Replace outdated http request dependency with Node 18's `fetch`

[dblythy]

New Feature / Enhancement Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.

Current Limitation

Our docs state:

You can use your favorite npm module to make HTTP requests, such as request. Parse Server also supports Parse.Cloud.httpRequest for legacy reasons

Why should we continue to support a legacy HTTP module, which hasn't been updated in 3 years, where there are more popular solutions that constantly update their security issues and vulnerabilities?

The http module also uses deprecated methods, such as querystring and parse.

Also request is archived, so we shouldn't recommend that either.

We've seen Parse.Cloud.httpRequest be the source of many issues

Feature / Enhancement Description

Migrate to a dedicated HTTP library, such as axios

Example Use Case

Log Parse.Cloud.httpRequest is depreciated. Please migrate to different HTTP request solution

Alternatives / Workarounds

• Keep the legacy library as is.
• Set Parse.Cloud.httpRequest as an alias to axios.

3rd Party References

[parse-github-assistant]

Thanks for opening this issue!

• 🎉 We are excited about your ideas for improvement!

[dblythy]

Related: #6361, #7232

[mtrezza]

Do we even need to offer Parse.Cloud.httpRequest? Any dev can (and many maybe already do) choose their own library depending on its capabilities. What is the benefit for devs in having this method? This seems to be a legacy convenience method, because some years back it was more complex to make a simple http request, but today there are libs available that abstract the complexity away.

[dblythy]

I would say there is no real reason why we should offer it. Perhaps we should remove it entirely from V5 as a breaking change?

[mtrezza]

Maybe we could deprecate the method in v5 and remove it entirely in v6? If the method has security issues, then we could think about investing some time into using axios during the deprecation.

[uzaysan]

httpRequest has issues. Sometimes request fails or constructed in worng way and server returns 4XX response. Axios works fine. I think we should remove it.

[mtrezza]

If it is already severely broken in the way that you describe, where requests sometimes fail, we probably should make a small change to use axios, even while it's being deprecated. Because deprecation means it will still be available for a year. Not sure how broken it is though.

[uzaysan]

If it is already severely broken in the way that you describe, where requests sometimes fail, we probably should make a small change to use axios, even while it's being deprecated. Because deprecation means it will still be available for a year. Not sure how broken it is though.

On the back4app support group on slack someone faced this problem. Syntax was correct but server wasn't returning the response it should. İ suggested him to use node-fetch or axios to see if problem is under default httpRequest and he said problem is fixed when using axios. And like you said, one can easily add their preferred http library. Maintaining a default one should be avoided in my opinion.

[mtrezza]

I see. I think we have 3 options:

• a) Remove it immediately with Parse Server 5, which will break many deployments for which http currently works fine (I understand it only has issues with specific requests?)
• b) Deprecate it in v5 and remove it in v6
• c) Same as (b) and additionally replace the http library with axios while deprecating it

Which would you prefer?

[uzaysan]

I think option b makes sense. Option c is also possible but imo there is no point of fixing a bug of a deprecated feature.