Merge branch 'upstream/alpha' into moumouls/include-prevention-complexity

# Conflicts:
#	src/GraphQL/ParseGraphQLServer.js

Author: Moumouls

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,31 @@
+# [8.5.0-alpha.12](https://github.com/parse-community/parse-server/compare/8.5.0-alpha.11...8.5.0-alpha.12) (2025-11-19)
+
+
+### Features
+
+* Add `beforePasswordResetRequest` hook ([#9906](https://github.com/parse-community/parse-server/issues/9906)) ([94cee5b](https://github.com/parse-community/parse-server/commit/94cee5bfafca10c914c73cf17fcdb627a9f0837b))
+
+# [8.5.0-alpha.11](https://github.com/parse-community/parse-server/compare/8.5.0-alpha.10...8.5.0-alpha.11) (2025-11-17)
+
+
+### Bug Fixes
+
+* Deprecation warning logged at server launch for nested Parse Server option even if option is explicitly set ([#9934](https://github.com/parse-community/parse-server/issues/9934)) ([c22cb0a](https://github.com/parse-community/parse-server/commit/c22cb0ae58e64cd0e4597ab9610d57a1155c44a2))
+
+# [8.5.0-alpha.10](https://github.com/parse-community/parse-server/compare/8.5.0-alpha.9...8.5.0-alpha.10) (2025-11-17)
+
+
+### Bug Fixes
+
+* Queries with object field `authData.provider.id` are incorrectly transformed to `_auth_data_provider.id` for custom classes ([#9932](https://github.com/parse-community/parse-server/issues/9932)) ([7b9fa18](https://github.com/parse-community/parse-server/commit/7b9fa18f968ec084ea0b35dad2b5ba0451d59787))
+
+# [8.5.0-alpha.9](https://github.com/parse-community/parse-server/compare/8.5.0-alpha.8...8.5.0-alpha.9) (2025-11-17)
+
+
+### Bug Fixes
+
+* Race condition can cause multiple Apollo server initializations under load ([#9929](https://github.com/parse-community/parse-server/issues/9929)) ([7d5e9fc](https://github.com/parse-community/parse-server/commit/7d5e9fcf3ceb0abad8ab49c75bc26f521a0f1bde))
+
 # [8.5.0-alpha.8](https://github.com/parse-community/parse-server/compare/8.5.0-alpha.7...8.5.0-alpha.8) (2025-11-17)
 
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "8.5.0-alpha.8",
+  "version": "8.5.0-alpha.12",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

