feat: Add deprecation on explain

[coratgerl]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Fixes: #7519

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features

  • Added a deprecated server option allowPublicExplain (default: true) to control whether explain queries work without the master key.

• Deprecations

  • Introduced DEPPS12: allowPublicExplain defaults will change to false in a future release; deprecation note and timeline published and added to changelog.

• Behavior

  • When allowPublicExplain is disabled, explain requests without the master key are rejected.

• Tests

  • Added tests covering explain behavior with and without the master key.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Warning

Rate limit exceeded

@coratgerl has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 11 minutes and 56 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between bb8eedb and 19ebc5b.

📒 Files selected for processing (10)

• DEPRECATIONS.md (1 hunks)
• changelogs/CHANGELOG_alpha.md (1 hunks)
• spec/ParseQuery.spec.js (2 hunks)
• src/Adapters/Storage/Mongo/MongoStorageAdapter.js (1 hunks)
• src/Config.js (1 hunks)
• src/Deprecator/Deprecations.js (1 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (1 hunks)
• src/rest.js (1 hunks)

📝 Walkthrough

Walkthrough

Adds deprecation DEPPS12 restricting use of the explain query parameter to master-key requests, emits a runtime deprecation log when explain is used without master key, adds tests asserting the deprecation log, and updates DEPRECATIONS and changelog entries.

Changes

Cohort / File(s)	Summary
Documentation DEPRECATIONS.md, changelogs/CHANGELOG_alpha.md	Add DEPPS12 entry describing timeline and restriction of explain to master-key requests; add changelog entry for 8.3.0-alpha.13.
Runtime src/rest.js	When explain is present on non-master requests in runFindTriggers, call Deprecator.logRuntimeDeprecation (no throw; control flow unchanged).
Tests spec/ParseQuery.spec.js	Add DEPPS12 test blocks that spy on Deprecator.logRuntimeDeprecation, assert it is emitted when explain used without master key, and verify explain works with master key. (Diff contains two identical DEPPS12 blocks — review for unintended duplication.)

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant API as REST API
    participant Dep as Deprecator

    rect rgb(250,240,230)
    Note over API: Non-master request with explain
    Client->>API: GET /classes/Thing?explain=true
    API->>Dep: logRuntimeDeprecation("explain requires master key")
    Dep-->>API: recorded
    API-->>Client: explain result (returned, deprecated)
    end

    rect rgb(230,250,240)
    Note over API: Master-key request with explain
    Client->>API: GET /classes/Thing?explain=true + useMasterKey
    API-->>Client: explain result (allowed)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Pay attention to:
  • src/rest.js — condition and message passed to Deprecator.logRuntimeDeprecation.
  • spec/ParseQuery.spec.js — duplicate DEPPS12 test blocks and commented-out assertions; ensure tests are deterministic and not duplicated.
  • DEPRECATIONS.md / changelogs/CHANGELOG_alpha.md — dates/timeline formatting and DEPPS12 wording.

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The pull request description is incomplete when compared against the required template. While the PR includes the Issue section with a link to GitHub issue #7519, it is missing the "Approach" section, which is explicitly required by the template to describe the changes made in the pull request. The description only includes the template boilerplate and the issue link, but provides no explanation of what modifications were implemented or why. The tasks checklist is filled out, but the critical narrative description of the approach is absent.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title "feat: Add deprecation on explain" is concise and directly reflects the main change in the changeset. The title clearly communicates that a deprecation is being added for the explain parameter, which is precisely what the code changes implement. The summary confirms that DEPPS12 deprecation was added to restrict explain query parameter usage to master key authenticated requests. The title is specific enough for a teammate reviewing commit history to understand the primary objective without ambiguity.
Linked Issues Check	✅ Passed	The code changes align well with the objectives stated in linked issue #7519. The PR implements the deprecation mechanism for the explain parameter as requested, with DEPPS12 added to DEPRECATIONS.md to document the restriction to master key usage. Tests have been added to spec/ParseQuery.spec.js to verify the deprecation behavior when explain is used without a master key, and the runtime deprecation logging is implemented in src/rest.js. Documentation has been updated in CHANGELOG_alpha.md. The implementation follows the parse-community deprecation policy by using the Deprecator to log runtime warnings rather than immediately throwing errors, allowing for a gradual transition to the new behavior.
Out of Scope Changes Check	✅ Passed	All code changes in this pull request are directly scoped to the requirements of issue #7519. The modifications include adding the deprecation definition (DEPRECATIONS.md), updating the changelog (CHANGELOG_alpha.md), implementing deprecation logging in the query execution path (src/rest.js), and adding corresponding tests (spec/ParseQuery.spec.js). No extraneous refactoring, unrelated bug fixes, dependency updates, or changes outside the deprecation feature are present. Each file modified serves a clear purpose in implementing the restrict-explain-to-master-key deprecation.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

spec/ParseQuery.spec.js (1)

5407-5411: Clean up commented code or document the intention.

