From f592ac8a76203b8edab8d10c54b0489e96f4c2b2 Mon Sep 17 00:00:00 2001 From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com> Date: Sun, 14 Dec 2025 01:02:44 +0100 Subject: [PATCH 1/2] fix --- DEPRECATIONS.md | 1 + src/Deprecator/Deprecations.js | 4 +--- src/Options/Definitions.js | 4 ++-- src/Options/docs.js | 2 +- src/Options/index.js | 4 ++-- 5 files changed, 7 insertions(+), 8 deletions(-) diff --git a/DEPRECATIONS.md b/DEPRECATIONS.md index e8fa819095..f731644914 100644 --- a/DEPRECATIONS.md +++ b/DEPRECATIONS.md @@ -16,6 +16,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h | DEPPS10 | Encode `Parse.Object` in Cloud Function and remove option `encodeParseObjectInCloudFunction` | [#8634](https://github.com/parse-community/parse-server/issues/8634) | 6.2.0 (2023) | 9.0.0 (2026) | removed | - | | DEPPS11 | Replace `PublicAPIRouter` with `PagesRouter` | [#7625](https://github.com/parse-community/parse-server/issues/7625) | 8.0.0 (2025) | 9.0.0 (2026) | removed | - | | DEPPS12 | Database option `allowPublicExplain` defaults to `false` | [#7519](https://github.com/parse-community/parse-server/issues/7519) | 8.5.0 (2025) | 9.0.0 (2026) | removed | - | +| DEPPS13 | Config option `enableInsecureAuthAdapters` defaults to `false` | [#9667](https://github.com/parse-community/parse-server/pull/9667) | 8.0.0 (2025) | 9.0.0 (2026) | removed | - | [i_deprecation]: ## "The version and date of the deprecation." [i_removal]: ## "The version and date of the planned removal." diff --git a/src/Deprecator/Deprecations.js b/src/Deprecator/Deprecations.js index c4d03ca763..cd47d80c4e 100644 --- a/src/Deprecator/Deprecations.js +++ b/src/Deprecator/Deprecations.js @@ -15,6 +15,4 @@ * * If there are no deprecations, this must return an empty array. */ -module.exports = [ - { optionKey: 'enableInsecureAuthAdapters', changeNewDefault: 'false' }, -]; +module.exports = []; diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 2e9bfbfd84..0cf047a84c 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -244,9 +244,9 @@ module.exports.ParseServerOptions = { enableInsecureAuthAdapters: { env: 'PARSE_SERVER_ENABLE_INSECURE_AUTH_ADAPTERS', help: - 'Enable (or disable) insecure auth adapters, defaults to true. Insecure auth adapters are deprecated and it is recommended to disable them.', + 'Optional. Enables insecure authentication adapters. Insecure auth adapters are deprecated and will be removed in a future version. Defaults to `false`.', action: parsers.booleanParser, - default: true, + default: false, }, enableSanitizedErrorResponse: { env: 'PARSE_SERVER_ENABLE_SANITIZED_ERROR_RESPONSE', diff --git a/src/Options/docs.js b/src/Options/docs.js index 2380c77199..4e0ce8577d 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -44,7 +44,7 @@ * @property {Boolean} enableAnonymousUsers Enable (or disable) anonymous users, defaults to true * @property {Boolean} enableCollationCaseComparison Optional. If set to `true`, the collation rule of case comparison for queries and indexes is enabled. Enable this option to run Parse Server with MongoDB Atlas Serverless or AWS Amazon DocumentDB. If `false`, the collation rule of case comparison is disabled. Default is `false`. * @property {Boolean} enableExpressErrorHandler Enables the default express error handler for all errors - * @property {Boolean} enableInsecureAuthAdapters Enable (or disable) insecure auth adapters, defaults to true. Insecure auth adapters are deprecated and it is recommended to disable them. + * @property {Boolean} enableInsecureAuthAdapters Optional. Enables insecure authentication adapters. Insecure auth adapters are deprecated and will be removed in a future version. Defaults to `false`. * @property {Boolean} enableSanitizedErrorResponse If set to `true`, error details are removed from error messages in responses to client requests, and instead a generic error message is sent. Default is `true`. * @property {String} encryptionKey Key for encrypting your files * @property {Boolean} enforcePrivateUsers Set to true if new users should be created without public read and write access. diff --git a/src/Options/index.js b/src/Options/index.js index 761c7049d1..619a417378 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -167,9 +167,9 @@ export interface ParseServerOptions { /* Configuration for your authentication providers, as stringified JSON. See http://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication :ENV: PARSE_SERVER_AUTH_PROVIDERS */ auth: ?{ [string]: AuthAdapter }; - /* Enable (or disable) insecure auth adapters, defaults to true. Insecure auth adapters are deprecated and it is recommended to disable them. + /* Optional. Enables insecure authentication adapters. Insecure auth adapters are deprecated and will be removed in a future version. Defaults to `false`. :ENV: PARSE_SERVER_ENABLE_INSECURE_AUTH_ADAPTERS - :DEFAULT: true */ + :DEFAULT: false */ enableInsecureAuthAdapters: ?boolean; /* Max file size for uploads, defaults to 20mb :DEFAULT: 20mb */ From 0632e2031115fe3a87b07177065ad8b018094208 Mon Sep 17 00:00:00 2001 From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com> Date: Sun, 14 Dec 2025 01:17:13 +0100 Subject: [PATCH 2/2] test --- spec/SecurityCheckGroups.spec.js | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/SecurityCheckGroups.spec.js b/spec/SecurityCheckGroups.spec.js index aea4468da8..8031733322 100644 --- a/spec/SecurityCheckGroups.spec.js +++ b/spec/SecurityCheckGroups.spec.js @@ -49,6 +49,7 @@ describe('Security Check Groups', () => { config.masterKey = 'insecure'; config.security.enableCheckLog = true; config.allowClientClassCreation = true; + config.enableInsecureAuthAdapters = true; config.graphQLPublicIntrospection = true; await reconfigureServer(config);