><br>⚠️ Only enable this option when necessary, as server URL verification helps detect configuration errors early. Skipping verification may hide issues that could affect Cloud Code and push notifications.<br><br>Default is `false`.',
     action: parsers.booleanParser,
     default: false,
   },

src/ParseServer.ts (1)

377-382: Consider adding a log message when verification is skipped.

The conditional logic correctly skips verification when skipVerifyServerUrl is true. However, adding an informational log message would help with debugging and make it clear to operators that verification was intentionally skipped.

Apply this diff to add logging:

       // verify the server url after a 'mount' event is received
       /* istanbul ignore next */
       if (!skipVerifyServerUrl) {
         api.on('mount', async function () {
           await new Promise(resolve => setTimeout(resolve, 1000));
           ParseServer.verifyServerUrl();
         });
+      } else {
+        const logger = (logging as any).logger;
+        logger.info('Server URL verification is disabled via skipVerifyServerUrl option');
       }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 115e76e and 32b27db.

📒 Files selected for processing (5)

• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (1 hunks)
• src/ParseServer.ts (2 hunks)
• types/Options/index.d.ts (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 64-64: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: Node 20
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Redis Cache
• GitHub Check: Docker Build
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Code Analysis (javascript)

🔇 Additional comments (5)

types/Options/index.d.ts (1)

125-125: LGTM! TypeScript declaration is correct.

The TypeScript declaration for skipVerifyServerUrl follows the established pattern for optional boolean properties in the ParseServerOptions interface.

src/Options/index.js (1)

60-64: LGTM! Flow interface declaration is correct.

The Flow type declaration and documentation for skipVerifyServerUrl are properly formatted and match the patterns used throughout this file.

Note: The Biome static analysis error about the ? token is a false positive—Biome is not configured to parse Flow syntax.

src/ParseServer.ts (2)

299-306: LGTM! Option destructuring is correct.

The skipVerifyServerUrl option is properly destructured alongside other configuration options.

---

377-382: Address remaining PR objectives before merge

• No tests cover the new skipVerifyServerUrl option; add specs verifying that verifyServerUrl is skipped when this flag is true.
• External documentation (e.g. README.md or docs site) wasn’t updated; please add or update docs for this feature.
• The planned security check for server URL validation is missing; confirm and implement the required check.
• New Parse Error codes for the JS SDK have not been added; specify which codes and include them in a follow-up commit or PR.

src/Options/docs.js (1)

106-106: LGTM! Documentation follows established patterns.

The JSDoc documentation for skipVerifyServerUrl is properly formatted and aligns with the documentation in other files.

Note: If the security warning suggestion for src/Options/Definitions.js is accepted, this documentation should be updated to match.

[codecov]

Codecov Report

❌ Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.01%. Comparing base (f49efaf) to head (804b334).
⚠️ Report is 3 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/ParseServer.ts	33.33%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #9881      +/-   ##
==========================================
- Coverage   93.02%   93.01%   -0.01%     
==========================================
  Files         187      187              
  Lines       15161    15163       +2     
  Branches      176      177       +1     
==========================================
+ Hits        14103    14104       +1     
- Misses       1046     1047       +1     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mtrezza]

I'm not against the new option, but I think the original bug is that ParseServer.verifyServerUrl(); is called in api.on('mount'). It should be called once PS has started up and with await as part of the start-up routine. So moving the verification to another place should solve the issue. If we also want to add a new option to disable the check altogether, I'm all for it.

See #9882 for how this may be fixed. Feel free to incorporate the changes into your PR, or I'll simply merge my PR and then we can merge yours with only the new option.

[Moumouls]

So moving the verification to another place should solve the issue.

@mtrezza it worked nice before but i seems that Daniel added the timeout to stabilize something, and even if we move the code elsewhere the timeout will still be a problem and introduce a latency of 1sec on each test, if developers use isolated test, the impact of perf is huge.

[mtrezza]

@Moumouls Did you take a look at my PR? No timeout needed. It's clear why the timeout was added - because the verification should not actually happen on mounting but on startup.

[Moumouls]

feel free to close this one @mtrezza if you feel your PR resolve the issue and the verifyUrl on stratup with expo backoff works.

I think your approach is better than mine :)

[mtrezza]

@Moumouls sorry, I was just proposing that my PR may solve the root cause. Did you try it out? I've merged #9882 so you can use the alpha release.

If you want to add the option to disable the verification, feel free to rebase and we can merge. However, the issue you originally opened this PR for should be solved with #9882.

[Moumouls]

i think the option is still useful @mtrezza i'll refresh this PR :)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/Options/index.js (1)

60-64: LGTM! Clear documentation and correct implementation.

The new option is well-documented with clear use cases and follows the established patterns in the codebase. The safe default (false) ensures verification runs unless explicitly disabled.

Note on static analysis: The Biome error flagging the ? at line 64 is a false positive—?boolean is valid Flow syntax for an optional boolean type.

Optional security consideration: While the documentation is clear, you might consider adding a brief note emphasizing that when skipping verification, operators should manually ensure serverURL is correctly configured, as skipping the check could mask misconfigurations that would otherwise surface early.

Consider this optional enhancement to the documentation:

-  /* Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.
+  /* Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.
+  <br><br>
+  ⚠️ When skipping verification, ensure that `serverURL` is correctly configured, as misconfigurations will not be detected automatically.
   <br><br>
   Default is `false`.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 32b27db and 74c4bda.

📒 Files selected for processing (4)

• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (1 hunks)
• src/ParseServer.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• src/Options/docs.js
• src/ParseServer.ts
• src/Options/Definitions.js

🧰 Additional context used

🪛 Biome (2.1.2)

src/Options/index.js

[error] 64-64: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: Node 20
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Redis Cache
• GitHub Check: Docker Build

[mtrezza]

@Moumouls I've made some changes to the docs here, with your insights that these 2 features require PS to call itself:

• verify url
• post request for file upload inside Graphql mutation system

I think with that it looks good to merge, what do you think?

[parseplatformorg]

🎉 This change has been released in version 8.3.0-alpha.12