feat: upgrading from express 4 to 5

package.json

@@ -27,11 +27,10 @@
     "@parse/fs-files-adapter": "3.0.0",
     "@parse/push-adapter": "6.8.0",
     "bcryptjs": "2.4.3",
-    "body-parser": "1.20.3",
     "commander": "12.1.0",
     "cors": "2.8.5",
     "deepcopy": "2.1.0",
-    "express": "4.21.2",
+    "express": "5.0.1",
     "express-rate-limit": "7.4.1",
     "follow-redirects": "1.15.9",
     "graphql": "16.9.0",
@@ -57,6 +56,7 @@
     "punycode": "2.3.1",
     "rate-limit-redis": "4.2.0",
     "redis": "4.7.0",
+    "router": "2.0.0",
     "semver": "7.6.3",
     "subscriptions-transport-ws": "0.11.0",
     "tv4": "1.3.0",
@@ -128,11 +128,11 @@
     "test:mongodb:7.0.1": "npm run test:mongodb --dbversion=7.0.1",
     "test:mongodb:8.0.3": "npm run test:mongodb --dbversion=8.0.3",
     "test:postgres:testonly": "cross-env PARSE_SERVER_TEST_DB=postgres PARSE_SERVER_TEST_DATABASE_URI=postgres://postgres:password@localhost:5432/parse_server_postgres_adapter_test_database npm run testonly",
-    "pretest": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=5.3.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} mongodb-runner start -t ${MONGODB_TOPOLOGY} --version ${MONGODB_VERSION} -- --port 27017",
-    "testonly": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=5.3.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} TESTING=1 jasmine",
+    "pretest": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=6.0.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} mongodb-runner start -t ${MONGODB_TOPOLOGY} --version ${MONGODB_VERSION} -- --port 27017",
+    "testonly": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=6.0.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} TESTING=1 jasmine",
     "test": "npm run testonly",
-    "posttest": "cross-env mongodb-runner stop --all",
-    "coverage": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=5.3.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} TESTING=1 nyc jasmine",
+    "posttest": "cross-env mongodb-runner stop --all --debug",
+    "coverage": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=6.0.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} TESTING=1 nyc jasmine",
     "start": "node ./bin/parse-server",
     "prettier": "prettier --write {src,spec}/{**/*,*}.js",
     "prepare": "npm run build",

spec/HTTPRequest.spec.js

@@ -2,15 +2,14 @@
 
 const httpRequest = require('../lib/request'),
   HTTPResponse = require('../lib/request').HTTPResponse,
-  bodyParser = require('body-parser'),
   express = require('express');
 
 const port = 13371;
 const httpRequestServer = `http://localhost:${port}`;
 
 function startServer(done) {
   const app = express();
-  app.use(bodyParser.json({ type: '*/*' }));
+  app.use(express.json({ type: '*/*' }));
   app.get('/hello', function (req, res) {
     res.json({ response: 'OK' });
   });

spec/ParseHooks.spec.js

@@ -4,7 +4,6 @@ const request = require('../lib/request');
 const triggers = require('../lib/triggers');
 const HooksController = require('../lib/Controllers/HooksController').default;
 const express = require('express');
-const bodyParser = require('body-parser');
 const auth = require('../lib/Auth');
 const Config = require('../lib/Config');
 
@@ -17,7 +16,7 @@ describe('Hooks', () => {
   beforeEach(done => {
     if (!app) {
       app = express();
-      app.use(bodyParser.json({ type: '*/*' }));
+      app.use(express.json({ type: '*/*' }));
       server = app.listen(port, undefined, done);
     } else {
       done();

spec/vulnerabilities.spec.js

@@ -250,11 +250,10 @@ describe('Vulnerabilities', () => {
 
     it_id('e8b5f1e1-8326-4c70-b5f4-1e8678dfff8d')(it)('denies creating a hook with polluted data', async () => {
       const express = require('express');
-      const bodyParser = require('body-parser');
       const port = 34567;
       const hookServerURL = 'http://localhost:' + port;
       const app = express();
-      app.use(bodyParser.json({ type: '*/*' }));
+      app.use(express.json({ type: '*/*' }));
       const server = await new Promise(resolve => {
         const res = app.listen(port, undefined, () => resolve(res));
       });

