feat: Upgrade to express 5.0.1 (parse-community#9530)

pocketcolin · web-flow · commit e0480dfa8d97 · 2025-03-03T22:11:42.000+01:00
BREAKING CHANGE: This upgrades the internally used Express framework from version 4 to 5, which may be a breaking change. If Parse Server is set up to be mounted on an Express application, we recommend to also use version 5 of the Express framework to avoid any compatibility issues. Note that even if there are no issues after upgrading, future releases of Parse Server may introduce issues if Parse Server internally relies on Express 5-specific features which are unsupported by the Express version on which it is mounted. See the Express [migration guide](https://expressjs.com/en/guide/migrating-5.html) and [release announcement](https://expressjs.com/2024/10/15/v5-release.html#breaking-changes) for more info.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -28,11 +28,10 @@
     "@parse/fs-files-adapter": "3.0.0",
     "@parse/push-adapter": "6.10.0",
     "bcryptjs": "2.4.3",
-    "body-parser": "1.20.3",
     "commander": "13.0.0",
     "cors": "2.8.5",
     "deepcopy": "2.1.0",
-    "express": "4.21.2",
+    "express": "5.0.1",
     "express-rate-limit": "7.5.0",
     "follow-redirects": "1.15.9",
     "graphql": "16.9.0",
@@ -58,6 +57,7 @@
     "punycode": "2.3.1",
     "rate-limit-redis": "4.2.0",
     "redis": "4.7.0",
+    "router": "2.0.0",
     "semver": "7.7.1",
     "subscriptions-transport-ws": "0.11.0",
     "tv4": "1.3.0",
diff --git a/spec/HTTPRequest.spec.js b/spec/HTTPRequest.spec.js
@@ -2,15 +2,14 @@
 
 const httpRequest = require('../lib/request'),
   HTTPResponse = require('../lib/request').HTTPResponse,
-  bodyParser = require('body-parser'),
   express = require('express');
 
 const port = 13371;
 const httpRequestServer = `http://localhost:${port}`;
 
 function startServer(done) {
   const app = express();
-  app.use(bodyParser.json({ type: '*/*' }));
+  app.use(express.json({ type: '*/*' }));
   app.get('/hello', function (req, res) {
     res.json({ response: 'OK' });
   });
diff --git a/spec/ParseHooks.spec.js b/spec/ParseHooks.spec.js
@@ -4,7 +4,6 @@ const request = require('../lib/request');
 const triggers = require('../lib/triggers');
 const HooksController = require('../lib/Controllers/HooksController').default;
 const express = require('express');
-const bodyParser = require('body-parser');
 const auth = require('../lib/Auth');
 const Config = require('../lib/Config');
 
@@ -17,7 +16,7 @@ describe('Hooks', () => {
   beforeEach(done => {
     if (!app) {
       app = express();
-      app.use(bodyParser.json({ type: '*/*' }));
+      app.use(express.json({ type: '*/*' }));
       server = app.listen(port, undefined, done);
     } else {
       done();
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -250,11 +250,10 @@ describe('Vulnerabilities', () => {
 
     it_id('e8b5f1e1-8326-4c70-b5f4-1e8678dfff8d')(it)('denies creating a hook with polluted data', async () => {
       const express = require('express');
-      const bodyParser = require('body-parser');
       const port = 34567;
       const hookServerURL = 'http://localhost:' + port;
       const app = express();
-      app.use(bodyParser.json({ type: '*/*' }));
+      app.use(express.json({ type: '*/*' }));
       const server = await new Promise(resolve => {
         const res = app.listen(port, undefined, () => resolve(res));
       });
diff --git a/src/Controllers/AnalyticsController.js b/src/Controllers/AnalyticsController.js
@@ -5,7 +5,7 @@ export class AnalyticsController extends AdaptableController {
   appOpened(req) {
     return Promise.resolve()
       .then(() => {
-        return this.adapter.appOpened(req.body, req);
+        return this.adapter.appOpened(req.body || {}, req);
       })
       .then(response => {
         return { response: response || {} };
@@ -18,7 +18,7 @@ export class AnalyticsController extends AdaptableController {
   trackEvent(req) {
     return Promise.resolve()
       .then(() => {
-        return this.adapter.trackEvent(req.params.eventName, req.body, req);
+        return this.adapter.trackEvent(req.params.eventName, req.body || {}, req);
       })
       .then(response => {
         return { response: response || {} };
diff --git a/src/ParseServer.js b/src/ParseServer.js
@@ -1,7 +1,6 @@
 // ParseServer - open-source compatible API Server for Parse apps
 