The commented-out code suggests this deprecation is planned but not yet enforced. If this is a phased approach (warn now, enforce later), consider adding a comment explaining the timeline:

-        // fail('Should have thrown an error');
       } catch (error) {
-        // Uncomment this after the Deprecation DEPPS12
-        // expect(error.code).toEqual(Parse.Error.INVALID_QUERY);
-        // expect(error.message).toEqual('Using the explain query parameter without the master key');
+        // TODO: Enforce restriction in next major version (DEPPS12)
+        // expect(error.code).toEqual(Parse.Error.INVALID_QUERY);
+        // expect(error.message).toEqual('Using the explain query parameter without the master key');
       }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 00f8d4c and 705b1ef.

📒 Files selected for processing (4)

• DEPRECATIONS.md (1 hunks)
• changelogs/CHANGELOG_alpha.md (1 hunks)
• spec/ParseQuery.spec.js (1 hunks)
• src/rest.js (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
PR: parse-community/parse-server#9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/rest.js

🧬 Code graph analysis (2)

src/rest.js (1)

spec/helper.js (1)

• auth (394-394)

spec/ParseQuery.spec.js (2)

spec/helper.js (2)

• TestObject (279-281)
• Parse (4-4)

src/rest.js (1)

• Deprecator (16-16)

🪛 GitHub Check: Lint

spec/ParseQuery.spec.js

[failure] 5394-5394:
'Deprecator' is not defined

🪛 markdownlint-cli2 (0.18.1)

changelogs/CHANGELOG_alpha.md

3-3: Heading levels should only increment by one level at a time
Expected: h2; Actual: h3

(MD001, heading-increment)

DEPRECATIONS.md

17-17: Table pipe style
Expected: leading_and_trailing; Actual: leading_only; Missing trailing pipe

(MD055, table-pipe-style)

---

17-17: Table column count
Expected: 7; Actual: 5; Too few cells, row will be missing data

(MD056, table-column-count)

---

18-18: Table column count
Expected: 7; Actual: 9; Too many cells, extra data will be missing

(MD056, table-column-count)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Node 18
• GitHub Check: Node 20
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Redis Cache
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Docker Build

🔇 Additional comments (3)

changelogs/CHANGELOG_alpha.md (1)

1-6: LGTM!

The changelog entry follows the established format and clearly documents the DEPPS12 deprecation with appropriate links.

src/rest.js (2)

16-16: LGTM!

The Deprecator import is correctly added to support the new deprecation logging functionality.

---

39-50: LGTM!

The deprecation logging is correctly implemented:

• Properly detects when explain is used without master key authorization
• Logs a clear deprecation message without breaking existing functionality
• Preserves the commented error path for future enforcement when the deprecation period ends

[codecov]

Codecov Report

❌ Patch coverage is 88.88889% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 93.01%. Comparing base (b298ccc) to head (19ebc5b).
⚠️ Report is 1 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/Config.js	75.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #9890      +/-   ##
==========================================
- Coverage   93.01%   93.01%   -0.01%     
==========================================
  Files         187      187              
  Lines       15163    15170       +7     
  Branches      177      177              
==========================================
+ Hits        14104    14110       +6     
- Misses       1047     1048       +1     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mtrezza]

This PR requires a new Parse Server config option to enable / disable explain requiring master key. The option will be deprecated, so this is not a RuntimeDeprecation but a deprecation of the config option.

The new option should be in the DatabaseOptions interface, maybe called allowPublicExplain which is true by default.

Then replace the current test with 3 tests:

• reconfigure server with allowPublicExplain: true and ensure it works with and without master key
• reconfigure server with allowPublicExplain: false and ensure it works with master key and not without master key
• do not reconfigure server, i.e. don't explicitly set allowPublicExplain to test default value and ensure it works with and without master key

[coratgerl]

Done @mtrezza. Note that I had to remove this line in MongoStorageAdapter because it mutates the databaseOptions. This mutation causes the test to remove the value before it is injected into ParseApp, which then defaults to using the default options. This deletion is weird since we already remove the option below in this._mongoOptions.