feat: Add autoSignupLogin to signup when user doesn't already exist

[coratgerl]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Fixes: #9560

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features

  • Added autoSignupOnLogin option (default: false) to auto-create accounts during login when no match exists; supports username/password and email/password, respects email verification rules, and returns a session token while avoiding duplicates.

• Tests

  • Added comprehensive tests for auto-signup and verification behaviors (note: the test suite appears duplicated).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

Warning

Rate limit exceeded

@coratgerl has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 3 minutes and 36 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between f167624 and 1894c60.

📒 Files selected for processing (2)

• spec/ParseUser.spec.js (1 hunks)
• src/Routers/UsersRouter.js (5 hunks)

📝 Walkthrough

Walkthrough

Adds a new Parse Server option autoSignupOnLogin, centralizes login payload extraction, and implements an auto-signup path in the login flow that creates a _User when login returns OBJECT_NOT_FOUND. Adds tests validating auto-signup behavior and email verification constraints.

Changes

Cohort / File(s)	Summary
Configuration & Types src/Options/Definitions.js, src/Options/docs.js, src/Options/index.js	Introduce new boolean option autoSignupOnLogin (env: PARSE_SERVER_AUTO_SIGNUP_ON_LOGIN, default: false) in option definitions, docs, and interface/type declarations.
Login Router & Flow src/Routers/UsersRouter.js	Add _getLoginPayload(req) to extract/validate login credentials; add async _resolveEmailVerificationFlags(req, userObj) to centralize verification flag resolution; add async _autoSignupOnLogin(req) to create a _User when no user is found and enforce verification rules; refactor _authenticateUserFromRequest(req) to use the payload extractor; update handleLogIn(req) to catch OBJECT_NOT_FOUND and delegate to auto-signup when enabled; conditionally skip standard session creation when _autoSignupOnLogin returns a session token.
Tests spec/ParseUser.spec.js	Add "autoSignupOnLogin option" test suite covering disabled behavior (OBJECT_NOT_FOUND, no user created), enabled behavior (creates user and returns session for username/password and email/password, email used as username), no duplicate creation when user exists, and enforcement of email verification constraints. (Patch contains duplicate copy of the same test block.)

Sequence Diagram(s)

sequenceDiagram
    actor Client
    participant LoginEndpoint as Login Endpoint
    participant Auth as _authenticateUserFromRequest
    participant AutoSignup as _autoSignupOnLogin
    participant RestWrite as RestWrite (Create _User)
    participant DB as User Database

    Client->>LoginEndpoint: POST /login (username/email + password)
    LoginEndpoint->>LoginEndpoint: _getLoginPayload(req)
    LoginEndpoint->>Auth: _authenticateUserFromRequest(req)
    Auth->>DB: Query user by username/email
    alt User Found
        DB-->>Auth: User record
        Auth-->>LoginEndpoint: Auth success
        LoginEndpoint-->>Client: 200 OK (user + session)
    else User Not Found (OBJECT_NOT_FOUND)
        DB-->>Auth: No user
        Auth-->>LoginEndpoint: Error: OBJECT_NOT_FOUND
        alt autoSignupOnLogin = true
            LoginEndpoint->>AutoSignup: _autoSignupOnLogin(req)
            AutoSignup->>AutoSignup: Build new _User payload (username/email, password)
            AutoSignup->>RestWrite: Create _User
            RestWrite->>DB: Insert user
            DB-->>RestWrite: Insert result
            AutoSignup->>DB: Fetch created user (fresh)
            DB-->>AutoSignup: User record
            AutoSignup->>AutoSignup: Enforce email verification rules
            AutoSignup-->>LoginEndpoint: { user, sessionToken, authDataResponse }
            LoginEndpoint-->>Client: 200 OK (new user + session)
        else autoSignupOnLogin = false
            LoginEndpoint-->>Client: 400 / OBJECT_NOT_FOUND
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Pay attention to:
  • src/Routers/UsersRouter.js — try/catch flow around login, correctness of session creation/skipping, and interplay with authData handling.
  • Email verification logic in _autoSignupOnLogin and _resolveEmailVerificationFlags, including async option handling and behavior when preventLoginWithUnverifiedEmail / verifyUserEmails are configured.
  • Tests in spec/ParseUser.spec.js — duplication of the added test block and correctness of assertions against the new flows.