 var batch = require('./batch'),
-  bodyParser = require('body-parser'),
   express = require('express'),
   middlewares = require('./middlewares'),
   Parse = require('parse/node').Parse,
@@ -253,6 +252,7 @@ class ParseServer {
     var api = express();
     //api.use("/apps", express.static(__dirname + "/public"));
     api.use(middlewares.allowCrossDomain(appId));
+    api.use(middlewares.allowDoubleForwardSlash);
     // File handling needs to be before default middlewares are applied
     api.use(
       '/',
@@ -273,15 +273,16 @@ class ParseServer {
 
     api.use(
       '/',
-      bodyParser.urlencoded({ extended: false }),
+      express.urlencoded({ extended: false }),
       pages.enableRouter
         ? new PagesRouter(pages).expressRouter()
         : new PublicAPIRouter().expressRouter()
     );
 
-    api.use(bodyParser.json({ type: '*/*', limit: maxUploadSize }));
+    api.use(express.json({ type: '*/*', limit: maxUploadSize }));
     api.use(middlewares.allowMethodOverride);
     api.use(middlewares.handleParseHeaders);
+    api.set('query parser', 'extended');
     const routes = Array.isArray(rateLimit) ? rateLimit : [rateLimit];
     for (const route of routes) {
       middlewares.addRateLimit(route, options);
diff --git a/src/PromiseRouter.js b/src/PromiseRouter.js
@@ -9,7 +9,7 @@ import Parse from 'parse/node';
 import express from 'express';
 import log from './logger';
 import { inspect } from 'util';
-const Layer = require('express/lib/router/layer');
+const Layer = require('router/lib/layer');
 
 function validateParameter(key, value) {
   if (key == 'className') {
diff --git a/src/Routers/AggregateRouter.js b/src/Routers/AggregateRouter.js
@@ -6,7 +6,7 @@ import UsersRouter from './UsersRouter';
 
 export class AggregateRouter extends ClassesRouter {
   handleFind(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = {};
     if (body.distinct) {
       options.distinct = String(body.distinct);
diff --git a/src/Routers/AudiencesRouter.js b/src/Routers/AudiencesRouter.js
@@ -8,7 +8,7 @@ export class AudiencesRouter extends ClassesRouter {
   }
 
   handleFind(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = ClassesRouter.optionsFromBody(body, req.config.defaultLimit);
 
     return rest
diff --git a/src/Routers/ClassesRouter.js b/src/Routers/ClassesRouter.js
@@ -19,7 +19,7 @@ export class ClassesRouter extends PromiseRouter {
   }
 
   handleFind(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = ClassesRouter.optionsFromBody(body, req.config.defaultLimit);
     if (req.config.maxLimit && body.limit > req.config.maxLimit) {
       // Silently replace the limit on the query with the max configured
@@ -48,7 +48,7 @@ export class ClassesRouter extends PromiseRouter {
 
   // Returns a promise for a {response} object.
   handleGet(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = {};
 
     for (const key of Object.keys(body)) {
@@ -117,7 +117,7 @@ export class ClassesRouter extends PromiseRouter {
       req.config,
       req.auth,
       this.className(req),
-      req.body,
+      req.body || {},
       req.info.clientSDK,
       req.info.context
     );
@@ -130,7 +130,7 @@ export class ClassesRouter extends PromiseRouter {
       req.auth,
       this.className(req),
       where,
-      req.body,
+      req.body || {},
       req.info.clientSDK,
       req.info.context
     );
diff --git a/src/Routers/CloudCodeRouter.js b/src/Routers/CloudCodeRouter.js
@@ -77,7 +77,7 @@ export class CloudCodeRouter extends PromiseRouter {
   }
 
