joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Update route patterns to use path-to-regexp v8 syntax (#9942)

Browse Source 
BREAKING CHANGE: Route pattern syntax across cloud routes and rate-limiting now use the new path-to-regexp v8 syntax; see the [migration guide](https://github.com/parse-community/parse-server/blob/alpha/9.0.0.md) for more details.
This commit is contained in:
Lucas
2025-12-12 19:36:27 +01:00
committed by GitHub
parent 5a61993cb7
commit fa8723b3d1
10 changed files with 100 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
9.0.0.md Normal file
View File

@@ -0,0 +1,56 @@
# Parse Server 9 Migration Guide <!-- omit in toc -->
This document only highlights specific changes that require a longer explanation. For a full list of changes in Parse Server 9 please refer to the [changelog](https://github.com/parse-community/parse-server/blob/alpha/CHANGELOG.md).
---
- [Route Path Syntax and Rate Limiting](#route-path-syntax-and-rate-limiting)
---
## Route Path Syntax and Rate Limiting
Parse Server 9 standardizes the route pattern syntax across cloud routes and rate-limiting to use the new **path-to-regexp v8** style. This update introduces validation and a clear deprecation error for the old wildcard route syntax.
### Key Changes
- **Standardization**: All route paths now use the path-to-regexp v8 syntax, which provides better consistency and security.
- **Validation**: Added validation to ensure route paths conform to the new syntax.
- **Deprecation**: Old wildcard route syntax is deprecated and will trigger a clear error message.
### Migration Steps
#### Path Syntax Examples
Update your rate limit configurations to use the new path-to-regexp v8 syntax:
| Old Syntax (deprecated) | New Syntax (v8) |
|------------------------|-----------------|
| `/functions/*` | `/functions/*path` |
| `/classes/*` | `/classes/*path` |
| `/*` | `/*path` |
| `*` | `*path` |
**Before:**
```javascript
rateLimit: {
requestPath: '/functions/*',
requestTimeWindow: 10000,
requestCount: 100
}
```
**After:**
```javascript
rateLimit: {
requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 100
}
```
- Review your custom cloud routes and ensure they use the new path-to-regexp v8 syntax.
- Update any rate-limiting configurations to use the new route path format.
- Test your application to ensure all routes work as expected with the new syntax.
> [!Note]
> Consult the [path-to-regexp v8 docs](https://github.com/pillarjs/path-to-regexp) and the [Express 5 migration guide](https://expressjs.com/en/guide/migrating-5.html#path-syntax) for more details on the new path syntax.
### Related Pull Request
- [#9942](https://github.com/parse-community/parse-server/pull/9942)

