feat: Add Parse Server options maxIncludeQueryComplexity, maxGraphQLQueryComplexity to limit query complexity for performance protection

[Moumouls]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Give developers the option to strengthen the protection of the Parse Server REST and GraphQL APIs based on complexity factors such as fields and query depth.

Approach

Currently parse-server can't have default values because it's a breaking change.
Also if in a futur major release we introduce some large default values (Depth 10 + Fields 100 on rest) and (Depth 20 and fields 200 on GQL). The includeAll option should be then masterKey only

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features

  • Added configurable query-complexity controls for GraphQL and REST include queries (limits on depth and fields/count), runtime enforcement, includeAll blocking when limits are set, and master/maintenance key bypasses. GraphQL server now enforces complexity checks via a validation plugin and options cross-validation.

• Documentation

  • Public options and docs updated to expose new complexity settings and cross-option validation guidance.

• Tests

  • Comprehensive test suites added covering GraphQL and REST complexity rules, fragments/include behavior, bypass keys, combined constraints, and no-limit scenarios.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds configurable query-complexity controls for GraphQL and REST includes, option/type/docs updates and validation in Config, an Apollo Server plugin enforcing GraphQL depth/field limits (with fragment and cycle handling and auth bypass), REST include validation/blocking for includeAll, and new tests for both features.

Changes

Cohort / File(s)	Summary
Configuration & Types src/Config.js, src/Options/index.js, src/Options/Definitions.js, src/Options/docs.js, types/Options/index.d.ts	Add maxGraphQLQueryComplexity and maxIncludeQueryComplexity option shapes, types, and docs; new types GraphQLQueryComplexityOptions and IncludeComplexityOptions; add Config.validateQueryComplexityOptions and wire validation into option processing.
GraphQL Complexity Validation src/GraphQL/helpers/queryComplexity.js, src/GraphQL/ParseGraphQLServer.js	New AST traversal to compute depth and field counts (handles Field, InlineFragment, FragmentSpread and cycle detection) and export createComplexityValidationPlugin(config); plugin attached conditionally to ApolloServer and skips checks for master/maintenance auth or when unset.
REST Include Validation src/RestQuery.js	Enforce include complexity (count/depth) after parsing; block includeAll and * includes for non-master/maintenance when configured; throw INVALID_QUERY with specific messages on violations.
Tests spec/ParseGraphQLQueryComplexity.spec.js, spec/RestQuery.spec.js	Add comprehensive tests covering GraphQL fields/depth limits, named/inline/cyclic fragments, combined constraints and bypass keys; add REST tests for include count/depth, includeAll blocking, and bypass scenarios.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Apollo as ApolloServer
    participant Plugin as ComplexityPlugin
    participant Resolver
    Note over Apollo: GraphQL request handling

    Client->>Apollo: POST /graphql (document, headers)
    Apollo->>Apollo: Check auth (master/maintenance?)
    alt master/maintenance key
        Apollo->>Resolver: Execute query (no complexity check)
    else normal request
        Apollo->>Plugin: didResolveOperation (document)
        activate Plugin
        Plugin->>Plugin: build fragment map, traverse AST, count depth & fields
        Plugin-->>Apollo: ok or throw GraphQLError(403)
        deactivate Plugin

        alt within limits
            Apollo->>Resolver: Execute query
            Resolver-->>Client: 200 + data
        else exceeds limits
            Apollo-->>Client: 403 GraphQLError (limit exceeded)
        end
    end

Loading

sequenceDiagram
    participant Client
    participant REST as REST Endpoint
    participant Auth as Auth Check
    participant Validator as IncludeValidator
    participant Handler as QueryHandler

    Client->>REST: GET /classes/Thing?include=...
    REST->>Auth: Validate credentials
    alt master key
        Auth->>Handler: Proceed (no include validation)
    else normal/maintenance
        Auth->>Validator: Validate include count & depth
        activate Validator
        Validator->>Validator: count include fields, compute depth
        Validator-->>Auth: ok or INVALID_QUERY error
        deactivate Validator

        alt within limits
            Auth->>Handler: Execute query and return results
        else exceeds limits
            REST-->>Client: 400 INVALID_QUERY
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Review focus:
  • correctness of AST traversal, fragment resolution, and cycle detection in src/GraphQL/helpers/queryComplexity.js
  • plugin lifecycle hooks and auth bypass checks in src/GraphQL/ParseGraphQLServer.js
  • REST include parsing, includeAll blocking, and exact error messages in src/RestQuery.js
  • validation logic and cross-checks in src/Config.js
  • test reliability and server lifecycle in spec/ParseGraphQLQueryComplexity.spec.js and spec/RestQuery.spec.js

