parse-stack-next 5.3.0 → 5.4.0

data/lib/parse/webhooks.rb

@@ -17,6 +17,7 @@ require_relative "model/object"
 require_relative "webhooks/payload"
 require_relative "webhooks/registration"
 require_relative "webhooks/replay_protection"
+require_relative "webhooks/trigger_audit"
 
 module Parse
   class Object
@@ -83,6 +84,36 @@ module Parse
     # will trigger the Parse::Webhooks application to return the proper error response.
     class ResponseError < StandardError; end
 
+    # The authentication-side triggers (local underscore form). These carry a
+    # +_User+ / +_Session+ as the payload object but are NOT object save/delete
+    # triggers: the router runs no ActiveModel save/create/destroy callbacks for
+    # them, and Parse Server ignores their response body.
+    AUTH_TRIGGERS = %i[
+      before_login after_login after_logout before_password_reset_request
+    ].freeze
+
+    # The LiveQuery triggers (local underscore form). Connection-global or
+    # event-scoped; Parse Server ignores their response body. Delivered over an
+    # HTTP webhook only in a co-located single-process LiveQuery setup.
+    LIVE_QUERY_TRIGGERS = %i[before_connect before_subscribe after_event].freeze
+
+    # Every trigger whose payload is not an object save/delete/find shape.
+    # Parse Server's webhook response handler resolves +{}+ for all of these
+    # (the body is ignored), so the router normalizes their handler result to a
+    # success no-op rather than serializing a returned object into the response.
+    NON_OBJECT_TRIGGERS = (AUTH_TRIGGERS + LIVE_QUERY_TRIGGERS).freeze
+
+    # The +before*+ subset of {NON_OBJECT_TRIGGERS} for which a handler can DENY
+    # the operation. Parse Server only treats an +{error}+ response as a
+    # rejection -- a +{success:false}+ body resolves and lets the login /
+    # connect / subscribe / reset proceed. So, mirroring the +before_save+
+    # convention, the router converts a +false+ return from one of these into a
+    # {ResponseError} (which serializes to +{error}+). +error!+ works for any
+    # trigger; the +after*+ variants fire after the fact and cannot undo it.
+    REJECTABLE_NON_OBJECT_TRIGGERS = %i[
+      before_login before_password_reset_request before_connect before_subscribe
+    ].freeze
+
     include Client::Connectable
     extend Parse::Webhooks::Registration
     # The name of the incoming env containing the webhook key.
@@ -135,6 +166,18 @@ module Parse
           className = className.parse_class
         end
         className = className.to_s
+        # Parse Server has no beforeCreate/afterCreate webhook trigger; the
+        # create variants are ActiveModel callbacks that run inside the
+        # beforeSave/afterSave handler for new objects. Point callers there
+        # rather than registering a route that can never fire.
+        if type == :before_create || type == :after_create
+          save = type == :before_create ? :before_save : :after_save
+          raise ArgumentError,
+                "There is no #{type} webhook. Register `webhook :#{save}` instead — " \
+                "your #{type} ActiveModel callbacks run inside the #{save} handler " \
+                "for new objects (registering #{save} enables BOTH the #{save} and " \
+                "#{type} callbacks)."
+        end
         if routes[type].nil? || block.respond_to?(:call) == false
           raise ArgumentError, "Invalid Webhook registration trigger #{type} #{className}"
         end
@@ -159,6 +202,104 @@ module Parse
         call_route(:function, name, payload)
       end
 
