fix: Update to @apollo/server 5.0.0 and improve introspection prevention

Open Moumouls opened this issue 1 month ago • 12 comments

Pull Request

Issue

Closes: FILL_THIS_OUT

Approach

Update to v5. Something changed in how introspection is managed internally, or maybe we had a bug before: introspection is always activated for the master key, and public introspection is still an option to opt in.

Tasks

  • [ ] Add tests
  • [ ] Add changes to documentation (guides, repository pages, code comments)
  • [ ] Add security check
  • [ ] Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

  • Chores
    • Upgraded Apollo Server to 5.0.0 and added Express 5 integration dependency.
  • Features
    • Improved GraphQL introspection controls: schema introspection short-circuited and type introspection more reliably detected and blocked unless authorized.
    • Public introspection can be enabled explicitly; master/maintenance keys still allow full introspection.
  • Tests
    • Expanded coverage for aliased, fragment-based and nested introspection across auth and public-introspection configurations.

Moumouls avatar Oct 26 '25 19:10 Moumouls

I will reformat the title to use the proper commit message syntax.

🚀 Thanks for opening this pull request!

โŒ Please fill out all fields with a placeholder FILL_THIS_OUT. If a field does not apply to the pull request, fill in n/a or delete the line.

:white_check_mark: Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
:white_check_mark: Open Source Security 0 0 0 0 0 issues

parseplatformorg avatar Oct 26 '25 19:10 parseplatformorg

๐Ÿ“ Walkthrough

Walkthrough

Replace Apollo Express adapter with @as-integrations/express5, bump @apollo/server to 5.0.0, add AST-based detection to block __type GraphQL introspection (including aliases/fragments) unless authorized (master/maintenance key or public introspection), run checks before execution, and add tests covering these cases.

Changes

Dependency updates (package.json)
  • Upgrades @apollo/server 4.12.1 → 5.0.0 and adds @as-integrations/express5@1.1.2.
GraphQL server & introspection control (src/GraphQL/ParseGraphQLServer.js)
  • Switches Express integration to @as-integrations/express5; imports parse/GraphQLError from graphql; adds hasTypeIntrospection(query) and throwIntrospectionError(); implements a fast __schema string check and AST-based __type detection (covers aliases/fragments) in an IntrospectionControlPlugin; performs introspection checks before execution.
Tests: introspection coverage (spec/ParseGraphQLServer.spec.js)
  • Adds tests blocking __type introspection without master/maintenance key (plain, aliased, fragment forms) and allowing it with master/maintenance keys or when public introspection is enabled; adds test scaffolding to reconfigure server and toggle public introspection across suites.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Express
  participant ParseGraphQLServer
  participant ApolloServer
  participant IntrospectionPlugin

  Client->>Express: POST /graphql (operation)
  Express->>ParseGraphQLServer: forward request
  ParseGraphQLServer->>ApolloServer: prepare operation (query text / parsed)
  ApolloServer->>IntrospectionPlugin: requestDidStart / onRequest
  IntrospectionPlugin->>IntrospectionPlugin: quick string scan for "__schema"
  alt contains "__schema"
    IntrospectionPlugin-->>ApolloServer: throw introspection error (403)
  else contains "__type"
    IntrospectionPlugin->>ParseGraphQLServer: parse operation AST (hasTypeIntrospection)
    alt AST indicates type introspection (including aliases/fragments)
      IntrospectionPlugin-->>ApolloServer: throw introspection error (403)
    else
      IntrospectionPlugin-->>ApolloServer: allow execution
    end
  else
    IntrospectionPlugin-->>ApolloServer: allow execution
  end
  ApolloServer-->>Client: result or error

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Review focus:
    • Correctness of hasTypeIntrospection for aliases, fragments, and nested spreads.
    • Plugin hook selection and ordering to ensure pre-execution short-circuiting.
    • Migration implications for @as-integrations/express5 and Apollo Server v5 initialization.
    • Test isolation when toggling public introspection across suites.

Possibly related PRs

  • parse-community/parse-server#9819: overlapping changes to ParseGraphQLServer introspection handling and tests; directly related to AST-based __type blocking and plugin ordering.

Suggested reviewers

  • mtrezza

Pre-merge checks and finishing touches

โŒ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Description check โ“ Inconclusive The Approach section provides context for the changes but lacks detail; the Issue field remains unfilled ('FILL_THIS_OUT'), and no tasks are marked as completed despite multiple changes. Fill in the 'Closes' issue reference, provide more detail in the Approach section explaining the introspection behavior changes, and update the Tasks checklist to reflect which actions were taken.
โœ… Passed checks (2 passed)
Check name Status Explanation
Docstring Coverage โœ… Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check โœ… Passed The title directly matches the main objectives: upgrading Apollo Server 5 and restricting GraphQL introspection. It accurately summarizes the primary changes.

coderabbitai[bot] avatar Oct 26 '25 19:10 coderabbitai[bot]
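The walkthrough above describes a field-level check: an introspection query is recognised by the name of the field that is actually selected, so an alias (`t: __type(...)`), a fragment definition, an inline fragment or a nested selection cannot hide it, while `__typename`, a different meta-field that merely contains `__type` as a substring, stays usable. The following stand-alone JavaScript is an added example, not parse-server's code: parse-server walks the AST produced by graphql's `parse()`, whereas this version uses a small hand-written tokenizer (an assumption of this example) so that it runs without the `graphql` package. The helper names `tokenize`, `findIntrospectionFields` and `checkIntrospection`, the option names `isMaster`/`isMaintenance`/`publicIntrospection` and the sample operations are all constructed for the example.

```javascript
// Added example, not parse-server's code. Detects GraphQL introspection
// fields (__schema, __type) by the name of the field actually selected, so
// aliases ("t: __type(...)"), fragment definitions, inline fragments and
// nested selections are all caught, while __typename (a different field that
// only contains "__type" as a substring) is left alone. parse-server itself
// walks the AST from graphql's parse(); this version uses a small hand-written
// tokenizer (an assumption of this example) so it runs without that package.

const NAME_RE = /[_A-Za-z][_0-9A-Za-z]*/y;
const NUMBER_RE = /-?\d+(\.\d+)?([eE][+-]?\d+)?/y;

// Minimal GraphQL lexer: whitespace and commas are insignificant, comments run
// to end of line, strings and block strings are single tokens (so "__type"
// inside a string literal is never mistaken for a field).
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/[\s,]/.test(c)) { i++; continue; }
    if (c === '#') { while (i < src.length && src[i] !== '\n') i++; continue; }
    if (src.startsWith('"""', i)) {
      const end = src.indexOf('"""', i + 3);
      if (end < 0) throw new Error('unterminated block string');
      tokens.push({ kind: 'String', value: src.slice(i + 3, end) });
      i = end + 3;
      continue;
    }
    if (c === '"') {
      let j = i + 1;
      while (j < src.length && src[j] !== '"') { if (src[j] === '\\') j++; j++; }
      if (j >= src.length) throw new Error('unterminated string');
      tokens.push({ kind: 'String', value: src.slice(i + 1, j) });
      i = j + 1;
      continue;
    }
    if (src.startsWith('...', i)) { tokens.push({ kind: 'Punct', value: '...' }); i += 3; continue; }
    if ('{}():$@[]=!|&'.includes(c)) { tokens.push({ kind: 'Punct', value: c }); i++; continue; }
    NAME_RE.lastIndex = i;
    let m = NAME_RE.exec(src);
    if (m) { tokens.push({ kind: 'Name', value: m[0] }); i += m[0].length; continue; }
    NUMBER_RE.lastIndex = i;
    m = NUMBER_RE.exec(src);
    if (m) { tokens.push({ kind: 'Number', value: m[0] }); i += m[0].length; continue; }
    throw new Error(`unexpected character ${JSON.stringify(c)} at offset ${i}`);
  }
  return tokens;
}

const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);

// Returns every introspection field name selected anywhere in the document.
// A Name token is a field name when it sits inside a selection set (brace
// depth > 0), outside an argument list (paren depth 0), and is not an alias
// (followed by ':'), a directive name (after '@'), a fragment spread (after
// '...') or a type condition (after '... on'). Fragment definitions are just
// more selection sets, so __type inside "fragment F on Query { ... }" counts.
function findIntrospectionFields(query) {
  const toks = tokenize(query);
  const found = [];
  let braces = 0;
  let parens = 0;
  const punct = (t, v) => t !== undefined && t.kind === 'Punct' && t.value === v;
  for (let k = 0; k < toks.length; k++) {
    const t = toks[k];
    if (t.kind === 'Punct') {
      if (t.value === '{') braces++;
      else if (t.value === '}') braces--;
      else if (t.value === '(') parens++;
      else if (t.value === ')') parens--;
      continue;
    }
    if (t.kind !== 'Name' || braces === 0 || parens > 0) continue;
    const prev = toks[k - 1];
    const next = toks[k + 1];
    const isAlias = punct(next, ':');
    const isDirective = punct(prev, '@');
    const isSpread = punct(prev, '...');
    const isTypeCondition =
      prev !== undefined && prev.kind === 'Name' && prev.value === 'on' && punct(toks[k - 2], '...');
    if (isAlias || isDirective || isSpread || isTypeCondition) continue;
    if (INTROSPECTION_FIELDS.has(t.value)) found.push(t.value);
  }
  return found;
}

// Policy described in the PR: introspection passes when the request carries
// the master or maintenance key, or when public introspection is enabled;
// otherwise any introspection field rejects the operation before execution.
function checkIntrospection(query, { isMaster = false, isMaintenance = false, publicIntrospection = false } = {}) {
  if (isMaster || isMaintenance || publicIntrospection) return { allowed: true, fields: [] };
  const fields = findIntrospectionFields(query);
  return { allowed: fields.length === 0, fields };
}

// Constructed sample operations; run with `node introspection-check.js`.
const SAMPLES = [
  '{ __schema { types { name } } }',
  'query { t: __type(name: "User") { fields { name } } }',
  'query Q { ...F } fragment F on Query { __type(name: "User") { name } }',
  '{ viewer { __type(name: "Role") { name } } }',
  '{ users { __typename id } }',
  '{ user(id: "__type") { name } }',
];
for (const q of SAMPLES) console.log(JSON.stringify(checkIntrospection(q)), '<-', q);
```

The point of deciding on the selected field name rather than on the raw query text is visible in the last two samples: a plain `includes('__type')` would reject a legitimate `__typename` selection and a string argument that happens to contain the word, while still letting nothing through that the field-level rule would miss. A tokenizer is enough to illustrate the rule, but it is not a parser; for anything that guards a real endpoint, walk the AST from the real `graphql` parser as the PR does, and keep the check in a hook that runs before execution so that a rejected operation never touches resolvers.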

Codecov Report

:x: Patch coverage is 95.00000% with 1 line in your changes missing coverage. Please review.
:white_check_mark: Project coverage is 92.58%. Comparing base (f9970d4) to head (6e39017).
:warning: Report is 20 commits behind head on alpha.

Files with missing lines (patch %, lines missing):
  • src/GraphQL/ParseGraphQLServer.js: 95.00%, 1 missing :warning:
Additional details and impacted files
@@           Coverage Diff           @@
##            alpha    #9888   +/-   ##
=======================================
  Coverage   92.58%   92.58%           
=======================================
  Files         191      191           
  Lines       15544    15559   +15     
  Branches      177      177           
=======================================
+ Hits        14391    14405   +14     
- Misses       1141     1142    +1     
  Partials       12       12           

codecov[bot] avatar Oct 26 '25 19:10 codecov[bot]

@mtrezza I improved the system btw: this update needs to drop Node 18 for parse-server

Moumouls avatar Oct 27 '25 20:10 Moumouls

@mtrezza I improved the system btw: this update needs to drop Node 18 for parse-server

Marked as breaking change; can be merged with Parse Server 9 which will drop Node 18 support.

mtrezza avatar Oct 29 '25 12:10 mtrezza

Note that there is apparently a bug regarding introspection, see https://github.com/parse-community/parse-server/issues/9900. Does this PR address that issue as well?

mtrezza avatar Nov 03 '25 16:11 mtrezza

@mtrezza it's fixed here; the introspection detection is more precise

Moumouls avatar Nov 07 '25 22:11 Moumouls

oops @mtrezza, missed the last feedback from coderabbit

Moumouls avatar Nov 07 '25 22:11 Moumouls

Waiting on the coderabbit check, but we should be good to go here @mtrezza!

Moumouls avatar Nov 07 '25 22:11 Moumouls

@Moumouls could you fix the conflict?

mtrezza avatar Nov 17 '25 15:11 mtrezza

@Moumouls All breaking change PRs for PS9 release are being prepared; could you please fix this conflict so the CI passes?

mtrezza avatar Dec 12 '25 01:12 mtrezza

ready to merge @mtrezza

Moumouls avatar Dec 12 '25 15:12 Moumouls

@coderabbitai List all breaking changes for this PR, for the change log entry.

mtrezza avatar Dec 12 '25 17:12 mtrezza

@mtrezza Here are the breaking changes for this PR:

Breaking Changes

  1. Node.js version support: Dropped support for Node.js 18. Parse Server now requires Node.js 20 or higher.

  2. @apollo/server major version upgrade: Upgraded from @apollo/server 4.12.1 to 5.0.0. This major version update may introduce breaking changes from Apollo Server itself. Applications relying on specific Apollo Server 4.x behaviors should review the Apollo Server 5.0 migration guide.

  3. Express integration change: Switched from @apollo/server/express4 to @as-integrations/express5 (version 1.1.2). This changes the underlying Express integration layer for GraphQL endpoints.

  4. GraphQL introspection detection improvements: Enhanced introspection query detection to properly identify both __schema and __type introspection queries through AST parsing. Previously, the introspection control had a bug (issue #9900) where certain introspection queries could bypass restrictions. This fix ensures that introspection is correctly blocked unless using a master key or when graphQLPublicIntrospection is enabled.


Suggested changelog entry format:

BREAKING CHANGES:
- Dropped Node.js 18 support; minimum version is now Node.js 20
- Upgraded @apollo/server from 4.x to 5.0
- Changed GraphQL Express integration to @as-integrations/express5
- Improved GraphQL introspection detection; introspection queries are now properly restricted

coderabbitai[bot] avatar Dec 12 '25 17:12 coderabbitai[bot]

BREAKING CHANGE: Upgrade to Apollo Server 5 and GraphQL express 5 integration; GraphQL introspection now requires using masterKey or setting graphQLPublicIntrospection: true.

mtrezza avatar Dec 12 '25 17:12 mtrezza

🎉 This change has been released in version 9.0.0-alpha.3

parseplatformorg avatar Dec 12 '25 17:12 parseplatformorg

🎉 This change has been released in version 9.0.0

parseplatformorg avatar Dec 14 '25 00:12 parseplatformorg