Possibly related issues

• Set default values for max depth and max fields #9928 — same area: introduces configurable max depth/fields protection for GraphQL; this PR implements/maxGraphQLQueryComplexity validation and enforcement relevant to that issue.

Possibly related PRs

• fix: Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) #9819 — overlaps with Apollo Server plugin configuration and GraphQL-related option adjustments; likely touches the same ParseGraphQLServer plugin wiring.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check	❓ Inconclusive	The description addresses the core objective (adding complexity limits) and tasks, though it lacks a direct link to the GitHub issue as required by the template.	Add an explicit GitHub issue link in the 'Issue' section to fully comply with the PR template requirement (Closes: #XXXX).

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and clearly summarizes the main change: adding two new Parse Server options for limiting query complexity to protect performance.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5cc723f and 251e9b8.

📒 Files selected for processing (2)

• spec/RestQuery.spec.js (1 hunks)
• src/RestQuery.js (3 hunks)

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/RestQuery.spec.js
• src/RestQuery.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• spec/RestQuery.spec.js
• src/RestQuery.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• spec/RestQuery.spec.js

🧬 Code graph analysis (1)

spec/RestQuery.spec.js (1)

spec/helper.js (2)

• reconfigureServer (180-214)
• Parse (4-4)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: Code Analysis (javascript)
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Node 20
• GitHub Check: Node 22
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Node 18
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Moumouls]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 7

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a85ba19 and 278808d.

📒 Files selected for processing (9)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• spec/RestQuery.spec.js (1 hunks)
• src/Config.js (3 hunks)
• src/GraphQL/ParseGraphQLServer.js (2 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/Definitions.js (2 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• src/RestQuery.js (3 hunks)

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/RestQuery.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/Options/index.js
• src/Options/Definitions.js
• src/Config.js
• src/Options/docs.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/Options/Definitions.js
• src/Config.js
• src/Options/docs.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/RestQuery.js
• spec/RestQuery.spec.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/docs.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• spec/RestQuery.spec.js

🪛 Biome (2.1.2)

src/Options/index.js

[error] 45-49: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 362-362: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Node 22
• GitHub Check: Node 18
• GitHub Check: Redis Cache
• GitHub Check: Node 20
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Docker Build

[codecov]

Codecov Report

❌ Patch coverage is 86.15385% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.05%. Comparing base (dafea21) to head (251e9b8).
⚠️ Report is 1 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/Config.js	33.33%	4 Missing ⚠️
src/GraphQL/helpers/queryComplexity.js	90.90%	4 Missing ⚠️
src/RestQuery.js	90.90%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #9920      +/-   ##
==========================================
- Coverage   93.07%   93.05%   -0.02%     
==========================================
  Files         187      188       +1     
  Lines       15234    15299      +65     
  Branches      177      177              
==========================================
+ Hits        14179    14237      +58     
- Misses       1043     1050       +7     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (4)

src/Options/index.js (1)

354-369: Document the right counters for REST vs GraphQL complexity

The REST comment still describes a { depth, count } format while the shared type exposes fields, and the GraphQL comment says “fields = number of operations”, which contradicts the actual limiter (it counts field selections). This inconsistency will send users in circles. Please align the prose with the real counters—REST uses count for include paths, GraphQL uses fields for selected fields—and mention that fields limits field selections, not operations.