+      # Evaluate a single registered handler block in the scope of the payload.
+      #
+      # The block runs with `self` bound to the {Parse::Webhooks::Payload}, so a
+      # handler can call `parse_object`, `params`, `error!`, etc. directly --
+      # exactly as it could under the historical `payload.instance_exec(payload,
+      # &block)` invocation. The difference is the return semantics:
+      #
+      # - `return value` returns `value` as the handler result (instead of the
+      #   `LocalJumpError: unexpected return` that bare `instance_exec` raised
+      #   when the block was defined inside a method).
+      # - The legacy idioms still work unchanged: the last expression's value,
+      #   `next value`, and `break value` all return `value`, and `raise`
+      #   propagates untouched (so `error!` / before_save rejections behave the
+      #   same).
+      #
+      # This is achieved by attaching the block as a singleton method on the
+      # per-request payload (so `return` gets method semantics) and removing it
+      # afterward. The payload is a per-request instance, so this neither leaks
+      # nor mutates shared state across threads.
+      #
+      # Arity is matched to the old `instance_exec(payload, ...)` contract: a
+      # zero-arity block (`do ... end` / `proc { }`) is called with no args; a
+      # block that declares a parameter (`do |payload| ... end`) or a splat
+      # receives the payload.
+      #
+      # @param payload [Parse::Webhooks::Payload] the request payload (becomes `self`).
+      # @param block [Proc] the registered handler block.
+      # @return [Object] the handler's result value.
+      def invoke_handler(payload, block)
+        name = :"__parse_webhook_handler_#{block.object_id}__"
+        payload.define_singleton_method(name, &block)
+        handler = payload.method(name)
+        begin
+          # Match the old `payload.instance_exec(payload, &block)` arity
+          # leniency: a zero-arity block is called bare; otherwise it receives
+          # the payload, plus a nil for each additional REQUIRED positional so a
+          # block declaring `|payload, extra|` (or more) does not raise — under
+          # instance_exec those surplus params were silently nil. `arity` is
+          # negative for optional/splat params (e.g. -1 for `|*a|`, -2 for
+          # `|a, *b|`); `~arity` gives the required count in that case.
+          if handler.arity == 0
+            handler.call
+          else
+            required = handler.arity.negative? ? ~handler.arity : handler.arity
+            handler.call(payload, *Array.new([required - 1, 0].max))
+          end
+        ensure
+          singleton = payload.singleton_class
+          if singleton.method_defined?(name) || singleton.private_method_defined?(name)
+            singleton.send(:remove_method, name)
+          end
+        end
+      end
+
+      # Run any {Parse::Webhooks::Payload#after_response} callbacks a handler
+      # registered, AFTER the response has been produced. Prefers the server's
+      # `rack.after_reply` hook (Puma / Unicorn), which fires once the response
+      # is flushed to the socket on the same worker thread; falls back to a
+      # detached thread when the server does not provide it (e.g. WEBrick). Each
+      # callback is isolated so one raising neither aborts the others nor reaches
+      # the client. No-op when nothing was deferred.
+      #
+      # @param env [Hash] the Rack environment (for `rack.after_reply`).
+      # @param payload [Parse::Webhooks::Payload, nil] the request payload.
+      # @return [void]
+      def dispatch_deferred(env, payload)
+        return if payload.nil? || !payload.respond_to?(:deferred_callbacks)
+        callbacks = payload.deferred_callbacks
+        return if callbacks.blank?
+
+        runner = proc do
+          callbacks.each do |cb|
+            begin
+              cb.call
+            rescue => e
+              warn "[Webhooks::after_response] deferred callback raised: #{e.class}: #{e.message}"
+            end
+          end
+        end
+
+        # Enqueueing must never break an otherwise-successful response: this runs
+        # just before `response.finish`, so a raise here (a frozen after_reply
+        # array, thread exhaustion) would discard the buffered reply and surface
+        # as a 500. Failing to schedule deferred work degrades to "not run",
+        # never to a failed response.
+        begin
+          after_reply = env.is_a?(Hash) ? env["rack.after_reply"] : nil
+          if after_reply.respond_to?(:<<)
+            after_reply << runner
+          else
+            Thread.new(&runner)
+          end
+        rescue => e
+          warn "[Webhooks::after_response] could not schedule deferred work: #{e.class}: #{e.message}"
+        end
+        nil
+      end
+
       # Calls the set of registered webhook trigger blocks or the specific function block.
       # This method is usually called when an incoming request from Parse Server is received.
       # @param type (see route)
@@ -219,9 +360,9 @@ module Parse
         end
 
         if registry.is_a?(Array)
-          result = registry.map { |hook| payload.instance_exec(payload, &hook) }.last
+          result = registry.map { |hook| invoke_handler(payload, hook) }.last
         else
-          result = payload.instance_exec(payload, &registry)
+          result = invoke_handler(payload, registry)
         end
 
         if result.is_a?(Parse::Object)
@@ -265,6 +406,30 @@ module Parse
           result = {}
         end
 
