changelogs/CHANGELOG_alpha.md
- /sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64) (#10406) (d507575)
- matchedCount and modifiedCount from DatabaseController.update with many: true (#10353) (aea7596)
- protectedFieldsSaveResponseExempt option to strip protected fields from save responses (#10289) (4f7cb53)
- protectedFieldsTriggerExempt option to exempt Cloud Code triggers from protectedFields (#10288) (1610f98)
- protectedFieldsOwnerExempt: false despite email not in protectedFields (#10284) (4a65d77)
- protectedFieldsOwnerExempt option to control _User class owner exemption for protectedFields (#10280) (d5213f8)
- requestComplexity.batchRequestLimit (#10265) (164ed0d)
- Increment operation on PostgreSQL (GHSA-gqpp-xgvh-9h7h) (#10165) (169d692)
- Increment operation on nested object field in PostgreSQL (GHSA-q3vj-96h2-gwvg) (#10161) (8f82282)
- X-Content-Type-Options: nosniff header and customizable response headers for files via Parse.Cloud.afterFind(Parse.File) (#10158) (28d11a3)
- _GraphQLConfig and _Audience master key bypass via generic class routes (GHSA-7xg7-rqf6-pw6c) (#10151) (1de4e43)
- redirectClassNameForKey query parameter (GHSA-6r2j-cxgf-495f) (#10143) (70b7b07)
- requestKeywordDenylist keyword scan bypass through nested object placement (GHSA-q342-9w2p-57fp) (#10123) (4a44247)
- $regex query in LiveQuery (GHSA-mf3j-86qx-cq5j) (#10118) (5e113c2)
- __type introspection bypass via inline fragments when public introspection is disabled (GHSA-q5q9-2rhp-33qw) (#10111) (61261a5)
- beforeFind / afterFind trigger authorization (GHSA-hwx8-q9cg-mqmc) (#10106) (72e7707)
- PagesRouter path traversal allows reading files outside configured pages directory (GHSA-hm3f-q6rw-m6wh) (#10104) (e772543)
- $regex query leaks database error details in API response (GHSA-9cp7-3q5w-j92g) (#10101) (9792d24)
- readOnlyMasterKey invocation of Cloud Function via request.isReadOnly (#10100) (2c48751)
- /loginAs allows readOnlyMasterKey to gain full read and write access as any user (GHSA-79wj-8rqv-jvp5) (#10098) (bc20945)
- readOnlyMasterKey write restriction (GHSA-xfh7-phr7-gr2x) (#10095) (036365a)
- Parse.File option maxUploadSize to override the Parse Server option maxUploadSize per file upload (#10093) (3d8807b)
- Parse.File.setDirectory, setMetadata, setTags with stream-based file upload (#10092) (ca666b0)
- readOnlyMasterKey write restriction (GHSA-vc89-5g3r-cmhh) (#10088) (9a3dd4d)
- PagesRouter header parameters are not URL-encoded to support non-ASCII characters in app name (#10078) (c92660b)
- Parse.File.setDirectory() with master key to save file in directory (#10076) (17d987c)
- Parse.File.url validation with config fileUpload.allowedFileUrlDomains against SSRF attacks (#10044) (4c9c948)
- verifyUserEmails, preventLoginWithUnverifiedEmail to identify invoking signup / login action and auth provider (#9963) (ed98c15)
- databaseOptions.clientMetadata to send custom metadata to database server for logging and debugging (#10017) (756c204)
- logLevels.signupUsernameTaken to change log level of username already exists sign-up rejection (#9962) (f18f307)
- enableInsecureAuthAdapters default to false (Deprecation DEPPS13). (22d4622)
- allowPublicExplain default to false (Deprecation DEPPS12). (c1c7e69)
- PublicAPIRouter with PagesRouter (Deprecation DEPPS11). (8f877d4)
- Parse.Object in Cloud Function and remove option encodeParseObjectInCloudFunction (#9973) (a2d3dbe)
- Parse.Object in Cloud Function and removes option encodeParseObjectInCloudFunction (Deprecation DEPPS10). (a2d3dbe)
- 16, PostGIS 3.5. (7483add)
- 7.0.16. (7bb548b)
- masterKey or setting graphQLPublicIntrospection: true. (87c7f07)
- 20.19.0. (633964d)
- cloudConfig to retrieve and mutation updateCloudConfig to update Cloud Config (#9947) (3ca85cd)
- enableSanitizedErrorResponse to remove detailed error messages from responses sent to clients (#9944) (4752197)
- authData.provider.id are incorrectly transformed to _auth_data_provider.id for custom classes (#9932) (7b9fa18)
- GridFSBucketAdapter throws when using some Parse Server specific options in MongoDB database options (#9915) (d3d4003)
- allowPublicExplain to allow Parse.Query.explain without master key (#9890) (4456b02)
