feat: Add Parse.File option maxUploadSize to override the Parse Server option maxUploadSize per file upload

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

Add Parse.File option maxUploadSize to override the Parse Server option maxUploadSize per file upload

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features

  • Per-request file upload size override for uploads (requires master key and respects IP allowlist).

• Tests

  • Added tests covering streaming and buffered uploads, override enforcement, invalid override handling, and related security checks.

• Chores

  • Bumped Parse dependency to 8.5.0.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3a5ebe74-cc70-4094-81ef-042127f997d0

📥 Commits

Reviewing files that changed from the base of the PR and between 55aa10d and 50ac3cf.

📒 Files selected for processing (1)

• spec/ParseFile.spec.js

🚧 Files skipped from review as they are similar to previous changes (1)

• spec/ParseFile.spec.js

---

📝 Walkthrough

Walkthrough

Adds a master-key/IP-validated per-request maxUploadSize override via X-Parse-File-Max-Upload-Size, enforces it in body-parsing/streaming upload paths, adds tests for override behavior (REST and SDK), and bumps parse dependency from 8.4.0 to 8.5.0.

Changes

Cohort / File(s)	Summary
Dependency Update package.json	Bumped parse dependency from 8.4.0 to 8.5.0.
Feature Tests spec/ParseFile.spec.js	Added "maxUploadSize override" tests covering streaming and buffered uploads, master-key and IP-allowlist validation, invalid override values, limit enforcement, REST and SDK save paths.
File Upload Middleware src/Routers/FilesRouter.js	Added _earlyHeadersMiddleware() to parse/validate X-Parse-File-Max-Upload-Size (checks appId/masterKey and masterKeyIps), expose req._maxUploadSizeOverride; integrated into POST /files/:filename; updated _bodyParsingMiddleware and streaming/non-streaming paths to respect per-request overrides and set req._maxUploadSizeBytes.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Router as FilesRouter
    participant Early as _earlyHeadersMiddleware
    participant Body as _bodyParsingMiddleware
    participant Storage as FileStorage

    Client->>Router: POST /files/:filename with X-Parse-File-Max-Upload-Size
    Router->>Early: run early headers middleware
    Early->>Early: validate appId & masterKey (and masterKeyIps)
    alt valid override & credentials
        Early->>Router: set req._maxUploadSizeOverride
        Router->>Body: parse body (streaming or raw)
        Body->>Body: compute effective max bytes (override or default)
        Body->>Storage: stream or buffer data, enforcing limit
        alt within limit
            Storage-->>Client: 201 Created / success
        else exceeds limit
            Body-->>Client: FILE_SAVE_ERROR (exceeds)
        end
    else invalid credentials or header
        Early-->>Client: 403 Forbidden or FILE_SAVE_ERROR (invalid override)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: Add support for streaming file upload via Buffer, Readable, ReadableStream #10065: Modifies src/Routers/FilesRouter.js and streaming/body-parsing logic; directly related to upload-size enforcement and streaming handling.
• feat: Add support for Parse.File.setDirectory, setMetadata, setTags with stream-based file upload #10092: Adds header-driven preprocessing to FilesRouter (directory/metadata/tags); overlaps with early header middleware insertion and request preprocessing.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main feature being added: a per-file upload override for the Parse Server maxUploadSize setting.
Description check	✅ Passed	The description follows the template structure with Issue and Tasks sections completed. However, two tasks remain pending: security check and Parse JS SDK error codes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.41.0)

spec/ParseFile.spec.js

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

src/Routers/FilesRouter.js (2)

238-246: Optional: add a README note for the new override option.

The inline code docs are good; a short README mention for Parse.File maxUploadSize would improve discoverability for users.

Based on learnings: For new Parse Server features, checking README documentation is recommended, while new option documentation is optional rather than required.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Routers/FilesRouter.js` around lines 238 - 246, Add a short README entry
documenting the new per-request upload size override (header
`X-Parse-File-Max-Upload-Size`) and how to use it (requires master key, same
format as server option like "50mb"/"1gb", and maps to
`req._maxUploadSizeOverride` used by `_bodyParsingMiddleware`), referencing
FilesRouter middleware behavior in `FilesRouter.js` so users can discover the
feature and its security requirement.

