handling matching api.parse.com when calling upgradeToRevocableSession without a sessionToken (#2721)

Florent Vilmart
2016-09-17 15:52:52 -04:00
committed by Drew
parent 90e9994195
commit 109bc9a0ce
2 changed files with 25 additions and 0 deletions


@@ -89,4 +89,24 @@ describe_only_db('mongo')('revocable sessions', () => {
done();
});
});
it('should not crash without session token #2720', done => {
rp.post({
url: Parse.serverURL+'/upgradeToRevocableSession',
headers: {
'X-Parse-Application-Id': Parse.applicationId,
'X-Parse-Rest-API-Key': 'rest'
},
json: true
}).then((res) => {
fail('should not be able to upgrade a bad token');
}, (response) => {
expect(response.statusCode).toBe(404);
expect(response.error).not.toBeUndefined();
expect(response.error.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
expect(response.error.error).toEqual('invalid session');
}).then(() => {
done();
});
});
})
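Review bot: If anything in the rejection handler throws, for example `response.error.code` when `response.error` is undefined, the trailing `.then(() => { done(); })` is skipped and the spec ends in a timeout rather than a readable failure. Closing the chain with `.then(done, (err) => { fail(err); done(); });` would surface the real error. The `res` parameter of the success handler is unused and can be dropped. The spec only covers a request with no session token header; a companion case sending a malformed or unknown token would pin the same fail-closed behaviour. The enclosing `describe_only_db('mongo')` block starts outside this hunk.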


@@ -54,6 +54,11 @@ export class SessionsRouter extends ClassesRouter {
const config = req.config;
const masterAuth = Auth.master(config)
const user = req.auth.user;
// Issue #2720
// Calling without a session token would result in a not found user
if (!user) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'invalid session');
}
const expiresAt = config.generateSessionExpiresAt();
const sessionData = {
sessionToken: 'r:' + newToken(),
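Review bot: The comment above the new `if (!user)` guard does not say why a missing user is reported as `Parse.Error.OBJECT_NOT_FOUND` with the text 'invalid session' rather than `Parse.Error.INVALID_SESSION_TOKEN`. Going by the commit title this mirrors api.parse.com, and a later reader may otherwise "correct" the code and break client compatibility. I would word it as `// No session token => req.auth.user is unset; answer OBJECT_NOT_FOUND / 'invalid session' to match api.parse.com (#2720).` Rejecting before any session data is built is the right order, and the guard could sit one line higher, above `Auth.master(config)`, so nothing is set up for a request that will be refused. Presumably any request that authenticates without a user takes this branch too, which is worth confirming against the callers. The handler's body begins and ends outside this hunk.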