fix: AuthData validation incorrectly triggered on unchanged providers by Copilot · Pull Request #10025 · parse-community/parse-server

Copilot · 2026-01-26T23:00:30Z

Pull Request

Report security issues confidentially.
Any contribution is under this license.
Link this pull request to an issue.

Issue

Multi-provider authData updates fail when code-based adapters strip sensitive fields via afterFind(). Parse Server re-validates unchanged providers, but the stripped fields (e.g., code) cause validation to fail.

// User logs in with code-based provider
const user = await Parse.User.logInWith('gpgames', { 
  authData: { id: 'user1', code: 'C1' } 
});

// Fetch returns { gpgames: { id: 'user1' } } - code stripped by afterFind
await user.fetch({ sessionToken });

// Adding second provider fails - Parse tries to re-validate gpgames without code
user.set('authData', {
  ...user.get('authData'),
  instagram: { id: 'I1', code: 'ic1' }
});
await user.save(); // Error: gpgames code is required

Root cause: hasMutatedAuthData() used isDeepStrictEqual() for change detection. When afterFind() strips fields, the deep comparison treats unchanged providers as mutated.

Approach

The fix changes hasMutatedAuthData in Auth.js to use subset comparison.

Summary by CodeRabbit

Tests
- Added comprehensive tests for multi-provider authentication support and code-based authentication adapters.
Refactor
- Optimized authentication state change detection logic for improved efficiency.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

parseplatformorg · 2026-01-26T23:00:43Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Co-authored-by: mtrezza <5673677+mtrezza@users.noreply.github.com>

coderabbitai · 2026-01-27T06:35:09Z

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🔍 Trigger a full review

📝 Walkthrough

Walkthrough

Fixes authData validation logic to validate only providers with actual changes (id differences or unlinking) rather than all existing providers. Modifies mutation detection from deep equality checks to id-level comparison. Adds test cases validating multi-provider authentication flows where one provider is added while another remains unchanged.

Changes

Cohort / File(s)	Summary
Test Suite: Authentication Adapters `spec/AuthenticationAdaptersV2.spec.js`	Introduces code-based adapter (requires code field; throws "code is required." if missing; strips code via afterFind) and simple adapter (no code requirement). Adds tests verifying login with code-based provider, afterFind field stripping, and multi-provider persistence (adding new provider while keeping existing unchanged).
Core Logic: Auth Data Mutation Detection `src/Auth.js`	Replaces deep equality check (`isDeepStrictEqual`) with id-focused mutation detection: treats unlinking (null values) as mutations, new providers as mutations, and existing providers as mutations only when id differs; ignores other field differences when id matches.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: AuthData validation incorrectly triggered on unchanged providers' directly and clearly describes the main problem being fixed—validation being triggered on unchanged providers—matching the core issue addressed in this PR.
Description check	✅ Passed	The PR description comprehensively covers the issue, approach, root cause, and fix with code examples. It follows the required template structure with Issue, Approach, and Tasks sections, though documentation updates remain pending.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue `#9999`: mutation detection now compares only the id field, revalidation is triggered only for modified/new/unlinked providers, and a test validates the multi-provider scenario with a code-based adapter.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue: src/Auth.js implements the id-based mutation detection logic, and spec/AuthenticationAdaptersV2.spec.js adds the required multi-provider test case. No unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch copilot/fix-authdata-validation-issue

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

parse-github-assistant · 2026-01-27T06:35:14Z

🚀 Thanks for opening this pull request!

mtrezza · 2026-01-27T06:38:15Z

@coderabbitai review

coderabbitai · 2026-01-27T06:38:22Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

codecov · 2026-01-27T07:30:05Z

Codecov Report

❌ Patch coverage is 80.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.54%. Comparing base (e299107) to head (1898b99).
⚠️ Report is 36 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/Auth.js	80.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10025      +/-   ##
==========================================
- Coverage   92.55%   92.54%   -0.01%     
==========================================
  Files         190      190              
  Lines       15490    15499       +9     
  Branches      176      176              
==========================================
+ Hits        14336    14343       +7     
- Misses       1142     1144       +2     
  Partials       12       12

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

mtrezza · 2026-02-06T01:46:04Z

@coderabbitai is this a breaking change?

coderabbitai · 2026-02-06T01:46:45Z

Tip

For best results, initiate chat on the files or code changes.

@mtrezza: No, this is not a breaking change.

Here's why:

More permissive behavior: The change makes validation LESS strict, not more. Operations that were incorrectly failing (multi-provider updates with code-based adapters) will now succeed.
No API changes: There are no changes to public API signatures, exported functions, or method contracts.
Core security maintained: The validation still occurs when it matters most—when the provider id (the primary identifier from the auth provider) changes, is added, or is unlinked. This preserves the essential security checks.
Bug fix, not feature change: This fixes incorrect behavior where afterFind() stripping sensitive fields caused Parse Server to incorrectly treat unchanged providers as mutated.

Behavioral change clarification: While this is a behavioral change in how mutation detection works, it's not "breaking" in the conventional sense because:

Existing working code will continue to work
Previously valid operations remain valid
Previously invalid operations that were incorrectly failing due to the bug will now succeed

The only theoretical edge case would be if someone had a custom auth adapter that relied on re-validation when non-id fields changed, but that was arguably incorrect behavior being fixed by this PR.