Suggested reviewers

• mtrezza

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	Title references autoSignupLogin but the feature is named autoSignupOnLogin throughout the codebase and issue; the title's terminology is slightly inconsistent.	Clarify whether the feature should be called autoSignupLogin or autoSignupOnLogin to match issue #9560 and codebase naming conventions.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	PR description includes the required issue link (Fixes: #9560) and checked 'Add tests', but 'Add changes to documentation', 'Add security check', and error code tasks are unchecked.
Linked Issues check	✅ Passed	Changes implement autoSignupOnLogin option, create users on login miss, enforce email verification rules, and add comprehensive tests covering all specified requirements from issue #9560.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing the autoSignupOnLogin feature; no unrelated or out-of-scope modifications detected in files changed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

spec/ParseUser.spec.js (2)

225-235: Verify single session creation during auto-signup.

The test should verify that only one session is created during auto-signup to ensure no session leakage. Consider adding an assertion similar to the test at lines 4148-4186 that checks session count.

Apply this diff to add session verification:

    it('creates user on login when enabled (username + password)', async () => {
      await reconfigureServer({ autoSignupOnLogin: true });
      const user = await Parse.User.logIn('auto-login-user', 'pass1234');
      expect(user.id).toBeDefined();
      expect(user.getSessionToken()).toBeDefined();
      const stored = await new Parse.Query(Parse.User)
        .equalTo('username', 'auto-login-user')
        .first({ useMasterKey: true });
      expect(stored).toBeTruthy();
      expect(stored.id).toBe(user.id);
+      const sessionCount = await new Parse.Query('_Session')
+        .equalTo('user', user.toPointer())
+        .count({ useMasterKey: true });
+      expect(sessionCount).toBe(1);
    });

---

277-313: Document the email verification behavior for auto-signup.

This test demonstrates that when autoSignupOnLogin is enabled with email verification requirements, the user is created but login fails. This means a user record with an initial session token exists but cannot be used until verified. Consider documenting this behavior in code comments or updating the test description to make this edge case explicit, as it could lead to accumulation of unverified user accounts.

src/Routers/UsersRouter.js (1)

188-193: Document username inference behavior.

When auto-signup is triggered with email-only credentials, the username is set to the email value (line 189). This is tested and expected behavior (see test line 252-253 in spec/ParseUser.spec.js), but consider adding a comment here to clarify this design decision for future maintainers.

  async _autoSignupOnLogin(req) {
    const { username, email, password } = this._getLoginPayload(req);
+   // When logging in with email only, use email as username
    const inferredUsername = username || email;

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e78e58d and c183da6.

📒 Files selected for processing (5)

• spec/ParseUser.spec.js (1 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (1 hunks)
• src/Routers/UsersRouter.js (3 hunks)

🧰 Additional context used

🧠 Learnings (8)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/docs.js
• src/Options/index.js
• src/Options/Definitions.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/docs.js
• src/Options/index.js
• src/Options/Definitions.js

📚 Learning: 2025-12-02T06:55:53.808Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

Applied to files:

• src/Options/docs.js
• src/Options/index.js
• src/Options/Definitions.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseUser.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseUser.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseUser.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/ParseUser.spec.js

🧬 Code graph analysis (2)

src/Routers/UsersRouter.js (2)

src/Auth.js (4)

• req (538-538)
• req (551-551)
• Parse (1-1)
• user (522-522)

src/RestWrite.js (11)

• data (1730-1736)
• RestWrite (990-997)
• RestWrite (1155-1161)
• Auth (8-8)
• Auth (574-577)
• user (330-330)
• user (903-903)
• user (1517-1517)
• user (1798-1798)
• validatedAuthData (560-563)
• authData (453-453)

spec/ParseUser.spec.js (1)

src/TestUtils.js (1)

• res (31-31)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 196-196: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Node 20
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

🔇 Additional comments (7)

src/Options/Definitions.js (1)

116-122: LGTM! Option definition follows established patterns.

The new autoSignupOnLogin option is correctly defined with all required fields (environment variable, parser, default value, and help text). The structure and formatting are consistent with other Parse Server options in this generated file.

Based on learnings, the proper workflow has been followed: changes were made in src/Options/index.js and npm run definitions was executed to generate this file.

src/Options/docs.js (1)

25-25: LGTM! Documentation is clear and complete.