+        # Auth- and LiveQuery-trigger dispatch (beforeLogin/afterLogin/
+        # afterLogout/beforePasswordResetRequest, beforeConnect/beforeSubscribe/
+        # afterEvent). Parse Server IGNORES the response body for all of these --
+        # its webhook response handler resolves {} regardless -- so the ONLY way
+        # a handler can affect the operation is the error path, and only for the
+        # "before" variants (a login/connect/subscribe/reset can be denied; an
+        # after_* fires after the fact and cannot be undone).
+        #
+        # Crucially, Parse Server treats only an {error} response as a rejection:
+        # a {success:false} body RESOLVES and lets the operation proceed. So a
+        # handler that returns `false` to "deny login" would silently allow it.
+        # We mirror the before_save convention and convert that false into a
+        # ResponseError (=> {error} => Parse Server denies). `error!` works for
+        # any of them (the call! rescue converts it). Every other return value --
+        # including a Parse::Object a handler happened to return (e.g. the _User
+        # from beforeLogin) -- is normalized to a success no-op so we never
+        # serialize an object into the response or the redacted request log.
+        if NON_OBJECT_TRIGGERS.include?(type)
+          if result == false && REJECTABLE_NON_OBJECT_TRIGGERS.include?(type)
+            raise Parse::Webhooks::ResponseError, "#{type} rejected by webhook handler"
+          end
+          result = true
+        end
+
         # Guard-injection: when a handler returns a Hash (or true/nil normalized
         # to {}) for a class with field_guards, Parse Server would otherwise
         # merge the response with the client's original payload and persist
@@ -380,6 +545,40 @@ module Parse
         dup.call!(env)
       end
 
+      # Extract the Parse class name from a webhook request path. Parse Server
+      # registers each trigger at `<endpoint>/<triggerName>/<className>`
+      # (functions at `<endpoint>/<functionName>`), so for a trigger the class
+      # is the last segment and the second-to-last is a known trigger name.
+      # Returns nil for a function path, a path with no recognizable trigger
+      # segment, or a className that fails the conservative charset check
+      # (Parse class names are `[A-Za-z0-9_]`, built-ins prefixed with `_`).
+      # The charset gate keeps an attacker-supplied path (reachable when
+      # `allow_unauthenticated` is set) from injecting an arbitrary routing /
+      # scrub key.
+      #
+      # @param path [String] the request PATH_INFO.
+      # @return [String, nil] the sanitized class name, or nil.
+      def trigger_class_from_path(path)
+        segments = path.to_s.split("/").reject(&:empty?)
+        return nil if segments.size < 2
+        trigger, klass = segments[-2], segments[-1]
+        # register_triggers! builds the URL with the LOCAL snake_case trigger
+        # name (`after_find`), while Parse Server sends the camelCase form in the
+        # body — accept both so the path segment is recognized either way.
+        known = (Parse::API::Hooks::TRIGGER_NAMES + Parse::API::Hooks::TRIGGER_NAMES_LOCAL).map(&:to_s)
+        return nil unless known.include?(trigger)
+        # Allow a leading `@` for the Parse pseudo-classes (`@Connect` for the
+        # connection-global LiveQuery trigger, `@File` for file triggers): the
+        # SDK encodes the className in the per-trigger URL, so beforeConnect
+        # would not route without it. Mirrors the trigger-className validator
+        # (Parse::API::PathSegment.trigger_class_name!). Still anchored and
+        # charset-limited -- this gate keeps an attacker-supplied path (reachable
+        # only under allow_unauthenticated) from injecting an arbitrary routing
+        # / scrub key.
+        return nil unless /\A@?_?[A-Za-z][A-Za-z0-9_]*\z/.match?(klass)
+        klass
+      end
+
       # @!visibility private
       def call!(env)
         request = Rack::Request.new env
@@ -440,8 +639,17 @@ module Parse
           return response.finish
         end
 
