parse-community · mtrezza · Oct 14, 2025 · Jun 24, 2022 · Mar 12, 2023 · Mar 12, 2023
diff --git a/spec/CloudCode.spec.js b/spec/CloudCode.spec.js
@@ -2014,6 +2014,14 @@ describe('cloud functions', () => {
 
     Parse.Cloud.run('myFunction', {}).then(() => done());
   });
+
+  it('should have request config', async () => {
+    Parse.Cloud.define('myConfigFunction', req => {
+      expect(req.config).toBeDefined();
+      return 'success';
+    });
+    await Parse.Cloud.run('myConfigFunction', {});
+  });
 });
 
 describe('beforeSave hooks', () => {
@@ -2037,6 +2045,16 @@ describe('beforeSave hooks', () => {
     myObject.save().then(() => done());
   });
 
+  it('should have request config', async () => {
+    Parse.Cloud.beforeSave('MyObject', req => {
+      expect(req.config).toBeDefined();
+    });
+
+    const MyObject = Parse.Object.extend('MyObject');
+    const myObject = new MyObject();
+    await myObject.save();
+  });
+
   it('should respect custom object ids (#6733)', async () => {
     Parse.Cloud.beforeSave('TestObject', req => {
       expect(req.object.id).toEqual('test_6733');
@@ -2092,6 +2110,16 @@ describe('afterSave hooks', () => {
     myObject.save().then(() => done());
   });
 
+  it('should have request config', async () => {
+    Parse.Cloud.afterSave('MyObject', req => {
+      expect(req.config).toBeDefined();
+    });
+
+    const MyObject = Parse.Object.extend('MyObject');
+    const myObject = new MyObject();
+    await myObject.save();
+  });
+
   it('should unset in afterSave', async () => {
     Parse.Cloud.afterSave(
       'MyObject',
@@ -2149,6 +2177,17 @@ describe('beforeDelete hooks', () => {
       .then(myObj => myObj.destroy())
       .then(() => done());
   });
+
+  it('should have request config', async () => {
+    Parse.Cloud.beforeDelete('MyObject', req => {
+      expect(req.config).toBeDefined();
+    });
+
+    const MyObject = Parse.Object.extend('MyObject');
+    const myObject = new MyObject();
+    await myObject.save();
+    await myObject.destroy();
+  });
 });
 
 describe('afterDelete hooks', () => {
@@ -2177,6 +2216,17 @@ describe('afterDelete hooks', () => {
       .then(myObj => myObj.destroy())
       .then(() => done());
   });
+
+  it('should have request config', async () => {
+    Parse.Cloud.afterDelete('MyObject', req => {
+      expect(req.ip).toBeDefined();
+    });
+
+    const MyObject = Parse.Object.extend('MyObject');
+    const myObject = new MyObject();
+    await myObject.save();
+    await myObject.destroy();
+  });
 });
 
 describe('beforeFind hooks', () => {
@@ -2484,6 +2534,18 @@ describe('beforeFind hooks', () => {
       .then(() => done());
   });
 
+  it('should have request config', async () => {
+    Parse.Cloud.beforeFind('MyObject', req => {
+      expect(req.config).toBeDefined();
+    });
+
+    const MyObject = Parse.Object.extend('MyObject');
+    const myObject = new MyObject();
+    await myObject.save();
+    const query = new Parse.Query('MyObject');
+    query.equalTo('objectId', myObject.id);
+    await Promise.all([query.get(myObject.id), query.first(), query.find()]);
+  })
   it('should run beforeFind on pointers and array of pointers from an object', async () => {
     const obj1 = new Parse.Object('TestObject');
     const obj2 = new Parse.Object('TestObject2');
@@ -2868,6 +2930,19 @@ describe('afterFind hooks', () => {
       .catch(done.fail);
   });
 
+  it('should have request config', async () => {
+    Parse.Cloud.afterFind('MyObject', req => {
+      expect(req.ip).toBeDefined();
+    });
+
+    const MyObject = Parse.Object.extend('MyObject');
+    const myObject = new MyObject();
+    await myObject.save();
+    const query = new Parse.Query('MyObject');
+    query.equalTo('objectId', myObject.id);
+    await Promise.all([query.get(myObject.id), query.first(), query.find()]);
+  });
+
   it('should validate triggers correctly', () => {
     expect(() => {
       Parse.Cloud.beforeSave('_Session', () => {});
@@ -3355,6 +3430,7 @@ describe('beforeLogin hook', () => {
       expect(req.ip).toBeDefined();
       expect(req.installationId).toBeDefined();
       expect(req.context).toBeDefined();
+      expect(req.config).toBeDefined();
     });
 
     await Parse.User.signUp('tupac', 'shakur');
@@ -3472,6 +3548,7 @@ describe('afterLogin hook', () => {
       expect(req.ip).toBeDefined();
       expect(req.installationId).toBeDefined();
       expect(req.context).toBeDefined();
+      expect(req.config).toBeDefined();
     });
 
     await Parse.User.signUp('testuser', 'p@ssword');
@@ -3674,6 +3751,15 @@ describe('saveFile hooks', () => {
     }
   });
 