The JSDoc documentation for the new option accurately describes its behavior and default value, following the same format as other Parse Server options in this interface.

src/Options/index.js (2)

196-198: LGTM! Option definition is correct.

The new autoSignupOnLogin option is properly defined with:

• Clear description of behavior
• Appropriate Flow type annotation (?boolean)
• Conservative default value (false - opt-in feature)
• Correct placement near related authentication options

The static analysis error reported by Biome is a false positive. The Flow syntax ?boolean for nullable boolean types is valid and matches the pattern used throughout this file for other optional boolean properties.

Based on learnings, this is the correct source file for Parse Server options, and the npm run definitions command was executed to propagate changes to Definitions.js and docs.js.

---

196-198: Note: Documentation checklist item

The PR description shows "Add changes to documentation (guides, repository pages, code comments)" as unchecked. Based on learnings, README.md documentation is optional (though beneficial) for new Parse Server options. The option is properly documented in the code via JSDoc and inline comments. Consider whether additional user-facing documentation in README.md or guides would be helpful for this feature, but this is not a blocking issue.

src/Routers/UsersRouter.js (3)

64-95: LGTM! Clean credential extraction and validation.

The method consolidates credential extraction logic with proper validation and consistent error codes.

---

102-104: LGTM! Clean refactor using centralized payload extraction.

Using _getLoginPayload(req) eliminates duplicate validation logic and improves maintainability.

---

273-273: Verify the new autoSignupOnLogin option is properly documented in option files.

When adding new Parse Server options, ensure:

1. The option is defined in src/Options/index.js
2. npm run definitions has been executed to sync changes to src/Options/Definitions.js and src/Options/docs.js
3. README.md documentation (optional)

[codecov]

Codecov Report

❌ Patch coverage is 92.85714% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.57%. Comparing base (e78e58d) to head (1894c60).

Files with missing lines	Patch %	Lines
src/Routers/UsersRouter.js	92.85%	4 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha    #9961   +/-   ##
=======================================
  Coverage   92.56%   92.57%           
=======================================
  Files         191      191           
  Lines       15544    15582   +38     
  Branches      177      177           
=======================================
+ Hits        14389    14425   +36     
- Misses       1143     1145    +2     
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

src/Routers/UsersRouter.js (1)

182-186: JSDoc return type is incomplete.

The documented return type {{ user: Object, authDataResponse: any }} doesn't include sessionToken and skipSessionCreation which are also returned.

   /**
    * Auto sign-up when login misses existing user and option is enabled
    * @param {Object} req The request
-   * @returns {{ user: Object, authDataResponse: any }}
+   * @returns {{ user: Object, authDataResponse: any, sessionToken: string, skipSessionCreation: boolean }}
    */

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c183da6 and 25d7b84.

📒 Files selected for processing (1)

• src/Routers/UsersRouter.js (4 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

🧬 Code graph analysis (1)

src/Routers/UsersRouter.js (2)

src/Auth.js (3)

• req (538-538)
• req (551-551)
• user (522-522)

src/RestWrite.js (11)

• data (1730-1736)
• RestWrite (990-997)
• RestWrite (1155-1161)
• Auth (8-8)
• Auth (574-577)
• user (330-330)
• user (903-903)
• user (1517-1517)
• user (1798-1798)
• authData (453-453)
• sessionData (1012-1021)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: Node 22
• GitHub Check: Redis Cache
• GitHub Check: Node 20
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

🔇 Additional comments (4)

src/Routers/UsersRouter.js (4)

64-95: LGTM! Clean extraction and validation of login payload.

Good refactor consolidating payload extraction logic. Using OBJECT_NOT_FOUND for type validation errors is appropriate to avoid leaking information about which specific validation failed.

---

284-301: Auto-signup integration looks correct.

The try/catch properly detects OBJECT_NOT_FOUND from authentication and delegates to _autoSignupOnLogin when autoSignupOnLogin is enabled. The session token from auto-signup is correctly assigned to the user object.

---

388-401: Session creation logic correctly avoids duplicates.

The conditional check at line 389 ensures a new session is only created when auto-signup hasn't already created one. This addresses the duplicate session concern from past reviews.

---

102-104: LGTM! Clean refactor to use shared payload extraction.

Using _getLoginPayload removes duplication and ensures consistent validation between login and auto-signup paths.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/Routers/UsersRouter.js (1)

319-323: Consider updating the PR title to follow Angular commit convention.