## [9.2.1-alpha.2](9.2.1-alpha.1...9.2.1-alpha.2) (2026-02-06) ### Bug Fixes * AuthData validation incorrectly triggered on unchanged providers ([#10025](#10025)) ([d3d6e9e](d3d6e9e))

parseplatformorg · 2026-02-06T02:04:34Z

🎉 This change has been released in version 9.2.1-alpha.2

# [9.3.0](9.2.0...9.3.0) (2026-02-21) ### Bug Fixes * `Parse.Query.select('authData')` for `_User` class doesn't return auth data ([#10055](#10055)) ([44a5bb1](44a5bb1)) * AuthData validation incorrectly triggered on unchanged providers ([#10025](#10025)) ([d3d6e9e](d3d6e9e)) * Default ACL overwrites custom ACL on `Parse.Object` update ([#10061](#10061)) ([4ef89d9](4ef89d9)) * Default HTML pages for password reset, email verification not found ([#10034](#10034)) ([e299107](e299107)) * Default HTML pages for password reset, email verification not found ([#10041](#10041)) ([a4265bb](a4265bb)) * Incorrect dependency chain of `Parse` uses browser build instead of Node build ([#10067](#10067)) ([1a2521d](1a2521d)) * Unlinking auth provider triggers auth data validation ([#10045](#10045)) ([b6b6327](b6b6327)) ### Features * Add `Parse.File.url` validation with config `fileUpload.allowedFileUrlDomains` against SSRF attacks ([#10044](#10044)) ([4c9c948](4c9c948)) * Add event information to `verifyUserEmails`, `preventLoginWithUnverifiedEmail` to identify invoking signup / login action and auth provider ([#9963](#9963)) ([ed98c15](ed98c15)) * Add support for streaming file upload via `Buffer`, `Readable`, `ReadableStream` ([#10065](#10065)) ([f0feb48](f0feb48)) * Upgrade to parse 8.2.0, @parse/push-adapter 8.3.0 ([#10066](#10066)) ([8b5a14e](8b5a14e))

parseplatformorg · 2026-02-21T15:34:15Z

🎉 This change has been released in version 9.3.0

Initial plan

eb5156c

Copilot AI assigned Copilot and mtrezza Jan 26, 2026

Copilot started work on behalf of mtrezza January 26, 2026 23:00 View session

Copilot AI and others added 2 commits January 26, 2026 23:05

Add test for multi-provider authData issue

629b2da

Co-authored-by: mtrezza <5673677+mtrezza@users.noreply.github.com>

Fix hasMutatedAuthData to only validate when provider id changes

5018858

Co-authored-by: mtrezza <5673677+mtrezza@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Fix AuthData validation on unlink/no-op updates~~ Fix authData validation incorrectly triggered on unchanged providers Jan 26, 2026

Copilot finished work on behalf of mtrezza January 26, 2026 23:10

Copilot AI requested a review from mtrezza January 26, 2026 23:10

mtrezza marked this pull request as ready for review January 27, 2026 06:34

mtrezza changed the title ~~Fix authData validation incorrectly triggered on unchanged providers~~ Fix: AuthData validation incorrectly triggered on unchanged providers Jan 27, 2026

mtrezza changed the title ~~Fix: AuthData validation incorrectly triggered on unchanged providers~~ fix: AuthData validation incorrectly triggered on unchanged providers Jan 27, 2026

mtrezza mentioned this pull request Jan 27, 2026

AuthData validation is incorrectly triggered on unlink/no-op updates, breaking multi-provider flows #9999

Closed

3 tasks

coderabbitai bot previously approved these changes Jan 27, 2026

View reviewed changes

fix

b11e228

mtrezza dismissed coderabbitai[bot]’s stale review via b11e228 January 27, 2026 07:23

Merge branch 'alpha' into copilot/fix-authdata-validation-issue

9fca78f

mtrezza linked an issue Feb 4, 2026 that may be closed by this pull request

AuthData validation is incorrectly triggered on unlink/no-op updates, breaking multi-provider flows #9999

Closed

3 tasks

Merge branch 'alpha' into copilot/fix-authdata-validation-issue

1898b99

mtrezza merged commit d3d6e9e into alpha Feb 6, 2026
21 of 23 checks passed

mtrezza deleted the copilot/fix-authdata-validation-issue branch February 6, 2026 02:03

parseplatformorg added the state:released-alpha Released as alpha version label Feb 6, 2026

parseplatformorg added the state:released Released as stable version label Feb 21, 2026

Uh oh!

Conversation

Copilot AI commented Jan 26, 2026 • edited by mtrezza Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Pull Request

Issue

Approach

Summary by CodeRabbit

Uh oh!

parseplatformorg commented Jan 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Snyk checks have passed. No issues have been found so far.

Uh oh!

coderabbitai bot commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Walkthrough

Changes

Estimated code review effort

Uh oh!

parse-github-assistant bot commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mtrezza commented Jan 27, 2026

Uh oh!

coderabbitai bot commented Jan 27, 2026

Uh oh!

codecov bot commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

mtrezza commented Feb 6, 2026

Uh oh!

coderabbitai bot commented Feb 6, 2026

Uh oh!

Uh oh!

parseplatformorg commented Feb 6, 2026

Uh oh!

parseplatformorg commented Feb 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Jan 26, 2026 •

edited by mtrezza

Loading

parseplatformorg commented Jan 26, 2026 •

edited

Loading

coderabbitai bot commented Jan 27, 2026 •

edited

Loading

parse-github-assistant bot commented Jan 27, 2026 •

edited

Loading

codecov bot commented Jan 27, 2026 •

edited

Loading