feat: Add Parse Server options maxIncludeQueryComplexity, maxGraphQLQueryComplexity to limit query complexity for performance protection

[Moumouls]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Give developers the option to strengthen the protection of the Parse Server REST and GraphQL APIs based on complexity factors such as fields and query depth.

Approach

Currently parse-server can't have default values because it's a breaking change.
Also if in a futur major release we introduce some large default values (Depth 10 + Fields 100 on rest) and (Depth 20 and fields 200 on GQL). The includeAll option should be then masterKey only

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features
  • Configurable query complexity limits for GraphQL and REST includes (depth and fields/count); enforced at request time, blocks includeAll/include("*") for restricted users, and supports master/maintenance-key bypass.
• Documentation
  • Public options, types, and docs updated to expose new complexity settings and cross-option validation guidance.
• Tests
  • Comprehensive test suites covering GraphQL and REST complexity rules, fragments/includes, bypass keys, combined constraints, multi-operation and no-limit scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds configurable query-complexity limits for GraphQL and REST includes, validates their cross-relations in Config, enforces GraphQL complexity via an Apollo plugin (AST traversal with fragment/cycle handling and auth bypass), blocks/validates REST includes (including includeAll and wildcard), and adds comprehensive tests for both features.

Changes

Cohort / File(s)	Summary
Configuration & Types src/Config.js, src/Options/index.js, src/Options/Definitions.js, src/Options/docs.js, types/Options/index.d.ts	Introduce maxGraphQLQueryComplexity and maxIncludeQueryComplexity option shapes, typings, and docs; add Config.validateQueryComplexityOptions and wire validation into option processing; update public option types.
GraphQL Complexity Validation src/GraphQL/helpers/queryComplexity.js, src/GraphQL/ParseGraphQLServer.js	Add AST traversal to compute depth and field counts (handles Field, InlineFragment, FragmentSpread and cycle detection); implement createComplexityValidationPlugin(config) and conditionally attach it to ApolloServer; plugin skips checks for master/maintenance auth or when unset and throws GraphQLError on violations.
REST Include Validation src/RestQuery.js	Block includeAll and wildcard * includes for non-master/maintenance users when configured; validate include count and depth after parsing and throw INVALID_QUERY with explicit messages on violations.
Tests spec/ParseGraphQLQueryComplexity.spec.js, spec/RestQuery.spec.js	Add comprehensive tests covering GraphQL fields/depth limits (named/inline/cyclic fragments, combined constraints, bypass keys) and REST include count/depth, includeAll/wildcard blocking, and bypass scenarios.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Apollo as ApolloServer
    participant Plugin as ComplexityPlugin
    participant Resolver
    Note over Apollo: GraphQL request lifecycle
    Client->>Apollo: POST /graphql (document, headers)
    Apollo->>Apollo: Check auth (master/maintenance?)
    alt master/maintenance key
        Apollo->>Resolver: Execute query (no complexity check)
    else normal request
        Apollo->>Plugin: didResolveOperation(document)
        activate Plugin
        Plugin->>Plugin: build fragment map, traverse AST, count depth & fields
        Plugin-->>Apollo: ok or throw GraphQLError(403)
        deactivate Plugin
        alt within limits
            Apollo->>Resolver: Execute query
            Resolver-->>Client: 200 + data
        else exceeds limits
            Apollo-->>Client: 403 GraphQLError (limit exceeded)
        end
    end

Loading

sequenceDiagram
    participant Client
    participant REST as REST Endpoint
    participant Auth as Auth Check
    participant Validator as IncludeValidator
    participant Handler as QueryHandler
    Client->>REST: GET /classes/Thing?include=...
    REST->>Auth: Validate credentials
    alt master key
        Auth->>Handler: Proceed (no include validation)
    else normal/maintenance
        Auth->>Validator: Validate include count & depth
        activate Validator
        Validator->>Validator: count include fields, compute max depth
        Validator-->>Auth: ok or INVALID_QUERY error
        deactivate Validator
        alt within limits
            Auth->>Handler: Execute query and return results
        else exceeds limits
            REST-->>Client: 400 INVALID_QUERY
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Areas needing extra attention:
  • correctness and early-exit behavior of AST traversal, fragment resolution, and cycle detection in src/GraphQL/helpers/queryComplexity.js
  • plugin lifecycle hooks and master/maintenance bypass logic in src/GraphQL/ParseGraphQLServer.js
  • REST include parsing, includeAll/wildcard blocking, and exact error messages in src/RestQuery.js
  • cross-option validation in src/Config.js
  • reliability and flakiness risk in new tests (spec/*)

Possibly related issues

• Allow Parse.Query.includeAll when maxIncludeQueryComplexity is set #9939 — discusses includeAll/blocking behavior for includes; this PR implements includeAll and wildcard blocking under maxIncludeQueryComplexity.

Possibly related PRs

• fix: Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) #9819 — modifies Apollo Server plugin composition and GraphQL wiring; related to conditional plugin attachment here.
• feat: Add TypeScript definitions #9693 — introduces/adds query-complexity option types and related typings; closely related to the options and type updates in this PR.

