feat: Deprecation DEPPS11: Replace PublicAPIRouter with PagesRouter

[mtrezza]

Summary by CodeRabbit

• Deprecations

  • Marked a previously deprecated item as removed (timeline unchanged).

• Removals

  • Removed several static public HTML pages used for email verification, link/resend messages, and password reset confirmations.

• Refactor

  • Consolidated public-facing routing to a single pages handler.
  • Simplified pages endpoint resolution in configuration.

• Tests

  • Updated tests to assert on 200/content responses and extract tokens from form content instead of following redirects.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

Warning

Rate limit exceeded

@mtrezza has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 1 minutes and 35 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between d33ccd3 and 6d84aaa.

📒 Files selected for processing (2)

• DEPRECATIONS.md (1 hunks)
• src/Config.js (1 hunks)

📝 Walkthrough

Walkthrough

Removes PublicAPIRouter and six static public_html pages, always mounts PagesRouter at root, changes Config.pagesEndpoint lookup, updates many tests to assert 200/content instead of 302 redirects (and to extract tokens from form inputs), updates DEPPS11 to removed, and adjusts Dockerfile public directory copy.

Changes

Cohort / File(s)	Summary
Deprecation update DEPRECATIONS.md	DEPPS11 status changed from deprecated to removed (removal timeline unchanged).
Deleted static HTML assets public_html/invalid_link.html, public_html/invalid_verification_link.html, public_html/link_send_fail.html, public_html/link_send_success.html, public_html/password_reset_success.html, public_html/verify_email_success.html	Six static pages used for email verification and password-reset feedback were removed.
Routing change — ParseServer src/ParseServer.ts	Removed PublicAPIRouter import and conditional mount; root now always mounts new PagesRouter(pages).expressRouter().
Router module removed src/Routers/PublicAPIRouter.js	Entire PublicAPIRouter module (class, route handlers for verify/resend/reset/change password, static mounting, helpers) deleted.
Config behavior change src/Config.js	get pagesEndpoint() now returns this.pages.pagesEndpoint when present, otherwise 'apps'; no longer checks this.pages.enableRouter.
Tests updated — expectations & token handling spec/PasswordPolicy.spec.js, spec/EmailVerificationToken.spec.js, spec/RegexVulnerabilities.spec.js, spec/ValidationAndPasswordsReset.spec.js	Tests changed to expect HTTP 200 and inspect response content instead of expecting 302 redirects; token extraction updated to read hidden form inputs; some redirects adjusted to 303 where noted.
Deleted test suite spec/PublicAPI.spec.js	Entire public API test suite removed.
Dockerfile change Dockerfile	Release stage COPY adjusted from copying public_html to copying public (source/destination rename in COPY).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Areas requiring extra attention:
  • Deleted src/Routers/PublicAPIRouter.js — ensure no remaining references and confirm PagesRouter handles required public endpoints or that expected endpoints are intentionally removed.
  • src/ParseServer.ts — verify middleware ordering and root mount semantics after removing conditional router.
  • src/Config.js getter change — check callers that previously depended on pages.enableRouter gating.
  • Test suite changes — validate that tests now reflect real runtime responses (status codes, token locations, and content).

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is completely empty; no content was provided by the author despite the template requiring key sections like Issue, Approach, and Tasks.	Add a detailed description following the template: include the issue link (Closes:), describe the approach/changes, and check applicable tasks (tests, documentation, security checks).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: replacing PublicAPIRouter with PagesRouter as part of Deprecation DEPPS11, which is the primary objective of this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[mtrezza]

BREAKING CHANGE: This release replaces PublicAPIRouter with PagesRouter (Deprecation DEPPS11).

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

spec/PasswordPolicy.spec.js (1)

49-50: Test expectations correctly updated for content responses.

The tests now expect HTTP 200 content responses instead of HTTP 302 redirects, reflecting the fundamental behavior change from the redirect-based flow to a content-based flow. Token extraction has been updated to parse HTML form fields instead of URL parameters.

Consider extracting the token regex pattern into a test helper constant to avoid repetition:

const TOKEN_REGEX = /name="token"[^>]*value="([^"]+)"/;

// Then use it in tests:
const match = response.text.match(TOKEN_REGEX);

This would make the pattern easier to maintain if the HTML structure changes in the future.

Also applies to: 107-108, 621-622, 643-644, 711-712, 733-734, 895-896, 917-918, 984-985, 1044-1045, 1066-1067, 1308-1309, 1330-1331, 1461-1462, 1488-1489

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aa98357 and ef1c8c9.

📒 Files selected for processing (12)

• DEPRECATIONS.md (1 hunks)
• public_html/invalid_link.html (0 hunks)
• public_html/invalid_verification_link.html (0 hunks)
• public_html/link_send_fail.html (0 hunks)
• public_html/link_send_success.html (0 hunks)
• public_html/password_reset_success.html (0 hunks)
• public_html/verify_email_success.html (0 hunks)
• spec/PasswordPolicy.spec.js (15 hunks)
• spec/PublicAPI.spec.js (0 hunks)
• src/Config.js (1 hunks)
• src/ParseServer.ts (1 hunks)
• src/Routers/PublicAPIRouter.js (0 hunks)

💤 Files with no reviewable changes (8)

• public_html/invalid_verification_link.html
• public_html/verify_email_success.html
• public_html/invalid_link.html
• src/Routers/PublicAPIRouter.js
• spec/PublicAPI.spec.js
• public_html/link_send_fail.html
• public_html/link_send_success.html
• public_html/password_reset_success.html

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).

