Skip to content

fix: File metadata endpoint returns HTTP 200 instead of 403 for invalid app ID#10527

Open
dblythy wants to merge 1 commit into
parse-community:alphafrom
dblythy:fix/metadata-handler-invalid-appid
Open

fix: File metadata endpoint returns HTTP 200 instead of 403 for invalid app ID#10527
dblythy wants to merge 1 commit into
parse-community:alphafrom
dblythy:fix/metadata-handler-invalid-appid

Conversation

@dblythy

@dblythy dblythy commented Jul 4, 2026

Copy link
Copy Markdown
Member

Closes #10108

Summary by CodeRabbit

  • Bug Fixes
    • File metadata requests with an invalid app ID now return a proper authorization error (403 Permission denied) instead of appearing successful.
    • Error responses for invalid application IDs are now returned consistently with a clear status code and message.

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The metadataHandler in FilesRouter.js now returns a sanitized HTTP 403 error with message "Invalid application ID." when the app config is missing, instead of returning HTTP 200 with an empty object. The corresponding test in ParseFile.spec.js was updated to expect this new response.

Changes

Metadata Handler Error Response Fix

Layer / File(s) Summary
Sanitized 403 response for invalid app ID
src/Routers/FilesRouter.js, spec/ParseFile.spec.js
metadataHandler now returns a sanitized 403 error ({ error: 'Invalid application ID.' }) via createSanitizedHttpError when config is missing, instead of 200/{}; the test now asserts 403 with { error: 'Permission denied' }.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

  • parse-community/parse-server#10106: Also modifies metadataHandler in src/Routers/FilesRouter.js for behavior on invalid/missing app configuration, changing the response from 200 {} to an authorization failure.
🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description only says 'Closes #10108' and omits the required Issue, Approach, and Tasks sections. Add the template sections for Issue, Approach, and Tasks, and briefly describe the change and completed checklist items.
Engage In Review Feedback ❓ Inconclusive The fix matches the review request, but the repo shows no reply/thread evidence proving the feedback was discussed before resolution. Need the PR comment thread or a linked reply showing the author discussed the feedback before resolving it, or a reviewer note retracting it.
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the PR and follows the required fix: prefix.
Linked Issues check ✅ Passed The code and test changes match #10108 by returning 403 with 'Invalid application ID.' for missing config.
Out of Scope Changes check ✅ Passed Only the router and its matching test were changed, and both are directly related to the linked issue.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Check ✅ Passed Changed path now returns a sanitized 403 via createSanitizedHttpError; no new auth bypass, injection, or sensitive-data exposure patterns found.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.44.0)
spec/ParseFile.spec.js

ast-grep timed out on this file


Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/Routers/FilesRouter.js (1)

840-845: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicate invalid-app-ID response pattern across handlers.

This exact three-line block (createSanitizedHttpError + res.status + res.json) now appears in getHandler (Line 214-217), _earlyHeadersMiddleware (Line 324-327), and metadataHandler (Line 841-844). Consider extracting a small private helper (e.g., _sendSanitizedError(res, status, message, config)) to reduce duplication.

♻️ Example helper extraction
+  static _sendSanitizedError(res, status, message, config) {
+    const error = createSanitizedHttpError(status, message, config);
+    res.status(error.status);
+    res.json({ error: error.message });
+  }
+
   async metadataHandler(req, res) {
     try {
       const config = Config.get(req.params.appId);
       if (!config) {
-        const error = createSanitizedHttpError(403, 'Invalid application ID.', config);
-        res.status(error.status);
-        res.json({ error: error.message });
+        FilesRouter._sendSanitizedError(res, 403, 'Invalid application ID.', config);
         return;
       }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/Routers/FilesRouter.js` around lines 840 - 845, The invalid application
ID response logic is duplicated across getHandler, _earlyHeadersMiddleware, and
metadataHandler, so extract the shared createSanitizedHttpError + res.status +
res.json sequence into a small private helper such as _sendSanitizedError in
FilesRouter and replace each repeated block with that helper call. Keep the
helper near the other router methods so the handlers remain readable and
continue passing the same config, status, and message values.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/Routers/FilesRouter.js`:
- Around line 840-845: The invalid application ID response logic is duplicated
across getHandler, _earlyHeadersMiddleware, and metadataHandler, so extract the
shared createSanitizedHttpError + res.status + res.json sequence into a small
private helper such as _sendSanitizedError in FilesRouter and replace each
repeated block with that helper call. Keep the helper near the other router
methods so the handlers remain readable and continue passing the same config,
status, and message values.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 805d9f01-abee-4ba6-bff0-77d500acace0

📥 Commits

Reviewing files that changed from the base of the PR and between 7e9d53a and afd2bc1.

📒 Files selected for processing (2)
  • spec/ParseFile.spec.js
  • src/Routers/FilesRouter.js

@codecov

codecov Bot commented Jul 4, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.68%. Comparing base (cce91e5) to head (afd2bc1).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10527      +/-   ##
==========================================
+ Coverage   92.66%   92.68%   +0.01%     
==========================================
  Files         193      193              
  Lines       16981    16982       +1     
  Branches      248      248              
==========================================
+ Hits        15736    15739       +3     
+ Misses       1224     1222       -2     
  Partials       21       21              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@dblythy dblythy requested review from a team and mtrezza July 4, 2026 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: API response of metadata handler on invalid app ID is different from the file get handler

1 participant