-  /* Maximum query complexity for REST API includes. Controls depth and number of include fields.
-   * Format: { depth: number, count: number }
-   * - depth: Maximum depth of nested includes (e.g., foo.bar.baz = depth 3)
-   * - count: Maximum number of include fields (e.g., foo,bar,baz = 3 fields)
+  /* Maximum query complexity for REST API includes. Controls include depth and include count.
+   * Format: { depth?: number, count?: number }
+   * - depth: Maximum depth of nested include paths (e.g., foo.bar.baz = depth 3)
+   * - count: Maximum number of include paths across the query (e.g., foo,bar,baz = 3)
…
-  /* Maximum query complexity for GraphQL queries. Controls depth and number of operations.
-   * Format: { depth: number, fields: number }
-   * - depth: Maximum depth of nested field selections
-   * - fields: Maximum number of operations (queries/mutations) in a single request
+  /* Maximum query complexity for GraphQL queries. Controls depth and total field selections.
+   * Format: { depth?: number, fields?: number }
+   * - depth: Maximum depth of nested field selections
+   * - fields: Maximum number of field selections within the resolved operation

spec/ParseGraphQLQueryComplexity.spec.js (1)

16-31: Close the HTTP server with a promise before reconfiguring

Line 19 (and again Line 54): httpServer.close() is callback-based; awaiting it directly never waits for the port to free, so the very next listen races and we can hit EADDRINUSE. Please wrap the close call in a Promise (and clear httpServer) before spinning up the next server, and reuse the same helper in afterEach.

-  async function reconfigureServer(options = {}) {
-    if (httpServer) {
-      await httpServer.close();
-    }
+  async function shutdownHttpServer() {
+    if (!httpServer) {
+      return;
+    }
+    await new Promise(resolve => httpServer.close(resolve));
+    httpServer = null;
+  }
+
+  async function reconfigureServer(options = {}) {
+    await shutdownHttpServer();
…
-    if (httpServer) {
-      await httpServer.close();
-    }
+    await shutdownHttpServer();

Also applies to: 52-55

spec/RestQuery.spec.js (1)

1107-1133: Use the actual include-count key in the “no includes” tests

Lines 1110 & 1131 still configure { paths: 1 }, so we never exercise the include-count limiter branch these tests are meant to cover. Change those objects to use the real count property so the server actually enforces the limit during the test run.

       maxIncludeQueryComplexity: {
         depth: 1,
-        paths: 1,
+        count: 1,
       },
…
       maxIncludeQueryComplexity: {
         depth: 1,
-        paths: 1,
+        count: 1,
       },

src/Options/Definitions.js (1)

402-402: Duplicate: Fix the fields description.

The description of the fields property is misleading as noted in a previous review. It currently states "Maximum number of operations (queries/mutations)" but the implementation enforces the number of field selections, not operations.

🧹 Nitpick comments (1)

src/Options/Definitions.js (1)

416-421: Consider consistent property naming across complexity options.

The maxIncludeQueryComplexity option uses a count property while maxGraphQLQueryComplexity uses a fields property, even though both measure similar concepts (the number of items being selected or included). This inconsistency may cause confusion.

Consider renaming one to match the other for API consistency, such as using fields for both or count for both. If the different names are intentional to reflect different semantics (GraphQL field selections vs REST include counts), this distinction should be clearly documented.

⚠️ Note: This is generated code. Changes must be made in src/Options/index.js.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 278808d and 9343bc0.

📒 Files selected for processing (8)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• spec/RestQuery.spec.js (1 hunks)
• src/Config.js (3 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/Definitions.js (2 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• src/RestQuery.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• src/RestQuery.js
• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (12)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/Options/Definitions.js
• src/Config.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• spec/RestQuery.spec.js
• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• spec/RestQuery.spec.js
• src/Options/Definitions.js
• src/Config.js
• src/Options/index.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

🧬 Code graph analysis (4)

spec/ParseGraphQLQueryComplexity.spec.js (1)

spec/helper.js (1)

• reconfigureServer (180-214)

spec/RestQuery.spec.js (3)

spec/helper.js (2)

• reconfigureServer (180-214)
• Parse (4-4)

src/RestQuery.js (3)

• query (372-381)
• query (382-382)
• results (800-800)

src/rest.js (1)

• query (120-130)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

src/Options/index.js (2)

resources/buildConfigDefinitions.js (3)

• type (121-121)
• type (159-159)
• type (216-216)

src/triggers.js (1)

• type (819-819)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 45-49: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 362-362: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

🔇 Additional comments (1)

src/Options/Definitions.js (1)

399-404: The core claim about an undefined option reference is incorrect.

