feat: Added autosignuponlogin

Open swittk opened this issue 2 months ago • 9 comments

Pull Request

Issue

Closes: https://github.com/parse-community/parse-server/issues/9560

Approach

  • Optional autoSignupOnLogin boolean flag for Parse-server configuration
  • A retry try/catch wrapper around login to support the new flag, creating a signup user only when the flag is true & conditions are met.

Tasks

  • [x] Add tests

Summary by CodeRabbit

  • New Features

    • Optional auto-signup on login: when enabled, a missing-user login with valid credentials will create the user and complete login.
  • Configuration

    • New option autoSignupOnLogin (default: false). Can be set via environment/config.
  • Documentation

    • Public docs and types updated to include autoSignupOnLogin.
  • Tests

    • Added tests to validate automatic user creation and successful login when enabled.

โœ๏ธ Tip: You can customize this high-level summary in your review settings.

swittk avatar Oct 07 '25 16:10 swittk

I will reformat the title to use the proper commit message syntax.

🚀 Thanks for opening this pull request!

:white_check_mark: Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| :white_check_mark: | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

parseplatformorg avatar Oct 07 '25 16:10 parseplatformorg

๐Ÿ“ Walkthrough

Walkthrough

Adds a new server option autoSignupOnLogin, wires it into config, options, docs and typings, updates UsersRouter to automatically create a user on login-if-not-found, and adds tests (including a duplicated test block) and validation for the new option.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Tests: Auto-signup on login (spec/ParseUser.spec.js) | Adds a test "auto signs up user on login when enabled" that enables autoSignupOnLogin, performs REST login for a new username/password, asserts returned username and sessionToken, verifies login via Parse.User.logIn, then resets config. The test block is added twice (duplicate). |
| Config validation (src/Config.js) | Adds autoSignupOnLogin to options validation: introduces validateAutoSignupOnLogin and calls it from validateOptions. |
| Options definitions and docs (src/Options/Definitions.js, src/Options/docs.js, src/Options/index.js) | Adds public option autoSignupOnLogin (PARSE_SERVER_AUTO_SIGNUP_ON_LOGIN, boolean, default false) to definitions and docs; also exposes emailVerifyTokenValidityDuration in index.js. |
| Login flow: auto-signup (src/Routers/UsersRouter.js) | Extends handleLogIn to attempt auto-signup on OBJECT_NOT_FOUND when enabled: adds helpers _getLoginPayload, _prepareAutoSignupCredentials, _autoSignupOnLogin; creates a temporary signup session, retries authentication, and attempts cleanup of the temporary session token. |
| Type definitions (types/Options/index.d.ts) | Adds optional boolean autoSignupOnLogin?: boolean to ParseServerOptions typings. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant UR as UsersRouter
  participant AU as AuthService
  participant UC as UserCreate
  participant SS as Sessions

  C->>UR: POST /login {username/email, password}
  UR->>AU: authenticate(credentials)
  AU-->>UR: Error OBJECT_NOT_FOUND
  alt autoSignupOnLogin enabled & username/password present
    UR->>UC: createUser(minimalCredentials)
    UC-->>UR: {userId, tempSessionToken}
    UR->>AU: authenticate(credentials)  -- retry after signup
    AU-->>UR: {sessionToken, user}
    UR->>SS: revoke(tempSessionToken)  -- best-effort cleanup
    SS-->>UR: OK / NOT_FOUND
    UR-->>C: 200 {sessionToken, user}
  else disabled or missing credentials
    UR-->>C: Error OBJECT_NOT_FOUND
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

  • Review UsersRouter changes carefully: new control flow, race conditions, and cleanup of temporary signup session token.
  • Confirm security/validation in _prepareAutoSignupCredentials to avoid unintended auto-creation (authData checks, email vs username handling).
  • Verify tests: duplicated test block should be deduplicated or justified.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'feat: Added autosignuponlogin' is specific to the feature being added and accurately describes the primary change in the changeset. |
| Description check | ✅ Passed | The description includes the required Issue section with a linked issue, an Approach section explaining the changes, and marks the tasks checkbox. However, it lacks explicit mention of documentation updates and security checks that the template indicates as important. |
| Linked Issues check | ✅ Passed | The PR implements the core requirement from issue #9560: an optional autoSignupOnLogin flag that creates users on login when no matching user exists. Configuration, validation, routing logic, tests, and type definitions have been added. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to the autoSignupOnLogin feature as specified in issue #9560. The addition of emailVerifyTokenValidityDuration in Options/index.js appears incidental but does not conflict with the stated objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

[!WARNING] There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.40.0)
spec/ParseUser.spec.js


coderabbitai[bot] avatar Oct 07 '25 16:10 coderabbitai[bot]

any more changes needed?

swittk avatar Oct 09 '25 12:10 swittk

> it's uncommon to sign up a user by email without validating his email, this feature can expose a breach or will be useless in common production app.

That should not be possible. If validation is needed, then the login endpoint should return the same response as the sign-up endpoint would.

> the approach should be inverted and like "autoLoginOnSignup", if you provided the correct email/username and password to the login endpoint, you login the user, otherwise you try to signup and then return error code if email validation for example is needed.

What's the difference? If we extend /login then we add sign-up before the existing code, if we extend /signup then we add login after existing code. In either case the endpoint needs to extend its response specs.

> i strongly suggest to add tests covering edge cases and that email validation/user account creation are not bypassed

Good point; it seems more tests need to be added before merging.

mtrezza avatar Oct 14 '25 17:10 mtrezza

Codecov Report

:x: Patch coverage is 74.00000% with 13 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 92.50%. Comparing base (e78e58d) to head (ebc9a64).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/Routers/UsersRouter.js | 74.46% | 12 Missing :warning: |
| src/Config.js | 66.66% | 1 Missing :warning: |
Additional details and impacted files
@@            Coverage Diff             @@
##            alpha    #9873      +/-   ##
==========================================
- Coverage   92.56%   92.50%   -0.07%     
==========================================
  Files         191      191              
  Lines       15544    15592      +48     
  Branches      177      177              
==========================================
+ Hits        14389    14424      +35     
- Misses       1143     1156      +13     
  Partials       12       12              

:umbrella: View full report in Codecov by Sentry.

codecov[bot] avatar Dec 05 '25 20:12 codecov[bot]

@Moumouls Just a ping so we can continue with this PR; there are some open questions.

mtrezza avatar Dec 05 '25 20:12 mtrezza

@swittk are you still willing to work on this PR?

mtrezza avatar Dec 05 '25 21:12 mtrezza