feat: Deprecate GraphQL Playground that exposes master key in HTTP response

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

Closes: #10110

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• Documentation

  • Marked GraphQL Playground options as deprecated: mountPlayground and playgroundPath, with planned removal in a future release.
  • Updated user guidance to recommend Parse Dashboard or third‑party GraphQL clients with custom headers.

• Tests

  • Added tests to verify deprecation warning/logging behavior for the Playground-related options.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds deprecations for GraphQL Playground options (mountPlayground, playgroundPath), updates deprecation handling and messages, and adds tests covering the new deprecation logging behavior.

Changes

Cohort / File(s)	Summary
Deprecation docs DEPRECATIONS.md	Added two new deprecation entries (DEPPS15, DEPPS16) for mountPlayground and playgroundPath, scheduled for removal in 10.0.0.
Deprecations list src/Deprecator/Deprecations.js	Appended deprecation objects for mountPlayground and playgroundPath to the exported deprecations array.
Deprecator logic src/Deprecator/Deprecator.js	Adjusted handling of changeNewKey: only warn when option is set and switched message construction to explicit null-check for changeNewKey.
Tests spec/Deprecator.spec.js	Added tests asserting deprecation logging behavior for removed-key deprecations and mountPlayground when set vs. unset.
User-facing messages src/ParseServer.ts, src/Options/Definitions.js, src/Options/docs.js, src/Options/index.js	Updated warning and option help/JSDoc strings to mark Playground-related options as deprecated and recommend alternatives.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: Deprecation warning logged at server launch for nested Parse Server option even if option is explicitly set #9934 — Related changes to Deprecator.js logic for when to emit deprecation warnings.
• feat: Add security check for server option mountPlayground for GraphQL development #10103 — Related edits touching mountPlayground warning/messages in src/ParseServer.ts.
• feat: Deprecation DEPPS10: Encode Parse.Object in Cloud Function and remove option encodeParseObjectInCloudFunction #9973 — Modifies the Deprecator deprecations list; related additions/removals of deprecation entries.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: Deprecate GraphQL Playground that exposes master key in HTTP response' clearly and specifically describes the main change: deprecating GraphQL Playground due to security concerns.
Description check	✅ Passed	The PR description follows the template and includes the linked issue (#10110), marks tests and documentation updates as completed, with non-applicable security and SDK tasks appropriately unchecked.
Linked Issues check	✅ Passed	All three objectives from #10110 are met: deprecated mountPlayground and playgroundPath options, emit warnings when enabled, and mark for removal in next major version.
Out of Scope Changes check	✅ Passed	All changes directly support the deprecation objective: DEPRECATIONS.md entries, tests, deprecation handling, option definitions, documentation, and warning messages are all in-scope.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

spec/Deprecator.spec.js (1)

130-151: Add a regression test for the shipped playgroundPath deprecation entry.

The production change deprecates both mountPlayground and playgroundPath, but this block only asserts the mountPlayground entry. A typo or accidental removal of playgroundPath from src/Deprecator/Deprecations.js would still pass this suite.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/Deprecator.spec.js` around lines 130 - 151, Add an assertion to the test
block that also verifies Deprecator._logOption is called for the
'playgroundPath' deprecation when playground-related options are set: in the
'logs deprecation for mountPlayground when set' test (using reconfigureServer
and the logSpy on Deprecator._logOption) add an expect that toHaveBeenCalledWith
jasmine.objectContaining({ optionKey: 'playgroundPath', changeNewKey: '' }) so
the suite fails if the playgroundPath deprecation entry is removed or renamed.

src/ParseServer.ts (1)

459-463: Avoid double-warning for mountPlayground.