The review comment states that line 402 references a non-existent maxQueryComplexity option. However, searching the entire codebase confirms maxQueryComplexity does not appear anywhere. More importantly, line 402 actually references only maxIncludeQueryComplexity and maxGraphQLQueryComplexity—both of which are properly defined options in the codebase and validated in src/Config.js.

A separate but valid concern exists: The environment variable PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY uses inconsistent naming. Other GraphQL-related environment variables in the same file use GRAPHQL (e.g., PARSE_SERVER_GRAPHQL_PATH, PARSE_SERVER_GRAPHQL_PUBLIC_INTROSPECTION, PARSE_SERVER_MOUNT_GRAPHQL), while two variables oddly use GRAPH_QL (PARSE_SERVER_GRAPH_QLSCHEMA and PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY). This is worth addressing, though it's a separate issue from what the review comment claimed.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (1)

spec/ParseGraphQLQueryComplexity.spec.js (1)

18-55: Await the HTTP server shutdown before restarting.

httpServer.close() is callback-based; await httpServer.close() returns immediately and the port can still be bound when the next test starts, causing intermittent EADDRINUSE. Wrap the close in a Promise (and mirror the change in afterEach) so we only continue once the listener is actually closed:

if (httpServer) {
-  await httpServer.close();
+  await new Promise(resolve => httpServer.close(resolve));
+  httpServer = null;
}

Apply the same promise wrapper inside afterEach.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9343bc0 and 5d405e9.

📒 Files selected for processing (5)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• types/Options/index.d.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/GraphQL/helpers/queryComplexity.js

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/docs.js
• src/Options/index.js
• spec/ParseGraphQLQueryComplexity.spec.js
• types/Options/index.d.ts

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/docs.js
• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/docs.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/Options/index.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

🧬 Code graph analysis (3)

src/Options/index.js (2)

resources/buildConfigDefinitions.js (3)

• type (121-121)
• type (159-159)
• type (216-216)

src/triggers.js (1)

• type (819-819)

spec/ParseGraphQLQueryComplexity.spec.js (1)

spec/helper.js (1)

• reconfigureServer (180-214)

types/Options/index.d.ts (6)

src/Adapters/Analytics/AnalyticsAdapter.js (1)

• AnalyticsAdapter (6-23)

src/Adapters/Logger/LoggerAdapter.js (1)

• LoggerAdapter (9-18)

src/Adapters/Cache/CacheAdapter.js (1)

• CacheAdapter (6-32)

src/Adapters/Email/MailAdapter.js (1)

• MailAdapter (8-23)

src/Adapters/PubSub/PubSubAdapter.js (1)

• PubSubAdapter (6-15)

src/Adapters/WebSocketServer/WSSAdapter.js (1)

• WSSAdapter (17-57)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 49-53: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 366-366: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 373-373: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 20
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

src/Options/Definitions.js (1)

399-404: The fields description still incorrectly states "operations" instead of "field selections".

This issue was flagged in a previous review and marked as addressed, but the incorrect description remains. Line 402 still describes fields as limiting "operations (queries/mutations)" when it should describe limiting the number of field selections in a single request.

Since this is generated code, the fix must be applied in src/Options/index.js and then npm run definitions must be executed to regenerate this file.

Based on learnings.

🧹 Nitpick comments (1)

src/Options/Definitions.js (1)

400-400: Verify the environment variable naming convention.

The environment variable PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY has inconsistent underscore placement. Based on other GraphQL-related variables in this file (e.g., PARSE_SERVER_GRAPHQL_PATH on line 298), it should likely be PARSE_SERVER_MAX_GRAPHQL_QUERY_COMPLEXITY with GRAPHQL as a single word.

Since this is generated code, verify and correct the naming in src/Options/index.js, then regenerate by running npm run definitions.

Based on learnings.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d405e9 and 1b6d5c7.

