Merge remote-tracking branch 'upstream/alpha' into alpha

Author: mtrezza

DEPRECATIONS.md

@@ -18,6 +18,9 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 | DEPPS12 | Database option `allowPublicExplain` defaults to `false`                                     | [#7519](https://github.com/parse-community/parse-server/issues/7519)   | 8.5.0 (2025)                    | 9.0.0 (2026)                    | changed               | -     |
 | DEPPS13 | Config option `enableInsecureAuthAdapters` defaults to `false`                               | [#9667](https://github.com/parse-community/parse-server/pull/9667)     | 8.0.0 (2025)                    | 9.0.0 (2026)                    | changed               | -     |
 | DEPPS14 | Config option `pages.encodePageParamHeaders` defaults to `true`                              | [#10063](https://github.com/parse-community/parse-server/issues/10063) | 9.4.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
+| DEPPS15 | Config option `readOnlyMasterKeyIps` defaults to `['127.0.0.1', '::1']`                      | [#10115](https://github.com/parse-community/parse-server/pull/10115)   | 9.5.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
+| DEPPS16 | Remove config option `mountPlayground`                                                       | [#10110](https://github.com/parse-community/parse-server/issues/10110) | 9.5.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
+| DEPPS17 | Remove config option `playgroundPath`                                                        | [#10110](https://github.com/parse-community/parse-server/issues/10110) | 9.5.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
 
 [i_deprecation]: ## "The version and date of the deprecation."
 [i_change]: ## "The version and date of the planned change."

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,17 @@
+# [9.5.0-alpha.13](https://github.com/parse-community/parse-server/compare/9.5.0-alpha.12...9.5.0-alpha.13) (2026-03-06)
+
+
+### Features
+
+* Deprecate GraphQL Playground that exposes master key in HTTP response  ([#10112](https://github.com/parse-community/parse-server/issues/10112)) ([d54d800](https://github.com/parse-community/parse-server/commit/d54d800f596f1937701f5bd57c81104f102bc3ae))
+
+# [9.5.0-alpha.12](https://github.com/parse-community/parse-server/compare/9.5.0-alpha.11...9.5.0-alpha.12) (2026-03-06)
+
+
+### Features
+
+* Add server option `readOnlyMasterKeyIps` to restrict `readOnlyMasterKey` by IP ([#10115](https://github.com/parse-community/parse-server/issues/10115)) ([cbff6b4](https://github.com/parse-community/parse-server/commit/cbff6b42a0b4f02552457f04a8757ac2376d3e04))
+
 # [9.5.0-alpha.11](https://github.com/parse-community/parse-server/compare/9.5.0-alpha.10...9.5.0-alpha.11) (2026-03-06)
 
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "9.5.0-alpha.11",
+  "version": "9.5.0-alpha.13",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

package.json

@@ -103,4 +103,50 @@ describe('Deprecator', () => {
       })
     );
   });
+
+  it('logs deprecation for removed key when option is set', async () => {
+    deprecations = [{ optionKey: 'exampleKey', changeNewKey: '', solution: 'Use something else.' }];
+
+    spyOn(Deprecator, '_getDeprecations').and.callFake(() => deprecations);
+    const logger = require('../lib/logger').logger;
+    const logSpy = spyOn(logger, 'warn').and.callFake(() => {});
+
+    await reconfigureServer({ exampleKey: true });
+    expect(logSpy).toHaveBeenCalledWith(
+      `DeprecationWarning: The Parse Server option '${deprecations[0].optionKey}' is deprecated and will be removed in a future version. ${deprecations[0].solution}`
+    );
+  });
+
+  it('does not log deprecation for removed key when option is not set', async () => {
+    deprecations = [{ optionKey: 'exampleKey', changeNewKey: '', solution: 'Use something else.' }];
+
+    spyOn(Deprecator, '_getDeprecations').and.callFake(() => deprecations);
+    const logSpy = spyOn(Deprecator, '_logOption').and.callFake(() => {});
+
+    await reconfigureServer();
+    expect(logSpy).not.toHaveBeenCalled();
+  });
+
+  it('logs deprecation for mountPlayground when set', async () => {
+    const logSpy = spyOn(Deprecator, '_logOption').and.callFake(() => {});
+
+    await reconfigureServer({ mountPlayground: true, mountGraphQL: true });
+    expect(logSpy).toHaveBeenCalledWith(
+      jasmine.objectContaining({
+        optionKey: 'mountPlayground',
+        changeNewKey: '',
+      })
+    );
+  });
+
+  it('does not log deprecation for mountPlayground when not set', async () => {
+    const logSpy = spyOn(Deprecator, '_logOption').and.callFake(() => {});
+
+    await reconfigureServer();
+    expect(logSpy).not.toHaveBeenCalledWith(
+      jasmine.objectContaining({
+        optionKey: 'mountPlayground',
+      })
+    );
+  });
 });