Suggested reviewers

• mtrezza

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main feature: adding Parse Server options for query complexity limits to protect performance.
Description check	✅ Passed	The description includes the required issue context and approach, with completed tests and identified pending tasks; follows the template structure with clear objectives.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Moumouls]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 7

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a85ba19 and 278808d.

📒 Files selected for processing (9)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• spec/RestQuery.spec.js (1 hunks)
• src/Config.js (3 hunks)
• src/GraphQL/ParseGraphQLServer.js (2 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/Definitions.js (2 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• src/RestQuery.js (3 hunks)

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/RestQuery.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/Options/index.js
• src/Options/Definitions.js
• src/Config.js
• src/Options/docs.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/Options/Definitions.js
• src/Config.js
• src/Options/docs.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/RestQuery.js
• spec/RestQuery.spec.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/docs.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• spec/RestQuery.spec.js

🪛 Biome (2.1.2)

src/Options/index.js

[error] 45-49: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 362-362: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Node 22
• GitHub Check: Node 18
• GitHub Check: Redis Cache
• GitHub Check: Node 20
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Docker Build

[codecov]

Codecov Report

❌ Patch coverage is 86.15385% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.05%. Comparing base (d4c6de0) to head (996bdc2).
⚠️ Report is 1 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/Config.js	33.33%	4 Missing ⚠️
src/GraphQL/helpers/queryComplexity.js	90.90%	4 Missing ⚠️
src/RestQuery.js	90.90%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #9920      +/-   ##
==========================================
- Coverage   93.08%   93.05%   -0.03%     
==========================================
  Files         188      189       +1     
  Lines       15298    15363      +65     
  Branches      177      177              
==========================================
+ Hits        14240    14296      +56     
- Misses       1046     1055       +9     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (4)

src/Options/index.js (1)

354-369: Document the right counters for REST vs GraphQL complexity

The REST comment still describes a { depth, count } format while the shared type exposes fields, and the GraphQL comment says “fields = number of operations”, which contradicts the actual limiter (it counts field selections). This inconsistency will send users in circles. Please align the prose with the real counters—REST uses count for include paths, GraphQL uses fields for selected fields—and mention that fields limits field selections, not operations.

-  /* Maximum query complexity for REST API includes. Controls depth and number of include fields.
-   * Format: { depth: number, count: number }
-   * - depth: Maximum depth of nested includes (e.g., foo.bar.baz = depth 3)
-   * - count: Maximum number of include fields (e.g., foo,bar,baz = 3 fields)
+  /* Maximum query complexity for REST API includes. Controls include depth and include count.
+   * Format: { depth?: number, count?: number }
+   * - depth: Maximum depth of nested include paths (e.g., foo.bar.baz = depth 3)
+   * - count: Maximum number of include paths across the query (e.g., foo,bar,baz = 3)
…
-  /* Maximum query complexity for GraphQL queries. Controls depth and number of operations.
-   * Format: { depth: number, fields: number }
-   * - depth: Maximum depth of nested field selections
-   * - fields: Maximum number of operations (queries/mutations) in a single request
+  /* Maximum query complexity for GraphQL queries. Controls depth and total field selections.
+   * Format: { depth?: number, fields?: number }
+   * - depth: Maximum depth of nested field selections
+   * - fields: Maximum number of field selections within the resolved operation

spec/ParseGraphQLQueryComplexity.spec.js (1)

16-31: Close the HTTP server with a promise before reconfiguring

Line 19 (and again Line 54): httpServer.close() is callback-based; awaiting it directly never waits for the port to free, so the very next listen races and we can hit EADDRINUSE. Please wrap the close call in a Promise (and clear httpServer) before spinning up the next server, and reuse the same helper in afterEach.

-  async function reconfigureServer(options = {}) {
-    if (httpServer) {
-      await httpServer.close();
-    }
+  async function shutdownHttpServer() {
+    if (!httpServer) {
+      return;
+    }
+    await new Promise(resolve => httpServer.close(resolve));
+    httpServer = null;
+  }
+
+  async function reconfigureServer(options = {}) {
+    await shutdownHttpServer();
…
-    if (httpServer) {
-      await httpServer.close();
-    }
+    await shutdownHttpServer();

Also applies to: 52-55

spec/RestQuery.spec.js (1)

1107-1133: Use the actual include-count key in the “no includes” tests

Lines 1110 & 1131 still configure { paths: 1 }, so we never exercise the include-count limiter branch these tests are meant to cover. Change those objects to use the real count property so the server actually enforces the limit during the test run.

       maxIncludeQueryComplexity: {
         depth: 1,
-        paths: 1,
+        count: 1,
       },
…
       maxIncludeQueryComplexity: {
         depth: 1,
-        paths: 1,
+        count: 1,
       },

src/Options/Definitions.js (1)

402-402: Duplicate: Fix the fields description.

The description of the fields property is misleading as noted in a previous review. It currently states "Maximum number of operations (queries/mutations)" but the implementation enforces the number of field selections, not operations.

🧹 Nitpick comments (1)

src/Options/Definitions.js (1)

416-421: Consider consistent property naming across complexity options.

The maxIncludeQueryComplexity option uses a count property while maxGraphQLQueryComplexity uses a fields property, even though both measure similar concepts (the number of items being selected or included). This inconsistency may cause confusion.