90
package-lock.json generated
View File

@@ -39,7 +39,7 @@
"mustache": "4.2.0",
"otpauth": "9.4.0",
"parse": "8.0.0",
"path-to-regexp": "6.3.0",
"path-to-regexp": "8.3.0",
"pg-monitor": "3.0.0",
"pg-promise": "12.2.0",
"pluralize": "8.0.0",
@@ -12474,13 +12474,6 @@
"url": "https://github.com/sponsors/sindresorhus"
}
},
"node_modules/ip": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/ip/-/ip-2.0.1.tgz",
"integrity": "sha512-lJUL9imLTNi1ZfXT+DU6rBBdbiKGBuay9B6xGSPVjUeQwaH1RIGqef8RZkUtHioLmSNpPR5M4HVKJGm1j8FWVQ==",
"optional": true,
"peer": true
},
"node_modules/ipaddr.js": {
"version": "1.9.1",
"resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
@@ -18494,9 +18487,14 @@
}
},
"node_modules/path-to-regexp": {
"version": "6.3.0",
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.3.0.tgz",
"integrity": "sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ=="
"version": "8.3.0",
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
"integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
"license": "MIT",
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/path-type": {
"version": "4.0.0",
@@ -19796,14 +19794,6 @@
"resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz",
"integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ=="
},
"node_modules/router/node_modules/path-to-regexp": {
"version": "8.2.0",
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.2.0.tgz",
"integrity": "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ==",
"engines": {
"node": ">=16"
}
},
"node_modules/run-parallel": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
@@ -20682,32 +20672,6 @@
"url": "https://github.com/sponsors/sindresorhus"
}
},
"node_modules/smart-buffer": {
"version": "4.2.0",
"resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz",
"integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==",
"optional": true,
"peer": true,
"engines": {
"node": ">= 6.0.0",
"npm": ">= 3.0.0"
}
},
"node_modules/socks": {
"version": "2.7.1",
"resolved": "https://registry.npmjs.org/socks/-/socks-2.7.1.tgz",
"integrity": "sha512-7maUZy1N7uo6+WVEX6psASxtNlKaNVMlGQKkG/63nEDdLOWNbiUMoLK7X4uYoLhQstau72mLgfEWcXcwsaHbYQ==",
"optional": true,
"peer": true,
"dependencies": {
"ip": "^2.0.0",
"smart-buffer": "^4.2.0"
},
"engines": {
"node": ">= 10.13.0",
"npm": ">= 3.0.0"
}
},
"node_modules/source-map": {
"version": "0.6.1",
"resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
@@ -31334,13 +31298,6 @@
"p-is-promise": "^3.0.0"
}
},
"ip": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/ip/-/ip-2.0.1.tgz",
"integrity": "sha512-lJUL9imLTNi1ZfXT+DU6rBBdbiKGBuay9B6xGSPVjUeQwaH1RIGqef8RZkUtHioLmSNpPR5M4HVKJGm1j8FWVQ==",
"optional": true,
"peer": true
},
"ipaddr.js": {
"version": "1.9.1",
"resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
@@ -35522,9 +35479,9 @@
}
},
"path-to-regexp": {
"version": "6.3.0",
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.3.0.tgz",
"integrity": "sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ=="
"version": "8.3.0",
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
"integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA=="
},
"path-type": {
"version": "4.0.0",
@@ -36453,11 +36410,6 @@
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz",
"integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ=="
},
"path-to-regexp": {
"version": "8.2.0",
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.2.0.tgz",
"integrity": "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ=="
}
}
},
@@ -37046,24 +36998,6 @@
}
}
},
"smart-buffer": {
"version": "4.2.0",
"resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz",
"integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==",
"optional": true,
"peer": true
},
"socks": {
"version": "2.7.1",
"resolved": "https://registry.npmjs.org/socks/-/socks-2.7.1.tgz",
"integrity": "sha512-7maUZy1N7uo6+WVEX6psASxtNlKaNVMlGQKkG/63nEDdLOWNbiUMoLK7X4uYoLhQstau72mLgfEWcXcwsaHbYQ==",
"optional": true,
"peer": true,
"requires": {
"ip": "^2.0.0",
"smart-buffer": "^4.2.0"
}
},
"source-map": {
"version": "0.6.1",
"resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",

2
package.json
View File

@@ -48,8 +48,8 @@
"mongodb": "6.20.0",
"mustache": "4.2.0",
"otpauth": "9.4.0",
"path-to-regexp": "8.3.0",
"parse": "8.0.0",
"path-to-regexp": "6.3.0",
"pg-monitor": "3.0.0",
"pg-promise": "12.2.0",
"pluralize": "8.0.0",

30
spec/RateLimit.spec.js
View File

@@ -5,7 +5,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/functions/*',
requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -26,7 +26,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/functions/*',
requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -45,7 +45,7 @@ describe('rate limit', () => {
Parse.Cloud.define('test', () => 'Abc');
await reconfigureServer({
rateLimit: {
requestPath: '*',
requestPath: '/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -83,7 +83,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/functions/*',
requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -102,7 +102,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/functions/*',
requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
includeMasterKey: true,
@@ -122,7 +122,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/classes/*',
requestPath: '/classes/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -141,7 +141,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/classes/*',
requestPath: '/classes/*path',
requestTimeWindow: 10000,
requestCount: 1,
requestMethods: 'POST',
@@ -240,7 +240,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/classes/Test/*',
requestPath: '/classes/Test/*path',
requestTimeWindow: 10000,
requestCount: 1,
requestMethods: 'DELETE',
@@ -294,7 +294,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/functions/*',
requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 100,
errorResponseMessage: 'Too many requests',
@@ -320,7 +320,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/functions/*',
requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -340,7 +340,7 @@ describe('rate limit', () => {
it('can use global zone', async () => {
await reconfigureServer({
rateLimit: {
requestPath: '*',
requestPath: '*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -373,7 +373,7 @@ describe('rate limit', () => {
});
fakeRes.json = jasmine.createSpy('json').and.callFake(resolvingPromise);
middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
throw 'Should not call next';
throw new Error('Should not call next');
});
await promise;
expect(fakeRes.status).toHaveBeenCalledWith(429);
@@ -386,7 +386,7 @@ describe('rate limit', () => {
it('can use session zone', async () => {
await reconfigureServer({
rateLimit: {
requestPath: '/functions/*',
requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -407,7 +407,7 @@ describe('rate limit', () => {
it('can use user zone', async () => {
await reconfigureServer({
rateLimit: {
requestPath: '/functions/*',
requestPath: '/functions/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',
@@ -494,7 +494,7 @@ describe('rate limit', () => {
await reconfigureServer({
rateLimit: [
{
requestPath: '/classes/*',
requestPath: '/classes/*path',
requestTimeWindow: 10000,
requestCount: 1,
errorResponseMessage: 'Too many requests',

