test: GraphQL endpoint is exempt from routeAllowList by design (parse-community#10480)

Author: mtrezza

README.md

@@ -73,6 +73,11 @@ A big _thank you_ 🙏 to our [sponsors](#sponsors) and [backers](#backers) who
     - [Restricting File URL Domains](#restricting-file-url-domains)
   - [Idempotency Enforcement](#idempotency-enforcement)
   - [Installations](#installations)
+    - [Options](#options)
+      - [`duplicateDeviceTokenActionEnforceAuth`](#duplicatedevicetokenactionenforceauth)
+      - [`duplicateDeviceTokenAction`](#duplicatedevicetokenaction)
+      - [`duplicateDeviceTokenMergePriority`](#duplicatedevicetokenmergepriority)
+    - [Configuration example](#configuration-example)
   - [Localization](#localization)
     - [Pages](#pages)
       - [Localization with Directory Structure](#localization-with-directory-structure)
@@ -314,7 +319,7 @@ The client keys used with Parse are no longer necessary with Parse Server. If yo
 
 ## Route Allow List
 
-The `routeAllowList` option restricts which API routes are accessible to external clients. When set, all external requests are denied by default unless the route matches one of the configured regex patterns. This is useful for apps where all logic runs in Cloud Code and clients should not access the API directly.
+The `routeAllowList` option restricts which REST API routes are accessible to external clients. When set, all external REST API requests are denied by default unless the route matches one of the configured regex patterns. This is useful for apps where all logic runs in Cloud Code and clients should not access the REST API directly.
 
 Internal calls from Cloud Code, Cloud Jobs, and triggers are not affected. Master key and maintenance key requests bypass the restriction.
 
@@ -334,7 +339,7 @@ const server = ParseServer({
 
 Each entry is a regex pattern matched against the normalized route identifier. Patterns are auto-anchored with `^` and `$` for full-match semantics. For example, `classes/Chat` matches only `classes/Chat`, not `classes/ChatRoom`. Use `classes/Chat.*` to match both.
 
-Setting an empty array `[]` blocks all external non-master-key requests (full lockdown). Not setting the option preserves current behavior (all routes accessible).
+Setting an empty array `[]` blocks all external non-master-key REST API requests (full lockdown of REST API routes). Not setting the option preserves current behavior (all routes accessible).
 
 ### Covered Routes
 
@@ -395,6 +400,9 @@ The following table lists all route groups covered by `routeAllowList` with exam
 > [!NOTE]
 > File routes are not covered by `routeAllowList`. File upload access is controlled via the `fileUpload` option. File download and metadata access is controlled via the `fileDownload` option.
 
+> [!NOTE]
+> The GraphQL API is not covered by `routeAllowList`. `routeAllowList` gates the REST API per route, while every GraphQL operation is transported over a single endpoint with the operation, target class, and field set encoded in the request body — so per-route allow-list semantics do not compose with it.
+
 ## Email Verification and Password Reset
 
 Verifying user email addresses and enabling password reset via email requires an email adapter. There are many email adapters provided and maintained by the community. The following is an example configuration with an example email adapter. See the [Parse Server Options][server-options] for more details and a full list of available options.

spec/RouteAllowList.spec.js

@@ -314,6 +314,67 @@ describe('routeAllowList', () => {
       }
     });
 
+    describe('GraphQL exemption', () => {
+      // routeAllowList is a path-based REST API control. The GraphQL endpoint
+      // collapses every operation onto a single URL (graphQLPath), so a
+      // per-route allow-list cannot meaningfully gate individual GraphQL
+      // operations.
+      const gqlRequest = body =>
+        require('../lib/request')({
+          method: 'POST',
+          url: 'http://localhost:8378/graphql',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-Javascript-Key': 'test',
+          },
+          body: JSON.stringify(body),
+        });
+
+      it('reaches GraphQL endpoint when routeAllowList is empty array', async () => {
+        await reconfigureServer({ mountGraphQL: true, routeAllowList: [] });
+        const restRequest = require('../lib/request');
+        await expectAsync(
+          restRequest({
+            method: 'GET',
+            url: 'http://localhost:8378/1/classes/GameScore',
+            headers: {
+              'X-Parse-Application-Id': 'test',
+              'X-Parse-REST-API-Key': 'rest',
+            },
+          })
+        ).toBeRejectedWith(
+          jasmine.objectContaining({
+            data: jasmine.objectContaining({ code: Parse.Error.OPERATION_FORBIDDEN }),
+          })
+        );
+        const response = await gqlRequest({ query: '{ health }' });
+        expect(response.data.data.health).toBeTrue();
+      });
+
+      it('reaches GraphQL endpoint when routeAllowList contains only REST routes', async () => {
+        await reconfigureServer({
+          mountGraphQL: true,
+          routeAllowList: ['classes/AllowedClass'],
+        });
+        const response = await gqlRequest({ query: '{ health }' });
+        expect(response.data.data.health).toBeTrue();
+      });
+
+      it('keeps class CLP enforced through GraphQL when routeAllowList is empty array', async () => {
+        await reconfigureServer({ mountGraphQL: true, routeAllowList: [] });
+        const { updateCLP } = require('./support/dev');
+        const obj = new Parse.Object('CLPGuarded');
+        await obj.save(null, { useMasterKey: true });
+        await updateCLP({ find: {}, get: {}, create: {}, update: {}, delete: {} }, 'CLPGuarded');
+        const response = await gqlRequest({
+          query: '{ cLPGuardeds { edges { node { objectId } } } }',
+        });
+        expect(response.data.errors).toBeDefined();
+        expect(response.data.errors[0].extensions.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      });
+    });
+
     it_id('229cab22-dad3-4d08-8de5-64d813658596')(it)('should block all route groups when not in allow list', async () => {
       await reconfigureServer({
         routeAllowList: ['classes/GameScore'],