+        # Parse Server registers each trigger at
+        # `<endpoint>/<triggerName>/<className>`. For beforeFind/afterFind the
+        # payload body carries NO className anywhere, so the request PATH is the
+        # only authoritative source of the class — without it, find triggers
+        # don't route (parse_class is nil) and afterFind `objects` can't have
+        # their :vector columns stripped. Thread it into the payload here, before
+        # construction, so it is available for both routing and the scrub. Nil
+        # for function requests and for malformed paths.
+        webhook_class = Parse::Webhooks.trigger_class_from_path(request.path)
         begin
-          payload = Parse::Webhooks::Payload.new body_str
+          payload = Parse::Webhooks::Payload.new(body_str, webhook_class)
         rescue => e
           warn "Invalid webhook payload format: #{e}"
           response.write error("Invalid payload format. Should be valid JSON.")
@@ -486,6 +694,10 @@ module Parse
             puts "----------------------------------------------------\n"
           end
           response.write success(result)
+          # Schedule any after_response work to run once this reply is flushed,
+          # off the client's critical path. Registered on the success path so the
+          # deferred work overlaps a response Parse Server will act on.
+          dispatch_deferred(env, payload)
           return response.finish
         rescue Parse::Webhooks::ResponseError, ActiveModel::ValidationError => e
           if payload.trigger?

data/scripts/docker/Dockerfile.parse

@@ -1,4 +1,8 @@
-FROM parseplatform/parse-server:9
+# Pinned to a specific patch release (was the floating `:9` tag, which had
+# cached to a pre-patch 8.4.0 build). 9.9.0 includes the MFA / authData security
+# fixes — GHSA-pfj7-wv7c-22pr (auth-provider validation bypass on login) and
+# GHSA-37mj-c2wf-cx96 / CVE-2026-33627 (TOTP secret leak via /users/me).
+FROM parseplatform/parse-server:9.9.0
 
 # Switch to root to copy and set permissions
 USER root

data/scripts/docker/docker-compose.test.yml

@@ -5,9 +5,37 @@ version: '3.8'
 name: ${PSNEXT_PREFIX:-psnext-it}
 
 services:
+  # Security preflight — TEST STACK ONLY. Runs to completion before any
+  # real service starts (each gates on it via
+  # `service_completed_successfully`). Fails the stack closed when a
+  # `*_BIND` override would expose the stack on the LAN while privileged
+  # credentials are still the committed defaults. Invisible to the normal
+  # loopback run. See scripts/docker/preflight.sh for the rationale and
+  # escape hatches (ALLOW_INSECURE_BIND=1, or set real credentials).
+  preflight:
+    image: busybox:1.36
+    container_name: ${PSNEXT_PREFIX:-psnext-it}-preflight
+    environment:
+      # Resolved binds (compose applies the 127.0.0.1 default here).
+      PARSE_BIND: ${PARSE_BIND:-127.0.0.1}
+      MONGO_BIND: ${MONGO_BIND:-127.0.0.1}
+      REDIS_BIND: ${REDIS_BIND:-127.0.0.1}
+      DASHBOARD_BIND: ${DASHBOARD_BIND:-127.0.0.1}
+      # "1" only when the operator supplied a non-empty override; empty
+      # means the committed default credential is still in force.
+      PARSE_MASTER_KEY_SET: ${PARSE_MASTER_KEY:+1}
+      MONGO_ROOT_PASSWORD_SET: ${MONGO_ROOT_PASSWORD:+1}
+      ALLOW_INSECURE_BIND: ${ALLOW_INSECURE_BIND:-}
+    volumes:
+      - ./preflight.sh:/preflight.sh:ro
+    command: ["sh", "/preflight.sh"]
+
   mongo:
     image: mongo:8
     container_name: ${PSNEXT_PREFIX:-psnext-it}-mongo
+    depends_on:
+      preflight:
+        condition: service_completed_successfully
     # Bind to loopback so the test database isn't reachable from the LAN
     # when a developer runs `docker-compose up`. Override with
     # `MONGO_BIND=0.0.0.0` if you really want it exposed.
@@ -83,6 +111,9 @@ services:
   redis:
     image: redis:7-alpine
     container_name: ${PSNEXT_PREFIX:-psnext-it}-redis
+    depends_on:
+      preflight:
+        condition: service_completed_successfully
     # Loopback-only by default. Used by the cache integration test
     # (cache_redis_integration_test.rb) and the synchronize-create lock
     # tests. Override with `REDIS_BIND=0.0.0.0` if you need to point a