src/Controllers/AnalyticsController.js

@@ -5,7 +5,7 @@ export class AnalyticsController extends AdaptableController {
   appOpened(req) {
     return Promise.resolve()
       .then(() => {
-        return this.adapter.appOpened(req.body, req);
+        return this.adapter.appOpened(req.body || {}, req);
       })
       .then(response => {
         return { response: response || {} };
@@ -18,7 +18,7 @@ export class AnalyticsController extends AdaptableController {
   trackEvent(req) {
     return Promise.resolve()
       .then(() => {
-        return this.adapter.trackEvent(req.params.eventName, req.body, req);
+        return this.adapter.trackEvent(req.params.eventName, req.body || {}, req);
       })
       .then(response => {
         return { response: response || {} };

src/ParseServer.js

@@ -1,7 +1,6 @@
 // ParseServer - open-source compatible API Server for Parse apps
 
 var batch = require('./batch'),
-  bodyParser = require('body-parser'),
   express = require('express'),
   middlewares = require('./middlewares'),
   Parse = require('parse/node').Parse,
@@ -272,13 +271,13 @@ class ParseServer {
 
     api.use(
       '/',
-      bodyParser.urlencoded({ extended: false }),
+      express.urlencoded({ extended: false }),
       pages.enableRouter
         ? new PagesRouter(pages).expressRouter()
         : new PublicAPIRouter().expressRouter()
     );
 
-    api.use(bodyParser.json({ type: '*/*', limit: maxUploadSize }));
+    api.use(express.json({ type: '*/*', limit: maxUploadSize }));
     api.use(middlewares.allowMethodOverride);
     api.use(middlewares.handleParseHeaders);
     const routes = Array.isArray(rateLimit) ? rateLimit : [rateLimit];

src/PromiseRouter.js

@@ -9,7 +9,7 @@ import Parse from 'parse/node';
 import express from 'express';
 import log from './logger';
 import { inspect } from 'util';
-const Layer = require('express/lib/router/layer');
+const Layer = require('router/lib/layer');
 
 function validateParameter(key, value) {
   if (key == 'className') {

src/Routers/AggregateRouter.js

@@ -6,7 +6,7 @@ import UsersRouter from './UsersRouter';
 
 export class AggregateRouter extends ClassesRouter {
   handleFind(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = {};
     if (body.distinct) {
       options.distinct = String(body.distinct);

src/Routers/AudiencesRouter.js

@@ -8,7 +8,7 @@ export class AudiencesRouter extends ClassesRouter {
   }
 
   handleFind(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = ClassesRouter.optionsFromBody(body, req.config.defaultLimit);
 
     return rest

src/Routers/ClassesRouter.js

@@ -19,7 +19,7 @@ export class ClassesRouter extends PromiseRouter {
   }
 
   handleFind(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = ClassesRouter.optionsFromBody(body, req.config.defaultLimit);
     if (req.config.maxLimit && body.limit > req.config.maxLimit) {
       // Silently replace the limit on the query with the max configured
@@ -48,7 +48,7 @@ export class ClassesRouter extends PromiseRouter {
 
   // Returns a promise for a {response} object.
   handleGet(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = {};
 
     for (const key of Object.keys(body)) {
@@ -117,7 +117,7 @@ export class ClassesRouter extends PromiseRouter {
       req.config,
       req.auth,
       this.className(req),
-      req.body,
+      req.body || {},
       req.info.clientSDK,
       req.info.context
     );
@@ -130,7 +130,7 @@ export class ClassesRouter extends PromiseRouter {
       req.auth,
       this.className(req),
       where,
-      req.body,
+      req.body || {},
       req.info.clientSDK,
       req.info.context
     );

