feat: Deprecation DEPPS113: Config option enableInsecureAuthAdapters defaults to false
#9982
+8
−8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
🚀 Thanks for opening this pull request! |
Contributor
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
📝 WalkthroughWalkthroughDocs add a new deprecation entry for Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes
Pre-merge checks and finishing touches❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✨ Finishing touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
mtrezza
changed the title
enableInsecureAuthAdapters defaults to false
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (5)
DEPRECATIONS.md(1 hunks)src/Deprecator/Deprecations.js(1 hunks)src/Options/Definitions.js(1 hunks)src/Options/docs.js(1 hunks)src/Options/index.js(1 hunks)
🧰 Additional context used
🧠 Learnings (7)
📓 Common learnings
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.
📚 Learning: 2025-12-02T08:00:08.440Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).
Applied to files:
DEPRECATIONS.mdsrc/Options/index.jssrc/Options/Definitions.js
📚 Learning: 2025-12-02T08:00:20.138Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.
Applied to files:
DEPRECATIONS.mdsrc/Options/index.jssrc/Options/Definitions.js
📚 Learning: 2025-11-08T13:46:04.940Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.
Applied to files:
src/Options/index.jssrc/Options/docs.jssrc/Options/Definitions.js
📚 Learning: 2025-12-02T06:55:53.808Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.
Applied to files:
src/Options/index.jssrc/Options/Definitions.js
📚 Learning: 2025-11-08T13:46:04.940Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.
Applied to files:
src/Options/index.jssrc/Options/Definitions.js
📚 Learning: 2025-11-17T15:02:48.786Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.
Applied to files:
src/Options/index.js
🧬 Code graph analysis (1)
src/Options/Definitions.js (1)
resources/buildConfigDefinitions.js (1)
parsers(12-12)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
- GitHub Check: PostgreSQL 16, PostGIS 3.5
- GitHub Check: PostgreSQL 18, PostGIS 3.6
- GitHub Check: PostgreSQL 17, PostGIS 3.5
- GitHub Check: Node 22
- GitHub Check: Node 20
- GitHub Check: Redis Cache
- GitHub Check: MongoDB 8, ReplicaSet
- GitHub Check: MongoDB 7, ReplicaSet
- GitHub Check: Docker Build
- GitHub Check: Benchmarks
🔇 Additional comments (4)
src/Options/Definitions.js (1)
244-250: Generated definitions updated correctly; please ensure they were regenerated from src/Options/index.js
The new default (false) and help text look consistent with the intended behavior, but since this is generated code, it should only be changed viasrc/Options/index.js+npm run definitions. Based on learnings, please confirm the generator was run and these files are in sync.src/Options/docs.js (1)
47-48: Docs update is consistent with the new default
The option description and default (false) read consistent with the change.src/Options/index.js (1)
170-173: LGTM; appears to be the correct source-of-truth change for regeneration
This looks like the right place to update the option docs/default sonpm run definitionscan propagate the change. Based on learnings, please ensure Definitions.js/docs.js were regenerated from this.src/Deprecator/Deprecations.js (1)
18-18: The review comment's concern is based on an incorrect assumption about how deprecations are handled. TheDeprecations.jsfile (created with an empty array) is designed for Parse Server option deprecations announced at startup. Runtime warnings for insecure auth adapters are handled independently viaDeprecator.logRuntimeDeprecation()calls in:
src/Config.jsline 573 — logs whenenableInsecureAuthAdapters: true- Individual adapter files (
vkontakte.js,janrainengage.js,phantauth.js,meetup.js,twitter.js) — log when adapters are usedThese runtime warnings remain fully functional and are not affected by the
Deprecations.jsarray. The change does not silence guidance to users.
| | DEPPS10 | Encode `Parse.Object` in Cloud Function and remove option `encodeParseObjectInCloudFunction` | [#8634](https://github.com/parse-community/parse-server/issues/8634) | 6.2.0 (2023) | 9.0.0 (2026) | removed | - | | ||
| | DEPPS11 | Replace `PublicAPIRouter` with `PagesRouter` | [#7625](https://github.com/parse-community/parse-server/issues/7625) | 8.0.0 (2025) | 9.0.0 (2026) | removed | - | | ||
| | DEPPS12 | Database option `allowPublicExplain` defaults to `false` | [#7519](https://github.com/parse-community/parse-server/issues/7519) | 8.5.0 (2025) | 9.0.0 (2026) | removed | - | | ||
| | DEPPS13 | Config option `enableInsecureAuthAdapters` defaults to `false` | [#9667](https://github.com/parse-community/parse-server/pull/9667) | 8.0.0 (2025) | 9.0.0 (2026) | removed | - | |
There was a problem hiding this comment.