- serverSelectionTimeoutMS, maxIdleTimeMS, heartbeatFrequencyMS (#9910) (1b661e9)
- fileUpload.fileExtensions (#9902) (fa245cb)
- _email_verify_token for email verification and _perishable_token password reset are not created automatically (#9893) (62dd3c5)
- verifyServerUrl to disable server URL verification on server launch (#9881) (b298ccc)
- Parse.Object update causes inconsistency between validation read and subsequent update write operation (#9859) (f49efaf)
- _JobStatus (#8343) (e98733c)
- Parse.Cloud.beforeFind(Parse.File) and Parse.Cloud.afterFind(Parse.File) (#8700) (b2beaa8)
- extendSessionOnUse does not correctly clear memory and functions as a debounce instead of a throttle (#8683) (6258a6a)
- databaseOptions keys autoSelectFamily, autoSelectFamilyAttemptTimeout (#9579) (5966068)
- databaseOptions keys minPoolSize, connectTimeoutMS, socketTimeoutMS (#9522) (91618fe)
- 15, PostGIS 3.3 and removes support for Postgres 13, 14, PostGIS 3.1, 3.2. (89c9b54)
- encodeParseObjectInCloudFunction to true (#9527) (5c5ad69)
- encodeParseObjectInCloudFunction changes to true; the option has been deprecated and will be removed in a future version. (5c5ad69)
- 6.0.19, 7.0.16, 8.0.4 and removes support for MongoDB 4, 5. (871e508)
- Parse.Cloud.beforeSave and Parse.Cloud.afterSave for Parse Config (#9232) (90a1e4a)
- maxLogFiles doesn't recognize day duration literals such as 1d to mean 1 day (#9215) (0319cee)
- Parse.Cloud.startJob and Parse.Push.send not returning status ID when setting Parse Server option directAccess: true (#8766) (5b0efb2)
- rateLimit.redisUrl with clusters (#8632) (c277739)
- Required option not handled correctly for special fields (File, GeoPoint, Polygon) on GraphQL API mutations (#8915) (907ad42)
- Required option not handled correctly for special fields (File, GeoPoint, Polygon) on GraphQL API mutations (#8915) (907ad42)
- fileExtensions default value rejects file extensions that are less than 3 or more than 4 characters long (#8699) (2760381)
- allowClientClassCreation defaults to false. (29624e0)
- masterKeyIps regardless of ACL and CLP (#8957) (a7b5b38)
- masterKeyIps, even if the request does not require the master key permission, for example for a public object in a public class. (a7b5b38)
- auth.<provider>.enabled: true (0cf58eb)
- allowExpiredAuthDataToken defaults to false (#8860) (e29845f)
- allowExpiredAuthDataToken defaults to false; a 3rd party authentication token will be validated every time the user tries to log in and the login will fail if the token has expired; the effect of this change may differ for different authentication adapters, depending on the token lifetime and the token refresh logic of the adapter (e29845f)
- fields option is renamed to keys (38983e8)
- Parse.Cloud.beforeDeleteFile' has been changed to Parse.Cloud.beforeDelete(Parse.File, (request) => {})' (4e6a375)
- ignoreEmailVerification (#8895) (633a9d2)
- verifyEmail function if both username and email are changed (#8889) (1eb95ae)
- emailVerifyTokenReuseIfValid: true generates new token on every email verification request (#8885) (0023ce4)
- installationId, ip, resendRequest to arguments passed to verifyUserEmails on verification email request (#8873) (8adcbee)
- Parse.User passed as argument if verifyUserEmails is set to a function is renamed from user to object for consistency with invocations of verifyUserEmails on signup or login; the user object is not a plain JavaScript object anymore but an instance of Parse.User (8adcbee)
- Parse.User as function parameter to Parse Server options verifyUserEmails, preventLoginWithUnverifiedEmail on login (#8850) (972f630)
- verifyUserEmails, preventLoginWithUnverifiedEmail set to functions (#8838) (8e7a6b1)
- Parse.Session.current() no longer throws an error if the session token is expired, but instead returns the session token with its expiration date to allow checking its validity (f9dde4a)
- installationId to arguments for verifyUserEmails, preventLoginWithUnverifiedEmail (#8836) (a22dbe1)
- Parse.Query no longer supports the BSON type code; although this feature was never officially documented, its removal is announced as a breaking change to protect deployments where it might be in use. (3de8494)
