fix: AuthData validation incorrectly triggered on unchanged providers

[Copilot]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Multi-provider authData updates fail when code-based adapters strip sensitive fields via afterFind(). Parse Server re-validates unchanged providers, but the stripped fields (e.g., code) cause validation to fail.

// User logs in with code-based provider
const user = await Parse.User.logInWith('gpgames', { 
  authData: { id: 'user1', code: 'C1' } 
});

// Fetch returns { gpgames: { id: 'user1' } } - code stripped by afterFind
await user.fetch({ sessionToken });

// Adding second provider fails - Parse tries to re-validate gpgames without code
user.set('authData', {
  ...user.get('authData'),
  instagram: { id: 'I1', code: 'ic1' }
});
await user.save(); // Error: gpgames code is required

Root cause: hasMutatedAuthData() used isDeepStrictEqual() for change detection. When afterFind() strips fields, the deep comparison treats unchanged providers as mutated.

Approach

The fix changes hasMutatedAuthData in Auth.js to use subset comparison.

Summary by CodeRabbit

• Tests

  • Added comprehensive tests for multi-provider authentication support and code-based authentication adapters.

• Refactor

  • Optimized authentication state change detection logic for improved efficiency.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

📝 Walkthrough

Walkthrough

Fixes authData validation logic to validate only providers with actual changes (id differences or unlinking) rather than all existing providers. Modifies mutation detection from deep equality checks to id-level comparison. Adds test cases validating multi-provider authentication flows where one provider is added while another remains unchanged.

Changes

Cohort / File(s)	Summary
Test Suite: Authentication Adapters spec/AuthenticationAdaptersV2.spec.js	Introduces code-based adapter (requires code field; throws "code is required." if missing; strips code via afterFind) and simple adapter (no code requirement). Adds tests verifying login with code-based provider, afterFind field stripping, and multi-provider persistence (adding new provider while keeping existing unchanged).
Core Logic: Auth Data Mutation Detection src/Auth.js	Replaces deep equality check (isDeepStrictEqual) with id-focused mutation detection: treats unlinking (null values) as mutations, new providers as mutations, and existing providers as mutations only when id differs; ignores other field differences when id matches.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: AuthData validation incorrectly triggered on unchanged providers' directly and clearly describes the main problem being fixed—validation being triggered on unchanged providers—matching the core issue addressed in this PR.
Description check	✅ Passed	The PR description comprehensively covers the issue, approach, root cause, and fix with code examples. It follows the required template structure with Issue, Approach, and Tasks sections, though documentation updates remain pending.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue #9999: mutation detection now compares only the id field, revalidation is triggered only for modified/new/unlinked providers, and a test validates the multi-provider scenario with a code-based adapter.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue: src/Auth.js implements the id-based mutation detection logic, and spec/AuthenticationAdaptersV2.spec.js adds the required multi-provider test case. No unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch copilot/fix-authdata-validation-issue

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[mtrezza]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[codecov]

Codecov Report

❌ Patch coverage is 80.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.54%. Comparing base (e299107) to head (1898b99).
⚠️ Report is 3 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/Auth.js	80.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10025      +/-   ##
==========================================
- Coverage   92.55%   92.54%   -0.01%     
==========================================
  Files         190      190              
  Lines       15490    15499       +9     
  Branches      176      176              
==========================================
+ Hits        14336    14343       +7     
- Misses       1142     1144       +2     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mtrezza]

@coderabbitai is this a breaking change?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@mtrezza: No, this is not a breaking change.

Here's why:

1. More permissive behavior: The change makes validation LESS strict, not more. Operations that were incorrectly failing (multi-provider updates with code-based adapters) will now succeed.

2. No API changes: There are no changes to public API signatures, exported functions, or method contracts.

3. Core security maintained: The validation still occurs when it matters most—when the provider id (the primary identifier from the auth provider) changes, is added, or is unlinked. This preserves the essential security checks.

4. Bug fix, not feature change: This fixes incorrect behavior where afterFind() stripping sensitive fields caused Parse Server to incorrectly treat unchanged providers as mutated.

Behavioral change clarification: While this is a behavioral change in how mutation detection works, it's not "breaking" in the conventional sense because:

• Existing working code will continue to work
• Previously valid operations remain valid
• Previously invalid operations that were incorrectly failing due to the bug will now succeed

The only theoretical edge case would be if someone had a custom auth adapter that relied on re-validation when non-id fields changed, but that was arguably incorrect behavior being fixed by this PR.

[parseplatformorg]

🎉 This change has been released in version 9.2.1-alpha.2