spec/Deprecator.spec.js

@@ -7,6 +7,7 @@ const AppCachePut = (appId, config) =>
     ...config,
     maintenanceKeyIpsStore: new Map(),
     masterKeyIpsStore: new Map(),
+    readOnlyMasterKeyIpsStore: new Map(),
   });
 
 describe('middlewares', () => {
@@ -207,6 +208,55 @@ describe('middlewares', () => {
     expect(fakeReq.auth.isMaster).toBe(true);
   });
 
+  it('should not succeed and log if the ip does not belong to readOnlyMasterKeyIps list', async () => {
+    const logger = require('../lib/logger').logger;
+    spyOn(logger, 'error').and.callFake(() => {});
+    AppCachePut(fakeReq.body._ApplicationId, {
+      masterKeyIps: ['0.0.0.0/0'],
+      readOnlyMasterKey: 'readOnlyMasterKey',
+      readOnlyMasterKeyIps: ['10.0.0.1'],
+    });
+    fakeReq.ip = '127.0.0.1';
+    fakeReq.headers['x-parse-application-id'] = fakeReq.body._ApplicationId;
+    fakeReq.headers['x-parse-master-key'] = 'readOnlyMasterKey';
+
+    const error = await middlewares.handleParseHeaders(fakeReq, fakeRes, () => {}).catch(e => e);
+
+    expect(error).toBeDefined();
+    expect(error.message).toEqual('unauthorized');
+    expect(logger.error).toHaveBeenCalledWith(
+      `Request using read-only master key rejected as the request IP address '127.0.0.1' is not set in Parse Server option 'readOnlyMasterKeyIps'.`
+    );
+  });
+
+  it('should succeed if the ip does belong to readOnlyMasterKeyIps list', async () => {
+    AppCachePut(fakeReq.body._ApplicationId, {
+      masterKeyIps: ['0.0.0.0/0'],
+      readOnlyMasterKey: 'readOnlyMasterKey',
+      readOnlyMasterKeyIps: ['10.0.0.1'],
+    });
+    fakeReq.ip = '10.0.0.1';
+    fakeReq.headers['x-parse-application-id'] = fakeReq.body._ApplicationId;
+    fakeReq.headers['x-parse-master-key'] = 'readOnlyMasterKey';
+    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
+    expect(fakeReq.auth.isMaster).toBe(true);
+    expect(fakeReq.auth.isReadOnly).toBe(true);
+  });
+
+  it('should allow any ip to use readOnlyMasterKey if readOnlyMasterKeyIps is 0.0.0.0/0', async () => {
+    AppCachePut(fakeReq.body._ApplicationId, {
+      masterKeyIps: ['0.0.0.0/0'],
+      readOnlyMasterKey: 'readOnlyMasterKey',
+      readOnlyMasterKeyIps: ['0.0.0.0/0'],
+    });
+    fakeReq.ip = '10.0.0.1';
+    fakeReq.headers['x-parse-application-id'] = fakeReq.body._ApplicationId;
+    fakeReq.headers['x-parse-master-key'] = 'readOnlyMasterKey';
+    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
+    expect(fakeReq.auth.isMaster).toBe(true);
+    expect(fakeReq.auth.isReadOnly).toBe(true);
+  });
+
   it('can set trust proxy', async () => {
     const server = await reconfigureServer({ trustProxy: 1 });
     expect(server.app.parent.settings['trust proxy']).toBe(1);

spec/Middlewares.spec.js

@@ -35,6 +35,8 @@ describe('Security Check Groups', () => {
       config.enableInsecureAuthAdapters = false;
       config.graphQLPublicIntrospection = false;
       config.mountPlayground = false;
+      config.readOnlyMasterKey = 'someReadOnlyMasterKey';
+      config.readOnlyMasterKeyIps = ['127.0.0.1', '::1'];
       await reconfigureServer(config);
 
