feat: Deprecate GraphQL Playground that exposes master key in HTTP response

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

Closes: #10110

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• Documentation
  • Marked GraphQL Playground options as deprecated with planned removal; added entries to deprecations docs and updated user-facing help/warning text to recommend Parse Dashboard or third‑party GraphQL clients with custom headers.
• Tests
  • Added tests to verify deprecation warning/logging behavior for Playground-related options and removed-key cases.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c89ae0b0-5f4a-44a1-bc86-f7924e2c7adf

📥 Commits

Reviewing files that changed from the base of the PR and between c48b80e and f1288de.

📒 Files selected for processing (6)

• DEPRECATIONS.md
• src/Deprecator/Deprecations.js
• src/Options/Definitions.js
• src/Options/docs.js
• src/Options/index.js
• src/ParseServer.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• src/Options/Definitions.js
• src/Deprecator/Deprecations.js

---

📝 Walkthrough

Walkthrough

Adds deprecations for GraphQL Playground options (mountPlayground, playgroundPath), updates deprecation detection and message logic in the Deprecator to only warn when removed-option keys are present, updates user-facing texts, and adds tests for the new logging behavior.

Changes

Cohort / File(s)	Summary
Deprecation notes DEPRECATIONS.md	Added two new deprecation entries for mountPlayground and playgroundPath (deprecated now; removal planned for 10.0.0). Minor formatting tweak to existing DEPPS15 line presentation.
Deprecations list src/Deprecator/Deprecations.js	Appended deprecation objects for mountPlayground and playgroundPath to the exported deprecations array.
Deprecator logic src/Deprecator/Deprecator.js	Changed scanning logic to read changeNewKey and only emit warnings for removed-key deprecations when the option is actually set; adjusted message emission to check for defined changeNewKey (explicit null/undefined handling).
Tests spec/Deprecator.spec.js	Added tests verifying deprecation logging occurs only when removed-key options are set (covers exampleKey and mountPlayground cases) and does not log when unset.
User-facing docs & messages src/ParseServer.ts, src/Options/... (Definitions.js, docs.js, index.js)	Updated JSDoc/help strings and a runtime warning message to mark GraphQL Playground options as deprecated and recommend Parse Dashboard or third‑party GraphQL clients with custom headers.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: Deprecation warning logged at server launch for nested Parse Server option even if option is explicitly set #9934 — Changes to Deprecator.js logic for when deprecation warnings are emitted.
• feat: Add security check for server option mountPlayground for GraphQL development #10103 — Edits touching mountPlayground runtime warning/messages in src/ParseServer.ts.
• feat: Add Parse.File.url validation with config fileUpload.allowedFileUrlDomains against SSRF attacks #10044 — Related additions of deprecation entries and tests for the deprecations system.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically identifies the main change: deprecating the GraphQL Playground feature that exposes the master key.
Description check	✅ Passed	The pull request description follows the template structure with issue reference, completed tasks, and missing optional tasks clearly marked.
Linked Issues check	✅ Passed	All coding requirements from issue #10110 are met: deprecation entries added to Deprecations.js, deprecation warnings implemented in Deprecator.js, tests added in Deprecator.spec.js, and documentation updated across multiple files.
Out of Scope Changes check	✅ Passed	All code changes directly support the deprecation objectives: new deprecations, warning logic, tests, and documentation updates remain focused on deprecating GraphQL Playground.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

spec/Deprecator.spec.js (1)

130-151: Add a regression test for the shipped playgroundPath deprecation entry.

The production change deprecates both mountPlayground and playgroundPath, but this block only asserts the mountPlayground entry. A typo or accidental removal of playgroundPath from src/Deprecator/Deprecations.js would still pass this suite.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/Deprecator.spec.js` around lines 130 - 151, Add an assertion to the test
block that also verifies Deprecator._logOption is called for the
'playgroundPath' deprecation when playground-related options are set: in the
'logs deprecation for mountPlayground when set' test (using reconfigureServer
and the logSpy on Deprecator._logOption) add an expect that toHaveBeenCalledWith
jasmine.objectContaining({ optionKey: 'playgroundPath', changeNewKey: '' }) so
the suite fails if the playgroundPath deprecation entry is removed or renamed.

src/ParseServer.ts (1)

459-463: Avoid double-warning for mountPlayground.