📒 Files selected for processing (2)

• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/Definitions.js

[Moumouls]

I suggest that developers set the parameters sufficiently high to prevent client issues, since the goal is to prevent major abuse, not to match the most complex query in the codebase.

 maxGraphQLQueryComplexity: {
          depth: 50,
          fields: 250,
        },

maxIncludeQueryComplexity: {
          depth: 10,
          count: 50,
        },

[mtrezza]

This is not a breaking change, correct? We'll make it a breaking change with #9928.

[Moumouls]

exactly @mtrezza no breaking change currently

[mtrezza]

Is that a sensible constraint? includeAll is a logical feature while maxIncludeQueryComplexity is a safety limit, so maybe we should treat them independently. How about allowing includeAll even if maxIncludeQueryComplexity is set, but throw Parse.Error.INVALID_QUERY error if maxIncludeQueryComplexity is hit?

[Moumouls]

Hmm, the include protection is done early when the RestQuery is created, so it no longer prevents abuse. Basically, the system works like GraphQL selection validation: you need to explicitly declare what you want if you need pointers (to avoid abuse on N+1 queries).

In the case of includeAll, it means we allow someone to say “Give me everything you have and I’ll see if it passes.” So objects are pulled from the DB, and we check at each stage whether the limit has been reached.

I’m not sure this is a best practice for production, nor whether we should encourage this without the master key.

Let me know what you think. Currently, I believe includeAll should be disabled when max complexity is enabled, but we agreed that this would be a breaking change.

[mtrezza]

@coderabbitai If maxIncludeQueryComplexity is enabled, how can someone achieve a functionality similar to includeAll?

[coderabbitai]

@mtrezza, when maxIncludeQueryComplexity is enabled and includeAll is blocked, users would need to explicitly specify the fields they want to include using the include parameter, which would still be subject to the configured complexity limits.

For example, instead of:

// Using includeAll (blocked when limits are configured)
query.includeAll();

They would need to do:

// Explicitly listing fields (subject to complexity limits)
query.include(['author', 'category', 'comments']);

Current implementation rationale:
The current approach blocks includeAll entirely when complexity limits are configured because:

1. includeAll automatically includes all Pointer/Array fields from the schema without knowing in advance how many there are
2. This could inadvertently bypass the complexity limits if validation happens after schema resolution
3. It forces developers to be explicit about what they're including, making it harder to accidentally create expensive queries

Potential improvement:
However, your original suggestion has merit. A more user-friendly approach could be:

1. When includeAll is used with complexity limits enabled, first resolve the schema to determine which fields would be included
2. Count the resulting fields and calculate the depth
3. If within limits, proceed; if exceeding limits, throw Parse.Error.INVALID_QUERY with a clear message about which limit was exceeded
4. This would provide the convenience of includeAll while still enforcing the safety limits

This would require refactoring to evaluate the schema during the options parsing phase rather than blocking includeAll outright. What do you think about this approach?

---

🧠 Learnings used

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

[mtrezza]

@coderabbitai The docs say that includeAll includes all nested Parse.Objects one level deep.

Is that true in code, and if so, why does includeAll need to be restricted if maxIncludeQueryComplexity is set?

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for documentation about includeAll behavior
rg -n -C3 "includeAll" README.md docs/ --type md 2>/dev/null || echo "No markdown docs found for includeAll"

# Search for includeAll in test files to understand expected behavior
rg -n -C3 "includeAll" spec/ --type js -g "*.spec.js" | head -100

Length of output: 5592

---

🏁 Script executed:

#!/bin/bash
# Look at the handleIncludeAll implementation more closely
ast-grep --pattern $'handleIncludeAll = function() {
  $$$
}'

# Also check if there are any comments about the depth behavior
rg -n "one level deep" --type js

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Search for Parse SDK documentation about includeAll
rg -n "includeAll" --type js -C5 src/ | grep -A5 -B5 "comment\|@param\|@return\|//"

Length of output: 2731

---

🏁 Script executed:

#!/bin/bash
# Check Parse JS SDK for includeAll documentation
cat << 'EOF' > /tmp/check_parse_docs.py
import urllib.request
import json