   static createJob(req) {
-    const { job_schedule } = req.body;
+    const { job_schedule } = req.body || {};
     validateJobSchedule(req.config, job_schedule);
     return rest.create(
       req.config,
@@ -91,7 +91,7 @@ export class CloudCodeRouter extends PromiseRouter {
 
   static editJob(req) {
     const { objectId } = req.params;
-    const { job_schedule } = req.body;
+    const { job_schedule } = req.body || {};
     validateJobSchedule(req.config, job_schedule);
     return rest
       .update(
diff --git a/src/Routers/FilesRouter.js b/src/Routers/FilesRouter.js
@@ -1,5 +1,4 @@
 import express from 'express';
-import BodyParser from 'body-parser';
 import * as Middlewares from '../middlewares';
 import Parse from 'parse/node';
 import Config from '../Config';
@@ -45,7 +44,7 @@ export class FilesRouter {
 
     router.post(
       '/files/:filename',
-      BodyParser.raw({
+      express.raw({
         type: () => {
           return true;
         },
diff --git a/src/Routers/FunctionsRouter.js b/src/Routers/FunctionsRouter.js
@@ -58,7 +58,7 @@ export class FunctionsRouter extends PromiseRouter {
   }
 
   static handleCloudJob(req) {
-    const jobName = req.params.jobName || req.body.jobName;
+    const jobName = req.params.jobName || req.body?.jobName;
     const applicationId = req.config.applicationId;
     const jobHandler = jobStatusHandler(req.config);
     const jobFunction = triggers.getJob(jobName, applicationId);
diff --git a/src/Routers/GlobalConfigRouter.js b/src/Routers/GlobalConfigRouter.js
@@ -46,8 +46,8 @@ export class GlobalConfigRouter extends PromiseRouter {
         "read-only masterKey isn't allowed to update the config."
       );
     }
-    const params = req.body.params;
-    const masterKeyOnly = req.body.masterKeyOnly || {};
+    const params = req.body.params || {};
+    const masterKeyOnly = req.body?.masterKeyOnly || {};
     // Transform in dot notation to make sure it works
     const update = Object.keys(params).reduce((acc, key) => {
       acc[`params.${key}`] = params[key];
diff --git a/src/Routers/GraphQLRouter.js b/src/Routers/GraphQLRouter.js
@@ -19,7 +19,7 @@ export class GraphQLRouter extends PromiseRouter {
         "read-only masterKey isn't allowed to update the GraphQL config."
       );
     }
-    const data = await req.config.parseGraphQLController.updateGraphQLConfig(req.body.params);
+    const data = await req.config.parseGraphQLController.updateGraphQLConfig(req.body?.params || {});
     return {
       response: data,
     };
diff --git a/src/Routers/HooksRouter.js b/src/Routers/HooksRouter.js
@@ -12,7 +12,7 @@ export class HooksRouter extends PromiseRouter {
   }
 
   handlePost(req) {
-    return this.createHook(req.body, req.config);
+    return this.createHook(req.body || {}, req.config);
   }
 
   handleGetFunctions(req) {
@@ -66,11 +66,11 @@ export class HooksRouter extends PromiseRouter {
 
   handleUpdate(req) {
     var hook;
-    if (req.params.functionName && req.body.url) {
+    if (req.params.functionName && req.body?.url) {
       hook = {};
       hook.functionName = req.params.functionName;
       hook.url = req.body.url;
-    } else if (req.params.className && req.params.triggerName && req.body.url) {
+    } else if (req.params.className && req.params.triggerName && req.body?.url) {
       hook = {};
       hook.className = req.params.className;
       hook.triggerName = req.params.triggerName;
@@ -82,7 +82,7 @@ export class HooksRouter extends PromiseRouter {
   }
 