DEPRECATIONS.md: DEPPS13 status looks incorrect (“removed” vs “deprecated”)
If enableInsecureAuthAdapters still exists (it does in this PR) and insecure adapters are only deprecated, the status should likely be deprecated, not removed, otherwise readers will assume the option is already gone.
-| DEPPS13 | Config option `enableInsecureAuthAdapters` defaults to `false` | [#9667](https://github.com/parse-community/parse-server/pull/9667) | 8.0.0 (2025) | 9.0.0 (2026) | removed | - |
+| DEPPS13 | Config option `enableInsecureAuthAdapters` defaults to `false` | [#9667](https://github.com/parse-community/parse-server/pull/9667) | 8.0.0 (2025) | 9.0.0 (2026) | deprecated | - |🤖 Prompt for AI Agents
In DEPRECATIONS.md around line 19, the DEPPS13 row incorrectly marks the Config
option `enableInsecureAuthAdapters` as "removed" while the option still exists
and is being deprecated; update that table cell from "removed" to "deprecated"
(and ensure the deprecation/removal version columns remain accurate: keep 8.0.0
(2025) as the deprecation target and 9.0.0 (2026) as the removal target) so
readers understand the option is deprecated rather than already removed.
Member
Author
There was a problem hiding this comment.
That's fine, the table entry was actually missing, so this goes straight to the "removed" state.
There was a problem hiding this comment.
@mtrezza, thank you for the clarification! I understand now – since the deprecation already occurred in an earlier version and the table entry was simply missing, it's appropriate to add it directly with the "removed" status. This makes sense for backfilling the documentation.
🧠 Learnings used
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.
25 tasks
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (1)
spec/SecurityCheckGroups.spec.js (1)
1-113: PR title suggestion (Angular convention):feat(security): default enableInsecureAuthAdapters to false
Based on learnings, this will produce a clearer changelog entry for developers.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
spec/SecurityCheckGroups.spec.js(1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.
📚 Learning: 2025-09-21T15:43:32.265Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.
Applied to files:
spec/SecurityCheckGroups.spec.js
🧬 Code graph analysis (1)
spec/SecurityCheckGroups.spec.js (1)
spec/SecurityCheck.spec.js (1)
config(17-17)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
- GitHub Check: Redis Cache
- GitHub Check: MongoDB 8, ReplicaSet
- GitHub Check: Node 22
- GitHub Check: Node 20
- GitHub Check: MongoDB 7, ReplicaSet
- GitHub Check: PostgreSQL 18, PostGIS 3.6
- GitHub Check: PostgreSQL 16, PostGIS 3.5
- GitHub Check: PostgreSQL 17, PostGIS 3.5
- GitHub Check: Docker Build
- GitHub Check: Benchmarks
🔇 Additional comments (1)
spec/SecurityCheckGroups.spec.js (1)
48-55: The assertion for the "insecure auth adapters" check (index 4) is already present and correct.Setting
config.enableInsecureAuthAdapters = true(Line 52) is the right opt-in for this scenario, and the test does assert the corresponding check at index 4 fails (Line 61). However, the test should note that index 3 ("Users are created without public access" /enforcePrivateUsers) is also implicitly failing but not asserted, since it's not set in the config.If the concern is about brittleness of index-based assertions, that's valid for the entire test suite, but the specific claim that the insecureAuthAdapters check is not being tested is incorrect.