Consider renaming one to match the other for API consistency, such as using fields for both or count for both. If the different names are intentional to reflect different semantics (GraphQL field selections vs REST include counts), this distinction should be clearly documented.

⚠️ Note: This is generated code. Changes must be made in src/Options/index.js.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 278808d and 9343bc0.

📒 Files selected for processing (8)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• spec/RestQuery.spec.js (1 hunks)
• src/Config.js (3 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/Definitions.js (2 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• src/RestQuery.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• src/RestQuery.js
• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (12)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/Options/Definitions.js
• src/Config.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• spec/RestQuery.spec.js
• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• spec/RestQuery.spec.js
• src/Options/Definitions.js
• src/Config.js
• src/Options/index.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

🧬 Code graph analysis (4)

spec/ParseGraphQLQueryComplexity.spec.js (1)

spec/helper.js (1)

• reconfigureServer (180-214)

spec/RestQuery.spec.js (3)

spec/helper.js (2)

• reconfigureServer (180-214)
• Parse (4-4)

src/RestQuery.js (3)

• query (372-381)
• query (382-382)
• results (800-800)

src/rest.js (1)

• query (120-130)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

src/Options/index.js (2)

resources/buildConfigDefinitions.js (3)

• type (121-121)
• type (159-159)
• type (216-216)

src/triggers.js (1)

• type (819-819)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 45-49: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 362-362: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

🔇 Additional comments (1)

src/Options/Definitions.js (1)

399-404: The core claim about an undefined option reference is incorrect.

The review comment states that line 402 references a non-existent maxQueryComplexity option. However, searching the entire codebase confirms maxQueryComplexity does not appear anywhere. More importantly, line 402 actually references only maxIncludeQueryComplexity and maxGraphQLQueryComplexity—both of which are properly defined options in the codebase and validated in src/Config.js.

A separate but valid concern exists: The environment variable PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY uses inconsistent naming. Other GraphQL-related environment variables in the same file use GRAPHQL (e.g., PARSE_SERVER_GRAPHQL_PATH, PARSE_SERVER_GRAPHQL_PUBLIC_INTROSPECTION, PARSE_SERVER_MOUNT_GRAPHQL), while two variables oddly use GRAPH_QL (PARSE_SERVER_GRAPH_QLSCHEMA and PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY). This is worth addressing, though it's a separate issue from what the review comment claimed.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (1)

spec/ParseGraphQLQueryComplexity.spec.js (1)

18-55: Await the HTTP server shutdown before restarting.

httpServer.close() is callback-based; await httpServer.close() returns immediately and the port can still be bound when the next test starts, causing intermittent EADDRINUSE. Wrap the close in a Promise (and mirror the change in afterEach) so we only continue once the listener is actually closed:

if (httpServer) {
-  await httpServer.close();
+  await new Promise(resolve => httpServer.close(resolve));
+  httpServer = null;
}

Apply the same promise wrapper inside afterEach.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9343bc0 and 5d405e9.

📒 Files selected for processing (5)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• types/Options/index.d.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/GraphQL/helpers/queryComplexity.js

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/docs.js
• src/Options/index.js
• spec/ParseGraphQLQueryComplexity.spec.js
• types/Options/index.d.ts

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/docs.js
• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/docs.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/Options/index.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

🧬 Code graph analysis (3)

src/Options/index.js (2)

resources/buildConfigDefinitions.js (3)

• type (121-121)
• type (159-159)
• type (216-216)

src/triggers.js (1)

• type (819-819)

spec/ParseGraphQLQueryComplexity.spec.js (1)

spec/helper.js (1)

• reconfigureServer (180-214)

types/Options/index.d.ts (6)

src/Adapters/Analytics/AnalyticsAdapter.js (1)

• AnalyticsAdapter (6-23)

src/Adapters/Logger/LoggerAdapter.js (1)

• LoggerAdapter (9-18)

src/Adapters/Cache/CacheAdapter.js (1)

• CacheAdapter (6-32)

src/Adapters/Email/MailAdapter.js (1)

• MailAdapter (8-23)

src/Adapters/PubSub/PubSubAdapter.js (1)

• PubSubAdapter (6-15)

src/Adapters/WebSocketServer/WSSAdapter.js (1)

• WSSAdapter (17-57)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 49-53: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 366-366: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 373-373: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 20
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

src/Options/Definitions.js (1)

399-404: The fields description still incorrectly states "operations" instead of "field selections".

This issue was flagged in a previous review and marked as addressed, but the incorrect description remains. Line 402 still describes fields as limiting "operations (queries/mutations)" when it should describe limiting the number of field selections in a single request.

Since this is generated code, the fix must be applied in src/Options/index.js and then npm run definitions must be executed to regenerate this file.

Based on learnings.

🧹 Nitpick comments (1)

src/Options/Definitions.js (1)

400-400: Verify the environment variable naming convention.

The environment variable PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY has inconsistent underscore placement. Based on other GraphQL-related variables in this file (e.g., PARSE_SERVER_GRAPHQL_PATH on line 298), it should likely be PARSE_SERVER_MAX_GRAPHQL_QUERY_COMPLEXITY with GRAPHQL as a single word.

Since this is generated code, verify and correct the naming in src/Options/index.js, then regenerate by running npm run definitions.