package.json

@@ -3307,19 +3307,19 @@ describe('afterFind hooks', () => {
     }).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
     expect(() => {
       Parse.Cloud.beforeLogin('SomeClass', () => { });
-    }).toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
+    }).toThrow('Only the _User class is allowed for the beforeLogin, afterLogin, and beforePasswordResetRequest triggers');
     expect(() => {
       Parse.Cloud.afterLogin(() => { });
-    }).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
+    }).not.toThrow('Only the _User class is allowed for the beforeLogin, afterLogin, and beforePasswordResetRequest triggers');
     expect(() => {
       Parse.Cloud.afterLogin('_User', () => { });
-    }).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
+    }).not.toThrow('Only the _User class is allowed for the beforeLogin, afterLogin, and beforePasswordResetRequest triggers');
     expect(() => {
       Parse.Cloud.afterLogin(Parse.User, () => { });
-    }).not.toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
+    }).not.toThrow('Only the _User class is allowed for the beforeLogin, afterLogin, and beforePasswordResetRequest triggers');
     expect(() => {
       Parse.Cloud.afterLogin('SomeClass', () => { });
-    }).toThrow('Only the _User class is allowed for the beforeLogin and afterLogin triggers');
+    }).toThrow('Only the _User class is allowed for the beforeLogin, afterLogin, and beforePasswordResetRequest triggers');
     expect(() => {
       Parse.Cloud.afterLogout(() => { });
     }).not.toThrow();
@@ -4656,3 +4656,157 @@ describe('sendEmail', () => {
     );
   });
 });
+
+describe('beforePasswordResetRequest hook', () => {
+  it('should run beforePasswordResetRequest with valid user', async () => {
+    let hit = 0;
+    let sendPasswordResetEmailCalled = false;
+    const emailAdapter = {
+      sendVerificationEmail: () => Promise.resolve(),
+      sendPasswordResetEmail: () => {
+        sendPasswordResetEmailCalled = true;
+      },
+      sendMail: () => {},
+    };
+
+    await reconfigureServer({
+      appName: 'test',
+      emailAdapter: emailAdapter,
+      publicServerURL: 'http://localhost:8378/1',
+    });
+
+    Parse.Cloud.beforePasswordResetRequest(req => {
+      hit++;
+      expect(req.object).toBeDefined();
+      expect(req.object.get('email')).toEqual('[email protected]');
+      expect(req.object.get('username')).toEqual('testuser');
+    });
+
+    const user = new Parse.User();
+    user.setUsername('testuser');
+    user.setPassword('password');
+    user.set('email', '[email protected]');
+    await user.signUp();
+
+    await Parse.User.requestPasswordReset('[email protected]');
+    expect(hit).toBe(1);
+    expect(sendPasswordResetEmailCalled).toBe(true);
+  });
+
+  it('should be able to block password reset request if an error is thrown', async () => {
+    let hit = 0;
+    let sendPasswordResetEmailCalled = false;
+    const emailAdapter = {
+      sendVerificationEmail: () => Promise.resolve(),
+      sendPasswordResetEmail: () => {
+        sendPasswordResetEmailCalled = true;
+      },
+      sendMail: () => {},
+    };
+
+    await reconfigureServer({
+      appName: 'test',
+      emailAdapter: emailAdapter,
+      publicServerURL: 'http://localhost:8378/1',
+    });
+
+    Parse.Cloud.beforePasswordResetRequest(req => {
+      hit++;
+      throw new Error('password reset blocked');
+    });
+
+    const user = new Parse.User();
+    user.setUsername('testuser');
+    user.setPassword('password');
+    user.set('email', '[email protected]');
+    await user.signUp();
+
+    try {
+      await Parse.User.requestPasswordReset('[email protected]');
+      throw new Error('should not have sent password reset email.');
+    } catch (e) {
+      expect(e.message).toBe('password reset blocked');
+    }
+    expect(hit).toBe(1);
+    expect(sendPasswordResetEmailCalled).toBe(false);
+  });
+
+  it('should not run beforePasswordResetRequest if email does not exist', async () => {
+    let hit = 0;
+    const emailAdapter = {
+      sendVerificationEmail: () => Promise.resolve(),
+      sendPasswordResetEmail: () => {},
+      sendMail: () => {},
+    };
+
+    await reconfigureServer({
+      appName: 'test',
+      emailAdapter: emailAdapter,
+      publicServerURL: 'http://localhost:8378/1',
+    });
+
+    Parse.Cloud.beforePasswordResetRequest(req => {
+      hit++;
+    });
+
+    await Parse.User.requestPasswordReset('[email protected]');
+
+    expect(hit).toBe(0);
+  });
+
+  it('should have expected data in request in beforePasswordResetRequest', async () => {
+    const emailAdapter = {
+      sendVerificationEmail: () => Promise.resolve(),
+      sendPasswordResetEmail: () => {},
+      sendMail: () => {},
+    };
+
+    await reconfigureServer({
+      appName: 'test',
+      emailAdapter: emailAdapter,
+      publicServerURL: 'http://localhost:8378/1',
+    });
+
+    const base64 = 'V29ya2luZyBhdCBQYXJzZSBpcyBncmVhdCE=';
+    const file = new Parse.File('myfile.txt', { base64 });
+    await file.save();
+
+    Parse.Cloud.beforePasswordResetRequest(req => {
+      expect(req.object).toBeDefined();
+      expect(req.object.get('email')).toBeDefined();
+      expect(req.object.get('email')).toBe('[email protected]');
+      expect(req.object.get('file')).toBeDefined();
+      expect(req.object.get('file')).toBeInstanceOf(Parse.File);
+      expect(req.object.get('file').name()).toContain('myfile.txt');
+      expect(req.headers).toBeDefined();
+      expect(req.ip).toBeDefined();
+      expect(req.installationId).toBeDefined();
+      expect(req.context).toBeDefined();
+      expect(req.config).toBeDefined();
+    });
+
+    const user = new Parse.User();
+    user.setUsername('testuser2');
+    user.setPassword('password');
+    user.set('email', '[email protected]');
+    user.set('file', file);
+    await user.signUp();
+
+    await Parse.User.requestPasswordReset('[email protected]');
+  });
+
+  it('should validate that only _User class is allowed for beforePasswordResetRequest', () => {
+    expect(() => {
+      Parse.Cloud.beforePasswordResetRequest('SomeClass', () => { });
+    }).toThrow('Only the _User class is allowed for the beforeLogin, afterLogin, and beforePasswordResetRequest triggers');
+    expect(() => {
+      Parse.Cloud.beforePasswordResetRequest(() => { });
+    }).not.toThrow();
+    expect(() => {
+      Parse.Cloud.beforePasswordResetRequest('_User', () => { });
+    }).not.toThrow();
+    expect(() => {
+      Parse.Cloud.beforePasswordResetRequest(Parse.User, () => { });
+    }).not.toThrow();
+  });
+});

