fix: Middleware route checks do not match routing-equivalent path variants (trailing slash, case)

[mtrezza]

Issue

Express routes case-insensitively and tolerates a trailing slash by default, so variants like /login/, /LOGIN, /sessions/me/, and /upgradeToRevocableSession/ reach the same handlers as their canonical paths. Several middleware checks compared the request path against a route with strict string equality (and some still read req.url, which includes the query string), so they did not recognize these routing-equivalent variants and diverged from how the request is actually dispatched:

• /login — the inbound session token was not dropped on variant paths, so a session/user-zone rate limit could be keyed by the token or user id instead of the client IP, splitting or evading the configured limit (also in /batch sub-requests).
• /sessions/me — the GET fast-path was skipped on variant paths, splitting a user-zone rate-limit window.
• /upgradeToRevocableSession — the legacy-token branch was skipped on variant paths, so a legacy session token was sent to the revocable-session lookup and the upgrade failed.

Approach

Added a shared matchesExactRoute(path, route) helper that matches a path the same way the Express router and the rate limiter do, via path-to-regexp (compiled once per route and cached), and used it at the affected checks instead of strict string comparison.

Tasks

• Add tests

Summary by CodeRabbit

• Bug Fixes

  • Rate-limiting now consistent across equivalent URL variants (trailing slashes and casing), e.g., /login, /login/, /LOGIN, and /sessions/me variants share the same limiter behavior.
  • Legacy session upgrade endpoint now accepts trailing slashes and query strings when upgrading tokens.

• Tests

  • Added tests validating equivalent route variants are treated identically for rate limiting and revocable-session upgrades.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 10e614b3-2e72-4b50-8f9c-54c209af4593

📥 Commits

Reviewing files that changed from the base of the PR and between e254472 and 16a645d.

📒 Files selected for processing (1)

• spec/RevocableSessionsUpgrade.spec.js

---

📝 Walkthrough

Walkthrough

Adds exported matchesExactRoute(path, route) and replaces strict path equality checks in middlewares.js and src/batch.js; includes tests ensuring rate-limit windows are shared across trailing-slash and casing variants for /login and /sessions/me, and adds revocable-upgrade URL-variant tests.

Changes

Route normalization for exact static route matching

Layer / File(s)	Summary
Exact route matcher implementation src/middlewares.js	Adds exported matchesExactRoute(path, route) using a per-route cache of compiled path-to-regexp matchers and guarding non-string paths.
Middleware route matching updates src/middlewares.js	handleParseHeaders and handleParseSession replace strict req.path equality with matchesExactRoute() for /login, (GET) /sessions/me, and /upgradeToRevocableSession, affecting session-token clearing and auth resolution.
Batch sub-request rate-limit integration src/batch.js	Imports matchesExactRoute and uses it instead of strict path equality to decide when to delete info.sessionToken for login sub-requests during batch rate-limit handling.
Rate-limit keying consistency tests spec/RateLimit.spec.js	New exact static route variants test suite adds cases verifying /login vs /login/, /login vs /LOGIN, and /sessions/me vs /sessions/me/ do not split rate-limit windows and are correctly enforced.
Revocable sessions upgrade URL variants tests spec/RevocableSessionsUpgrade.spec.js	Adds tests verifying legacy session tokens are upgraded when calling /upgradeToRevocableSession/, with a query string, and when the path is differently cased.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• parse-community/parse-server#10500: Also modifies route-matching logic in src/middlewares.js for exact static endpoints; directly related to rate-limit route detection changes.
• parse-community/parse-server#10349: Overlaps with batch sub-request handling for /login and rate-limit keying changes in src/batch.js.
• parse-community/parse-server#10213: Related edits to handleParseSession behavior for the /sessions/me endpoint and its early-exit/auth resolution logic.

🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Engage In Review Feedback	❓ Inconclusive	Could not verify engagement with PR review feedback: GitHub page shows reviewer activity (e.g., coderabbitai) but review comment content/loading fails, so discussion vs resolution can’t be confirmed.	Share the PR review thread/comment text (requested changes/resolution) or ensure the review comments are accessible for inspection, so we can confirm the author engaged before resolving.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main fix addressing routing-equivalent path variants (trailing slash, case) in middleware route checks.
Description check	✅ Passed	The PR description is well-structured with Issue, Approach, and Tasks sections matching the template requirements, detailing the problems and solutions comprehensively.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	Security review of affected files: new matchesExactRoute caches path-to-regexp for static routes only; no eval/exec/new Function/child_process/etc found; helps prevent rate-limit/auth bypass.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 OpenGrep (1.22.0)

OpenGrep fatal error (exit code 2): [00.09][ERROR]: Error: exception Unix_error: No such file or directory stat spec/RevocableSessionsUpgrade.spec.js
Raised by primitive operation at UTmp.replace_named_pipe_by_regular_file_if_needed in file "libs/commons/UTmp.ml", line 145, characters 8-27
Called from Scan_CLI.replace_target_roots_by_regular_files_where_needed.(fun) in file "src/osemgrep/cli_scan/Scan_CLI.ml", lines 1086-1087, characters 19-65
Called from List_.fast_map in file "libs/commons/List_.ml", line 81, characters 17-20
Ca

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.61%. Comparing base (880e8e6) to head (16a645d).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10501      +/-   ##
==========================================
- Coverage   92.62%   92.61%   -0.01%     
==========================================
  Files         193      193              
  Lines       16941    16947       +6     
  Branches      240      240              
==========================================
+ Hits        15691    15696       +5     
- Misses       1227     1228       +1     
  Partials       23       23              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/middlewares.js (1)

323-324: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Apply the exact-route helper to /upgradeToRevocableSession as well.