Based on learnings.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d405e9 and 1b6d5c7.

📒 Files selected for processing (2)

• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/Definitions.js

[Moumouls]

I suggest that developers set the parameters sufficiently high to prevent client issues, since the goal is to prevent major abuse, not to match the most complex query in the codebase.

 maxGraphQLQueryComplexity: {
          depth: 50,
          fields: 250,
        },

maxIncludeQueryComplexity: {
          depth: 10,
          count: 50,
        },

[mtrezza]

This is not a breaking change, correct? We'll make it a breaking change with #9928.

[Moumouls]

exactly @mtrezza no breaking change currently

[Moumouls]

@mtrezza i currently don't see a proper time window on my side to ship this correctly asap, i suggest to go ahead, it will be an opt in in PS9 and a breaking change for PS10, what do you think ?

[mtrezza]

I think we could go ahead and merge and add this as a caveat. I've opened #9939 to track the feature improvement. If you could just fix the conflict and #9920 (comment).

[Moumouls]

it's fixed @mtrezza we will have a merge conflict also between this one and apollo server update

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/Options/index.js (1)

1-1: Consider a more concise PR title with scope for the changelog.

The current title is quite long. For a clearer changelog entry, consider:

feat(security): add query complexity limits for REST and GraphQL APIs

This follows Angular convention with a scope and is more concise while still clearly conveying the feature's impact.

Based on learnings

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 251e9b8 and 025ea8a.

📒 Files selected for processing (4)

• src/GraphQL/ParseGraphQLServer.js (2 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• src/GraphQL/ParseGraphQLServer.js
• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/Options/index.js

🧬 Code graph analysis (1)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 49-53: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 368-368: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 377-377: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: Redis Cache
• GitHub Check: Node 18
• GitHub Check: Node 20
• GitHub Check: Node 22
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Benchmarks
• GitHub Check: Docker Build

🔇 Additional comments (2)

src/Options/Definitions.js (1)

1-5: Note: This is auto-generated code.

Based on lines 1-5, this file is generated by resources/buildConfigDefinitions.js from src/Options/index.js. Any issues should be fixed in the source file and then regenerated by running npm run definitions.

src/Options/index.js (1)

46-53: LGTM! Type definitions are well-structured.

The separate type definitions for GraphQLQueryComplexityOptions and IncludeComplexityOptions correctly reflect their different runtime shapes, and all fields are properly marked optional to match actual usage patterns.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/Options/index.js (1)

358-375: Option docs and HTML formatting for query complexity look good; minor follow-ups

The new maxIncludeQueryComplexity / maxGraphQLQueryComplexity JSDoc blocks:

• Use the required HTML formatting (<br><br>, <ul><li>) so they are parsable by the docs generator.
• Correctly describe depth and count / fields in terms of include paths vs field selections and mention the cross‑option constraint, matching the validator behavior.

Two optional polish ideas:

• Consider explicitly noting that depth / count / fields are individually optional in the prose (since the types allow partial objects), e.g. “Supported keys: depth, count …”.
• Suggested Angular-style PR title for the changelog:
  feat(graphql,rest): add query complexity limits for GraphQL and REST includes.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 025ea8a and 672dda1.

📒 Files selected for processing (3)

• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (7)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/Options/index.js

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• src/Options/index.js

🧬 Code graph analysis (2)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

src/Options/index.js (2)

src/triggers.js (1)

• type (821-821)

resources/buildConfigDefinitions.js (3)

• type (121-121)
• type (159-159)
• type (216-216)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 49-53: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 367-367: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 375-375: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: Node 18
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Docker Build
• GitHub Check: Redis Cache
• GitHub Check: Node 20
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Benchmarks
• GitHub Check: MongoDB 7, ReplicaSet

🔇 Additional comments (2)

src/Options/index.js (1)

46-53: Flow type aliases correctly model complexity options; Biome warnings are benign

GraphQLQueryComplexityOptions / IncludeComplexityOptions with optional depth / fields / count align with the runtime behavior (supporting partial configs) and resolve earlier type-shape issues for these options. The Biome parse errors about type aliases and ? are just the TS parser misreading this Flow-typed file; there’s nothing to change code-wise, but you may want to exclude this file or configure Biome to treat it as Flow.

src/Options/Definitions.js (1)

399-410: Definitions for new complexity options are consistent with Options/index.js

The maxGraphQLQueryComplexity / maxIncludeQueryComplexity entries correctly:

• Use the intended env vars (PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY, PARSE_SERVER_MAX_INCLUDE_QUERY_COMPLEXITY).
• Mirror the HTML-formatted help text and semantics from src/Options/index.js, including the field-selection vs include-path distinction and the “include < graphQL” constraint.
• Parse via objectParser, matching how other structured options are handled.

This confirms npm run definitions has been run and keeps options/docs in sync; no changes needed here. (README coverage can follow later with the planned docs task.)

[mtrezza]

@Moumouls if we set default values at some point with #9928, but the value 0 means no depth is allowed, what should a user set to disable the limits? undefined may be complicated as it's almost the same as not defined, and I don't think we make such nuanced distinctions for other options. It would be good to consider this already in this PR, so we don't have to make large changes later.