src/Routers/CloudCodeRouter.js

@@ -77,7 +77,7 @@ export class CloudCodeRouter extends PromiseRouter {
   }
 
   static createJob(req) {
-    const { job_schedule } = req.body;
+    const { job_schedule } = req.body || {};
     validateJobSchedule(req.config, job_schedule);
     return rest.create(
       req.config,
@@ -91,7 +91,7 @@ export class CloudCodeRouter extends PromiseRouter {
 
   static editJob(req) {
     const { objectId } = req.params;
-    const { job_schedule } = req.body;
+    const { job_schedule } = req.body || {};
     validateJobSchedule(req.config, job_schedule);
     return rest
       .update(

src/Routers/FilesRouter.js

@@ -1,5 +1,4 @@
 import express from 'express';
-import BodyParser from 'body-parser';
 import * as Middlewares from '../middlewares';
 import Parse from 'parse/node';
 import Config from '../Config';
@@ -45,7 +44,7 @@ export class FilesRouter {
 
     router.post(
       '/files/:filename',
-      BodyParser.raw({
+      express.raw({
         type: () => {
           return true;
         },

src/Routers/FunctionsRouter.js

@@ -58,7 +58,7 @@ export class FunctionsRouter extends PromiseRouter {
   }
 
   static handleCloudJob(req) {
-    const jobName = req.params.jobName || req.body.jobName;
+    const jobName = req.params.jobName || req.body?.jobName;
     const applicationId = req.config.applicationId;
     const jobHandler = jobStatusHandler(req.config);
     const jobFunction = triggers.getJob(jobName, applicationId);

src/Routers/GlobalConfigRouter.js

@@ -46,8 +46,8 @@ export class GlobalConfigRouter extends PromiseRouter {
         "read-only masterKey isn't allowed to update the config."
       );
     }
-    const params = req.body.params;
-    const masterKeyOnly = req.body.masterKeyOnly || {};
+    const params = req.body.params || {};
+    const masterKeyOnly = req.body?.masterKeyOnly || {};
     // Transform in dot notation to make sure it works
     const update = Object.keys(params).reduce((acc, key) => {
       acc[`params.${key}`] = params[key];

src/Routers/GraphQLRouter.js

@@ -19,7 +19,7 @@ export class GraphQLRouter extends PromiseRouter {
         "read-only masterKey isn't allowed to update the GraphQL config."
       );
     }
-    const data = await req.config.parseGraphQLController.updateGraphQLConfig(req.body.params);
+    const data = await req.config.parseGraphQLController.updateGraphQLConfig(req.body.params || {});
     return {
       response: data,
     };

src/Routers/HooksRouter.js

@@ -12,7 +12,7 @@ export class HooksRouter extends PromiseRouter {
   }
 
   handlePost(req) {
-    return this.createHook(req.body, req.config);
+    return this.createHook(req.body || {}, req.config);
   }
 
   handleGetFunctions(req) {
@@ -66,11 +66,11 @@ export class HooksRouter extends PromiseRouter {
 
   handleUpdate(req) {
     var hook;
-    if (req.params.functionName && req.body.url) {
+    if (req.params.functionName && req.body?.url) {
       hook = {};
       hook.functionName = req.params.functionName;
       hook.url = req.body.url;
-    } else if (req.params.className && req.params.triggerName && req.body.url) {
+    } else if (req.params.className && req.params.triggerName && req.body?.url) {
       hook = {};
       hook.className = req.params.className;
       hook.triggerName = req.params.triggerName;
@@ -82,7 +82,7 @@ export class HooksRouter extends PromiseRouter {
   }
 
   handlePut(req) {
-    var body = req.body;
+    var body = req.body || {};
     if (body.__op == 'Delete') {
       return this.handleDelete(req);
     } else {

src/Routers/IAPValidationRouter.js

@@ -68,8 +68,8 @@ function getFileForProductIdentifier(productIdentifier, req) {
 
 export class IAPValidationRouter extends PromiseRouter {
   handleRequest(req) {
-    let receipt = req.body.receipt;
-    const productIdentifier = req.body.productIdentifier;
+    let receipt = req.body?.receipt;
+    const productIdentifier = req.body?.productIdentifier;
 
     if (!receipt || !productIdentifier) {
       // TODO: Error, malformed request
@@ -84,7 +84,7 @@ export class IAPValidationRouter extends PromiseRouter {
       }
     }
 