Based on learnings, Parse Server PRs should use Angular commit convention for changelog generation. The current title has a typo and could be clearer:

Current: feat: Add autoSignupLogin to signup when user doesn't already exist
Issues:

• Says "autoSignupLogin" but the option is named autoSignupOnLogin
• Says "to signup" which is confusing since this modifies the login flow
• Missing scope identifier

Suggested: feat(auth): add autoSignupOnLogin option to auto-create user on login miss

This format clearly conveys:

• Type: feat (new feature)
• Scope: auth (authentication subsystem)
• Description: what developers get (auto-user-creation when login finds no match)

Based on learnings, PR titles should make meaningful changelog entries for developers.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 25d7b84 and f167624.

📒 Files selected for processing (2)

• spec/ParseUser.spec.js (1 hunks)
• src/Routers/UsersRouter.js (5 hunks)

✅ Files skipped from review due to trivial changes (1)

• spec/ParseUser.spec.js

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

📚 Learning: 2025-12-02T06:55:53.808Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

Applied to files:

• src/Routers/UsersRouter.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• src/Routers/UsersRouter.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• src/Routers/UsersRouter.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Routers/UsersRouter.js

🧬 Code graph analysis (1)

src/Routers/UsersRouter.js (2)

src/Auth.js (2)

• req (538-538)
• req (551-551)

src/RestWrite.js (10)

• request (823-829)
• request (958-964)
• verifyUserEmails (968-968)
• preventLoginWithUnverifiedEmail (969-969)
• RestWrite (990-997)
• RestWrite (1155-1161)
• Auth (8-8)
• Auth (574-577)
• validatedAuthData (560-563)
• authData (453-453)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Node 20
• GitHub Check: Node 18
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: Node 22
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

🔇 Additional comments (5)

src/Routers/UsersRouter.js (5)

64-96: LGTM! Good abstraction for email verification flags.

This method correctly handles both boolean and async function config options, and centralizes the resolution logic. This addresses the previous concern about inconsistent handling of verifyUserEmails and preventLoginWithUnverifiedEmail.

---

98-129: LGTM! Clean payload extraction and validation.

The method properly validates required fields and types, providing clear error messages. Good refactoring to centralize login payload handling.

---

136-205: LGTM! Clean refactoring with improved maintainability.

The refactored method correctly delegates to _getLoginPayload and _resolveEmailVerificationFlags, eliminating code duplication while preserving the existing authentication logic.

---

309-450: LGTM! Clean integration of auto-signup flow.

The handleLogIn method correctly integrates the auto-signup path:

• Attempts authentication first, falls back to auto-signup only on OBJECT_NOT_FOUND when configured
• Properly reuses the session token from auto-signup to avoid duplicate session creation (lines 326-328, 420-432)
• Maintains backward compatibility for normal login flow

This addresses the previous concern about duplicate session creation.

---

319-319: Ensure autoSignupOnLogin option is documented in all three required files.

Per Parse Server conventions, new options must be documented in src/Options/index.js, src/Options/Definitions.js, and src/Options/docs.js. After making changes to index.js, run npm run definitions to automatically replicate the changes to the other two files. Verify this workflow was followed for the autoSignupOnLogin option.

[mtrezza]

@coratgerl mind that there is an existing PR for this feature with a discussion about the approach. I'm also unsure about the state of the other PR, it may even be finished.

[coratgerl]

@coratgerl mind that there is an existing PR for this feature with a discussion about the approach. I'm also unsure about the state of the other PR, it may even be finished.

Hum, i checking the other PR and seems inactive since 2 months so I propose an approach here with edges cases tests like asked by @Moumouls. Like tests based on preventLoginWithUnverifiedEmail, on the clean of session and user creation if error etc.

[mtrezza]

The other PR author has asked if any more changes were needed, but there wasn't any specific change request. It would be good to ask the other PR author if they're interested in continuing the PR, provided that we give a concrete feedback on what needs to change.

[coratgerl]

The other PR author has asked if any more changes were needed, but there wasn't any specific change request. It would be good to ask the other PR author if they're interested in continuing the PR, provided that we give a concrete feedback on what needs to change.

Ok ! We can wait any response of other contributor and otherwise we can move forward here 🙂

[mtrezza]

Yes, but we'll have the same open questions. The reason the other PR got stale was because the questions were not resolved. Let's continue the discussion there and if the PR author abandoned the PR let's continue here.