feat: Deprecation DEPPS5: Config option allowClientClassCreation defaults to false (#8849)

BREAKING CHANGE: The Parse Server option `allowClientClassCreation` defaults to `false`.

DEPRECATIONS.md

@@ -8,7 +8,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 | DEPPS2 | Config option `directAccess` defaults to `true` | [#6636](https://github.com/parse-community/parse-server/pull/6636)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
 | DEPPS3 | Config option `enforcePrivateUsers` defaults to `true` | [#7319](https://github.com/parse-community/parse-server/pull/7319)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
 | DEPPS4 | Remove convenience method for http request `Parse.Cloud.httpRequest` | [#7589](https://github.com/parse-community/parse-server/pull/7589)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
-| DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |
+| DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | removed            | -     |
 | DEPPS6 | Auth providers disabled by default | [#7953](https://github.com/parse-community/parse-server/pull/7953)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | removed            | -     |
 | DEPPS7 | Remove file trigger syntax `Parse.Cloud.beforeSaveFile((request) => {})` | [#7966](https://github.com/parse-community/parse-server/pull/7966)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | removed            | -     |
 | DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | removed            | -     |

spec/ParseUser.spec.js

@@ -4402,3 +4402,31 @@ describe('login as other user', () => {
     done();
   });
 });
+
+describe('allowClientClassCreation option', () => {
+  it('should enforce boolean values', async () => {
+    const options = [[], 'a', '', 0, 1, {}, 'true', 'false'];
+    for (const option of options) {
+      await expectAsync(reconfigureServer({ allowClientClassCreation: option })).toBeRejected();
+    }
+  });
+
+  it('should accept true value', async () => {
+    await reconfigureServer({ allowClientClassCreation: true });
+    expect(Config.get(Parse.applicationId).allowClientClassCreation).toBe(true);
+  });
+
+  it('should accept false value', async () => {
+    await reconfigureServer({ allowClientClassCreation: false });
+    expect(Config.get(Parse.applicationId).allowClientClassCreation).toBe(false);
+  });
+
+  it('should default false', async () => {
+    // remove predefined allowClientClassCreation:true on global defaultConfiguration
+    delete defaultConfiguration.allowClientClassCreation;
+    await reconfigureServer(defaultConfiguration);
+    expect(Config.get(Parse.applicationId).allowClientClassCreation).toBe(false);
+    // Need to set it back to true to avoid other test fails
+    defaultConfiguration.allowClientClassCreation = true;
+  });
+});

spec/helper.js

@@ -129,6 +129,7 @@ const defaultConfiguration = {
     },
     shortLivedAuth: mockShortLivedAuth(),
   },
+  allowClientClassCreation: true,
 };
 
 if (process.env.PARSE_SERVER_TEST_CACHE === 'redis') {

src/Config.js

@@ -90,6 +90,7 @@ export class Config {
     rateLimit,
     databaseOptions,
     extendSessionOnUse,
+    allowClientClassCreation,
   }) {
     if (masterKey === readOnlyMasterKey) {
       throw new Error('masterKey and readOnlyMasterKey should be different');
@@ -132,6 +133,7 @@ export class Config {
     this.validateRateLimit(rateLimit);
     this.validateLogLevels(logLevels);
     this.validateDatabaseOptions(databaseOptions);
+    this.validateAllowClientClassCreation(allowClientClassCreation);
   }
 
   static validateControllers({
@@ -174,6 +176,12 @@ export class Config {
     }
   }
 
+  static validateAllowClientClassCreation(allowClientClassCreation) {
+    if (typeof allowClientClassCreation !== 'boolean') {
+      throw 'Parse Server option allowClientClassCreation must be a boolean.';
+    }
+  }
+
   static validateSecurityOptions(security) {
     if (Object.prototype.toString.call(security) !== '[object Object]') {
       throw 'Parse Server option security must be an object.';

src/Deprecator/Deprecations.js

@@ -16,6 +16,5 @@
  * If there are no deprecations, this must return an empty array.
  */
 module.exports = [
-  { optionKey: 'allowClientClassCreation', changeNewDefault: 'false' },
   { optionKey: 'encodeParseObjectInCloudFunction', changeNewDefault: 'true' },
 ];

src/Options/Definitions.js

@@ -57,9 +57,9 @@ module.exports.ParseServerOptions = {
   },
   allowClientClassCreation: {
     env: 'PARSE_SERVER_ALLOW_CLIENT_CLASS_CREATION',
-    help: 'Enable (or disable) client class creation, defaults to true',
+    help: 'Enable (or disable) client class creation, defaults to false',
     action: parsers.booleanParser,
-    default: true,
+    default: false,
   },
   allowCustomObjectId: {
     env: 'PARSE_SERVER_ALLOW_CUSTOM_OBJECT_ID',

src/Options/docs.js

@@ -12,7 +12,7 @@
 /**
  * @interface ParseServerOptions
  * @property {AccountLockoutOptions} accountLockout The account lockout policy for failed login attempts.
- * @property {Boolean} allowClientClassCreation Enable (or disable) client class creation, defaults to true
+ * @property {Boolean} allowClientClassCreation Enable (or disable) client class creation, defaults to false
  * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId
  * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `false`.
  * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers

src/Options/index.js

@@ -148,9 +148,9 @@ export interface ParseServerOptions {
   :ENV: PARSE_SERVER_ENABLE_ANON_USERS
   :DEFAULT: true */
   enableAnonymousUsers: ?boolean;
-  /* Enable (or disable) client class creation, defaults to true
+  /* Enable (or disable) client class creation, defaults to false
   :ENV: PARSE_SERVER_ALLOW_CLIENT_CLASS_CREATION
-  :DEFAULT: true */
+  :DEFAULT: false */
   allowClientClassCreation: ?boolean;
   /* Enable (or disable) custom objectId
   :ENV: PARSE_SERVER_ALLOW_CUSTOM_OBJECT_ID