data/scripts/docker/docker-compose.verifyemail.yml

@@ -0,0 +1,4 @@
+services:
+  parse:
+    environment:
+      PARSE_SERVER_VERIFY_USER_EMAILS: "true"

data/scripts/docker/preflight.sh

@@ -0,0 +1,76 @@
+#!/bin/sh
+# Preflight guard for the integration stack — TEST STACK ONLY.
+#
+# The Compose defaults bind every service to loopback (127.0.0.1) and fall
+# back to KNOWN, COMMITTED test credentials (master key psnextItMasterKey,
+# Mongo root admin:password, Dashboard admin:admin). That combination is
+# safe on loopback — nothing on the LAN can reach it.
+#
+# It is NOT safe the moment a developer overrides a `*_BIND` to a
+# non-loopback address (e.g. MONGO_BIND=0.0.0.0 to attach a remote client):
+# the stack is then reachable from the LAN while protected only by
+# credentials that are published in this very repository. An admin-
+# credentialed Mongo / Parse master key exposed to a shared network is a
+# real footgun, and the failure is silent — `docker compose up` just works
+# and the developer never sees it.
+#
+# This guard runs first (every other service gates on it via
+# `service_completed_successfully`) and FAILS THE STACK CLOSED whenever a
+# non-loopback bind is combined with still-default privileged credentials.
+# It is invisible to the normal loopback run.
+#
+# Escape hatches (pick one):
+#   1. Keep it loopback     — unset the *_BIND override (the default).
+#   2. Use real secrets     — set PARSE_MASTER_KEY and MONGO_ROOT_PASSWORD
+#                             (inject them with `op run` / `doppler run` —
+#                             see the README "Secret injection" recipe).
+#   3. Acknowledge the risk — ALLOW_INSECURE_BIND=1 on a trusted/isolated
+#                             network where exposure is intentional.
+
+set -eu
+
+# Treat an empty value as loopback: the compose interpolation passes the
+# resolved bind, and an unset override resolves to the 127.0.0.1 default.
+is_loopback() {
+  case "$1" in
+    "" | 127.0.0.1 | ::1 | localhost) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+exposed=""
+for pair in "PARSE_BIND=${PARSE_BIND:-}" "MONGO_BIND=${MONGO_BIND:-}" \
+            "REDIS_BIND=${REDIS_BIND:-}" "DASHBOARD_BIND=${DASHBOARD_BIND:-}"; do
+  val=${pair#*=}
+  is_loopback "$val" || exposed="$exposed ${pair%%=*}=$val"
+done
+
+# Privileged credentials are "default" unless BOTH have been overridden.
+# *_SET is "1" only when Compose interpolated a non-empty override
+# (`${VAR:+1}`); empty means the committed default is in force.
+if [ -n "${PARSE_MASTER_KEY_SET:-}" ] && [ -n "${MONGO_ROOT_PASSWORD_SET:-}" ]; then
+  default_creds=0
+else
+  default_creds=1
+fi
+
+if [ -n "$exposed" ] && [ "$default_creds" = "1" ] && [ "${ALLOW_INSECURE_BIND:-}" != "1" ]; then
+  echo "[preflight] REFUSING TO START — non-loopback bind with default credentials." >&2
+  echo "[preflight]" >&2
+  echo "[preflight] Exposed (non-loopback) bind(s):$exposed" >&2
+  echo "[preflight] ...while still using the committed test credentials" >&2
+  echo "[preflight] (master key psnextItMasterKey / Mongo admin:password)." >&2
+  echo "[preflight] This publishes an admin-credentialed stack onto your LAN." >&2
+  echo "[preflight]" >&2
+  echo "[preflight] Resolve ONE of:" >&2
+  echo "[preflight]   1. Keep it loopback   — unset the *_BIND override." >&2
+  echo "[preflight]   2. Set real secrets   — PARSE_MASTER_KEY=... MONGO_ROOT_PASSWORD=..." >&2
+  echo "[preflight]   3. Acknowledge intent — ALLOW_INSECURE_BIND=1 (trusted network only)." >&2
+  exit 1
+fi
+
+if [ -n "$exposed" ]; then
+  echo "[preflight] OK — non-loopback bind(s)$exposed permitted (credentials overridden or ALLOW_INSECURE_BIND=1)."
+else
+  echo "[preflight] OK — all services bound to loopback."
+fi

