feat: add response argument to cloud functions for HTTP status and headers

Author: hajjarjoseph

README.md

@@ -771,6 +771,55 @@ Logs are also viewable in Parse Dashboard.
 
 **Want new line delimited JSON error logs (for consumption by CloudWatch, Google Cloud Logging, etc)?** Pass the `JSON_LOGS` environment variable when starting `parse-server`. Usage :- `JSON_LOGS='1' parse-server --appId APPLICATION_ID --masterKey MASTER_KEY`
 
+## Cloud Functions HTTP Response
+
+Cloud functions support an Express-like `(req, res)` pattern to customize HTTP response status codes and headers.
+
+### Basic Usage
+
+```js
+// Set custom status code
+Parse.Cloud.define('createItem', (req, res) => {
+  res.status(201);
+  return { id: 'abc123', message: 'Created' };
+});
+
+// Set custom headers
+Parse.Cloud.define('apiEndpoint', (req, res) => {
+  res.set('X-Request-Id', 'req-123');
+  res.set('Cache-Control', 'no-cache');
+  return { success: true };
+});
+
+// Chain methods
+Parse.Cloud.define('authenticate', (req, res) => {
+  if (!isValid(req.params.token)) {
+    res.status(401).set('WWW-Authenticate', 'Bearer');
+    return { error: 'Unauthorized' };
+  }
+  return { user: 'john' };
+});
+```
+
+### Response Methods
+
+| Method | Description |
+|--------|-------------|
+| `res.status(code)` | Set HTTP status code (e.g., 201, 400, 404). Returns `res` for chaining. |
+| `res.set(name, value)` | Set HTTP header. Returns `res` for chaining. |
+
+### Backwards Compatibility
+
+The `res` argument is optional. Existing cloud functions using only `(req) => {}` continue to work unchanged.
+
+### Security Considerations
+
+The `set()` method allows setting arbitrary HTTP headers. Be cautious when setting security-sensitive headers such as:
+- CORS headers (`Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials`)
+- `Set-Cookie`
+- `Location` (redirects)
+- Authentication headers (`WWW-Authenticate`)
+
 # Deprecations
 
 See the [Deprecation Plan](https://github.com/parse-community/parse-server/blob/master/DEPRECATIONS.md) for an overview of deprecations and planned breaking changes.

spec/CloudCode.spec.js

@@ -184,6 +184,142 @@ describe('Cloud Code', () => {
     expect(response.data.result.result).toEqual('this should be the result');
   });
 
+  it('res.status() called multiple times uses last value', async () => {
+    Parse.Cloud.define('multipleStatus', (req, res) => {
+      res.status(201);
+      res.status(202);
+      res.status(203);
+      return { message: 'ok' };
+    });
+
+    const response = await request({
+      method: 'POST',
+      url: 'http://localhost:8378/1/functions/multipleStatus',
+      headers: {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+        'Content-Type': 'application/json',
+      },
+      body: {},
+    });
+
+    expect(response.status).toEqual(203);
+  });
+
+  it('res.set() called multiple times for same header uses last value', async () => {
+    Parse.Cloud.define('multipleHeaders', (req, res) => {
+      res.set('X-Custom-Header', 'first');
+      res.set('X-Custom-Header', 'second');
+      res.set('X-Custom-Header', 'third');
+      return { message: 'ok' };
+    });
+
+    const response = await request({
+      method: 'POST',
+      url: 'http://localhost:8378/1/functions/multipleHeaders',
+      headers: {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+        'Content-Type': 'application/json',
+      },
+      body: {},
+    });
+
+    expect(response.headers['x-custom-header']).toEqual('third');
+  });
+
+  it('res.status() throws error for non-number status code', async () => {
+    Parse.Cloud.define('invalidStatusType', (req, res) => {
+      res.status('200');
+      return { message: 'ok' };
+    });
+
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/functions/invalidStatusType',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: {},
+      });
+      fail('Expected request to fail');
+    } catch (response) {
+      expect(response.status).toEqual(400);
+    }
+  });
+
+  it('res.set() throws error for non-string header name', async () => {
+    Parse.Cloud.define('invalidHeaderName', (req, res) => {
+      res.set(123, 'value');
+      return { message: 'ok' };
+    });
+
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/functions/invalidHeaderName',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: {},
+      });
+      fail('Expected request to fail');
+    } catch (response) {
+      expect(response.status).toEqual(400);
+    }
+  });
+
+  it('res.status() throws error for out of range status code', async () => {
+    Parse.Cloud.define('outOfRangeStatus', (req, res) => {
+      res.status(50);
+      return { message: 'ok' };
+    });
+
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/functions/outOfRangeStatus',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: {},
+      });
+      fail('Expected request to fail');
+    } catch (response) {
+      expect(response.status).toEqual(400);
+    }
+  });
+
+  it('res.set() throws error for undefined header value', async () => {
+    Parse.Cloud.define('undefinedHeaderValue', (req, res) => {
+      res.set('X-Custom-Header', undefined);
+      return { message: 'ok' };
+    });
+
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/functions/undefinedHeaderValue',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: {},
+      });
+      fail('Expected request to fail');
+    } catch (response) {
+      expect(response.status).toEqual(400);
+    }
+  });
+
   it('can get config', () => {
     const config = Parse.Server;
     let currentConfig = Config.get('test');

src/Routers/FunctionsRouter.js

@@ -19,6 +19,9 @@ class CloudResponse {
     if (typeof code !== 'number') {
       throw new Error('Status code must be a number');
     }
+    if (code < 100 || code > 599) {
+      throw new Error('Status code must be between 100 and 599');
+    }
     this._status = code;
     return this;
   }
@@ -27,6 +30,9 @@ class CloudResponse {
     if (typeof name !== 'string') {
       throw new Error('Header name must be a string');
     }
+    if (value === undefined || value === null) {
+      throw new Error('Header value must be defined');
+    }
     this._headers[name] = value;
     return this;
   }
@@ -153,7 +159,7 @@ export class FunctionsRouter extends PromiseRouter {
             response.status = status;
           }
           if (Object.keys(headers).length > 0) {
-            response.headers = headers;
+            response.headers = { ...headers };
           }
         }
         resolve(response);