feat: Skip verify server url

[Moumouls]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Adds a new Parse Server option skipVerifyServerUrl that allows skipping the automatic server URL verification that occurs on the mount event.

This option is useful in environments where the server URL is not accessible from the server itself:

• Running behind a firewall
• Containerized environments with network restrictions
• Test environments (Jest, etc.) where the verification may cause issues or unnecessary delays

Closes: FILL_THIS_OUT

Approach

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

New Features

• Added skipVerifyServerUrl configuration option to skip server URL verification on startup. Useful for deployments behind firewalls, in containerized environments, or test scenarios. Configure via environment variable PARSE_SERVER_SKIP_VERIFY_SERVER_URL. Defaults to false.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

❌ Please fill out all fields with a placeholder FILL_THIS_OUT. If a field does not apply to the pull request, fill in n/a or delete the line.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new configuration option skipVerifyServerUrl is added across the Parse Server codebase to allow disabling server URL verification during startup. The option is defined in configuration files, documented, typed, and conditionally applied to suppress verification checks in the ParseServer initialization.

Changes

Cohort / File(s)	Summary
Options Definition and Type Declarations src/Options/Definitions.js, src/Options/docs.js, src/Options/index.js, types/Options/index.d.ts	Added new boolean option skipVerifyServerUrl with environment variable binding, comprehensive documentation explaining use cases (firewall, containerization, test environments), boolean parser, and default value of false across configuration and type definition files.
ParseServer Implementation src/ParseServer.ts	Destructured skipVerifyServerUrl from options and wrapped the server URL verification logic (api.on('mount', ...)) with conditional check if (!skipVerifyServerUrl) to skip verification when flag is enabled. Applied in two locations during app initialization.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

The changes follow consistent, repetitive patterns for adding a new configuration option across existing structures. The logic change in ParseServer.ts is straightforward conditional wrapping. While affecting 5 files, the modifications are homogeneous and additive, requiring minimal reasoning per file.

Suggested reviewers

• mtrezza

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The pull request description does not fully adhere to the repository's description template structure. While the description contains valuable content explaining the purpose and use cases of the new skipVerifyServerUrl option, it has significant structural issues: the "## Approach" section header is missing entirely, and the approach content appears to be placed under the "## Issue" section instead; additionally, the "Closes:" link remains unfilled with "FILL_THIS_OUT". The description lacks the proper separation between the Issue identification and the technical Approach documentation that the template requires, making the structure incomplete even though the informational content is largely present.	To resolve this, the author should restructure the description to match the template: add a proper "## Approach" section header before the paragraph describing the changes, move the explanation of what the option does into that section, and fill out the actual GitHub issue link in the "Closes:" field. Additionally, clarify the "## Issue" section by either removing it or briefly stating which issue the PR addresses. Following the template structure will improve clarity and consistency with repository conventions.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title "feat: Skip verify server url" is directly aligned with the main change in the changeset. The PR introduces a new Parse Server option skipVerifyServerUrl that allows users to skip automatic server URL verification on startup, and the title concisely captures this feature addition. The title is clear, specific enough for someone scanning the commit history to understand the primary change, and appropriately uses the conventional commit format with the "feat:" prefix. While the phrasing could be slightly more polished, it effectively communicates the essence of the changes.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/Options/Definitions.js (1)

596-602: Consider adding a security warning to the documentation.

The option definition is technically correct and follows the established pattern. However, given the security implications of bypassing server URL verification, consider strengthening the documentation with an explicit warning.

Apply this diff to add a security note:

   skipVerifyServerUrl: {
     env: 'PARSE_SERVER_SKIP_VERIFY_SERVER_URL',
     help:
-      'Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.<br><br>Default is `false`.',
+      'Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.<br><br>⚠️ Only enable this option when necessary, as server URL verification helps detect configuration errors early. Skipping verification may hide issues that could affect Cloud Code and push notifications.<br><br>Default is `false`.',
     action: parsers.booleanParser,
     default: false,
   },

src/ParseServer.ts (1)

377-382: Consider adding a log message when verification is skipped.

The conditional logic correctly skips verification when skipVerifyServerUrl is true. However, adding an informational log message would help with debugging and make it clear to operators that verification was intentionally skipped.