Should we define a value < 0 as disabling the options?

maxIncludeQueryComplexity: {
  depth: -1,
  count: -1,
}

[mtrezza]

@Moumouls Friendly ping so we can merge this.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

spec/RestQuery.spec.js (1)

1019-1188: Fix paths typo in configs and consider tightening the “queries without includes” tests

The includeAll / include('*') and “no limits configured” blocks look good: they correctly assert that:

• includeAll / include('*') are rejected with INVALID_QUERY when any include complexity limit is set,
• but still work with master key and when no complexity limits are configured.

Two issues in the “Queries without includes” section though:

1. Config key typo (paths vs count)

Both tests configure:

maxIncludeQueryComplexity: {
  depth: 1,
  paths: 1,
},

but the option surface and validator use count, not paths. This means the tests never exercise the count branch and are inconsistent with the public option shape.

Change paths to count in both configs:

       maxIncludeQueryComplexity: {
         depth: 1,
-        paths: 1,
+        count: 1,
       },

2. Two tests currently cover the same scenario

'should allow queries without includes regardless of complexity limits' and 'should allow queries with empty includes array' currently execute identical logic (both just new Parse.Query('SimpleObject').find() without any includes), so they don’t differentiate “no includes” from “empty includes”.

If you want distinct coverage, you could, for example, turn the second test into an explicit REST-level call with include= or use the SDK’s empty-include form so it truly hits the “empty includes” code path; otherwise, consider dropping or renaming it to avoid confusion. This is optional and doesn’t affect runtime behavior.

Also applies to: 1191-1230, 1232-1267

🧹 Nitpick comments (3)

src/Options/index.js (1)

358-375: Surface includeAll / include("*") restrictions in the option docs and keep generated docs in sync

The option comments describe depth / count / fields and the cross-limit rule, but they don’t mention that when maxIncludeQueryComplexity is configured, wildcard includes via includeAll() and include('*') are rejected for non-master / non-maintenance requests, as exercised in REST Query Complexity tests. That’s important behavior for operators.

Consider extending the maxIncludeQueryComplexity comment with a short HTML-formatted note about wildcard includes being disabled under these limits (and that explicit include paths should be used instead), then run npm run definitions so src/Options/docs.js and src/Options/Definitions.js pick up the updated wording as well.

Example diff for this file only:

   /* Maximum query complexity for REST API includes. Controls depth and number of include fields.
   <br><br>
   Format: `{ depth: number, count: number }`
   <ul>
   <li>`depth`: Maximum depth of nested includes (e.g., foo.bar.baz = depth 3)</li>
   <li>`count`: Maximum number of include fields (e.g., foo,bar,baz = 3 fields)</li>
-  </ul>
+  </ul>
+  <br>
+  When this option is configured, wildcard includes via `includeAll()` or `include("*")` are disabled for non-maintenance and non-master key requests to prevent uncontrolled include expansion. Use explicit include paths instead.
+  <br><br>
   If both `maxIncludeQueryComplexity` and `maxGraphQLQueryComplexity` are provided, `maxIncludeQueryComplexity` values must be lower than `maxGraphQLQueryComplexity` values to avoid validation conflicts. */
   maxIncludeQueryComplexity: ?IncludeComplexityOptions;

Also, per the changelog guidelines, a concise Angular-style PR title that reflects this feature could be:

feat(security): add query complexity limits for GraphQL and REST includes

src/Options/docs.js (1)

74-75: Docs for new complexity options are aligned; extend via generator if you add includeAll note

These @property entries for maxGraphQLQueryComplexity and maxIncludeQueryComplexity correctly describe:

• the option shapes ({ depth, fields } vs { depth, count }),
• what each dimension controls, and
• the cross-limit constraint between REST includes and GraphQL complexity.

If you adopt the suggested includeAll / include("*") note in src/Options/index.js, please rely on npm run definitions to regenerate this file instead of editing it directly, so the JSDoc and generated docs stay in sync.

src/Options/Definitions.js (1)

399-410: Generated definitions for new options look correct; keep them driven from Options/index.js

The maxGraphQLQueryComplexity and maxIncludeQueryComplexity entries have:

• sensible env var names,
• help text consistent with the Flow option docs (depth vs fields / count and the cross-limit rule),
• and use objectParser, which matches the { depth, fields/count } structure.

Given this file is generated, any further wording tweaks (for example, if you add an includeAll / include("*") restriction note in src/Options/index.js) should be made in Options/index.js and then propagated here via npm run definitions, not edited by hand. No changes needed to this snippet itself.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 672dda1 and 996bdc2.