   handlePut(req) {
-    var body = req.body;
+    var body = req.body || {};
     if (body.__op == 'Delete') {
       return this.handleDelete(req);
     } else {
diff --git a/src/Routers/IAPValidationRouter.js b/src/Routers/IAPValidationRouter.js
@@ -68,8 +68,8 @@ function getFileForProductIdentifier(productIdentifier, req) {
 
 export class IAPValidationRouter extends PromiseRouter {
   handleRequest(req) {
-    let receipt = req.body.receipt;
-    const productIdentifier = req.body.productIdentifier;
+    let receipt = req.body?.receipt;
+    const productIdentifier = req.body?.productIdentifier;
 
     if (!receipt || !productIdentifier) {
       // TODO: Error, malformed request
@@ -84,7 +84,7 @@ export class IAPValidationRouter extends PromiseRouter {
       }
     }
 
-    if (process.env.TESTING == '1' && req.body.bypassAppStoreValidation) {
+    if (process.env.TESTING == '1' && req.body?.bypassAppStoreValidation) {
       return getFileForProductIdentifier(productIdentifier, req);
     }
 
diff --git a/src/Routers/InstallationsRouter.js b/src/Routers/InstallationsRouter.js
@@ -10,7 +10,7 @@ export class InstallationsRouter extends ClassesRouter {
   }
 
   handleFind(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = ClassesRouter.optionsFromBody(body, req.config.defaultLimit);
     return rest
       .find(
diff --git a/src/Routers/PagesRouter.js b/src/Routers/PagesRouter.js
@@ -107,8 +107,8 @@ export class PagesRouter extends PromiseRouter {
 
   resendVerificationEmail(req) {
     const config = req.config;
-    const username = req.body.username;
-    const token = req.body.token;
+    const username = req.body?.username;
+    const token = req.body?.token;
 
     if (!config) {
       this.invalidRequest();
@@ -178,7 +178,7 @@ export class PagesRouter extends PromiseRouter {
       this.invalidRequest();
     }
 
-    const { new_password, token: rawToken } = req.body;
+    const { new_password, token: rawToken } = req.body || {};
     const token = rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;
 
     if ((!token || !new_password) && req.xhr === false) {
@@ -320,7 +320,7 @@ export class PagesRouter extends PromiseRouter {
    */
   staticRoute(req) {
     // Get requested path
-    const relativePath = req.params[0];
+    const relativePath = req.params['resource'][0];
 
     // Resolve requested path to absolute path
     const absolutePath = path.resolve(this.pagesPath, relativePath);
@@ -716,7 +716,7 @@ export class PagesRouter extends PromiseRouter {
   mountStaticRoute() {
     this.route(
       'GET',
-      `/${this.pagesEndpoint}/(*)?`,
+      `/${this.pagesEndpoint}/*resource`,
       req => {
         this.setConfig(req, true);
       },
diff --git a/src/Routers/PublicAPIRouter.js b/src/Routers/PublicAPIRouter.js
@@ -52,7 +52,7 @@ export class PublicAPIRouter extends PromiseRouter {
   }
 
   resendVerificationEmail(req) {
-    const username = req.body.username;
+    const username = req.body?.username;
     const appId = req.params.appId;
     const config = Config.get(appId);
 
@@ -162,7 +162,7 @@ export class PublicAPIRouter extends PromiseRouter {
       return this.missingPublicServerURL();
     }
 
-    const { new_password, token: rawToken } = req.body;
+    const { new_password, token: rawToken } = req.body || {};
     const token = rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;
 
     if ((!token || !new_password) && req.xhr === false) {
diff --git a/src/Routers/PushRouter.js b/src/Routers/PushRouter.js
@@ -26,7 +26,7 @@ export class PushRouter extends PromiseRouter {
     });
     let pushStatusId;
     pushController
-      .sendPush(req.body, where, req.config, req.auth, objectId => {
+      .sendPush(req.body || {}, where, req.config, req.auth, objectId => {
         pushStatusId = objectId;
         resolve({
           headers: {
diff --git a/src/Routers/SchemasRouter.js b/src/Routers/SchemasRouter.js
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
diff --git a/src/batch.js b/src/batch.js
diff --git a/src/middlewares.js b/src/middlewares.js