Apply this diff to add logging:

       // verify the server url after a 'mount' event is received
       /* istanbul ignore next */
       if (!skipVerifyServerUrl) {
         api.on('mount', async function () {
           await new Promise(resolve => setTimeout(resolve, 1000));
           ParseServer.verifyServerUrl();
         });
+      } else {
+        const logger = (logging as any).logger;
+        logger.info('Server URL verification is disabled via skipVerifyServerUrl option');
       }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 115e76e and 32b27db.

📒 Files selected for processing (5)

• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (1 hunks)
• src/ParseServer.ts (2 hunks)
• types/Options/index.d.ts (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 64-64: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: Node 20
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Redis Cache
• GitHub Check: Docker Build
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Code Analysis (javascript)

🔇 Additional comments (5)

types/Options/index.d.ts (1)

125-125: LGTM! TypeScript declaration is correct.

The TypeScript declaration for skipVerifyServerUrl follows the established pattern for optional boolean properties in the ParseServerOptions interface.

src/Options/index.js (1)

60-64: LGTM! Flow interface declaration is correct.

The Flow type declaration and documentation for skipVerifyServerUrl are properly formatted and match the patterns used throughout this file.

Note: The Biome static analysis error about the ? token is a false positive—Biome is not configured to parse Flow syntax.

src/ParseServer.ts (2)

299-306: LGTM! Option destructuring is correct.

The skipVerifyServerUrl option is properly destructured alongside other configuration options.

---

377-382: Address remaining PR objectives before merge

• No tests cover the new skipVerifyServerUrl option; add specs verifying that verifyServerUrl is skipped when this flag is true.
• External documentation (e.g. README.md or docs site) wasn’t updated; please add or update docs for this feature.
• The planned security check for server URL validation is missing; confirm and implement the required check.
• New Parse Error codes for the JS SDK have not been added; specify which codes and include them in a follow-up commit or PR.

src/Options/docs.js (1)

106-106: LGTM! Documentation follows established patterns.

The JSDoc documentation for skipVerifyServerUrl is properly formatted and aligns with the documentation in other files.

Note: If the security warning suggestion for src/Options/Definitions.js is accepted, this documentation should be updated to match.

[codecov]

Codecov Report

❌ Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.01%. Comparing base (abfa94c) to head (32b27db).
⚠️ Report is 3 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/ParseServer.ts	33.33%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha    #9881   +/-   ##
=======================================
  Coverage   93.00%   93.01%           
=======================================
  Files         187      187           
  Lines       15158    15160    +2     
  Branches      176      177    +1     
=======================================
+ Hits        14098    14101    +3     
+ Misses       1048     1047    -1     
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mtrezza]

I'm not against the new option, but I think the original bug is that ParseServer.verifyServerUrl(); is called in api.on('mount'). It should be called once PS has started up and with await as part of the start-up routine. So moving the verification to another place should solve the issue. If we also want to add a new option to disable the check altogether, I'm all for it.

See #9882 for how this may be fixed. Feel free to incorporate the changes into your PR, or I'll simply merge my PR and then we can merge yours with only the new option.

[Moumouls]

So moving the verification to another place should solve the issue.

@mtrezza it worked nice before but i seems that Daniel added the timeout to stabilize something, and even if we move the code elsewhere the timeout will still be a problem and introduce a latency of 1sec on each test, if developers use isolated test, the impact of perf is huge.

[mtrezza]

@Moumouls Did you take a look at my PR? No timeout needed. It's clear why the timeout was added - because the verification should not actually happen on mounting but on startup.

[Moumouls]

feel free to close this one @mtrezza if you feel your PR resolve the issue and the verifyUrl on stratup with expo backoff works.

I think your approach is better than mine :)

[mtrezza]

@Moumouls sorry, I was just proposing that my PR may solve the root cause. Did you try it out? I've merged #9882 so you can use the alpha release.

If you want to add the option to disable the verification, feel free to rebase and we can merge. However, the issue you originally opened this PR for should be solved with #9882.

[Moumouls]

i think the option is still useful @mtrezza i'll refresh this PR :)