src/Options/Definitions.js

@@ -583,7 +583,7 @@ module.exports.ParseServerOptions = {
   },
   routeAllowList: {
     env: 'PARSE_SERVER_ROUTE_ALLOW_LIST',
-    help: '(Optional) Restricts external client access to a list of allowed API routes.<br><br>When this option is set, all external non-master-key requests are denied by default. Only routes matching at least one of the configured regex patterns are allowed through. Internal calls from Cloud Code, Cloud Jobs, and triggers are not affected.<br><br>Each entry is a regex pattern string matched against the normalized route identifier (request path with mount prefix and leading slash stripped). Patterns are auto-anchored with `^` and `$` for full-match semantics.<br><br><b>Examples of normalized route identifiers:</b><ul><li>`classes/GameScore` (class CRUD)</li><li>`classes/GameScore/abc123` (object by ID)</li><li>`users` (user operations)</li><li>`login` (login endpoint)</li><li>`functions/sendEmail` (Cloud Function)</li><li>`jobs/cleanup` (Cloud Job)</li><li>`push` (push notifications)</li><li>`config` (client config)</li><li>`installations` (installations)</li><li>`files/picture.jpg` (file operations)</li></ul><b>Example patterns:</b><ul><li>`classes/ChatMessage` matches only `classes/ChatMessage`</li><li>`classes/Chat.*` matches `classes/ChatMessage`, `classes/ChatRoom`, etc.</li><li>`functions/.*` matches all Cloud Functions</li></ul>Setting an empty array `[]` blocks all external non-master-key requests (full lockdown).<br><br>When setting the option via an environment variable, the notation is a comma-separated string, for example `"classes/ChatMessage,users,functions/.*"`.<br><br>Defaults to `undefined` which means the feature is inactive and all routes are accessible.',
+    help: '(Optional) Restricts external client access to a list of allowed REST API routes.<br><br>When this option is set, all external non-master-key REST API requests are denied by default. Only routes matching at least one of the configured regex patterns are allowed through. Internal calls from Cloud Code, Cloud Jobs, and triggers are not affected.<br><br>Each entry is a regex pattern string matched against the normalized route identifier (request path with mount prefix and leading slash stripped). Patterns are auto-anchored with `^` and `$` for full-match semantics.<br><br><b>Examples of normalized route identifiers:</b><ul><li>`classes/GameScore` (class CRUD)</li><li>`classes/GameScore/abc123` (object by ID)</li><li>`users` (user operations)</li><li>`login` (login endpoint)</li><li>`functions/sendEmail` (Cloud Function)</li><li>`jobs/cleanup` (Cloud Job)</li><li>`push` (push notifications)</li><li>`config` (client config)</li><li>`installations` (installations)</li></ul><b>Example patterns:</b><ul><li>`classes/ChatMessage` matches only `classes/ChatMessage`</li><li>`classes/Chat.*` matches `classes/ChatMessage`, `classes/ChatRoom`, etc.</li><li>`functions/.*` matches all Cloud Functions</li></ul>Setting an empty array `[]` blocks all external non-master-key REST API requests (full lockdown of REST API routes).<br><br>When setting the option via an environment variable, the notation is a comma-separated string, for example `"classes/ChatMessage,users,functions/.*"`.<br><br>Defaults to `undefined` which means the feature is inactive and all routes are accessible.<br><br><b>Note:</b> File routes and the GraphQL API are not covered by this option.',
     action: parsers.arrayParser,
   },
   scheduledPush: {