- beforeFind when using Parse.Query.include (#8765) (7d32d89)
- fileUpload.fileExtensions fails to determine file extension if filename contains multiple dots (#8754) (3d6d50e)
- $setOnInsert operator to Parse.Server.database.update (#8791) (f630a45)
- enableCollationCaseComparison, transformEmailToLowercase, transformUsernameToLowercase (#8805) (09fbeeb)
- beforeLogin and afterLogin (#8724) (a9c34ef)
- createdAt and updatedAt during Parse.Object creation with maintenance key (#8696) (77bbfb3)
- enableCollationCaseComparison, transformEmailToLowercase, transformUsernameToLowercase (#8805) (09fbeeb)
- beforeFind when using Parse.Query.include (#8765) (7d32d89)
- createdAt and updatedAt during Parse.Object creation with maintenance key (#8696) (77bbfb3)
- fileUpload.fileExtensions fails to determine file extension if filename contains multiple dots (#8754) (3d6d50e)
- fileUpload.fileExtensions does not work with an array of extensions (#8688) (6a4a00c)
- Parse.Server.version to determine current version of Parse Server in Cloud Code (#8670) (a9d376b)
- verifyUserEmails, sendUserEmailVerification that now accept functions (#8425) (44acd6d)
- afterSave executes even if not set (#8520) (afd0515)
- enableSchemaHooks settings (#8467) (d4cda4b)
- handleShutdown is called (#8491) (967700b)
- extendSessionOnUse (#8562) (fd6a007)
- extendSessionOnUse to automatically renew Parse Sessions (#8505) (6f885d3)
- preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address (#8451) (82da308)
- $eq query constraint in LiveQuery (#8614) (656d673)
- ip, user, session, global (#8508) (03fba97)
- Parse.Object pointers in Cloud Code arguments (#8490) (28aeda3)
- preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address (#8451) (82da308)
- {} when fetching a Parse Object (#8446) (22d2446)
- schemaCacheTtl for schema cache pulling as alternative to enableSchemaHooks (#8436) (b3b76de)
- resetPasswordSuccessOnInvalidEmail to choose success or error response on password reset with invalid email (#7551) (e5d610e)
- fields option in favor of keys for semantic consistency (#8388) (a49e323)
- AuthAdapter to make it available for extension with custom authentication adapters (#8443) (40c1961)
- schemaCacheTtl for schema cache pulling as alternative to enableSchemaHooks (#8436) (b3b76de)
- resetPasswordSuccessOnInvalidEmail to choose success or error response on password reset with invalid email (#7551) (e5d610e)
- requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability GHSA-xprv-wvh7-qqqx (#8302) (6728da1)
- ParseServer.verifyServerUrl may fail if server response headers are missing; remove unnecessary logging (#8391) (1c37a7c)
- RUN apk --no-cache add git (#8359) (40810b4)
- maintenanceKey; the internal scope contains unofficial and undocumented fields (prefixed with underscore _) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the maintenanceKey for routine operations in a production environment; see access scopes (#8212) (f3bcc93)
- _) are only returned using the new maintenanceKey; previously the masterKey allowed reading of internal fields; see access scopes for a comparison of the keys' access permissions (#8212) (f3bcc93)
- ParseServer.verifyServerUrl now returns a promise instead of a callback. (ffa4974)
- $match and the MongoDB document ID is referenced using _id instead of objectId (#8362) (d0d30c4)
- masterKeyIps may be circumvented, see GHSA-vm5r-c87r-pf6x (#8372) (892040d)
- trustProxy accordingly if Parse Server runs behind a proxy server, see the express framework's trust proxy setting (#8372) (892040d)
- package-lock.json is upgraded to version 2; while it is backwards compatible with version 1 for the npm installer, consider this if you run any non-npm analysis tools that use the lock file (#8285) (ee72467)
- serverStartComplete; see the Parse Server 6 migration guide for more details (#8232) (99fcf45)
- Date object was saved as a JSON object like { "__type": "Date", "iso": "2020-01-01T00:00:00.000Z" } instead of its serialized representation 2020-01-01T00:00:00.000Z (#8209) (1412666)
- masterKeyIps (#8350) (e22b73d)
- enforcePrivateUsers is set to true by default; in previous releases this option defaults to false; this change improves the default security configuration of Parse Server (#8283) (ed499e3)
