feat: Add custom http status code and headers support for cloud funct…

[hajjarjoseph]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Closes: #9479

Approach

Modified FunctionsRouter.createResponseObject to detect __httpResponse: true in cloud function return values and pass through status and headers to the existing PromiseRouter infrastructure. Fully backwards compatible.

edited new approach:

Added CloudResponse class and pass it as second argument to cloud functions (req, res). When res.status() or res.set() are called, FunctionsRouter.createResponseObject passes status and headers to the existing PromiseRouter infrastructure. The res argument is optional - existing functions using only (req) continue to work unchanged.

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features

  • Cloud Functions can optionally customize HTTP responses (set status codes and headers via an Express-like response object).

• Documentation

  • README updated with usage examples, chaining behavior, and security considerations for response headers; note that the response argument is optional.

• Tests

  • Extensive new tests covering status/header setting, validation, combined responses, error paths, and edge cases.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a CloudResponse helper passed as a second argument to cloud functions so functions can set custom HTTP status and headers; FunctionsRouter collects CloudResponse data and applies status/headers to outgoing responses. Tests and README documentation were added.

Changes

Cohort / File(s)	Summary
Cloud Code Tests spec/CloudCode.spec.js	Added extensive test coverage for custom HTTP status codes, custom headers, combined status+headers, normal responses when res unused, last-write-wins behavior, and input validation/error paths for res.status() and res.set().
Cloud Function Router src/Routers/FunctionsRouter.js	Introduced CloudResponse class with status(), set(), hasCustomResponse(), getStatus(), getHeaders(). Updated FunctionsRouter.createResponseObject(resolve, reject) → createResponseObject(resolve, reject, cloudResponse). Cloud functions are invoked as (request, cloudResponse) and router applies custom status/headers when present.
Documentation README.md	Added "Cloud Function Custom HTTP Response" section and TOC entry with usage examples, chaining behavior, backwards-compatibility note, and security considerations for sensitive headers.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Client
participant FunctionsRouter
participant CloudFunction
participant CloudResponse
participant HTTPResponse
Client->>FunctionsRouter: Invoke cloud function request
FunctionsRouter->>CloudResponse: create CloudResponse instance
FunctionsRouter->>CloudFunction: call theFunction(request, cloudResponse)
CloudFunction->>CloudResponse: call status(code) / set(name, value) (optional)
CloudFunction-->>FunctionsRouter: return value or throw error
FunctionsRouter->>CloudResponse: inspect hasCustomResponse(), getStatus(), getHeaders()
FunctionsRouter->>HTTPResponse: apply status (if any) and headers (if any)
FunctionsRouter->>Client: send final HTTP response (body + status/headers)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

• Inspect CloudResponse validation (status range, integer check, header name/value validation, CRLF/prototype-pollution protections).
• Verify createResponseObject is threaded correctly through success and error flows.
• Confirm backward compatibility for cloud functions that accept only (request).
• Review tests in spec/CloudCode.spec.js for edge cases and coverage completeness.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main feature added: custom HTTP status code and headers support for cloud functions.
Linked Issues check	✅ Passed	The implementation successfully addresses issue #9479 by adding CloudResponse class with status() and set() methods, enabling cloud functions to customize HTTP responses.
Out of Scope Changes check	✅ Passed	All changes directly support the core objective of enabling custom HTTP status codes and headers in cloud functions, with comprehensive tests and documentation updates in scope.
Description check	✅ Passed	The PR description includes the required sections with the issue link, approach explanation, and marked tasks, though documentation task is marked incomplete.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[mtrezza]

I'm not a fan of this implementation; it looks like manipulation a server-internal property. Exposing a response object alongside the request object would be a cleaner approach.

[hajjarjoseph]

I'm not a fan of this implementation; it looks like manipulation a server-internal property. Exposing a response object alongside the request object would be a cleaner approach.

I'm not a fan of this implementation; it looks like manipulation a server-internal property. Exposing a response object alongside the request object would be a cleaner approach.

Changed my approach:

Added CloudResponse class and pass it as second argument to cloud functions (req, res). When res.status() or res.set() are called, FunctionsRouter.createResponseObject passes status and headers to the existing PromiseRouter infrastructure. The res argument is optional - existing functions using only (req) continue to work unchanged.

Example:

Parse.Cloud.define('myFunction', (req, res) => { res.status(201).set('X-Custom-Header', 'value'); return { message: 'Created' }; }); 

I do not want the bounty for this feature implementation, would just be happy if I get a tiny contribution to a project I have been using regularly!

