fix: Maintenance key IP mismatch silently downgrades to regular auth instead of rejecting

[mtrezza]

Issue

Closes #10390

When a valid maintenance key is sent from a non-allowed IP address, the request is silently downgraded to regular user auth instead of being rejected with 403. This is inconsistent with master key and read-only master key behavior, which both reject with 403 on IP mismatch.

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)

Summary by CodeRabbit

• Bug Fixes
  • Fixed authentication middleware to properly enforce IP address restrictions for maintenance keys. Requests using a maintenance key from an unauthorized IP address now correctly return a 403 Unauthorized error instead of proceeding with additional authentication checks.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR fixes an inconsistency where a valid maintenance key from a non-allowed IP address was silently downgraded to regular authentication instead of being rejected. The fix adds proper IP-based allowlist enforcement for maintenance keys, matching master key behavior by throwing a 403 error when the IP is not in the allowlist.

Changes

Cohort / File(s)	Summary
Maintenance Key IP Allowlist Enforcement src/middlewares.js	Modified resolveKeyAuth to throw a 403 unauthorized error when a valid maintenance key is provided but the request IP fails the maintenanceKeyIps allowlist check, instead of silently proceeding with key resolution.
Test Coverage spec/Middlewares.spec.js	Added test case validating that handleParseHeaders rejects maintenance keys from non-allowed IPs with a 403 status and logs an appropriate error message.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: Add server option readOnlyMasterKeyIps to restrict readOnlyMasterKey by IP #10115: Implements similar IP-based allowlist enforcement for readOnlyMasterKeyIps in the same middleware file, establishing the pattern this PR follows for maintenance key validation.

🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Engage In Review Feedback	❓ Inconclusive	Repository lacks accessible PR metadata, review comments, and discussion history needed to verify author engagement with feedback.	Access GitHub PR #10391 review comments and discussion threads via GitHub API or web interface to verify engagement with reviewer feedback.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title begins with 'fix:' prefix and accurately describes the main change: addressing maintenance key IP mismatch behavior.
Description check	✅ Passed	The PR description includes issue reference, approach summary, and completed task checkboxes matching the template requirements.
Linked Issues check	✅ Passed	The PR fully addresses issue #10390 by implementing IP-based rejection for maintenance keys with 403 status, matching master key behavior.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue: a test and middleware logic modification to enforce IP restrictions on maintenance keys.
Security Check	✅ Passed	Pull request implements security fix rejecting requests with valid maintenance keys from non-allowed IP addresses with 403 error, consistent with existing master key patterns.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

spec/Middlewares.spec.js (2)

189-212: Consider consolidating with the existing test at lines 170-187.

The test at lines 170-187 already covers the maintenance key IP rejection scenario with nearly identical setup. The key difference is that this new test also asserts error.status === 403, which is valuable for verifying the HTTP status code.

A few observations:

1. The reconfigureServer() call appears unnecessary since AppCachePut directly overrides the cache entry that the middleware reads from.
2. Consider adding the error.status assertion to the existing test at lines 170-187 instead of creating a new test, or remove the redundant test.

If the intent is to have both tests, consider documenting why both are needed (e.g., different code paths being exercised).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/Middlewares.spec.js` around lines 189 - 212, The new test duplicates the
existing maintenance-key-IP rejection scenario; remove redundancy by merging the
useful assertion into the existing test: delete the new test block and add the
error.status === 403 assertion and the logger.error expectation into the earlier
test (which already uses AppCachePut and fakeReq headers), or if you prefer to
keep both tests, add a comment explaining they exercise different code paths and
remove the unnecessary reconfigureServer() call since AppCachePut already sets
the cache; update the test that contains middlewares.handleParseHeaders,
AppCachePut, fakeReq and logger.error to include the 403 status assertion so the
behavior is covered without duplicate tests.

---

170-178: Minor: Consider renaming maintenanceKey value for clarity.

The maintenanceKey config value is set to 'masterKey' (line 174) which could cause confusion when reading the test. The new test at lines 196-202 uses 'maintenanceKey' as the value, which is clearer.

Proposed fix for clarity

   it('should not succeed and log if the ip does not belong to maintenanceKeyIps list', async () => {
     const logger = require('../lib/logger').logger;
     spyOn(logger, 'error').and.callFake(() => {});
     AppCachePut(fakeReq.body._ApplicationId, {
-      maintenanceKey: 'masterKey',
+      maintenanceKey: 'maintenanceKey',
       maintenanceKeyIps: ['10.0.0.0', '10.0.0.1'],
     });
     fakeReq.ip = '10.0.0.2';
-    fakeReq.headers['x-parse-maintenance-key'] = 'masterKey';
+    fakeReq.headers['x-parse-maintenance-key'] = 'maintenanceKey';

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/Middlewares.spec.js` around lines 170 - 178, Rename the maintenance key
literal used in the test setup for clarity: when calling AppCachePut to seed the
config (function AppCachePut), change the value for maintenanceKey from
'masterKey' to 'maintenanceKey' so it matches the clearer naming used elsewhere
and avoid confusion with the header value; ensure
fakeReq.headers['x-parse-maintenance-key'] and any assertions still reference
the same value and update any related test expectations if needed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@spec/Middlewares.spec.js`:
- Around line 189-212: The new test duplicates the existing maintenance-key-IP
rejection scenario; remove redundancy by merging the useful assertion into the
existing test: delete the new test block and add the error.status === 403
assertion and the logger.error expectation into the earlier test (which already
uses AppCachePut and fakeReq headers), or if you prefer to keep both tests, add
a comment explaining they exercise different code paths and remove the
unnecessary reconfigureServer() call since AppCachePut already sets the cache;
update the test that contains middlewares.handleParseHeaders, AppCachePut,
fakeReq and logger.error to include the 403 status assertion so the behavior is
covered without duplicate tests.
- Around line 170-178: Rename the maintenance key literal used in the test setup
for clarity: when calling AppCachePut to seed the config (function AppCachePut),
change the value for maintenanceKey from 'masterKey' to 'maintenanceKey' so it
matches the clearer naming used elsewhere and avoid confusion with the header
value; ensure fakeReq.headers['x-parse-maintenance-key'] and any assertions
still reference the same value and update any related test expectations if
needed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1cf34ebf-83ac-4a75-8898-77f0ddfa99c8

📥 Commits

Reviewing files that changed from the base of the PR and between 5323b08 and b8ee819.

📒 Files selected for processing (2)

• spec/Middlewares.spec.js
• src/middlewares.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.51%. Comparing base (f2d06e7) to head (b8ee819).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10391      +/-   ##
==========================================
- Coverage   92.52%   92.51%   -0.02%     
==========================================
  Files         192      192              
  Lines       16620    16624       +4     
  Branches      229      229              
==========================================
+ Hits        15377    15379       +2     
- Misses       1221     1223       +2     
  Partials       22       22              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.8.0-alpha.2