📒 Files selected for processing (5)

• spec/RestQuery.spec.js (1 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• src/RestQuery.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/RestQuery.js

🧰 Additional context used

🧠 Learnings (14)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/docs.js
• spec/RestQuery.spec.js
• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/docs.js
• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• src/Options/docs.js
• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/docs.js
• src/Options/Definitions.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• spec/RestQuery.spec.js
• src/Options/index.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• src/Options/index.js

🧬 Code graph analysis (2)

spec/RestQuery.spec.js (3)

spec/helper.js (2)

• reconfigureServer (180-214)
• Parse (4-4)

spec/ParseQuery.FullTextSearch.spec.js (1)

• Parse (4-4)

src/RestQuery.js (3)

• query (373-382)
• query (383-383)
• results (801-801)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 49-53: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 367-367: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 375-375: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Node 22
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Node 20
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

🔇 Additional comments (2)

src/Options/index.js (1)

46-53: GraphQL / include complexity option types look consistent with runtime behavior

GraphQLQueryComplexityOptions and IncludeComplexityOptions correctly model the two dimensions used at runtime (depth + fields vs depth + count), and marking all properties optional matches how the validator accepts partial configs in tests and Config. No changes needed here.

spec/RestQuery.spec.js (1)

769-1016: Depth and combined depth+count coverage is thorough and matches the option semantics

The maxIncludeQueryComplexity.depth and “Combined depth and fields validation” suites exercise:

• Allowed vs rejected depth-only queries (depth: 2 vs depth: 1 with post.author).
• Multiple sibling nested paths under the same depth budget (post.author + post.category).
• Master-key and maintenance-key bypasses for over-depth includes.
• A scenario where depth is generous but count is tight, ensuring the count limit alone can reject a query.

This aligns well with how the depth and count options are documented and implemented. No changes needed here.

[mtrezza]

@Moumouls we're preparing all PS9 breaking change PRs for merge. Although this isn't a breaking change, we may want to consider #9920 (comment) to make a future introduction of a default limit easier. We can in fact merge this PR with a default limit already for the PS9 release, so we don't have to worry about adding a default in the future. If we can't find a solution here, then we can merge the feature anytime after the PS9 release and add the default with PS10. Maybe @coratgerl wants to take a look at this as well.

[coratgerl]

I discussed with @Moumouls about a potential improvement, either in this PR or in a future one, depending on the scop to use the validationRules object from Apollo Server for this type of validation.

[mtrezza]

@coratgerl The main question now is whether we can get the PR ready with a default value and add it as breaking change in PS9 release, or add it without default value after PS9 release. For now I've removed this PR from the required PRs for PS9. If you guys can find a solution for #9920 (comment) in time then we merge with a default value, otherwise we just disregard the PR for PS9 release and we can merge without default value when #9920 (comment) is solved.

[Moumouls]

@coderabbitai could you suggest good default value for new parameters introduced in this PR

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@Moumouls Based on the discussions in this PR and the constraint that REST limits must be lower than GraphQL limits, here are my recommendations for default values:

Recommended Default Values

For maxIncludeQueryComplexity (REST API):

maxIncludeQueryComplexity: {
  depth: 10,
  count: 100
}

For maxGraphQLQueryComplexity:

maxGraphQLQueryComplexity: {
  depth: 20,
  fields: 200
}

Rationale:

1. Conservative but practical: These values align with the illustrative defaults mentioned in the PR description and should accommodate most legitimate use cases while preventing abuse.

2. Follows the constraint: REST values (depth: 10, count: 100) are lower than GraphQL values (depth: 20, fields: 200), satisfying the validation rules.

3. Depth rationale:

   • REST depth of 10: Most REST queries with includes rarely need more than 3-5 levels of nesting. A depth of 10 provides a comfortable buffer.
   • GraphQL depth of 20: GraphQL queries can be more complex by nature; 20 levels provides flexibility while preventing deeply nested attacks.

4. Count/Fields rationale:

   • REST count of 100: Allows for complex include queries with many relations without being unlimited.
   • GraphQL fields of 200: GraphQL queries can select many fields across objects; 200 provides generous limits.

5. Regarding the -1 convention (addressing @mtrezza's concern): I recommend using -1 to explicitly disable limits when defaults are introduced:

   maxIncludeQueryComplexity: {
     depth: -1,  // disables depth limit
     count: -1   // disables count limit
   }

   This is a common convention in many systems and would make the future migration clearer.

Alternative Approach (More Generous):

If you prefer more generous defaults to minimize potential breakage:

maxIncludeQueryComplexity: {
  depth: 10,
  count: 150
}

maxGraphQLQueryComplexity: {
  depth: 50,
  fields: 300
}

These higher values match closer to @Moumouls's earlier suggestion and would be even safer for existing applications while still providing DoS protection.

---

🧠 Learnings used

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

---

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

[coderabbitai]

Actionable comments posted: 5

♻️ Duplicate comments (3)

spec/RestQuery.spec.js (2)

697-767: Master/maintenance bypass tests don’t exceed count limit (so they don’t prove bypass).
Both tests set count: 2 but only request 2 include paths (post, post.author). Add a 3rd include (and corresponding relation) so non-privileged requests would fail but privileged succeed.

---

1190-1229: maxIncludeQueryComplexity uses count, but tests configure paths (typo), so the intended branch may never run.
Replace paths with count in both “Queries without includes” tests.

src/RestQuery.js (1)

301-321: includeCount = this.include.length can overcount due to internal expansion of nested paths.
This is the “count requested include paths, not expansion nodes” issue; consider counting based on the original, de-duped include strings (before exploding into traversal order).

🧹 Nitpick comments (3)

spec/RestQuery.spec.js (1)

1211-1229: “empty includes array” test doesn’t set empty includes (it’s the same as the prior test).
Either remove it or make it actually pass an empty include (e.g. REST ?include=) so it’s not redundant.

src/RestQuery.js (1)

210-223: DRY: extract the repeated “block includeAll when limits active” check.
Avoid duplicating the same multi-clause condition and error construction in both branches.

