diff --git a/9.0.0.md b/9.0.0.md
new file mode 100644
index 0000000000..80ba6cf0a8
--- /dev/null
+++ b/9.0.0.md
@@ -0,0 +1,56 @@
+# Parse Server 9 Migration Guide
+
+This document only highlights specific changes that require a longer explanation. For a full list of changes in Parse Server 9 please refer to the [changelog](https://github.com/parse-community/parse-server/blob/alpha/CHANGELOG.md).
+
+---
+- [Route Path Syntax and Rate Limiting](#route-path-syntax-and-rate-limiting)
+---
+
+## Route Path Syntax and Rate Limiting
+Parse Server 9 standardizes the route pattern syntax across cloud routes and rate-limiting to use the new **path-to-regexp v8** style. This update introduces validation and a clear deprecation error for the old wildcard route syntax.
+
+### Key Changes
+- **Standardization**: All route paths now use the path-to-regexp v8 syntax, which provides better consistency and security.
+- **Validation**: Added validation to ensure route paths conform to the new syntax.
+- **Deprecation**: Old wildcard route syntax is deprecated and will trigger a clear error message.
+
+### Migration Steps
+
+#### Path Syntax Examples
+
+Update your rate limit configurations to use the new path-to-regexp v8 syntax:
+
+| Old Syntax (deprecated) | New Syntax (v8) |
+|------------------------|-----------------|
+| `/functions/*` | `/functions/*path` |
+| `/classes/*` | `/classes/*path` |
+| `/*` | `/*path` |
+| `*` | `*path` |
+
+**Before:**
+```javascript
+rateLimit: {
+ requestPath: '/functions/*',
+ requestTimeWindow: 10000,
+ requestCount: 100
+}
+```
+
+**After:**
+```javascript
+rateLimit: {
+ requestPath: '/functions/*path',
+ requestTimeWindow: 10000,
+ requestCount: 100
+}
+```
+
+- Review your custom cloud routes and ensure they use the new path-to-regexp v8 syntax.
+- Update any rate-limiting configurations to use the new route path format.
+- Test your application to ensure all routes work as expected with the new syntax.
+
+> [!Note]
+> Consult the [path-to-regexp v8 docs](https://github.com/pillarjs/path-to-regexp) and the [Express 5 migration guide](https://expressjs.com/en/guide/migrating-5.html#path-syntax) for more details on the new path syntax.
+
+### Related Pull Request
+- [#9942](https://github.com/parse-community/parse-server/pull/9942)
diff --git a/package-lock.json b/package-lock.json
index ee7f2cd789..1ce0ec3ad9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -38,7 +38,7 @@
"mustache": "4.2.0",
"otpauth": "9.4.0",
"parse": "7.0.1",
- "path-to-regexp": "6.3.0",
+ "path-to-regexp": "8.3.0",
"pg-monitor": "3.0.0",
"pg-promise": "12.2.0",
"pluralize": "8.0.0",
@@ -18865,9 +18865,14 @@
}
},
"node_modules/path-to-regexp": {
- "version": "6.3.0",
- "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.3.0.tgz",
- "integrity": "sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ=="
+ "version": "8.3.0",
+ "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
+ "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
+ "license": "MIT",
+ "funding": {
+ "type": "opencollective",
+ "url": "https://opencollective.com/express"
+ }
},
"node_modules/path-type": {
"version": "4.0.0",
@@ -20155,14 +20160,6 @@
"resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz",
"integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ=="
},
- "node_modules/router/node_modules/path-to-regexp": {
- "version": "8.2.0",
- "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.2.0.tgz",
- "integrity": "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ==",
- "engines": {
- "node": ">=16"
- }
- },
"node_modules/run-parallel": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
@@ -36194,9 +36191,9 @@
}
},
"path-to-regexp": {
- "version": "6.3.0",
- "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.3.0.tgz",
- "integrity": "sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ=="
+ "version": "8.3.0",
+ "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