Line 69 already routes this option through Deprecator.scanParseServerOptions(options), so enabling the playground now emits the generic deprecation warning plus this second warning. Consider keeping a single deprecation warning here, or making this log security-specific only.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/ParseServer.ts` around lines 459 - 463, The code emits a second generic
deprecation warning when options.mountPlayground is true even though
Deprecator.scanParseServerOptions(options) already logged a deprecation; update
the logic around parseGraphQLServer.applyPlayground to avoid duplicate warnings
by either removing the generic deprecation log or making it security-specific.
Specifically, in the block that checks options.mountPlayground and calls
parseGraphQLServer.applyPlayground(app), remove or replace the
logging.getLogger().warn(...) call so it no longer duplicates
Deprecator.scanParseServerOptions(options); if you choose to preserve a log,
change it to a focused security warning about master-key exposure (mentioning
master key) rather than a generic deprecation message.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Deprecator/Deprecations.js`:
- Around line 29-38: The options metadata still lists mountPlayground and
playgroundPath as supported; mark both option entries as deprecated in the
options metadata (add deprecated: true and a deprecation message for optionKey
'mountPlayground' and 'playgroundPath' in the Options index so runtime and
generated docs reflect deprecation), then regenerate the Options definitions and
docs so Definitions.js and docs.js include the deprecation flags and updated
solutions; ensure the option entries in the generated output include the same
deprecation message text as in the Deprecator entries to keep runtime warnings
and canonical metadata consistent.

---

Nitpick comments:
In `@spec/Deprecator.spec.js`:
- Around line 130-151: Add an assertion to the test block that also verifies
Deprecator._logOption is called for the 'playgroundPath' deprecation when
playground-related options are set: in the 'logs deprecation for mountPlayground
when set' test (using reconfigureServer and the logSpy on Deprecator._logOption)
add an expect that toHaveBeenCalledWith jasmine.objectContaining({ optionKey:
'playgroundPath', changeNewKey: '' }) so the suite fails if the playgroundPath
deprecation entry is removed or renamed.

In `@src/ParseServer.ts`:
- Around line 459-463: The code emits a second generic deprecation warning when
options.mountPlayground is true even though
Deprecator.scanParseServerOptions(options) already logged a deprecation; update
the logic around parseGraphQLServer.applyPlayground to avoid duplicate warnings
by either removing the generic deprecation log or making it security-specific.
Specifically, in the block that checks options.mountPlayground and calls
parseGraphQLServer.applyPlayground(app), remove or replace the
logging.getLogger().warn(...) call so it no longer duplicates
Deprecator.scanParseServerOptions(options); if you choose to preserve a log,
change it to a focused security warning about master-key exposure (mentioning
master key) rather than a generic deprecation message.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 37818ee6-2ff2-415c-bd43-17d86e21a79b

📥 Commits

Reviewing files that changed from the base of the PR and between 6b1b50c and 1f86799.

📒 Files selected for processing (5)

• DEPRECATIONS.md
• spec/Deprecator.spec.js
• src/Deprecator/Deprecations.js
• src/Deprecator/Deprecator.js
• src/ParseServer.ts

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.68%. Comparing base (61261a5) to head (c48b80e).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10112   +/-   ##
=======================================
  Coverage   92.68%   92.68%           
=======================================
  Files         191      191           
  Lines       15879    15882    +3     
  Branches      180      180           
=======================================
+ Hits        14717    14720    +3     
  Misses       1150     1150           
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Options/index.js`:
- Around line 342-347: Update the deprecation text to reference the announced
removal timeline by replacing vague "future version" wording with "next major
release" in the user-facing comments; specifically edit the comment string for
the mountPlayground option (symbol: mountPlayground) and the playground mount
path comment (environment symbol: PARSE_SERVER_PLAYGROUND_PATH) so both
explicitly say the playground will be removed in the "next major release".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aba02a0d-b600-451c-b377-7a2c93ccf998

📥 Commits

Reviewing files that changed from the base of the PR and between 1f86799 and c48b80e.

📒 Files selected for processing (3)

• src/Options/Definitions.js
• src/Options/docs.js
• src/Options/index.js

✅ Files skipped from review due to trivial changes (1)

• src/Options/Definitions.js