Line 69 already routes this option through Deprecator.scanParseServerOptions(options), so enabling the playground now emits the generic deprecation warning plus this second warning. Consider keeping a single deprecation warning here, or making this log security-specific only.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/ParseServer.ts` around lines 459 - 463, The code emits a second generic
deprecation warning when options.mountPlayground is true even though
Deprecator.scanParseServerOptions(options) already logged a deprecation; update
the logic around parseGraphQLServer.applyPlayground to avoid duplicate warnings
by either removing the generic deprecation log or making it security-specific.
Specifically, in the block that checks options.mountPlayground and calls
parseGraphQLServer.applyPlayground(app), remove or replace the
logging.getLogger().warn(...) call so it no longer duplicates
Deprecator.scanParseServerOptions(options); if you choose to preserve a log,
change it to a focused security warning about master-key exposure (mentioning
master key) rather than a generic deprecation message.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Deprecator/Deprecations.js`:
- Around line 29-38: The options metadata still lists mountPlayground and
playgroundPath as supported; mark both option entries as deprecated in the
options metadata (add deprecated: true and a deprecation message for optionKey
'mountPlayground' and 'playgroundPath' in the Options index so runtime and
generated docs reflect deprecation), then regenerate the Options definitions and
docs so Definitions.js and docs.js include the deprecation flags and updated
solutions; ensure the option entries in the generated output include the same
deprecation message text as in the Deprecator entries to keep runtime warnings
and canonical metadata consistent.

---

Nitpick comments:
In `@spec/Deprecator.spec.js`:
- Around line 130-151: Add an assertion to the test block that also verifies
Deprecator._logOption is called for the 'playgroundPath' deprecation when
playground-related options are set: in the 'logs deprecation for mountPlayground
when set' test (using reconfigureServer and the logSpy on Deprecator._logOption)
add an expect that toHaveBeenCalledWith jasmine.objectContaining({ optionKey:
'playgroundPath', changeNewKey: '' }) so the suite fails if the playgroundPath
deprecation entry is removed or renamed.

In `@src/ParseServer.ts`:
- Around line 459-463: The code emits a second generic deprecation warning when
options.mountPlayground is true even though
Deprecator.scanParseServerOptions(options) already logged a deprecation; update
the logic around parseGraphQLServer.applyPlayground to avoid duplicate warnings
by either removing the generic deprecation log or making it security-specific.
Specifically, in the block that checks options.mountPlayground and calls
parseGraphQLServer.applyPlayground(app), remove or replace the
logging.getLogger().warn(...) call so it no longer duplicates
Deprecator.scanParseServerOptions(options); if you choose to preserve a log,
change it to a focused security warning about master-key exposure (mentioning
master key) rather than a generic deprecation message.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 37818ee6-2ff2-415c-bd43-17d86e21a79b

📥 Commits

Reviewing files that changed from the base of the PR and between 6b1b50c and 1f86799.

📒 Files selected for processing (5)

• DEPRECATIONS.md
• spec/Deprecator.spec.js
• src/Deprecator/Deprecations.js
• src/Deprecator/Deprecator.js
• src/ParseServer.ts

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.69%. Comparing base (cbff6b4) to head (f1288de).
⚠️ Report is 6 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10112   +/-   ##
=======================================
  Coverage   92.69%   92.69%           
=======================================
  Files         191      191           
  Lines       15898    15901    +3     
  Branches      180      180           
=======================================
+ Hits        14737    14740    +3     
  Misses       1149     1149           
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Options/index.js`:
- Around line 342-347: Update the deprecation text to reference the announced
removal timeline by replacing vague "future version" wording with "next major
release" in the user-facing comments; specifically edit the comment string for
the mountPlayground option (symbol: mountPlayground) and the playground mount
path comment (environment symbol: PARSE_SERVER_PLAYGROUND_PATH) so both
explicitly say the playground will be removed in the "next major release".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aba02a0d-b600-451c-b377-7a2c93ccf998

📥 Commits

Reviewing files that changed from the base of the PR and between 1f86799 and c48b80e.

📒 Files selected for processing (3)

• src/Options/Definitions.js
• src/Options/docs.js
• src/Options/index.js

✅ Files skipped from review due to trivial changes (1)

• src/Options/Definitions.js

[parseplatformorg]

🎉 This change has been released in version 9.5.0-alpha.13

[parseplatformorg]

🎉 This change has been released in version 9.5.0