9
src/Config.js
View File

@@ -3,6 +3,7 @@
// mount is the URL for the root of the API; includes http, domain, etc.
import { isBoolean, isString } from 'lodash';
import { pathToRegexp } from 'path-to-regexp';
import net from 'net';
import AppCache from './cache';
import DatabaseController from './Controllers/DatabaseController';
@@ -687,6 +688,14 @@ export class Config {
if (typeof option.requestPath !== 'string') {
throw `rateLimit.requestPath must be a string`;
}
// Validate that the path is valid path-to-regexp syntax
try {
pathToRegexp(option.requestPath);
} catch (error) {
throw `rateLimit.requestPath "${option.requestPath}" is not valid: ${error.message}`;
}
if (option.requestTimeWindow == null) {
throw `rateLimit.requestTimeWindow must be defined`;
}

2
src/Options/Definitions.js
View File

@@ -686,7 +686,7 @@ module.exports.RateLimitOptions = {
requestPath: {
env: 'PARSE_SERVER_RATE_LIMIT_REQUEST_PATH',
help:
'The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expression. See: https://expressjs.com/en/guide/routing.html',
'The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following <a href="https://github.com/pillarjs/path-to-regexp">path-to-regexp v8</a> syntax.',
required: true,
},
requestTimeWindow: {

2
src/Options/docs.js
View File

@@ -121,7 +121,7 @@
* @property {String} redisUrl Optional, the URL of the Redis server to store rate limit data. This allows to rate limit requests for multiple servers by calculating the sum of all requests across all servers. This is useful if multiple servers are processing requests behind a load balancer. For example, the limit of 10 requests is reached if each of 2 servers processed 5 requests.
* @property {Number} requestCount The number of requests that can be made per IP address within the time window set in `requestTimeWindow` before the rate limit is applied.
* @property {String[]} requestMethods Optional, the HTTP request methods to which the rate limit should be applied, default is all methods.
* @property {String} requestPath The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expression. See: https://expressjs.com/en/guide/routing.html
* @property {String} requestPath The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following <a href="https://github.com/pillarjs/path-to-regexp">path-to-regexp v8</a> syntax.
* @property {Number} requestTimeWindow The window of time in milliseconds within which the number of requests set in `requestCount` can be made before the rate limit is applied.
* @property {String} zone The type of rate limit to apply. The following types are supported:<ul><li>`global`: rate limit based on the number of requests made by all users</li><li>`ip`: rate limit based on the IP address of the request</li><li>`user`: rate limit based on the user ID of the request</li><li>`session`: rate limit based on the session token of the request</li></ul>Default is `ip`.
*/

2
src/Options/index.js
View File

@@ -353,7 +353,7 @@ export interface ParseServerOptions {
}
export interface RateLimitOptions {
/* The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expression. See: https://expressjs.com/en/guide/routing.html */
/* The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following <a href="https://github.com/pillarjs/path-to-regexp">path-to-regexp v8</a> syntax. */
requestPath: string;
/* The window of time in milliseconds within which the number of requests set in `requestCount` can be made before the rate limit is applied. */
requestTimeWindow: ?number;

4
src/cloud-code/Parse.Cloud.js
View File

@@ -82,12 +82,12 @@ const getRoute = parseClass => {
'@Config' : 'config',
}[parseClass] || 'classes';
if (parseClass === '@File') {
return `/${route}/:id?(.*)`;
return `/${route}{/*id}`;
}
if (parseClass === '@Config') {
return `/${route}`;
}
return `/${route}/${parseClass}/:id?(.*)`;
return `/${route}/${parseClass}{/*id}`;
};
/** @namespace
* @name Parse

8
src/middlewares.js
View File

@@ -322,7 +322,7 @@ const handleRateLimit = async (req, res, next) => {
try {
await Promise.all(
rateLimits.map(async limit => {
const pathExp = new RegExp(limit.path);
const pathExp = limit.path.regexp || limit.path;
if (pathExp.test(req.url)) {
await limit.handler(req, res, err => {
if (err) {
@@ -560,12 +560,8 @@ export const addRateLimit = (route, config, cloud) => {
},
});
}
let transformPath = route.requestPath.split('/*').join('/(.*)');
if (transformPath === '*') {
transformPath = '(.*)';
}
config.rateLimits.push({
path: pathToRegexp(transformPath),
path: pathToRegexp(route.requestPath),
handler: rateLimit({
windowMs: route.requestTimeWindow,
max: route.requestCount,