
test: Plaintext password accessible in beforeSave trigger on _User class#10380

Merged
mtrezza merged 1 commit into parse-community:alpha from mtrezza:tests/GHSA-6hp2-f5m8-8vj6-v9 on Apr 1, 2026

Conversation

@mtrezza
Member

@mtrezza mtrezza commented Apr 1, 2026

Issue

Plaintext password accessible in beforeSave trigger on _User class

Tasks

  • Add test to document behavior

Summary by CodeRabbit

  • Tests
    • Added test coverage for user password handling to ensure plaintext passwords are not exposed in API responses during sign-up and password updates.

@parse-github-assistant

parse-github-assistant bot commented Apr 1, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@coderabbitai

coderabbitai bot commented Apr 1, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 44a520c and 43027e5.

📒 Files selected for processing (1)
  • spec/CloudCode.spec.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • spec/CloudCode.spec.js

📝 Walkthrough


Adds three tests to spec/CloudCode.spec.js validating Parse.Cloud.beforeSave behavior for Parse.User: plaintext password is available during signUp and during password updates via user.save with a session token; and signup responses do not expose password or _hashed_password.

Changes

Cohort / File(s): BeforeSave Hook Password Tests (spec/CloudCode.spec.js)
Summary: Adds three tests: (1) req.object.get('password') contains the plaintext password during signUp, (2) req.object.get('password') contains the plaintext password during a password update via user.save with a session token, and (3) the object returned from signUp does not include the password or _hashed_password fields.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name: Engage In Review Feedback
Status: ❓ Inconclusive
Explanation: The custom check requires verification of review feedback comments, which exist exclusively on GitHub servers and are not accessible through git repository data.
Resolution: Access the GitHub PR at #10380 to review reviewer comments and author engagement in the Conversations tab.

✅ Passed checks (4 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The PR title begins with the 'test:' prefix as required and clearly describes the addition of tests for plaintext password handling in beforeSave triggers.

Check name: Description check
Status: ✅ Passed
Explanation: The PR description includes the Issue section and a completed Tasks section, but lacks the Approach section, which typically describes the changes made.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Check name: Security Check
Status: ✅ Passed
Explanation: This pull request contains only test-only changes (43 lines added to spec/CloudCode.spec.js with no production code modifications) that document and verify proper security behavior for password handling in the _User class.

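The behavior the tests above document is that, inside Parse Server's beforeSave trigger for the _User class, req.object.get('password') returns the plaintext password during signUp and during a password update, while the signUp response carries neither password nor _hashed_password. The following is an added example, not code from this PR or from the Parse Server repository: a Cloud Code main.js-style file that uses that plaintext value only for policy enforcement, logs a redacted view of the user object, and exposes the same "does the response leak a password field" check the PR's third test performs. The password-length limits, the redaction field list and the sample objects are constructed for this example; the Parse calls used (Parse.Cloud.beforeSave, Parse.Object#dirty, Parse.Object#get, Parse.Object#toJSON, Parse.Error.VALIDATION_ERROR) are existing SDK APIs.

```javascript
// Added example (not Parse Server or PR code). In Parse Server's beforeSave
// trigger on _User, req.object.get('password') is the plaintext password on
// signUp and on password change, so the trigger may enforce policy on it but
// must never log or persist it. Limits and field lists below are constructed.

const SENSITIVE_FIELDS = ['password', '_hashed_password', 'sessionToken', 'authData'];

// Password policy applied in the trigger. The bounds are an assumption for
// this example, not Parse Server defaults.
function checkPasswordPolicy(password) {
  if (typeof password !== 'string') {
    return { ok: false, reason: 'password must be a string' };
  }
  if (password.length < 12) {
    return { ok: false, reason: 'password must be at least 12 characters' };
  }
  if (password.length > 256) {
    return { ok: false, reason: 'password must be at most 256 characters' };
  }
  return { ok: true, reason: '' };
}

// Shallow copy of a user's JSON with sensitive fields replaced, so the trigger
// can log the object without writing the plaintext password to the log.
// The input object is not mutated.
function redactForLog(json, sensitive = SENSITIVE_FIELDS) {
  const out = { ...json };
  for (const key of sensitive) {
    if (Object.prototype.hasOwnProperty.call(out, key)) {
      out[key] = '[REDACTED]';
    }
  }
  return out;
}

// True if an API response body still carries either password field. This is
// the check the PR's third test makes against the signUp response.
function responseLeaksPassword(responseJson) {
  return responseJson !== null && typeof responseJson === 'object' &&
    ('password' in responseJson || '_hashed_password' in responseJson);
}

// Trigger registration only runs inside Parse Server, where `Parse` is a global.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave(Parse.User, async req => {
    // dirty('password') is true on signUp and when the password is being
    // changed; only then is the plaintext value present and worth inspecting.
    if (req.object.dirty('password')) {
      const result = checkPasswordPolicy(req.object.get('password'));
      if (!result.ok) {
        throw new Parse.Error(Parse.Error.VALIDATION_ERROR, result.reason);
      }
    }
    // Log a redacted view, never the raw object, which would include the password.
    console.log('beforeSave _User', JSON.stringify(redactForLog(req.object.toJSON())));
  });
}
```

Loaded as Cloud Code, the trigger rejects weak passwords before they are hashed and stored; outside Parse Server the pure helpers can be unit-tested on their own, and responseLeaksPassword can be run against any captured signUp or save response as a regression check for the property the PR's tests pin down.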

@codecov

codecov bot commented Apr 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.52%. Comparing base (c7814b4) to head (43027e5).
⚠️ Report is 4 commits behind head on alpha.

Additional details and impacted files
@@           Coverage Diff           @@
##            alpha   #10380   +/-   ##
=======================================
  Coverage   92.52%   92.52%           
=======================================
  Files         192      192           
  Lines       16568    16568           
  Branches      231      231           
=======================================
  Hits        15329    15329           
  Misses       1217     1217           
  Partials       22       22           


@mtrezza mtrezza changed the title from "test: GHSA-6hp2-f5m8-8vj6 v9" to "test: Plaintext password accessible in beforeSave trigger on _User class (GHSA-6hp2-f5m8-8vj6)" on Apr 1, 2026
@mtrezza mtrezza changed the title from "test: Plaintext password accessible in beforeSave trigger on _User class (GHSA-6hp2-f5m8-8vj6)" to "test: Plaintext password accessible in beforeSave trigger on _User class" on Apr 1, 2026
@mtrezza mtrezza force-pushed the tests/GHSA-6hp2-f5m8-8vj6-v9 branch from 44a520c to 43027e5 on April 1, 2026 19:10
@mtrezza mtrezza merged commit b587767 into parse-community:alpha Apr 1, 2026
23 of 24 checks passed
@mtrezza mtrezza deleted the tests/GHSA-6hp2-f5m8-8vj6-v9 branch April 1, 2026 19:41
@parseplatformorg
Contributor

🎉 This change has been released in version 9.7.1-alpha.3

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Apr 1, 2026