       const group = new CheckGroupServerConfig();
@@ -45,6 +47,7 @@ describe('Security Check Groups', () => {
       expect(group.checks()[4].checkState()).toBe(CheckState.success);
       expect(group.checks()[5].checkState()).toBe(CheckState.success);
       expect(group.checks()[6].checkState()).toBe(CheckState.success);
+      expect(group.checks()[8].checkState()).toBe(CheckState.success);
     });
 
     it('checks fail correctly', async () => {
@@ -54,6 +57,8 @@ describe('Security Check Groups', () => {
       config.enableInsecureAuthAdapters = true;
       config.graphQLPublicIntrospection = true;
       config.mountPlayground = true;
+      config.readOnlyMasterKey = 'someReadOnlyMasterKey';
+      config.readOnlyMasterKeyIps = ['0.0.0.0/0'];
       await reconfigureServer(config);
 
       const group = new CheckGroupServerConfig();
@@ -64,6 +69,7 @@ describe('Security Check Groups', () => {
       expect(group.checks()[4].checkState()).toBe(CheckState.fail);
       expect(group.checks()[5].checkState()).toBe(CheckState.fail);
       expect(group.checks()[6].checkState()).toBe(CheckState.fail);
+      expect(group.checks()[8].checkState()).toBe(CheckState.fail);
     });
 
     it_only_db('mongo')('checks succeed correctly (MongoDB specific)', async () => {

spec/SecurityCheckGroups.spec.js

@@ -118,6 +118,7 @@ export class Config {
     maintenanceKey,
     maintenanceKeyIps,
     readOnlyMasterKey,
+    readOnlyMasterKeyIps,
     allowHeaders,
     idempotencyOptions,
     fileUpload,
@@ -158,6 +159,7 @@ export class Config {
     this.validateSessionConfiguration(sessionLength, expireInactiveSessions);
     this.validateIps('masterKeyIps', masterKeyIps);
     this.validateIps('maintenanceKeyIps', maintenanceKeyIps);
+    this.validateIps('readOnlyMasterKeyIps', readOnlyMasterKeyIps);
     this.validateDefaultLimit(defaultLimit);
     this.validateMaxLimit(maxLimit);
     this.validateAllowHeaders(allowHeaders);

src/Config.js

@@ -26,4 +26,19 @@ module.exports = [
     changeNewDefault: 'true',
     solution: "Set 'pages.encodePageParamHeaders' to 'true' to URI-encode non-ASCII characters in page parameter headers.",
   },
+  {
+    optionKey: 'readOnlyMasterKeyIps',
+    changeNewDefault: '["127.0.0.1", "::1"]',
+    solution: "Set 'readOnlyMasterKeyIps' to the IP addresses that should be allowed to use the read-only master key, or to '[\"127.0.0.1\", \"::1\"]' to restrict access to localhost.",
+  },
+  {
+    optionKey: 'mountPlayground',
+    changeNewKey: '',
+    solution: "Use Parse Dashboard as GraphQL IDE or configure a third-party GraphQL client such as Apollo Sandbox, GraphiQL, or Insomnia with custom request headers.",
+  },
+  {
+    optionKey: 'playgroundPath',
+    changeNewKey: '',
+    solution: "Use Parse Dashboard as GraphQL IDE or configure a third-party GraphQL client such as Apollo Sandbox, GraphiQL, or Insomnia with custom request headers.",
+  },
 ];

src/Deprecator/Deprecations.js

@@ -20,11 +20,17 @@ class Deprecator {
       const solution = deprecation.solution;
       const optionKey = deprecation.optionKey;
       const changeNewDefault = deprecation.changeNewDefault;
+      const changeNewKey = deprecation.changeNewKey;
 
       // If default will change, only throw a warning if option is not set
       if (changeNewDefault != null && Utils.getNestedProperty(options, optionKey) == null) {
         Deprecator._logOption({ optionKey, changeNewDefault, solution });
       }
+
+      // If key will be removed or renamed, only throw a warning if option is set
+      if (changeNewKey != null && Utils.getNestedProperty(options, optionKey) != null) {
+        Deprecator._logOption({ optionKey, changeNewKey, solution });
+      }
     }
   }
 
@@ -107,7 +113,7 @@ class Deprecator {
 
     // Compose message
     let output = `DeprecationWarning: The Parse Server ${type} '${key}' `;
-    output += changeNewKey ? `is deprecated and will be ${keyAction} in a future version.` : '';
+    output += changeNewKey != null ? `is deprecated and will be ${keyAction} in a future version.` : '';
     output += changeNewDefault
       ? `default will change to '${changeNewDefault}' in a future version.`
       : '';