@cryingraven cryingraven commented Sep 11, 2025

This fixes the error when activating the GraphQL playground and opening it in the browser: the page is blank.

"${JSON.stringify(this.config.graphQLPath)}" gives the result ""/graphql"".
By removing the double quotes,
${JSON.stringify(this.config.graphQLPath)} gives the result "/graphql",

and the problem is fixed.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed initialization of the GraphQL embedded sandbox to correctly set the endpoint and headers, preventing escaped/invalid values.
    • Ensures request headers (including authentication) are applied as intended, improving connectivity and reliability in the in-browser GraphQL console.
  • Notes
    • No changes to server-side behavior or public APIs.

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title from "fix: unexpected string on graphql playground page" to "fix: Unexpected string on graphql playground page" Sep 11, 2025

🚀 Thanks for opening this pull request!

coderabbitai bot commented Sep 11, 2025

📝 Walkthrough

Walkthrough

Adjusts how JSON-stringified values are embedded in the generated client-side sandbox code within ParseGraphQLServer.js, removing extra quoting so the EmbeddedSandbox receives plain string values for initialEndpoint and specific headers. No server-side logic or public APIs are changed.

Changes

Cohort / File(s): Sandbox value embedding (src/GraphQL/ParseGraphQLServer.js)
Summary of changes: Inlines JSON.stringify results directly (without wrapping quotes) for EmbeddedSandbox initialEndpoint and headers (X-Parse-Application-Id, X-Parse-Master-Key), correcting string literal handling in generated JS. No exported/public API changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks (2 passed, 1 warning)

❌ Failed checks (1 warning)

Check name: Description Check
Status: ⚠️ Warning
Explanation: The current description explains the root cause and the fix (removing surrounding quotes) but does not follow the repository's required PR template: it lacks the "Closes" issue line, the explicit "Approach" section summarizing the change and affected files, and the Tasks checklist. Because those required template sections are missing, the description is incomplete relative to the repository's expectations.
Resolution: Update the PR description to use the repository template exactly: add a "Closes:" line linking the related issue (URL or issue number), fill the "Approach" section with a concise summary of what changed (e.g., which file(s) were modified and that JSON.stringify was inlined to remove extra quotes), and complete the "Tasks" checklist (tests, docs, security checks as applicable). Keep the existing reproduction and fix details in the "Approach" or an appropriate section so reviewers can verify the change.

✅ Passed checks (2 passed)

Check name: Title Check
Status: ✅ Passed
Explanation: The title "fix: Unexpected string on graphql playground page" concisely and accurately summarizes the primary change (a bugfix addressing an unexpected quoted string that broke the GraphQL Playground page) and is specific enough for a reviewer to understand the main purpose of the PR. It is short, on-topic, and avoids unnecessary noise.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changes. Docstring coverage check skipped.


@parseplatformorg (Contributor)

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 82fdb0d and 2cc3d73.

📒 Files selected for processing (1)
  • src/GraphQL/ParseGraphQLServer.js (1 hunks)
🔇 Additional comments (1)
src/GraphQL/ParseGraphQLServer.js (1)

170-170: Correct fix for double-quoting; resolves the blank page.

Inlining JSON.stringify without surrounding quotes is the right approach here.

Comment on lines +176 to 178
'X-Parse-Application-Id': ${JSON.stringify(this.parseServer.config.appId)},
'X-Parse-Master-Key': ${JSON.stringify(this.parseServer.config.masterKey)},
},

⚠️ Potential issue

Do not inject X-Parse-Master-Key into client HTML — critical secret leak.

This renders the master key into a page any viewer can “View Source” and exfiltrate, granting full admin access. Remove it (or strictly gate behind an explicit opt-in and protect the route with auth/IP allowlist). Also avoid sending an undefined value as a header.

Minimal patch:

               headers: {
                 ...options.headers,
-                'X-Parse-Application-Id': ${JSON.stringify(this.parseServer.config.appId)},
-                'X-Parse-Master-Key': ${JSON.stringify(this.parseServer.config.masterKey)},
+                'X-Parse-Application-Id': ${JSON.stringify(this.parseServer.config.appId)},
               },
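Review bot: the hunk removes the 'X-Parse-Master-Key' line outright rather than gating it, which is the stricter of the two options the comment itself offers (remove it, or opt-in plus auth/IP allowlist); since the maintainer's reply further down says the playground path is meant for dev/local use and exposes the master key by design, an unconditional removal takes master-key queries away from that workflow, so an explicit opt-in flag checked at this point is the better fit. The comment's other point, not sending an undefined value as a header, is also left unaddressed by the patch: the surviving 'X-Parse-Application-Id': ${JSON.stringify(this.parseServer.config.appId)} line still interpolates JSON.stringify(undefined), i.e. the bare token undefined, into the generated source when appId is unset, so each header entry should be emitted only when its value is defined.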
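The following is an added example (my own code, not parse-server's) that serves both the quoting bug in the PR description and the review comment above about the master key and undefined headers. It compiles the buggy and the fixed endpoint literal the way a browser would compile the inline script, then renders the headers object with undefined values dropped and the master key written into the page only on explicit opt-in. The config field names (graphQLPath, appId, masterKey) come from the PR; the EmbeddedSandbox/handleRequest shape, the jsLiteral and renderHeadersLiteral helpers and the sample config values are assumptions made for this example. One caveat the PR's own JSON.stringify does not cover: it leaves "<" unescaped, so a configured value containing "</script>" would close the inline script element early; the helper below escapes it as \u003c, which is still a valid JSON and JS string escape.

```javascript
// Added example, not parse-server code. Reproduces the quoting bug fixed by
// this PR and shows a safer way to embed server config into a client-side
// script: HTML-safe JSON escaping, no undefined headers, master key only on
// explicit opt-in. EmbeddedSandbox/handleRequest below are assumed shapes.

// Constructed sample config (not from a real deployment).
const sampleConfig = {
  graphQLPath: '/graphql',
  appId: 'myAppId',
  masterKey: 'topSecretMasterKey',
};

// Pre-fix pattern: JSON.stringify already yields a quoted literal, so the
// surrounding quotes produce ""/graphql"", which is not valid JavaScript.
function buggyEndpointLiteral(config) {
  return `"${JSON.stringify(config.graphQLPath)}"`;
}

// The PR's fix: interpolate the JSON.stringify result bare.
function fixedEndpointLiteral(config) {
  return `${JSON.stringify(config.graphQLPath)}`;
}

// Compile a snippet as the browser would compile the inline script.
// Returns the error name (e.g. "SyntaxError") or null if it compiles.
function compileError(snippet) {
  try {
    new Function(`return (${snippet});`);
    return null;
  } catch (e) {
    return e.name;
  }
}

// Evaluate a snippet that compiled, to inspect the value the page would see.
function evalLiteral(snippet) {
  return new Function(`return (${snippet});`)();
}

// JSON.stringify is not enough inside an inline <script>: it leaves "<"
// untouched, so a value containing "</script>" closes the element early.
// Escape the HTML-significant characters and the two Unicode line
// terminators as \uXXXX sequences, which remain valid JSON/JS.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render the headers object literal for the generated script. Undefined
// values are dropped so the browser never sends a literal "undefined"
// header, and the master key is only written into the page when the caller
// opts in (it must never reach a page served outside local development).
function renderHeadersLiteral(config, { includeMasterKey = false } = {}) {
  const headers = { 'X-Parse-Application-Id': config.appId };
  if (includeMasterKey) {
    headers['X-Parse-Master-Key'] = config.masterKey;
  }
  const entries = Object.entries(headers)
    .filter(([, value]) => value !== undefined)
    .map(([name, value]) => `${jsLiteral(name)}: ${jsLiteral(value)}`);
  return `{ ${entries.join(', ')} }`;
}

// Assemble the init snippet as it would be written into the page.
// The EmbeddedSandbox/handleRequest shape is an assumption for this example.
function renderSandboxInit(config, opts) {
  return `new EmbeddedSandbox({
  initialEndpoint: ${jsLiteral(config.graphQLPath)},
  handleRequest: (endpointUrl, options) => fetch(endpointUrl, {
    ...options,
    headers: { ...options.headers, ...${renderHeadersLiteral(config, opts)} },
  }),
})`;
}

console.log(compileError(buggyEndpointLiteral(sampleConfig))); // SyntaxError
console.log(compileError(fixedEndpointLiteral(sampleConfig))); // null
console.log(renderSandboxInit(sampleConfig));
```

Run it with node: compileError on the buggy literal returns "SyntaxError" (V8 reports the message as "Unexpected string", the failure named in the PR title), the fixed literal compiles to the string "/graphql", and the rendered init snippet contains the application id but not the master key unless includeMasterKey is passed.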

@Moumouls Moumouls (Member) left a comment

You are absolutely right, I have this change on my fork, and it seems I forgot to open a PR to parse-server

@Moumouls (Member)

@cryingraven just a reminder that the playground path should only be used in dev/local, not in production (because it exposes the master key)

@Moumouls (Member)

@mtrezza we should merge this asap

@Moumouls (Member)

close: #9057