- masterKey to localhost by default; if you are using Parse Dashboard on a different server to connect to Parse Server you need to add the IP address of the server that hosts Parse Dashboard to this option (#8281) (6c16021)
- afterLogin, afterLogout returns a rejected promise; in previous releases it crashed the server if you did not handle the error on the Node.js process level; consider adapting your code if your app currently handles these errors on the Node.js process level with process.on('unhandledRejection', ...) (130d290)
- directAccess defaults to true; set this to false in environments where multiple Parse Server instances run behind a load balancer and Parse requests within the current Node.js environment should be routed via the load balancer and distributed as HTTP requests among all instances via the serverURL. (f535ee6)
- DEPPS4: Remove convenience method for http request Parse.Cloud.httpRequest (#8287) (2d79c08)
- Parse.Cloud.httpRequest is removed; use your preferred 3rd party library for making HTTP requests (2d79c08)
- appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) [skip release] (#8187) (8c8ec71)
- equalTo with value false (#8032) (7f5a15d)
- _Idempotency and _Role are not protected in defined schema (#8121) (c16f529)
- containedIn not working when object field is an array (#8128) (1d9605b)
- badge doesn't update with Installation beforeSave trigger (#8162) (3c75c2b)
- Date when directAccess: true (#8167) (e424137)
- Parse.Query.or, Parse.Query.and not working (#8203) (28f0d26)
- INVALID_SERVER_ERROR on Postgres (#8157) (3b775a1)
- Parse.Server (#8244) (9f11115)
- Parse.Query.limit() constraint (#8152) (0388956)
- Parse.Server (#8244) (9f11115)
- Parse.Query.or, Parse.Query.and not working (#8203) (28f0d26)
- appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) [skip release] (#8187) (8c8ec71)
- Date when directAccess: true (#8167) (e424137)
- badge doesn't update with Installation beforeSave trigger (#8162) (3c75c2b)
- _Idempotency and _Role are not protected in defined schema (#8121) (c16f529)
- equalTo with value false (#8032) (7f5a15d)
- Unexpected Error (#8045) (0d81887)
- Parse.Cloud.beforeSave(Parse.File, (request) => {}), the old syntax Parse.Cloud.beforeSaveFile((request) => {}) has been deprecated (#7966) (c6dcad8)
- null. Previously, setting a field value to null would save a null value in the database, which was not according to the GraphQL specs. To delete a file field use file: null, the previous way of using file: { file: null } has become obsolete. (626fad2)
- databaseOptions.enableSchemaHooks: true to enable this feature and keep the schema in sync across all instances. Failing to do so will cause a schema change to not propagate to other instances and re-syncing will only happen when these instances restart. The options enableSingleSchemaCache and schemaCacheTTL have been removed. To use this feature with MongoDB, a replica set cluster with change stream support is required. (Diamond Lewis, SebC) #7214
- fileUpload parameter in the Parse Server Options (dblythy, Manuel Trezza) #7071
- @parse/s3-files-adapter (Manuel Trezza) #7324
- restricted; the field was a code artifact from a feature that never existed in Open Source Parse Server; if you have been using this field for custom purposes, consider that for new Parse Server installations the field does not exist anymore in the schema, and for existing installations the field default value false will not be set anymore when creating a new session (Manuel Trezza) #7543
- /loginAs to create session of any user with master key; allows to impersonate another user. (GormanFletcher) #7406
- enforcePrivateUsers, which will remove public access by default on new Parse.Users (dblythy) #7319
- Parse.Cloud.sendEmail(...) to send email via email adapter in Cloud Code (dblythy) #7089
- classNames (Nes-si) #7131
- requireAnyUserRoles and requireAllUserRoles for Parse Cloud validator (dblythy) #7097
- accountLockout.unlockOnPasswordReset to automatically unlock account on password reset (Manuel Trezza) #7146
- options to be async (dblythy) #7155
- Parse.Cloud.httpRequest; it is recommended to use an HTTP library instead. (Daniel Blyth) #7595