# Try to fetch Parse JS SDK docs about includeAll
urls = [
    "https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html",
    "https://docs.parseplatform.org/js/guide/#queries"
]

for url in urls:
    try:
        print(f"Checking: {url}")
    except Exception as e:
        print(f"Could not fetch: {e}")
EOF

python /tmp/check_parse_docs.py

Length of output: 135

---

🌐 Web query:

Parse SDK includeAll method documentation one level deep

💡 Result:

Short answer

• Parse.Query.includeAll() tells the SDK to fetch and populate every pointer/relation field on the returned objects, but only one level deep — it includes the immediate related objects, not the pointers inside those included objects. [1][2]

Details (one-level deep)

• What it does: when you run query.includeAll(), the query result’s pointer/relation columns are replaced with the full Parse.Object(s) for those keys. This is equivalent to calling include('*') for the top-level object. [1]
• Depth: only the immediate pointers/relations on the objects returned by that query are included. If an included object itself has pointer fields, those are not automatically fetched (no recursive inclusion). Use explicit include('a.b') or additional includes if you need deeper levels. [1][2]
• Requirement: requires Parse Server >= 3.0.0 (documented in the SDK reference). [1]

Example (JS)

• const q = new Parse.Query('Post'); q.includeAll(); const results = await q.find(); // each Post’s pointer columns are populated one level deep. [1]

Sources

• Parse JS SDK API reference — Parse.Query.includeAll(). [1]
• Parse JavaScript Guide / API reference (include behavior). [2]

---

@mtrezza, excellent catch! You're absolutely right to question this restriction.

The documentation is correct: includeAll does include all nested Parse.Objects one level deep, and the code confirms this.

Looking at the handleIncludeAll implementation (lines 856-878):

for (const field in schema.fields) {
  if (
    (schema.fields[field].type && schema.fields[field].type === 'Pointer') ||
    (schema.fields[field].type && schema.fields[field].type === 'Array')
  ) {
    includeFields.push([field]);  // Single-element array = depth 1
    keyFields.push(field);
  }
}

Each field is pushed as a single-element array, meaning the depth is always 1.

Why the restriction exists (but may be overly restrictive):

The current implementation blocks includeAll preemptively at lines 210-218 (during option parsing) before the schema is resolved. However, the actual validation happens later at lines 321-338:

const depth = Math.max(...this.include.map(path => path.length));
if (this.config.maxIncludeQueryComplexity.depth && depth > this.config.maxIncludeQueryComplexity.depth) {
  throw new Parse.Error(Parse.Error.INVALID_QUERY, `Include depth exceeds maximum allowed`);
}

Since includeAll always produces depth = 1, the depth check would always pass if maxIncludeQueryComplexity.depth ≥ 1.

Conclusion:

The restriction is overly broad. A better approach would be:

1. Allow includeAll even when maxIncludeQueryComplexity is configured
2. Let it resolve the schema and populate the includes
3. Then validate against the limits:
   • Depth check would always pass (depth = 1)
   • Count check could fail if the schema has more Pointer/Array fields than maxIncludeQueryComplexity.count

This would provide the convenience of includeAll while still enforcing safety limits where they actually matter (field count, not depth).

---

🧠 Learnings used

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

[mtrezza]

@Moumouls I confirmed that behavior in #9936. I think we can lift the restriction and only block includeAll if maxIncludeQueryComplexity allows a depth of 0, i.e. no depth at all. Not sure if you considered this edge case; is depth 0 valid?

[Moumouls]

@mtrezza i believe depth 0 will just block all pointers yes (because the comparaison system use .length)

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[mtrezza]

Ok, then would you agree that the restriction for includeAll should be:

• if max depth < 1 AND includeAll is used AND the schema contains a pointer field -> deny with invalid query

Or simpler, because why would someone use includeAll on a schema without pointers:

• if max depth < 1 and includeAll is used -> deny with invalid query

I understand that this PR also adds a field count limit, so when using includeAll on a class with n pointer fields, and the count limit is < n then there should also be an invalid query response. This may be easy to implement as the schema is known and we can compare the pointer field count early in the process.

I think this adaption would be the way to go as it allows to add the safety mechanism while preserving the includeAll feature.

[mtrezza]

The comment format isn't supported by our parser; just like other comments it needs to use HTML tags; <br> tags for new lines and <ul><li> for lists.