+ "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA=="
},
"path-type": {
"version": "4.0.0",
@@ -37114,11 +37111,6 @@
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz",
"integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ=="
- },
- "path-to-regexp": {
- "version": "8.2.0",
- "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.2.0.tgz",
- "integrity": "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ=="
}
}
},
diff --git a/package.json b/package.json
index 45a8bf12b0..52e905e591 100644
--- a/package.json
+++ b/package.json
@@ -48,7 +48,7 @@
"mustache": "4.2.0",
"otpauth": "9.4.0",
"parse": "7.0.1",
- "path-to-regexp": "6.3.0",
+ "path-to-regexp": "8.3.0",
"pg-monitor": "3.0.0",
"pg-promise": "12.2.0",
"pluralize": "8.0.0",
diff --git a/spec/RateLimit.spec.js b/spec/RateLimit.spec.js
index 3c57810702..429b7aaed2 100644
--- a/spec/RateLimit.spec.js
+++ b/spec/RateLimit.spec.js
@@ -5,7 +5,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/functions/*',
+ requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -26,7 +26,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/functions/*',
+ requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -45,7 +45,7 @@ describe('rate limit', () => {
Parse.Cloud.define('test', () => 'Abc');
await reconfigureServer({
rateLimit: {
- requestPath: '*',
+ requestPath: '/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -83,7 +83,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/functions/*',
+ requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -102,7 +102,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/functions/*',
+ requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
includeMasterKey: true,
@@ -122,7 +122,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/classes/*',
+ requestPath: '/classes/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -141,7 +141,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/classes/*',
+ requestPath: '/classes/*path',
requestTimeWindow: 10000,
requestCount: 1,
requestMethods: 'POST',
@@ -240,7 +240,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/classes/Test/*',
+ requestPath: '/classes/Test/*path',
requestTimeWindow: 10000,
requestCount: 1,
requestMethods: 'DELETE',
@@ -294,7 +294,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/functions/*',
+ requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 100,
errorResponseMessage: 'Too many requests',
@@ -320,7 +320,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/functions/*',
+ requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -340,7 +340,7 @@ describe('rate limit', () => {
it('can use global zone', async () => {
await reconfigureServer({
rateLimit: {
- requestPath: '*',
+ requestPath: '*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -373,7 +373,7 @@ describe('rate limit', () => {
});
fakeRes.json = jasmine.createSpy('json').and.callFake(resolvingPromise);
middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
- throw 'Should not call next';
+ throw new Error('Should not call next');
});
await promise;
expect(fakeRes.status).toHaveBeenCalledWith(429);
@@ -386,7 +386,7 @@ describe('rate limit', () => {
it('can use session zone', async () => {
await reconfigureServer({
rateLimit: {
- requestPath: '/functions/*',
+ requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -407,7 +407,7 @@ describe('rate limit', () => {
it('can use user zone', async () => {
await reconfigureServer({
rateLimit: {
- requestPath: '/functions/*',
+ requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -494,7 +494,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
- requestPath: '/classes/*',
+ requestPath: '/classes/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
diff --git a/src/Config.js b/src/Config.js
index 241edf9771..879aebd77a 100644
--- a/src/Config.js
+++ b/src/Config.js
@@ -3,6 +3,7 @@
// mount is the URL for the root of the API; includes http, domain, etc.