spec/CloudCode.spec.js

@@ -45,4 +45,29 @@ describe('Deprecator', () => {
       `DeprecationWarning: ${options.usage} is deprecated and will be removed in a future version. ${options.solution}`
     );
   });
+
+  it('logs deprecation for nested option key with dot notation', async () => {
+    deprecations = [{ optionKey: 'databaseOptions.allowPublicExplain', changeNewDefault: 'false' }];
+
+    spyOn(Deprecator, '_getDeprecations').and.callFake(() => deprecations);
+    const logger = require('../lib/logger').logger;
+    const logSpy = spyOn(logger, 'warn').and.callFake(() => {});
+
+    await reconfigureServer();
+    expect(logSpy.calls.all()[0].args[0]).toEqual(
+      `DeprecationWarning: The Parse Server option '${deprecations[0].optionKey}' default will change to '${deprecations[0].changeNewDefault}' in a future version.`
+    );
+  });
+
+  it('does not log deprecation for nested option key if option is set manually', async () => {
+    deprecations = [{ optionKey: 'databaseOptions.allowPublicExplain', changeNewDefault: 'false' }];
+
+    spyOn(Deprecator, '_getDeprecations').and.callFake(() => deprecations);
+    const logSpy = spyOn(Deprecator, '_logOption').and.callFake(() => {});
+    const Config = require('../lib/Config');
+    const config = Config.get('test');
+    // Directly test scanParseServerOptions with nested option set
+    Deprecator.scanParseServerOptions({ databaseOptions: { allowPublicExplain: true } });
+    expect(logSpy).not.toHaveBeenCalled();
+  });
 });

spec/Deprecator.spec.js

@@ -521,6 +521,23 @@ describe('parseObjectToMongoObjectForCreate', () => {
     expect(output.authData).toBe('random');
     done();
   });
+
+  it('should only transform authData.provider.id for _User class', () => {
+    // Test that for _User class, authData.facebook.id is transformed
+    const userInput = {
+      'authData.facebook.id': '10000000000000001',
+    };
+    const userOutput = transform.transformWhere('_User', userInput, { fields: {} });
+    expect(userOutput['_auth_data_facebook.id']).toBe('10000000000000001');
+
+    // Test that for non-User classes, authData.facebook.id is NOT transformed
+    const customInput = {
+      'authData.facebook.id': '10000000000000001',
+    };
+    const customOutput = transform.transformWhere('SpamAlerts', customInput, { fields: {} });
+    expect(customOutput['authData.facebook.id']).toBe('10000000000000001');
+    expect(customOutput['_auth_data_facebook.id']).toBeUndefined();
+  });
 });
 
 it('cannot have a custom field name beginning with underscore', done => {

spec/MongoTransform.spec.js

@@ -118,6 +118,20 @@ describe('ParseGraphQLServer', () => {
       expect(server3).not.toBe(server2);
       expect(server3).toBe(server4);
     });
+
+    it('should return same server reference when called 100 times in parallel', async () => {
+      parseGraphQLServer.server = undefined;
+
+      // Call _getServer 100 times in parallel
+      const promises = Array.from({ length: 100 }, () => parseGraphQLServer._getServer());
+      const servers = await Promise.all(promises);
+
+      // All resolved servers should be the same reference
+      const firstServer = servers[0];
+      servers.forEach((server, index) => {
+        expect(server).toBe(firstServer);
+      });
+    });
   });
 
   describe('_getGraphQLOptions', () => {