Also applies to: 252-266

src/Config.js (1)

236-254: Consider validating numeric types/ranges for depth/count/fields (not just cross-relations).
E.g., enforce integers and >= -1 so misconfiguration fails early and predictably.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 996bdc2 and 7bfd8c9.

📒 Files selected for processing (8)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• spec/RestQuery.spec.js (1 hunks)
• src/Config.js (3 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• src/RestQuery.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• src/Options/docs.js
• spec/ParseGraphQLQueryComplexity.spec.js
• src/GraphQL/helpers/queryComplexity.js

🧰 Additional context used

🧠 Learnings (16)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/RestQuery.js
• src/Options/index.js
• spec/RestQuery.spec.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/RestQuery.js
• src/Options/index.js
• src/Options/Definitions.js

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• src/RestQuery.js
• src/Options/index.js
• src/Options/Definitions.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/RestQuery.js
• src/Options/index.js
• src/Options/Definitions.js
• spec/RestQuery.spec.js
• src/Config.js

📚 Learning: 2025-12-02T06:55:53.808Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

Applied to files:

• src/RestQuery.js
• src/Options/index.js
• src/Options/Definitions.js
• spec/RestQuery.spec.js
• src/Config.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• src/RestQuery.js
• spec/RestQuery.spec.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• src/RestQuery.js
• spec/RestQuery.spec.js

📚 Learning: 2025-12-02T08:00:20.138Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

Applied to files:

• src/RestQuery.js

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/Definitions.js
• src/Config.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/RestQuery.spec.js

🧬 Code graph analysis (3)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

spec/RestQuery.spec.js (1)

spec/helper.js (1)

• reconfigureServer (180-214)

src/Config.js (1)

src/RestQuery.js (1)

• includeCount (303-303)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 49-53: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 361-361: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 373-373: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 381-381: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Node 20
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Node 18
• GitHub Check: Redis Cache
• GitHub Check: Docker Build
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

🔇 Additional comments (4)

src/Options/index.js (2)

46-53: Flow option shapes look correct (optional depth/fields vs depth/count).

---

46-53: Biome reports parse errors on this Flow file — confirm CI/tooling expectations.
If Biome is part of required checks, it likely needs to ignore Flow syntax here (or be configured appropriately), otherwise this will remain a merge blocker.

Also applies to: 361-381

src/Config.js (1)

135-179: Options are correctly plumbed into validateOptions and the new validator is invoked.

src/Options/Definitions.js (1)

407-418: Generated definitions look consistent with the intended public option docs (including -1 semantics).
Just ensure the “includeAll not allowed” statement matches the final runtime behavior once tests/implementation are aligned.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

-1 semantics vs includeAll expectations are inconsistent with current server behavior/docs.
These tests expect includeAll() allowed when either depth or count is -1, but src/RestQuery.js currently blocks includeAll whenever any limit is enabled, and the option docs say includeAll is not allowed when the option is active. Align tests and implementation (pick one behavior and make it consistent).

🤖 Prompt for AI Agents

In spec/RestQuery.spec.js around lines 1269 to 1475, the tests assume
includeAll() is allowed when either depth or count is -1, but the server
implementation and docs currently disallow includeAll whenever the
maxIncludeQueryComplexity option is active; update the tests to match the
implementation/docs: change the two "should allow includeAll" tests to assert
that query.find() is rejected with Parse.Error.INVALID_QUERY when
maxIncludeQueryComplexity is enabled, and if you need a positive test for
includeAll being allowed, add a new test that calls reconfigureServer with
maxIncludeQueryComplexity unset or both depth and count explicitly set to -1 and
assert includeAll works; ensure error expectations use the same
jasmine.objectContaining({...code: Parse.Error.INVALID_QUERY}) pattern as other
tests.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Good coverage for depth: 0 / count: 0 semantics, but it currently won’t pass with the implementation.
src/RestQuery.js uses truthy checks (if (count && …)) which skip validation when count or depth is 0. If 0 is meant to mean “reject all includes”, fix the implementation accordingly.

🤖 Prompt for AI Agents

In src/RestQuery.js (around the include-complexity checks), the code uses truthy
checks like `if (count && ...)`/`if (depth && ...)` which skip validation when
count or depth is 0; change those checks to explicit existence/typing checks
(e.g. `typeof count === "number"` or `count !== undefined`) and then perform
numeric comparisons so that 0 is treated as a valid limit that rejects any
includes when exceeded (e.g. if count !== undefined && computedCount > count ->
reject; if depth !== undefined && computedDepth > depth -> reject). Also update
any related error paths to run when the explicit checks fail so the tests for
count:0 and depth:0 pass.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Keep includeAll policy consistent across docs, tests, and runtime.
Docs say includeAll is not allowed when limits are active, but the new REST tests expect it to be allowed for some -1 configurations. Please align one intended behavior across all three.