The new /sessions/me guard is normalized, but the legacy-token branch at Line 330 still uses req.url === '/upgradeToRevocableSession'. /upgradeToRevocableSession/ or case variants will hit the same handler yet skip getAuthForLegacySessionToken, so legacy-session upgrades can still diverge on routing-equivalent paths.

♻️ Proposed fix

-    if (
-      info.sessionToken &&
-      req.url === '/upgradeToRevocableSession' &&
-      info.sessionToken.indexOf('r:') != 0
-    ) {
+    if (
+      info.sessionToken &&
+      matchesExactRoute(req.path, '/upgradeToRevocableSession') &&
+      info.sessionToken.indexOf('r:') != 0
+    ) {

Based on the PR context describing Express-equivalent path variants and the adjacent handleParseSession logic.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/middlewares.js` around lines 323 - 324, Replace the strict string
comparison req.url === '/upgradeToRevocableSession' with the normalized helper
matchesExactRoute(req.path, '/upgradeToRevocableSession') wherever legacy-token
logic branches (the branch that calls getAuthForLegacySessionToken) so path
variants like trailing slashes or casing are treated equivalently; update the
condition that gates calling getAuthForLegacySessionToken to use
matchesExactRoute(req.path, '/upgradeToRevocableSession') (and preserve any
method checks) so legacy-session upgrade requests follow the same normalized
routing as the /sessions/me guard.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/middlewares.js`:
- Around line 323-324: Replace the strict string comparison req.url ===
'/upgradeToRevocableSession' with the normalized helper
matchesExactRoute(req.path, '/upgradeToRevocableSession') wherever legacy-token
logic branches (the branch that calls getAuthForLegacySessionToken) so path
variants like trailing slashes or casing are treated equivalently; update the
condition that gates calling getAuthForLegacySessionToken to use
matchesExactRoute(req.path, '/upgradeToRevocableSession') (and preserve any
method checks) so legacy-session upgrade requests follow the same normalized
routing as the /sessions/me guard.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2c083dc1-1319-478c-971f-a5ee61df9c67

📥 Commits

Reviewing files that changed from the base of the PR and between c5349e8 and a10169c.

📒 Files selected for processing (1)

• src/middlewares.js

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

spec/RevocableSessionsUpgrade.spec.js (1)

73-73: ⚡ Quick win

Strengthen success assertions in both new tests.

Both lines 73 and 88 use expect(response.status).not.toBe(400), which would pass for any non-400 status, including other error codes (404, 500, etc.). Explicitly assert the success status code (200) for clarity and to catch unexpected failures.

✅ Proposed fix

Apply to both lines 73 and 88:

-    expect(response.status).not.toBe(400);
+    expect(response.status).toBe(200);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@spec/RevocableSessionsUpgrade.spec.js` at line 73, Replace the weak negative
assertion expect(response.status).not.toBe(400) with an explicit success
assertion expect(response.status).toBe(200) in both new tests; locate the two
occurrences of response.status in the spec (the expectations using expect(...)
with .not.toBe(400)) and change them to use .toBe(200) so failures like 404/500
are caught.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@spec/RevocableSessionsUpgrade.spec.js`:
- Around line 78-91: The existing test verifies that query strings are ignored
by route matching (handles '/upgradeToRevocableSession?foo=bar') but to extend
coverage add a sibling test in RevocableSessionsUpgrade.spec.js that asserts
case-insensitive route matching: call the same request flow used in the current
test but target a differently-cased path (e.g.
'/UpgradeToRevocableSession?foo=bar'), reuse the same headers and assertions
(response.status not 400, response.data.sessionToken defined and starts with
'r:'), and mention handleParseSession/matchesExactRoute in the test comment so
future readers know this is exercising case-insensitive matching.

---

Nitpick comments:
In `@spec/RevocableSessionsUpgrade.spec.js`:
- Line 73: Replace the weak negative assertion
expect(response.status).not.toBe(400) with an explicit success assertion
expect(response.status).toBe(200) in both new tests; locate the two occurrences
of response.status in the spec (the expectations using expect(...) with
.not.toBe(400)) and change them to use .toBe(200) so failures like 404/500 are
caught.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5e9b4a0e-4c32-424c-af68-c8f4d86b7bc5

📥 Commits

Reviewing files that changed from the base of the PR and between a10169c and e254472.

📒 Files selected for processing (2)

• spec/RevocableSessionsUpgrade.spec.js
• src/middlewares.js

🚧 Files skipped from review as they are similar to previous changes (1)

• src/middlewares.js

[parseplatformorg]

🎉 This change has been released in version 9.9.1-alpha.10