📚 Learning: 2025-12-02T08:00:20.138Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-12-02T08:00:08.440Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/PasswordPolicy.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/PasswordPolicy.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/PasswordPolicy.spec.js

🧬 Code graph analysis (1)

src/ParseServer.ts (1)

src/Routers/PagesRouter.js (2)

• PagesRouter (64-734)
• pages (12-42)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: Redis Cache
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Node 18
• GitHub Check: Node 20
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

🔇 Additional comments (3)

DEPRECATIONS.md (1)

17-17: LGTM! Deprecation status correctly updated.

The status change from "deprecated" to "removed" accurately reflects the implementation of this breaking change.

src/Config.js (1)

822-826: LGTM! Endpoint resolution simplified correctly.

The removal of the enableRouter dependency is appropriate since PagesRouter is now the sole router. The logic correctly returns the configured endpoint or defaults to 'apps'.

src/ParseServer.ts (1)

329-333: Routing consolidation to PagesRouter is correct.

This change implements the intentional deprecation of PublicAPIRouter in favor of PagesRouter (PR #9526). The PagesRouter provides comprehensive coverage of email verification, password reset flows, custom routes, and localization—validated through extensive test coverage.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

spec/ValidationAndPasswordsReset.spec.js (1)

1135-1205: Fix incorrect assertion: database.find returns an array

Parse.Server.database.find(...) returns an array (as used earlier via obj[0]), but the final assertion reads expect(obj._perishable_token)..., which will be undefined / throw depending on runner behavior.

-    expect(obj._perishable_token).not.toBe(token);
+    expect(obj[0]._perishable_token).not.toBe(token);

🧹 Nitpick comments (3)

spec/EmailVerificationToken.spec.js (1)

39-45: Good shift to 200 + content assertions; consider reducing brittleness of filename-fragment checks

The move from redirect assertions to status === 200 and response.text checks matches the PagesRouter direction and should be more robust than URL-based redirects. The couple of assertions that check for HTML filename fragments (e.g. email_verification_send_success.html) are comparatively brittle—if possible, prefer asserting on a stable user-facing message or a semantic marker in the HTML instead of a filename.

Also applies to: 76-83, 109-115, 141-148, 174-182, 261-278, 482-499, 525-541, 569-586, 622-628, 939-960, 1124-1145

spec/RegexVulnerabilities.spec.js (1)

95-104: Optionally assert status/body for the verify_email regex case (to avoid masking 5xx)

Right now it only asserts that emailVerified stays false; adding a minimal status === 200 + “Invalid verification link!” (or similar) check would make regressions noisier if the endpoint starts erroring.

spec/ValidationAndPasswordsReset.spec.js (1)

806-842: Token extraction via hidden input looks good; consider migrating remaining done/setTimeout tests to async/await

The regex extraction from name="token" is a reasonable replacement for URL token parsing. Separately, this file still heavily uses done callbacks and setTimeout, which tends to be flaky; migrating these tests to promise-based async/await would align with repo testing learnings. Based on learnings, prefer promise-based patterns over done().

Also applies to: 866-939, 941-996, 998-1056

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ef1c8c9 and 42c1b6d.

📒 Files selected for processing (3)

• spec/EmailVerificationToken.spec.js (15 hunks)
• spec/RegexVulnerabilities.spec.js (2 hunks)
• spec/ValidationAndPasswordsReset.spec.js (14 hunks)

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ValidationAndPasswordsReset.spec.js
• spec/EmailVerificationToken.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ValidationAndPasswordsReset.spec.js
• spec/EmailVerificationToken.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ValidationAndPasswordsReset.spec.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Node 20
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Benchmarks
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Redis Cache

🔇 Additional comments (2)

spec/RegexVulnerabilities.spec.js (1)

146-167: LGTM: validates non-redirect behavior for invalid/valid reset tokens

Asserting 200 plus body text is a solid way to ensure the PagesRouter flow remains safe and isn’t relying on redirects.

Also applies to: 194-211

spec/ValidationAndPasswordsReset.spec.js (1)

742-765: Re-check the expected behavior for resend_verification_email failure: 303 vs 200

This test expects response.status === 303 and asserts on response.text containing email_verification_send_fail.html. If the new PagesRouter returns a 200 with rendered content (as other updated tests do), this should likely be 200 (and/or assert on a message) rather than 303.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.55%. Comparing base (a2d3dbe) to head (6d84aaa).
⚠️ Report is 10 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #9974      +/-   ##
==========================================
- Coverage   92.56%   92.55%   -0.01%     
==========================================
  Files         191      190       -1     
  Lines       15560    15434     -126     
  Branches      177      176       -1     
==========================================
- Hits        14403    14285     -118     
+ Misses       1145     1137       -8     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.0.0-alpha.8

[parseplatformorg]

🎉 This change has been released in version 9.0.0