🧰 Tools

🪛 Biome (2.1.2)

[error] 361-361: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 373-373: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 381-381: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

🤖 Prompt for AI Agents

In src/Options/index.js around lines 361 to 381, the behavior of allow/deny for
includeAll is inconsistent between docs, tests, and runtime; standardize by
making includeAll allowed only when the relevant maxIncludeQueryComplexity is
effectively disabled (both depth and count are -1), and disallowed whenever any
active limit (depth or count >= 0) is set. Update the runtime validation to
treat {-1,-1} as "no limits" and permit includeAll, update unit/integration
tests to expect includeAll allowed only for the fully-disabled case, and update
the comments/docs block to state this exact rule so docs, tests, and runtime are
aligned.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Decide intended includeAll behavior for partial -1 configs and keep it consistent with tests/docs.
Right now any enabled limit blocks includeAll/include=* up-front, which contradicts the new tests that expect includeAll allowed when one dimension is -1. Either adjust tests/docs or change the blocking condition to match the intended semantics.

Also applies to: 252-266

🤖 Prompt for AI Agents

In src/RestQuery.js around lines 210-223 (and similarly at 252-266), the current
check blocks includeAll if any configured limit is enabled, but tests/docs
expect includeAll to be allowed when one dimension is -1; change the condition
so includeAll is only blocked when both maxIncludeQueryComplexity.depth and
.count are not -1 (i.e., both limits are enabled). Update the boolean logic to
handle undefined config safely and throw only when config exists and depth > -1
AND count > -1.

[Moumouls]

yes any enabled constraint will block includeAll, what should i update to make everythinkg consistent ?

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for includeAll test cases with -1 values in the REST query complexity tests
rg -n -A5 -B5 "includeAll" spec/RestQuery.spec.js | head -100

Length of output: 3443

---

🏁 Script executed:

#!/bin/bash
# Search for test cases involving -1 (disabled) values in complexity tests
rg -n -C8 "depth.*-1|count.*-1" spec/RestQuery.spec.js | head -150

Length of output: 5039

---

🏁 Script executed:

#!/bin/bash
# Check documentation for includeAll blocking behavior
rg -n -C3 "includeAll" src/Options/Definitions.js src/Options/docs.js src/Options/index.js

Length of output: 5915

---

@Moumouls The tests need to be updated to match your intended behavior. Currently, these two test cases expect includeAll to succeed when one dimension is -1:

Lines 1386-1411: "should allow includeAll when depth is -1"

• Config: { depth: -1, count: 5 }
• Currently expects: includeAll succeeds
• Should expect: rejection with error "includeAll is not allowed when query complexity limits are configured"

Lines 1413-1438: "should allow includeAll when count is -1"

• Config: { depth: 5, count: -1 }
• Currently expects: includeAll succeeds
• Should expect: rejection with error "includeAll is not allowed when query complexity limits are configured"

These tests should be updated to expect rejection instead of success, since your intent is that any enabled constraint (even with the other set to -1) should block includeAll.

You could also consider updating the documentation in src/Options/index.js (line 370) and src/Options/Definitions.js (line 416) to clarify:

Note: when this option is active (even if only one dimension is enabled), the `includeAll` method is not allowed.

This would make it clear that partial -1 configs still block includeAll.

---

🧠 Learnings used

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Bug: count: 0 / depth: 0 won’t be enforced (falsy checks), but tests expect rejection.
This currently skips validation when limit is 0. Use explicit number checks instead of truthiness.

-  if (!this.auth.isMaster && !this.auth.isMaintenance && this.config.maxIncludeQueryComplexity && this.include && this.include.length > 0) {
+  if (!this.auth.isMaster && !this.auth.isMaintenance && this.config.maxIncludeQueryComplexity && this.include?.length > 0) {
     const includeCount = this.include.length;

-    if (this.config.maxIncludeQueryComplexity.count !== -1 && this.config.maxIncludeQueryComplexity.count && includeCount > this.config.maxIncludeQueryComplexity.count) {
+    const countLimit = this.config.maxIncludeQueryComplexity.count;
+    if (typeof countLimit === 'number' && countLimit !== -1 && includeCount > countLimit) {
       throw new Parse.Error(
         Parse.Error.INVALID_QUERY,
         `Number of include fields exceeds maximum allowed`
       );
     }

     const depth = Math.max(...this.include.map(path => path.length));
-    if (this.config.maxIncludeQueryComplexity.depth !== -1 && this.config.maxIncludeQueryComplexity.depth && depth > this.config.maxIncludeQueryComplexity.depth) {
+    const depthLimit = this.config.maxIncludeQueryComplexity.depth;
+    if (typeof depthLimit === 'number' && depthLimit !== -1 && depth > depthLimit) {
       throw new Parse.Error(
         Parse.Error.INVALID_QUERY,
         `Include depth exceeds maximum allowed`
       );
     }
   }

🤖 Prompt for AI Agents

In src/RestQuery.js around lines 301 to 321, the current checks use truthiness
for maxIncludeQueryComplexity.count and .depth so values of 0 are skipped;
change the conditions to explicitly check for numeric limits: verify the config
field is a number (e.g. typeof this.config.maxIncludeQueryComplexity.count ===
'number') and not equal to -1, then compare includeCount > count (and similarly
for depth) so 0 is enforced correctly.

[mtrezza]

This is the last unmerged PR for Parse Server 9 release. We can merge as breaking, considering #9928. If you run into complexities, no worries, we'll go ahead with PS9 release and merge this at a later point as non-breaking.