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

spec/CloudCode.spec.js (1)

96-185: Consider adding edge case tests.

While the current tests provide good coverage, consider adding tests for edge cases:

• Invalid status codes (negative numbers, strings, out of valid HTTP range)
• Calling res.status() multiple times (last wins?)
• Setting the same header multiple times
• Invalid header names (non-string values)

These tests would ensure robust error handling and clarify expected behavior.

src/Routers/FunctionsRouter.js (3)

18-24: Add HTTP status code range validation.

The current validation only checks if the status code is a number, but doesn't validate it's a valid HTTP status code. Consider adding range validation:

 status(code) { if (typeof code !== 'number') { throw new Error('Status code must be a number'); } + if (code < 100 || code > 599) { + throw new Error('Status code must be between 100 and 599'); + } this._status = code; return this; }

---

26-32: Consider adding header value validation.

The set() method doesn't validate that the value parameter is defined or of an appropriate type. While HTTP headers are typically strings, consider adding basic validation:

 set(name, value) { if (typeof name !== 'string') { throw new Error('Header name must be a string'); } + if (value === undefined || value === null) { + throw new Error('Header value must be defined'); + } this._headers[name] = value; return this; }

---

149-158: Consider defensive copying of headers object.

Line 156 directly assigns the headers object from cloudResponse.getHeaders(), which could lead to unintended mutations if the internal _headers object is modified after resolution. Consider creating a shallow copy:

 if (Object.keys(headers).length > 0) { - response.headers = headers; + response.headers = { ...headers }; }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b05771f and 40040fb.

📒 Files selected for processing (2)

• spec/CloudCode.spec.js (1 hunks)
• src/Routers/FunctionsRouter.js (4 hunks)

🧰 Additional context used

🧠 Learnings (7)

📓 Common learnings

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-08T13:46:04.940Z Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required. 

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-17T15:02:48.786Z Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers. 

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls Repo: parse-community/parse-server PR: 9883 File: spec/CloudCodeLogger.spec.js:410-412 Timestamp: 2025-10-16T19:27:05.311Z Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev Repo: parse-community/parse-server PR: 9770 File: src/triggers.js:446-454 Timestamp: 2025-08-27T09:08:34.252Z Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 9445 File: spec/ParseLiveQuery.spec.js:1340-1375 Timestamp: 2025-05-09T09:59:06.289Z Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise. 

Applied to files:

• spec/CloudCode.spec.js
• src/Routers/FunctionsRouter.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 9445 File: spec/ParseLiveQuery.spec.js:1340-1375 Timestamp: 2025-05-09T09:59:06.289Z Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise. 

Applied to files:

• spec/CloudCode.spec.js
• src/Routers/FunctionsRouter.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 9445 File: spec/ParseLiveQuery.spec.js:1312-1338 Timestamp: 2025-05-04T20:41:05.147Z Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93 Repo: parse-community/parse-server PR: 9744 File: spec/ParseLiveQuery.spec.js:0-0 Timestamp: 2025-04-30T19:31:35.344Z Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module. 

Applied to files:

• spec/CloudCode.spec.js

🧬 Code graph analysis (1)

src/Routers/FunctionsRouter.js (1)

src/PromiseRouter.js (1)

• headers (143-143)

🔇 Additional comments (5)

spec/CloudCode.spec.js (4)

96-115: LGTM! Well-structured test for custom HTTP status codes.

The test correctly validates that cloud functions can return a custom 201 status code while maintaining the standard result payload structure.

---

117-139: LGTM! Good coverage of custom header functionality.

The test correctly validates multiple custom headers and properly handles HTTP header case-insensitivity by checking the lowercase versions.

---

166-185: Excellent backward compatibility test.

This test is critical for ensuring existing cloud functions that return objects containing status or result fields continue to work without those fields being misinterpreted as response metadata. The assertions correctly verify the returned object is nested under response.data.result.

---

141-164: The response payload structure in this test is correct. The response.data.result.error access (line 162) follows the standard Parse Server Cloud Function response format, as confirmed by consistent usage across multiple tests in the same file (lines 114, 138, 183-184). No changes needed.

src/Routers/FunctionsRouter.js (1)

177-177: Note: Cloud jobs don't receive custom status/header capability.