data/scripts/start-parse.sh

@@ -64,6 +64,52 @@ export PARSE_SERVER_ALLOW_CUSTOM_OBJECT_ID="${PARSE_SERVER_ALLOW_CUSTOM_OBJECT_I
 export PARSE_SERVER_LIVE_QUERY="${PARSE_SERVER_LIVE_QUERY:-{\"classNames\":[\"Song\",\"Album\",\"User\",\"_User\",\"TestLiveQuery\"]}}"
 export PARSE_SERVER_START_LIVE_QUERY_SERVER="${PARSE_SERVER_START_LIVE_QUERY_SERVER:-true}"
 
+# Push configuration — test-stack only. Points at a no-op adapter bind-mounted
+# from test/cloud (see test/cloud/dummy-push-adapter.js). It does NOT deliver to
+# any real device gateway; it lets Parse Server accept `POST /parse/push` and
+# create/complete a real `_PushStatus` so the push send+status lifecycle is
+# integration-testable offline. Without this, `POST /push` returns code 115
+# "Missing push configuration". DO NOT use a no-op adapter in a deployed
+# environment — it silently drops every notification.
+export PARSE_SERVER_PUSH="${PARSE_SERVER_PUSH:-{\"adapter\":\"/parse-server/cloud/dummy-push-adapter.js\"}}"
+
+# MFA / 2FA configuration — test-stack only. Enables Parse Server's built-in
+# TOTP MFA adapter so the Parse::MFA / two_factor_auth integration tests can
+# enroll a user (authData.mfa.{secret,token}) and log in with a time-based code.
+# Params match rotp's defaults (SHA1 / 6 digits / 30s period) so codes generated
+# client-side validate server-side.
+#
+# NOTE: the `auth` option is the one Parse Server option that CANNOT be passed
+# as a JSON env var — its Definitions entry has no objectParser, so
+# PARSE_SERVER_AUTH_PROVIDERS is taken as a raw string and never JSON-parsed
+# (the MFA adapter then receives `undefined` options and 500s). It must come
+# from a config file, which parse-server JSON-parses natively. We write a
+# minimal config file holding only the `auth` block and pass it to parse-server
+# below; env vars still provide — and take precedence for — everything else
+# (parse-server applies env first, then fills gaps from the file).
+PARSE_AUTH_CONFIG_FILE="${PARSE_AUTH_CONFIG_FILE:-/tmp/psnext-parse-auth-config.json}"
+cat > "$PARSE_AUTH_CONFIG_FILE" <<'AUTHCFG'
+{ "auth": { "mfa": { "options": ["TOTP"], "digits": 6, "period": 30, "algorithm": "SHA1" } } }
+AUTHCFG
+
+# Email — test-stack only. Captures outgoing mail into an `EmailCapture` class
+# (see test/cloud/capturing-email-adapter.js) instead of sending it, so the
+# client-side password-reset / verification integration tests can assert
+# delivery and read back the reset link. `PARSE_PUBLIC_SERVER_URL` is required
+# for Parse Server to build those links. Email verification is NOT enabled, so
+# ordinary signups still work without a verification round-trip. DO NOT use a
+# capturing adapter in a deployed environment — it drops every email.
+export PARSE_SERVER_EMAIL_ADAPTER="${PARSE_SERVER_EMAIL_ADAPTER:-/parse-server/cloud/capturing-email-adapter.js}"
+export PARSE_PUBLIC_SERVER_URL="${PARSE_PUBLIC_SERVER_URL:-http://localhost:${PARSE_HOST_PORT:-29337}/parse}"
+export PARSE_SERVER_APP_NAME="${PARSE_SERVER_APP_NAME:-parse-stack-next-it}"
+# Keep email verification OFF. Configuring an email adapter otherwise flips
+# Parse Server into requiring verification, which makes signup return a user
+# with NO session token until the address is verified — breaking the
+# signup-on-save suite. Password reset does not need verification, only the
+# adapter + public URL above.
+export PARSE_SERVER_VERIFY_USER_EMAILS="${PARSE_SERVER_VERIFY_USER_EMAILS:-false}"
+export PARSE_SERVER_PREVENT_LOGIN_WITH_UNVERIFIED_EMAIL="${PARSE_SERVER_PREVENT_LOGIN_WITH_UNVERIFIED_EMAIL:-false}"
+
 # File upload — test-stack only. Authenticated session-token uploads are
 # permitted; public/anonymous uploads are NOT (mirrors a typical hardened
 # Parse Server config). The client_rest_files integration tests assert
@@ -92,15 +138,17 @@ echo "Looking for parse-server..."
 which node
 ls -la /parse-server/
 