-    if (process.env.TESTING == '1' && req.body.bypassAppStoreValidation) {
+    if (process.env.TESTING == '1' && req.body?.bypassAppStoreValidation) {
       return getFileForProductIdentifier(productIdentifier, req);
     }
 

src/Routers/InstallationsRouter.js

@@ -10,7 +10,7 @@ export class InstallationsRouter extends ClassesRouter {
   }
 
   handleFind(req) {
-    const body = Object.assign(req.body, ClassesRouter.JSONFromQuery(req.query));
+    const body = Object.assign(req.body || {}, ClassesRouter.JSONFromQuery(req.query));
     const options = ClassesRouter.optionsFromBody(body, req.config.defaultLimit);
     return rest
       .find(

src/Routers/PagesRouter.js

@@ -113,7 +113,7 @@ export class PagesRouter extends PromiseRouter {
 
   resendVerificationEmail(req) {
     const config = req.config;
-    const username = req.body.username;
+    const username = req.body?.username;
 
     if (!config) {
       this.invalidRequest();
@@ -187,7 +187,7 @@ export class PagesRouter extends PromiseRouter {
       this.invalidRequest();
     }
 
-    const { username, new_password, token: rawToken } = req.body;
+    const { username, new_password, token: rawToken } = req.body || {};
     const token = rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;
 
     if ((!username || !token || !new_password) && req.xhr === false) {

src/Routers/PublicAPIRouter.js

@@ -45,7 +45,7 @@ export class PublicAPIRouter extends PromiseRouter {
   }
 
   resendVerificationEmail(req) {
-    const username = req.body.username;
+    const username = req.body?.username;
     const appId = req.params.appId;
     const config = Config.get(appId);
 
@@ -154,7 +154,7 @@ export class PublicAPIRouter extends PromiseRouter {
       return this.missingPublicServerURL();
     }
 
-    const { username, new_password, token: rawToken } = req.body;
+    const { username, new_password, token: rawToken } = req.body || {};
     const token = rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;
 
     if ((!username || !token || !new_password) && req.xhr === false) {

src/Routers/PushRouter.js

@@ -26,7 +26,7 @@ export class PushRouter extends PromiseRouter {
     });
     let pushStatusId;
     pushController
-      .sendPush(req.body, where, req.config, req.auth, objectId => {
+      .sendPush(req.body || {}, where, req.config, req.auth, objectId => {
         pushStatusId = objectId;
         resolve({
           headers: {

src/Routers/SchemasRouter.js

@@ -77,18 +77,18 @@ async function createSchema(req) {
       "read-only masterKey isn't allowed to create a schema."
     );
   }
-  if (req.params.className && req.body.className) {
+  if (req.params.className && req.body?.className) {
     if (req.params.className != req.body.className) {
       return classNameMismatchResponse(req.body.className, req.params.className);
     }
   }
 
-  const className = req.params.className || req.body.className;
+  const className = req.params.className || req.body?.className;
   if (!className) {
     throw new Parse.Error(135, `POST ${req.path} needs a class name.`);
   }
 
-  return await internalCreateSchema(className, req.body, req.config);
+  return await internalCreateSchema(className, req.body || {}, req.config);
 }
 
 function modifySchema(req) {
@@ -99,12 +99,12 @@ function modifySchema(req) {
       "read-only masterKey isn't allowed to update a schema."
     );
   }
-  if (req.body.className && req.body.className != req.params.className) {
+  if (req.body?.className && req.body.className != req.params.className) {
     return classNameMismatchResponse(req.body.className, req.params.className);
   }
   const className = req.params.className;
 
-  return internalUpdateSchema(className, req.body, req.config);
+  return internalUpdateSchema(className, req.body || {}, req.config);
 }
 
 const deleteSchema = req => {