Likely an incorrect or invalid review comment.
mtrezza
added
the
state:breaking
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## alpha #9982 +/- ##
=======================================
Coverage 92.54% 92.54%
=======================================
Files 190 190
Lines 15434 15434
Branches 176 176
=======================================
Hits 14283 14283
Misses 1139 1139
Partials 12 12 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
parseplatformorg
pushed a commit
that referenced
this pull request
Dec 14, 2025
# [9.0.0-alpha.11](9.0.0-alpha.10...9.0.0-alpha.11) (2025-12-14) ### Features * Deprecation DEPPS113: Config option `enableInsecureAuthAdapters` defaults to `false` ([#9982](#9982)) ([22d4622](22d4622)) ### BREAKING CHANGES * This release changes the config option `enableInsecureAuthAdapters` default to `false` (Deprecation DEPPS13). ([22d4622](22d4622))
Contributor
|
🎉 This change has been released in version 9.0.0-alpha.11 |
parseplatformorg
pushed a commit
that referenced
this pull request
Dec 14, 2025
# [9.0.0](8.6.0...9.0.0) (2025-12-14) ### Bug Fixes * Upgrade to GraphQL Apollo Server 5 and restrict GraphQL introspection ([#9888](#9888)) ([87c7f07](87c7f07)) ### Features * Deprecation DEPPS10: Encode `Parse.Object` in Cloud Function and remove option `encodeParseObjectInCloudFunction` ([#9973](#9973)) ([a2d3dbe](a2d3dbe)) * Deprecation DEPPS11: Replace `PublicAPIRouter` with `PagesRouter` ([#9974](#9974)) ([8f877d4](8f877d4)) * Deprecation DEPPS113: Config option `enableInsecureAuthAdapters` defaults to `false` ([#9982](#9982)) ([22d4622](22d4622)) * Deprecation DEPPS12: Database option `allowPublicExplain` defaults to `false` ([#9975](#9975)) ([c1c7e69](c1c7e69)) * Increase required minimum MongoDB version to `7.0.16` ([#9971](#9971)) ([7bb548b](7bb548b)) * Increase required minimum Node version to `20.19.0` ([#9970](#9970)) ([633964d](633964d)) * Increase required minimum version to Postgres `16`, PostGIS `3.5` ([#9972](#9972)) ([7483add](7483add)) * Update route patterns to use path-to-regexp v8 syntax ([#9942](#9942)) ([fa8723b](fa8723b)) * Upgrade to @parse/push-adapter 8.1.0 ([#9938](#9938)) ([d5e76b0](d5e76b0)) * Upgrade to parse 8.0.0 ([#9976](#9976)) ([f9970d4](f9970d4)) ### BREAKING CHANGES * This release changes the config option `enableInsecureAuthAdapters` default to `false` (Deprecation DEPPS13). ([22d4622](22d4622)) * This release changes the MongoDB database option `allowPublicExplain` default to `false` (Deprecation DEPPS12). ([c1c7e69](c1c7e69)) * This release replaces `PublicAPIRouter` with `PagesRouter` (Deprecation DEPPS11). ([8f877d4](8f877d4)) * This release encodes `Parse.Object` in Cloud Function and removes option `encodeParseObjectInCloudFunction` (Deprecation DEPPS10). ([a2d3dbe](a2d3dbe)) * This releases increases the required minimum version to Postgres `16`, PostGIS `3.5`. ([7483add](7483add)) * Route pattern syntax across cloud routes and rate-limiting now use the new path-to-regexp v8 syntax; see the [migration guide](https://github.com/parse-community/parse-server/blob/alpha/9.0.0.md) for more details. ([fa8723b](fa8723b)) * This releases increases the required minimum MongoDB version to `7.0.16`. ([7bb548b](7bb548b)) * Upgrade to Apollo Server 5 and GraphQL express 5 integration; GraphQL introspection now requires using `masterKey` or setting `graphQLPublicIntrospection: true`. ([87c7f07](87c7f07)) * This releases increases the required minimum Node version to `20.19.0`. ([633964d](633964d))
Contributor
|
🎉 This change has been released in version 9.0.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
BREAKING CHANGE: This release changes the config option
enableInsecureAuthAdaptersdefault tofalse(Deprecation DEPPS13).Summary by CodeRabbit
Deprecations
Documentation
Tests
✏️ Tip: You can customize this high-level summary in your review settings.