-# Try different ways to start parse-server
+# Try different ways to start parse-server. The config file argument supplies
+# the `auth` (MFA) block; every other option still comes from the environment.
+echo "  Auth config file: $PARSE_AUTH_CONFIG_FILE"
 if [ -f "/parse-server/bin/parse-server" ]; then
   echo "Using /parse-server/bin/parse-server"
-  exec /parse-server/bin/parse-server
+  exec /parse-server/bin/parse-server "$PARSE_AUTH_CONFIG_FILE"
 elif [ -f "/usr/src/app/bin/parse-server" ]; then
   echo "Using /usr/src/app/bin/parse-server"
-  exec /usr/src/app/bin/parse-server
+  exec /usr/src/app/bin/parse-server "$PARSE_AUTH_CONFIG_FILE"
 else
   echo "Trying with node and index.js"
   cd /parse-server
-  exec node ./bin/parse-server
+  exec node ./bin/parse-server "$PARSE_AUTH_CONFIG_FILE"
 fi

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: parse-stack-next
 version: !ruby/object:Gem::Version
-  version: 5.3.0
+  version: 5.4.0
 platform: ruby
 authors:
 - Adrian Curtin
@@ -250,9 +250,16 @@ files:
 - docs/mongodb_direct_guide.md
 - docs/mongodb_index_optimization_guide.md
 - docs/usage_guide.md
+- docs/webhooks_guide.md
 - docs/yard-template/default/fulldoc/html/css/common.css
 - docs/yard-template/default/fulldoc/html/css/full_list.css
+- examples/README.md
+- examples/basic_client.rb
+- examples/basic_server.rb
+- examples/live_query_listener.rb
+- examples/rag_chatbot.rb
 - examples/transaction_example.rb
+- examples/webhook_server.rb
 - lib/parse-stack-next.rb
 - lib/parse-stack.rb
 - lib/parse/acl_scope.rb
@@ -319,6 +326,7 @@ files:
 - lib/parse/embeddings/openai.rb
 - lib/parse/embeddings/provider.rb
 - lib/parse/embeddings/qwen.rb
+- lib/parse/embeddings/spend_cap.rb
 - lib/parse/embeddings/voyage.rb
 - lib/parse/graphql.rb
 - lib/parse/graphql/scalars.rb
@@ -399,6 +407,8 @@ files:
 - lib/parse/retrieval/agent_tool.rb
 - lib/parse/retrieval/chunk.rb
 - lib/parse/retrieval/chunker.rb
+- lib/parse/retrieval/reranker.rb
+- lib/parse/retrieval/reranker/cohere.rb
 - lib/parse/retrieval/retriever.rb
 - lib/parse/schema.rb
 - lib/parse/schema/index_migrator.rb
@@ -418,17 +428,21 @@ files:
 - lib/parse/two_factor_auth.rb
 - lib/parse/two_factor_auth/user_extension.rb
 - lib/parse/vector_search.rb
+- lib/parse/vector_search/hybrid.rb
 - lib/parse/webhooks.rb
 - lib/parse/webhooks/payload.rb
 - lib/parse/webhooks/registration.rb
 - lib/parse/webhooks/replay_protection.rb
+- lib/parse/webhooks/trigger_audit.rb
 - parse-stack-next.gemspec
 - scripts/debug-ips.js
 - scripts/docker/Dockerfile.parse
 - scripts/docker/atlas-init.js
 - scripts/docker/docker-compose.atlas.yml
 - scripts/docker/docker-compose.test.yml
+- scripts/docker/docker-compose.verifyemail.yml
 - scripts/docker/mongo-init.js
+- scripts/docker/preflight.sh
 - scripts/eval_mcp_with_lm_studio.rb
 - scripts/start-parse.sh
 - scripts/start_mcp_server.rb