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ export class AudiencesRouter extends ClassesRouter {`
`8`	`8`	`}`
`9`	`9`
`10`	`10`	`handleFind(req) {`
`11`		`- const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));`
	`11`	`+ const body = Object.assign(req.body \|\| {}, ClassesRouter.JSONFromQuery(req.query));`
`12`	`12`	`const options = ClassesRouter.optionsFromBody(body, req.config.defaultLimit);`
`13`	`13`
`14`	`14`	`return rest`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ export class FunctionsRouter extends PromiseRouter {`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`static handleCloudJob(req) {`
`61`		`- const jobName = req.params.jobName \|\| req.body.jobName;`
	`61`	`+ const jobName = req.params.jobName \|\| req.body?.jobName;`
`62`	`62`	`const applicationId = req.config.applicationId;`
`63`	`63`	`const jobHandler = jobStatusHandler(req.config);`
`64`	`64`	`const jobFunction = triggers.getJob(jobName, applicationId);`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ export class GraphQLRouter extends PromiseRouter {`
`19`	`19`	`"read-only masterKey isn't allowed to update the GraphQL config."`
`20`	`20`	`);`
`21`	`21`	`}`
`22`		`- const data = await req.config.parseGraphQLController.updateGraphQLConfig(req.body.params);`
	`22`	`+ const data = await req.config.parseGraphQLController.updateGraphQLConfig(req.body?.params \|\| {});`
`23`	`23`	`return {`
`24`	`24`	`response: data,`
`25`	`25`	`};`
Original file line number	Diff line number	Diff line change
`@@ -68,8 +68,8 @@ function getFileForProductIdentifier(productIdentifier, req) {`
`68`	`68`
`69`	`69`	`export class IAPValidationRouter extends PromiseRouter {`
`70`	`70`	`handleRequest(req) {`
`71`		`- let receipt = req.body.receipt;`
`72`		`- const productIdentifier = req.body.productIdentifier;`
	`71`	`+ let receipt = req.body?.receipt;`
	`72`	`+ const productIdentifier = req.body?.productIdentifier;`
`73`	`73`
`74`	`74`	`if (!receipt \|\| !productIdentifier) {`
`75`	`75`	`// TODO: Error, malformed request`
`@@ -84,7 +84,7 @@ export class IAPValidationRouter extends PromiseRouter {`
`84`	`84`	`}`
`85`	`85`	`}`
`86`	`86`
`87`		`- if (process.env.TESTING == '1' && req.body.bypassAppStoreValidation) {`
	`87`	`+ if (process.env.TESTING == '1' && req.body?.bypassAppStoreValidation) {`
`88`	`88`	`return getFileForProductIdentifier(productIdentifier, req);`
`89`	`89`	`}`
`90`	`90`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ export class InstallationsRouter extends ClassesRouter {`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`handleFind(req) {`
`13`		`- const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));`
	`13`	`+ const body = Object.assign(req.body \|\| {}, ClassesRouter.JSONFromQuery(req.query));`
`14`	`14`	`const options = ClassesRouter.optionsFromBody(body, req.config.defaultLimit);`
`15`	`15`	`return rest`
`16`	`16`	`.find(`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ export class PublicAPIRouter extends PromiseRouter {`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`resendVerificationEmail(req) {`
`55`		`- const username = req.body.username;`
	`55`	`+ const username = req.body?.username;`
`56`	`56`	`const appId = req.params.appId;`
`57`	`57`	`const config = Config.get(appId);`
`58`	`58`
`@@ -162,7 +162,7 @@ export class PublicAPIRouter extends PromiseRouter {`
`162`	`162`	`return this.missingPublicServerURL();`
`163`	`163`	`}`
`164`	`164`
`165`		`- const { new_password, token: rawToken } = req.body;`
	`165`	`+ const { new_password, token: rawToken } = req.body \|\| {};`
`166`	`166`	`const token = rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;`
`167`	`167`
`168`	`168`	`if ((!token \|\| !new_password) && req.xhr === false) {`