feat: Add query server options namespace with aggregation raw defaults

mtrezza · mtrezza · commit 2f39a13b9f5a · 2026-04-16T08:30:19.000+02:00
diff --git a/resources/buildConfigDefinitions.js b/resources/buildConfigDefinitions.js
@@ -23,6 +23,7 @@ const nestedOptionTypes = [
   'PagesOptions',
   'PagesRoute',
   'PasswordPolicyOptions',
+  'QueryServerOptions',
   'RequestComplexityOptions',
   'SecurityOptions',
   'SchemaOptions',
@@ -48,6 +49,7 @@ const nestedOptionEnvPrefix = {
   PagesRoute: 'PARSE_SERVER_PAGES_ROUTE_',
   ParseServerOptions: 'PARSE_SERVER_',
   PasswordPolicyOptions: 'PARSE_SERVER_PASSWORD_POLICY_',
+  QueryServerOptions: 'PARSE_SERVER_QUERY_',
   RateLimitOptions: 'PARSE_SERVER_RATE_LIMIT_',
   RequestComplexityOptions: 'PARSE_SERVER_REQUEST_COMPLEXITY_',
   SchemaOptions: 'PARSE_SERVER_SCHEMA_',
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -512,6 +512,13 @@ module.exports.ParseServerOptions = {
     help: 'Configuration for push, as stringified JSON. See http://docs.parseplatform.org/parse-server/guide/#push-notifications',
     action: parsers.objectParser,
   },
+  query: {
+    env: 'PARSE_SERVER_QUERY',
+    help: 'Query-related server defaults.',
+    action: parsers.objectParser,
+    type: 'QueryServerOptions',
+    default: {},
+  },
   rateLimit: {
     env: 'PARSE_SERVER_RATE_LIMIT',
     help: "Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br>\u2139\uFE0F Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and use case.",
@@ -778,6 +785,20 @@ module.exports.SecurityOptions = {
     default: false,
   },
 };
+module.exports.QueryServerOptions = {
+  aggregationRawFieldNames: {
+    env: 'PARSE_SERVER_QUERY_AGGREGATION_RAW_FIELD_NAMES',
+    help: 'When `true`, all aggregation queries default to using native MongoDB field names (no automatic `createdAt` \u2192 `_created_at` rewriting). Individual queries can still override this via the `rawFieldNames` option. Default is `false`.',
+    action: parsers.booleanParser,
+    default: false,
+  },
+  aggregationRawValues: {
+    env: 'PARSE_SERVER_QUERY_AGGREGATION_RAW_VALUES',
+    help: 'When `true`, all aggregation queries default to using MongoDB Extended JSON (EJSON) for explicit value typing and skip schema-based value coercion. Individual queries can still override this via the `rawValues` option. Default is `false`.',
+    action: parsers.booleanParser,
+    default: false,
+  },
+};
 module.exports.PagesOptions = {
   customRoutes: {
     env: 'PARSE_SERVER_PAGES_CUSTOM_ROUTES',
diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -391,6 +391,10 @@ export interface ParseServerOptions {
   :ENV: PARSE_SERVER_REQUEST_COMPLEXITY
   :DEFAULT: {} */
   requestComplexity: ?RequestComplexityOptions;
+  /* Query-related server defaults.
+  :ENV: PARSE_SERVER_QUERY
+  :DEFAULT: {} */
+  query: ?QueryServerOptions;
   /* The security options to identify and report weak security settings.
   :DEFAULT: {} */
   security: ?SecurityOptions;
@@ -490,6 +494,17 @@ export interface SecurityOptions {
   checkGroups: ?(CheckGroup[]);
 }
 
+export interface QueryServerOptions {
+  /* When `true`, all aggregation queries default to using MongoDB Extended JSON (EJSON) for explicit value typing and skip schema-based value coercion. Individual queries can still override this via the `rawValues` option. Default is `false`.
+  :ENV: PARSE_SERVER_QUERY_AGGREGATION_RAW_VALUES
+  :DEFAULT: false */
+  aggregationRawValues: ?boolean;
+  /* When `true`, all aggregation queries default to using native MongoDB field names (no automatic `createdAt` → `_created_at` rewriting). Individual queries can still override this via the `rawFieldNames` option. Default is `false`.
+  :ENV: PARSE_SERVER_QUERY_AGGREGATION_RAW_FIELD_NAMES
+  :DEFAULT: false */
+  aggregationRawFieldNames: ?boolean;
+}
+
 export interface PagesOptions {
   /* Is true if pages should be localized; this has no effect on custom page redirects.
   :DEFAULT: false */