The CloudResponse functionality is only implemented for cloud functions (via handleCloudFunction), not for cloud jobs (via handleCloudJob). If this is intentional scope limitation, consider documenting it. If custom status/headers should also apply to jobs, the implementation needs to be extended.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

spec/CloudCode.spec.js (1)

96-322: Nice coverage for the new CloudResponse behavior (status, headers, edge cases).
Optional: consider a tiny helper for the repeated request({ method, url, headers, body }) blocks to keep the suite easier to extend.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 40040fb and 4cdda82.

📒 Files selected for processing (3)

• README.md (1 hunks)
• spec/CloudCode.spec.js (1 hunks)
• src/Routers/FunctionsRouter.js (4 hunks)

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-08T13:46:04.940Z Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required. 

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-17T15:02:48.786Z Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers. 

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls Repo: parse-community/parse-server PR: 9883 File: spec/CloudCodeLogger.spec.js:410-412 Timestamp: 2025-10-16T19:27:05.311Z Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev Repo: parse-community/parse-server PR: 9770 File: src/triggers.js:446-454 Timestamp: 2025-08-27T09:08:34.252Z Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 9445 File: spec/ParseLiveQuery.spec.js:1340-1375 Timestamp: 2025-05-09T09:59:06.289Z Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise. 

Applied to files:

• spec/CloudCode.spec.js
• src/Routers/FunctionsRouter.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 9445 File: spec/ParseLiveQuery.spec.js:1340-1375 Timestamp: 2025-05-09T09:59:06.289Z Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise. 

Applied to files:

• spec/CloudCode.spec.js
• src/Routers/FunctionsRouter.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 9445 File: spec/ParseLiveQuery.spec.js:1312-1338 Timestamp: 2025-05-04T20:41:05.147Z Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93 Repo: parse-community/parse-server PR: 9744 File: spec/ParseLiveQuery.spec.js:0-0 Timestamp: 2025-04-30T19:31:35.344Z Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-08T13:46:04.940Z Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options. 

Applied to files:

• README.md
• src/Routers/FunctionsRouter.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-08T13:46:04.940Z Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required. 

Applied to files:

• src/Routers/FunctionsRouter.js

📚 Learning: 2025-12-02T06:55:53.808Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-12-02T06:55:53.808Z Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js. 

Applied to files:

• src/Routers/FunctionsRouter.js

🔇 Additional comments (2)

src/Routers/FunctionsRouter.js (2)

147-172: Clarify/confirm semantics for “error” statuses vs thrown errors.
Custom status/headers are only applied in the success() path. If a function sets res.status(401) and then throws, the status won’t be honored (it’ll go through normal error handling). If that’s intended, it’s worth documenting explicitly (or adding a test to lock it in).

---

183-249: Response plumbing looks clean; signature change is pragmatic.
Passing cloudResponse as an optional second argument keeps (req) => {} handlers unaffected and matches the Express-like API described in the README/tests.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/Routers/FunctionsRouter.js (2)

43-48: Consider simplifying header value coercion logic.

The current header value handling works correctly but could be more readable. The logic converts values to strings, wraps in an array for validation, then stores the converted value. Consider extracting this to a helper method for clarity:

_normalizeHeaderValue(value) { const normalized = Array.isArray(value) ? value.map(v => String(v)) : String(value); const values = Array.isArray(normalized) ? normalized : [normalized]; if (values.some(v => /[\r\n]/.test(v))) { throw new Error('Header value must not contain CRLF'); } return normalized; }

This is optional—the current implementation is functional and well-tested.

---

1-1: Suggest updating PR title to follow Angular commit convention more precisely.

Based on learnings, the PR title should follow the format: type(scope): description where the scope identifies the subsystem and the description is action-oriented.

Suggested title:

feat(cloud-functions): enable custom HTTP status and headers in cloud functions 

This clearly conveys:

• Type: feat (new feature)
• Scope: cloud-functions (the subsystem affected)
• Impact: Developers can now set custom HTTP status codes and headers from cloud functions

As per coding guidelines, this makes a more meaningful changelog entry for developers.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4cdda82 and 71fba5f.

📒 Files selected for processing (3)

• README.md (2 hunks)
• spec/CloudCode.spec.js (1 hunks)
• src/Routers/FunctionsRouter.js (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• README.md

🧰 Additional context used

🧠 Learnings (11)

📓 Common learnings

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-08T13:46:04.940Z Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required. 

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-17T15:02:48.786Z Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers. 

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls Repo: parse-community/parse-server PR: 9883 File: spec/CloudCodeLogger.spec.js:410-412 Timestamp: 2025-10-16T19:27:05.311Z Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev Repo: parse-community/parse-server PR: 9770 File: src/triggers.js:446-454 Timestamp: 2025-08-27T09:08:34.252Z Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 9445 File: spec/ParseLiveQuery.spec.js:1340-1375 Timestamp: 2025-05-09T09:59:06.289Z Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise. 