---

247-273: Prefer shared auth validation to avoid drift.

This block re-implements master-key/IP validation inline. Extracting/reusing a shared auth validator would reduce behavioral drift from Middlewares.handleParseHeaders over time (especially around logging and future auth-path changes).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Routers/FilesRouter.js` around lines 247 - 273, This inline master-key/IP
validation in _earlyHeadersMiddleware duplicates logic from
Middlewares.handleParseHeaders and risks drift; replace the custom checks by
delegating to the shared auth validator (or refactor the common logic into a new
Middlewares.validateParseHeaders or similar) so header parsing, master-key
loading (Config.loadMasterKey), and IP checks (Middlewares.checkIp) and their
error handling are centralized; update _earlyHeadersMiddleware to call that
shared validator and propagate/return the resulting sanitized HTTP error
responses (status and JSON) instead of reimplementing the checks locally,
ensuring identical logging and future behavior.

package.json (1)

51-51: Suggested PR title for changelog clarity

feat(files): allow per-upload maxUploadSize override in Parse.File

Based on learnings: For Parse Server PRs, suggest an Angular commit convention PR title using type(scope): description.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 51, Update the PR title to follow the Angular commit
convention and be descriptive: use "feat(files): allow per-upload maxUploadSize
override in Parse.File" as the PR/commit title; ensure the scope is "files" and
the subject references "Parse.File" and the ability to override maxUploadSize
per upload so changelogs and package updates (e.g., related to the "parse":
"8.5.0" dependency change) pick up the feature correctly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Routers/FilesRouter.js`:
- Around line 291-298: The code uses the logical OR operator and thus treats a
zero-valued override as falsy; update the two instances that read
req._maxUploadSizeOverride in FilesRouter (the branch that sets
req._maxUploadSizeBytes and the branch that computes limit) to use the nullish
coalescing operator (??) instead of || so an explicit 0 override is preserved
(keep defaultMaxBytes from parseSizeToBytes and maxUploadSize as the fallback
values).

---

Nitpick comments:
In `@package.json`:
- Line 51: Update the PR title to follow the Angular commit convention and be
descriptive: use "feat(files): allow per-upload maxUploadSize override in
Parse.File" as the PR/commit title; ensure the scope is "files" and the subject
references "Parse.File" and the ability to override maxUploadSize per upload so
changelogs and package updates (e.g., related to the "parse": "8.5.0" dependency
change) pick up the feature correctly.

In `@src/Routers/FilesRouter.js`:
- Around line 238-246: Add a short README entry documenting the new per-request
upload size override (header `X-Parse-File-Max-Upload-Size`) and how to use it
(requires master key, same format as server option like "50mb"/"1gb", and maps
to `req._maxUploadSizeOverride` used by `_bodyParsingMiddleware`), referencing
FilesRouter middleware behavior in `FilesRouter.js` so users can discover the
feature and its security requirement.
- Around line 247-273: This inline master-key/IP validation in
_earlyHeadersMiddleware duplicates logic from Middlewares.handleParseHeaders and
risks drift; replace the custom checks by delegating to the shared auth
validator (or refactor the common logic into a new
Middlewares.validateParseHeaders or similar) so header parsing, master-key
loading (Config.loadMasterKey), and IP checks (Middlewares.checkIp) and their
error handling are centralized; update _earlyHeadersMiddleware to call that
shared validator and propagate/return the resulting sanitized HTTP error
responses (status and JSON) instead of reimplementing the checks locally,
ensuring identical logging and future behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 433d7a16-858e-4eb6-bc9a-b9097fa599be

📥 Commits

Reviewing files that changed from the base of the PR and between 792af37 and a46ac62.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• package.json
• spec/ParseFile.spec.js
• src/Routers/FilesRouter.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.22%. Comparing base (ca666b0) to head (50ac3cf).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10093      +/-   ##
==========================================
- Coverage   92.63%   92.22%   -0.42%     
==========================================
  Files         191      191              
  Lines       15804    15831      +27     
  Branches      180      180              
==========================================
- Hits        14640    14600      -40     
- Misses       1152     1215      +63     
- Partials       12       16       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.5.0-alpha.2