import { isBoolean, isString } from 'lodash';
+import { pathToRegexp } from 'path-to-regexp';
import net from 'net';
import AppCache from './cache';
import DatabaseController from './Controllers/DatabaseController';
@@ -687,6 +688,14 @@ export class Config {
if (typeof option.requestPath !== 'string') {
throw `rateLimit.requestPath must be a string`;
}
+
+ // Validate that the path is valid path-to-regexp syntax
+ try {
+ pathToRegexp(option.requestPath);
+ } catch (error) {
+ throw `rateLimit.requestPath "${option.requestPath}" is not valid: ${error.message}`;
+ }
+
if (option.requestTimeWindow == null) {
throw `rateLimit.requestTimeWindow must be defined`;
}
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
index 6eeff0ed57..93c90505d6 100644
--- a/src/Options/Definitions.js
+++ b/src/Options/Definitions.js
@@ -678,7 +678,7 @@ module.exports.RateLimitOptions = {
requestPath: {
env: 'PARSE_SERVER_RATE_LIMIT_REQUEST_PATH',
help:
- 'The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expression. See: https://expressjs.com/en/guide/routing.html',
+ 'The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following path-to-regexp v8 syntax.',
required: true,
},
requestTimeWindow: {
diff --git a/src/Options/docs.js b/src/Options/docs.js
index 03fa9cc981..d516ba8473 100644
--- a/src/Options/docs.js
+++ b/src/Options/docs.js
@@ -120,7 +120,7 @@
* @property {String} redisUrl Optional, the URL of the Redis server to store rate limit data. This allows to rate limit requests for multiple servers by calculating the sum of all requests across all servers. This is useful if multiple servers are processing requests behind a load balancer. For example, the limit of 10 requests is reached if each of 2 servers processed 5 requests.
* @property {Number} requestCount The number of requests that can be made per IP address within the time window set in `requestTimeWindow` before the rate limit is applied.
* @property {String[]} requestMethods Optional, the HTTP request methods to which the rate limit should be applied, default is all methods.
- * @property {String} requestPath The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expression. See: https://expressjs.com/en/guide/routing.html
+ * @property {String} requestPath The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following path-to-regexp v8 syntax.
* @property {Number} requestTimeWindow The window of time in milliseconds within which the number of requests set in `requestCount` can be made before the rate limit is applied.
* @property {String} zone The type of rate limit to apply. The following types are supported:- `global`: rate limit based on the number of requests made by all users
- `ip`: rate limit based on the IP address of the request
- `user`: rate limit based on the user ID of the request
- `session`: rate limit based on the session token of the request
Default is `ip`.
*/
diff --git a/src/Options/index.js b/src/Options/index.js
index 11ab00a00f..45506fe679 100644
--- a/src/Options/index.js
+++ b/src/Options/index.js
@@ -350,7 +350,7 @@ export interface ParseServerOptions {
}
export interface RateLimitOptions {
- /* The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expression. See: https://expressjs.com/en/guide/routing.html */
+ /* The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following path-to-regexp v8 syntax. */
requestPath: string;
/* The window of time in milliseconds within which the number of requests set in `requestCount` can be made before the rate limit is applied. */
requestTimeWindow: ?number;
diff --git a/src/cloud-code/Parse.Cloud.js b/src/cloud-code/Parse.Cloud.js
index a057f8b3e6..3fc38c3aad 100644
--- a/src/cloud-code/Parse.Cloud.js
+++ b/src/cloud-code/Parse.Cloud.js
@@ -82,12 +82,12 @@ const getRoute = parseClass => {
'@Config' : 'config',
}[parseClass] || 'classes';
if (parseClass === '@File') {
- return `/${route}/:id?(.*)`;
+ return `/${route}{/*id}`;
}
if (parseClass === '@Config') {
return `/${route}`;
}
- return `/${route}/${parseClass}/:id?(.*)`;
+ return `/${route}/${parseClass}{/*id}`;
};
/** @namespace
* @name Parse
diff --git a/src/middlewares.js b/src/middlewares.js
index 2da7016b4f..e02ed98305 100644
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -322,7 +322,7 @@ const handleRateLimit = async (req, res, next) => {
try {
await Promise.all(
rateLimits.map(async limit => {
- const pathExp = new RegExp(limit.path);
+ const pathExp = limit.path.regexp || limit.path;
if (pathExp.test(req.url)) {
await limit.handler(req, res, err => {
if (err) {
@@ -560,12 +560,8 @@ export const addRateLimit = (route, config, cloud) => {
},
});
}
- let transformPath = route.requestPath.split('/*').join('/(.*)');
- if (transformPath === '*') {
- transformPath = '(.*)';
- }
config.rateLimits.push({
- path: pathToRegexp(transformPath),
+ path: pathToRegexp(route.requestPath),
handler: rateLimit({
windowMs: route.requestTimeWindow,
max: route.requestCount,