Applied to files:

• spec/CloudCode.spec.js
• src/Routers/FunctionsRouter.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 9445 File: spec/ParseLiveQuery.spec.js:1340-1375 Timestamp: 2025-05-09T09:59:06.289Z Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise. 

Applied to files:

• spec/CloudCode.spec.js
• src/Routers/FunctionsRouter.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 9445 File: spec/ParseLiveQuery.spec.js:1312-1338 Timestamp: 2025-05-04T20:41:05.147Z Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93 Repo: parse-community/parse-server PR: 9744 File: spec/ParseLiveQuery.spec.js:0-0 Timestamp: 2025-04-30T19:31:35.344Z Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module. 

Applied to files:

• spec/CloudCode.spec.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-08T13:46:04.940Z Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required. 

Applied to files:

• src/Routers/FunctionsRouter.js

📚 Learning: 2025-12-02T06:55:53.808Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-12-02T06:55:53.808Z Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js. 

Applied to files:

• src/Routers/FunctionsRouter.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-08T13:46:04.940Z Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options. 

Applied to files:

• src/Routers/FunctionsRouter.js

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza Repo: parse-community/parse-server PR: 0 File: :0-0 Timestamp: 2025-11-17T15:02:48.786Z Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers. 

Applied to files:

• src/Routers/FunctionsRouter.js

🔇 Additional comments (3)

spec/CloudCode.spec.js (1)

96-413: Excellent test coverage for CloudResponse feature.

The test suite comprehensively covers:

• ✅ Happy paths: custom status codes, custom headers, combined usage
• ✅ Backward compatibility: functions that don't use the response object
• ✅ Edge cases: multiple calls (last-value semantics)
• ✅ Security validations: NaN, out-of-range status, prototype pollution headers (__proto__, constructor, prototype), CRLF injection
• ✅ Input validation: type checking for status and header names/values

All tests follow Parse Server best practices with async/await patterns (as per learnings). Well done!

src/Routers/FunctionsRouter.js (2)

12-63: Robust CloudResponse implementation with comprehensive validation.

The CloudResponse class properly addresses all security concerns:

• ✅ Object.create(null) prevents prototype pollution
• ✅ Number.isInteger() rejects NaN, floats, and Infinity
• ✅ Status range validation (100-599) enforces valid HTTP codes
• ✅ Header name validation prevents prototype pollution and empty names
• ✅ CRLF validation prevents header injection attacks
• ✅ Fluent interface supports method chaining

The implementation is secure and well-designed.

---

159-184: Clean integration maintaining backward compatibility.

The CloudResponse integration is well-implemented:

• The cloudResponse parameter is optional (2nd argument), so existing cloud functions that only accept (request) continue to work unchanged
• Line 167: Proper null-safety check before accessing custom response data
• Line 174: Defensive copy of headers prevents external mutation
• Lines 170-176: Conditional application ensures default behavior when no custom response is set

Backward compatibility is confirmed by the test "returns normal response when response object is not used" (spec lines 166-185).

Also applies to: 195-262

[mtrezza]

See #9980

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.55%. Comparing base (d5e76b0) to head (71fba5f).
⚠️ Report is 9 commits behind head on alpha.

Additional details and impacted files

@@ Coverage Diff @@ ## alpha #9979 +/- ## ========================================== + Coverage 92.54% 92.55% +0.01%  ========================================== Files 190 190 Lines 15434 15469 +35 Branches 176 176 ========================================== + Hits 14283 14318 +35  Misses 1139 1139 Partials 12 12 

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hajjarjoseph]

Codecov Report

✅ All modified and coverable lines are covered by tests. ✅ Project coverage is 92.55%. Comparing base (d5e76b0) to head (71fba5f). ⚠️ Report is 1 commits behind head on alpha.
Additional details and impacted files

☔ View full report in Codecov by Sentry. 📢 Have feedback on the report? Share it here.
🚀 New features to boost your workflow:

@mtrezza did you check the changes here? Will you go with #9980? Thank you :-)

[mtrezza]

@hajjarjoseph I think we'll go with #9980, it also contains a new express-style syntax for composing the response. Would you want to test out that PR before we merge - if you have a use case for it?

[hajjarjoseph]

@hajjarjoseph I think we'll go with #9980, it also contains a new express-style syntax for composing the response. Would you want to test out that PR before we merge - if you have a use case for it?

All good 👍