+  it('beforeSaveFile should have config', async () => {
+    await reconfigureServer({ filesAdapter: mockAdapter });
+    Parse.Cloud.beforeSave(Parse.File, req => {
+      expect(req.config).toBeDefined();
+    });
+    const file = new Parse.File('popeye.txt', [1, 2, 3], 'text/plain');
+    await file.save({ useMasterKey: true });
+  });
+
   it('beforeSave(Parse.File)  should change values of uploaded file by editing fileObject directly', async () => {
     await reconfigureServer({ filesAdapter: mockAdapter });
     const createFileSpy = spyOn(mockAdapter, 'createFile').and.callThrough();

diff --git a/spec/requestContextMiddleware.spec.js b/spec/requestContextMiddleware.spec.js
@@ -0,0 +1,56 @@
+const { ApolloClient, gql, InMemoryCache } = require('@apollo/client/core');
+const fetch = (...args) => import('node-fetch').then(({ default: fetch }) => fetch(...args));
+describe('requestContextMiddleware', () => {
+  const requestContextMiddleware = (req, res, next) => {
+    req.config.aCustomController = 'aCustomController';
+    next();
+  };
+
+  it('should support dependency injection on rest api', async () => {
+    let called;
+    Parse.Cloud.beforeSave('_User', request => {
+      expect(request.config.aCustomController).toEqual('aCustomController');
+      called = true;
+    });
+    await reconfigureServer({ requestContextMiddleware });
+    const user = new Parse.User();
+    user.setUsername('test');
+    user.setPassword('test');
+    await user.signUp();
+    expect(called).toBeTruthy();
+  });
+  it('should support dependency injection on graphql api', async () => {
+    let called = false;
+    Parse.Cloud.beforeSave('_User', request => {
+      expect(request.config.aCustomController).toEqual('aCustomController');
+      called = true;
+    });
+    await reconfigureServer({
+      requestContextMiddleware,
+      mountGraphQL: true,
+      graphQLPath: '/graphql',
+    });
+    const client = new ApolloClient({
+      uri: 'http://localhost:8378/graphql',
+      cache: new InMemoryCache(),
+      fetch,
+      headers: {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-Master-Key': 'test',
+      },
+    });
+
+    await client.mutate({
+      mutation: gql`
+        mutation {
+          createUser(input: { fields: { username: "test", password: "test" } }) {
+            user {
+              objectId
+            }
+          }
+        }
+      `,
+    });
+    expect(called).toBeTruthy();
+  });
+});
diff --git a/src/Controllers/HooksController.js b/src/Controllers/HooksController.js
@@ -188,6 +188,8 @@ function wrapToHTTPRequest(hook, key) {
   return req => {
     const jsonBody = {};
     for (var i in req) {
+      // Parse Server config is not serializable
+      if (i === 'config') { continue; }
       jsonBody[i] = req[i];
     }
     if (req.object) {

diff --git a/src/GraphQL/ParseGraphQLServer.js b/src/GraphQL/ParseGraphQLServer.js
@@ -128,13 +128,27 @@ class ParseGraphQLServer {
     );
   }
 
+  /**
+   * @static
+   * Allow developers to customize each request with inversion of control/dependency injection
+   */
+  applyRequestContextMiddleware(api, options) {
+    if (options.requestContextMiddleware) {
+      if (typeof options.requestContextMiddleware !== 'function') {
+        throw new Error('requestContextMiddleware must be a function');
+      }
+      api.use(options.requestContextMiddleware);
+    }
+  }
+
   applyGraphQL(app) {
     if (!app || !app.use) {
       requiredParameter('You must provide an Express.js app instance!');
     }
     app.use(this.config.graphQLPath, corsMiddleware());
     app.use(this.config.graphQLPath, handleParseHeaders);
     app.use(this.config.graphQLPath, handleParseSession);
+    this.applyRequestContextMiddleware(app, this.parseServer.config);
     app.use(this.config.graphQLPath, handleParseErrors);
     app.use(
       this.config.graphQLPath,

diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -514,6 +514,11 @@ module.exports.ParseServerOptions = {
     env: 'PARSE_SERVER_READ_ONLY_MASTER_KEY',
     help: 'Read-only key, which has the same capabilities as MasterKey without writes',
   },
+  requestContextMiddleware: {
+    env: 'PARSE_SERVER_REQUEST_CONTEXT_MIDDLEWARE',
+    help:
+      'Options to customize the request context using inversion of control/dependency injection.',
+  },
   requestKeywordDenylist: {
     env: 'PARSE_SERVER_REQUEST_KEYWORD_DENYLIST',
     help:

diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -342,6 +342,8 @@ export interface ParseServerOptions {
   /* Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br>ℹ️ Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.
   :DEFAULT: [] */
   rateLimit: ?(RateLimitOptions[]);
+  /* Options to customize the request context using inversion of control/dependency injection.*/
+  requestContextMiddleware: ?(req: any, res: any, next: any) => void;
 }
 
 export interface RateLimitOptions {

diff --git a/src/ParseServer.ts b/src/ParseServer.ts
@@ -279,6 +279,18 @@ class ParseServer {
     }
   }
 
+  /**
+   * @static
+   * Allow developers to customize each request with inversion of control/dependency injection
+   */
+  static applyRequestContextMiddleware(api, options) {
+    if (options.requestContextMiddleware) {
+      if (typeof options.requestContextMiddleware !== 'function') {
+        throw new Error('requestContextMiddleware must be a function');
+      }
+      api.use(options.requestContextMiddleware);
+    }
+  }
   /**
    * @static
    * Create an express app for the parse server
@@ -326,7 +338,7 @@ class ParseServer {
       middlewares.addRateLimit(route, options);
     }
     api.use(middlewares.handleParseSession);
-
+    this.applyRequestContextMiddleware(api, options);
     const appRouter = ParseServer.promiseRouter({ appId });
     api.use(appRouter.expressRouter());
 

diff --git a/src/Routers/FunctionsRouter.js b/src/Routers/FunctionsRouter.js
@@ -73,6 +73,7 @@ export class FunctionsRouter extends PromiseRouter {
       headers: req.config.headers,
       ip: req.config.ip,
       jobName,
+      config: req.config,
       message: jobHandler.setMessage.bind(jobHandler),
     };
 
@@ -129,6 +130,7 @@ export class FunctionsRouter extends PromiseRouter {
     params = parseParams(params, req.config);
     const request = {
       params: params,
+      config: req.config,
       master: req.auth && req.auth.isMaster,
       user: req.auth && req.auth.user,
       installationId: req.info.installationId,

diff --git a/src/cloud-code/Parse.Cloud.js b/src/cloud-code/Parse.Cloud.js
@@ -670,6 +670,7 @@ module.exports = ParseCloud;
  * @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`, ...)
  * @property {Object} log The current logger inside Parse Server.
  * @property {Parse.Object} original If set, the object, as currently stored.
+ * @property {Object} config The Parse Server config.
  */
 
 /**
@@ -684,6 +685,7 @@ module.exports = ParseCloud;
  * @property {Object} headers The original HTTP headers for the request.
  * @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`)
  * @property {Object} log The current logger inside Parse Server.
+ * @property {Object} config The Parse Server config.
  */
 
 /**
@@ -721,6 +723,7 @@ module.exports = ParseCloud;
  * @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`, ...)
  * @property {Object} log The current logger inside Parse Server.
  * @property {Boolean} isGet wether the query a `get` or a `find`
+ * @property {Object} config The Parse Server config.
  */
 
 /**
@@ -734,6 +737,7 @@ module.exports = ParseCloud;
  * @property {Object} headers The original HTTP headers for the request.
  * @property {String} triggerName The name of the trigger (`beforeSave`, `afterSave`, ...)
  * @property {Object} log The current logger inside Parse Server.
+ * @property {Object} config The Parse Server config.
  */
 
 /**
@@ -742,12 +746,14 @@ module.exports = ParseCloud;
  * @property {Boolean} master If true, means the master key was used.
  * @property {Parse.User} user If set, the user that made the request.
  * @property {Object} params The params passed to the cloud function.
+ * @property {Object} config The Parse Server config.
  */
 
 /**
  * @interface Parse.Cloud.JobRequest
  * @property {Object} params The params passed to the background job.
  * @property {function} message If message is called with a string argument, will update the current message to be stored in the job status.
+ * @property {Object} config The Parse Server config.
  */
 
 /**

diff --git a/src/triggers.js b/src/triggers.js
@@ -266,6 +266,7 @@ export function getRequestObject(
     log: config.loggerController,
     headers: config.headers,
     ip: config.ip,
+    config,
   };
 
   if (originalParseObject) {
@@ -312,6 +313,7 @@ export function getRequestQueryObject(triggerType, auth, query, count, config, c
     headers: config.headers,
     ip: config.ip,
     context: context || {},
+    config,
   };
 
   if (!auth) {
@@ -976,6 +978,7 @@ export function getRequestFileObject(triggerType, auth, fileObject, config) {
     log: config.loggerController,
     headers: config.headers,
     ip: config.ip,
+    config,
   };
 
   if (!auth) {