feat: Update route patterns to use path-to-regexp v8 syntax (#9942)

BREAKING CHANGE: Route pattern syntax across cloud routes and rate-limiting now use the new path-to-regexp v8 syntax; see the [migration guide](https://github.com/parse-community/parse-server/blob/alpha/9.0.0.md) for more details.

Author: coratgerl

9.0.0.md

@@ -0,0 +1,56 @@
+# Parse Server 9 Migration Guide <!-- omit in toc -->
+
+This document only highlights specific changes that require a longer explanation. For a full list of changes in Parse Server 9 please refer to the [changelog](https://github.com/parse-community/parse-server/blob/alpha/CHANGELOG.md).
+
+---
+- [Route Path Syntax and Rate Limiting](#route-path-syntax-and-rate-limiting)
+---
+
+## Route Path Syntax and Rate Limiting
+Parse Server 9 standardizes the route pattern syntax across cloud routes and rate-limiting to use the new **path-to-regexp v8** style. This update introduces validation and a clear deprecation error for the old wildcard route syntax.
+
+### Key Changes
+- **Standardization**: All route paths now use the path-to-regexp v8 syntax, which provides better consistency and security.
+- **Validation**: Added validation to ensure route paths conform to the new syntax.
+- **Deprecation**: Old wildcard route syntax is deprecated and will trigger a clear error message.
+
+### Migration Steps
+
+#### Path Syntax Examples
+
+Update your rate limit configurations to use the new path-to-regexp v8 syntax:
+
+| Old Syntax (deprecated) | New Syntax (v8) |
+|------------------------|-----------------|
+| `/functions/*` | `/functions/*path` |
+| `/classes/*` | `/classes/*path` |
+| `/*` | `/*path` |
+| `*` | `*path` |
+
+**Before:**
+```javascript
+rateLimit: {
+  requestPath: '/functions/*',
+  requestTimeWindow: 10000,
+  requestCount: 100
+}
+```
+
+**After:**
+```javascript
+rateLimit: {
+  requestPath: '/functions/*path',
+  requestTimeWindow: 10000,
+  requestCount: 100
+}
+```
+
+- Review your custom cloud routes and ensure they use the new path-to-regexp v8 syntax.
+- Update any rate-limiting configurations to use the new route path format.
+- Test your application to ensure all routes work as expected with the new syntax.
+
+> [!Note]
+> Consult the [path-to-regexp v8 docs](https://github.com/pillarjs/path-to-regexp) and the [Express 5 migration guide](https://expressjs.com/en/guide/migrating-5.html#path-syntax) for more details on the new path syntax.
+
+### Related Pull Request
+- [#9942](https://github.com/parse-community/parse-server/pull/9942)

package-lock.json

@@ -48,8 +48,8 @@
     "mongodb": "6.20.0",
     "mustache": "4.2.0",
     "otpauth": "9.4.0",
+    "path-to-regexp": "8.3.0",
     "parse": "8.0.0",
-    "path-to-regexp": "6.3.0",
     "pg-monitor": "3.0.0",
     "pg-promise": "12.2.0",
     "pluralize": "8.0.0",

package.json

@@ -5,7 +5,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -26,7 +26,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -45,7 +45,7 @@ describe('rate limit', () => {
     Parse.Cloud.define('test', () => 'Abc');
     await reconfigureServer({
       rateLimit: {
-        requestPath: '*',
+        requestPath: '/*path',
         requestTimeWindow: 10000,
         requestCount: 1,
         errorResponseMessage: 'Too many requests',
@@ -83,7 +83,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -102,7 +102,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           includeMasterKey: true,
@@ -122,7 +122,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/classes/*',
+          requestPath: '/classes/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -141,7 +141,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/classes/*',
+          requestPath: '/classes/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           requestMethods: 'POST',
@@ -240,7 +240,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/classes/Test/*',
+          requestPath: '/classes/Test/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           requestMethods: 'DELETE',
@@ -294,7 +294,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 100,
           errorResponseMessage: 'Too many requests',
@@ -320,7 +320,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -340,7 +340,7 @@ describe('rate limit', () => {
     it('can use global zone', async () => {
       await reconfigureServer({
         rateLimit: {
-          requestPath: '*',
+          requestPath: '*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -373,7 +373,7 @@ describe('rate limit', () => {
       });
       fakeRes.json = jasmine.createSpy('json').and.callFake(resolvingPromise);
       middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
-        throw 'Should not call next';
+        throw new Error('Should not call next');
       });
       await promise;
       expect(fakeRes.status).toHaveBeenCalledWith(429);
@@ -386,7 +386,7 @@ describe('rate limit', () => {
     it('can use session zone', async () => {
       await reconfigureServer({
         rateLimit: {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -407,7 +407,7 @@ describe('rate limit', () => {
     it('can use user zone', async () => {
       await reconfigureServer({
         rateLimit: {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -494,7 +494,7 @@ describe('rate limit', () => {
       await reconfigureServer({
         rateLimit: [
           {
-            requestPath: '/classes/*',
+            requestPath: '/classes/*path',
             requestTimeWindow: 10000,
             requestCount: 1,
             errorResponseMessage: 'Too many requests',

spec/RateLimit.spec.js

@@ -3,6 +3,7 @@
 // mount is the URL for the root of the API; includes http, domain, etc.
 
 import { isBoolean, isString } from 'lodash';
+import { pathToRegexp } from 'path-to-regexp';
 import net from 'net';
 import AppCache from './cache';
 import DatabaseController from './Controllers/DatabaseController';
@@ -687,6 +688,14 @@ export class Config {
       if (typeof option.requestPath !== 'string') {
         throw `rateLimit.requestPath must be a string`;
       }
+
+      // Validate that the path is valid path-to-regexp syntax
+      try {
+        pathToRegexp(option.requestPath);
+      } catch (error) {
+        throw `rateLimit.requestPath "${option.requestPath}" is not valid: ${error.message}`;
+      }
+
       if (option.requestTimeWindow == null) {
         throw `rateLimit.requestTimeWindow must be defined`;
       }

src/Config.js

@@ -686,7 +686,7 @@ module.exports.RateLimitOptions = {
   requestPath: {
     env: 'PARSE_SERVER_RATE_LIMIT_REQUEST_PATH',
     help:
-      'The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expression. See: https://expressjs.com/en/guide/routing.html',
+      'The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following <a href="https://github.com/pillarjs/path-to-regexp">path-to-regexp v8</a> syntax.',
     required: true,
   },
   requestTimeWindow: {