From 109bc9a0ce38a62a11a8bd65904163b6a959894c Mon Sep 17 00:00:00 2001
From: Florent Vilmart
Date: Sat, 17 Sep 2016 15:52:52 -0400
Subject: [PATCH] handling matching api.parse.com when calling upgradeToRevocableSession without a sessionToken (#2721)
---
 spec/RevocableSessionsUpgrade.spec.js | 20 ++++++++++++++++++++
 src/Routers/SessionsRouter.js | 5 +++++
 2 files changed, 25 insertions(+)
diff --git a/spec/RevocableSessionsUpgrade.spec.js b/spec/RevocableSessionsUpgrade.spec.js
index 8151558c..48e1cde1 100644
--- a/spec/RevocableSessionsUpgrade.spec.js
+++ b/spec/RevocableSessionsUpgrade.spec.js
@@ -89,4 +89,24 @@ describe_only_db('mongo')('revocable sessions', () => {
 done();
 });
 });
+
+ it('should not crash without session token #2720', done => {
+ rp.post({
+ url: Parse.serverURL+'/upgradeToRevocableSession',
+ headers: {
+ 'X-Parse-Application-Id': Parse.applicationId,
+ 'X-Parse-Rest-API-Key': 'rest'
+ },
+ json: true
+ }).then((res) => {
+ fail('should not be able to upgrade a bad token');
+ }, (response) => {
+ expect(response.statusCode).toBe(404);
+ expect(response.error).not.toBeUndefined();
+ expect(response.error.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+ expect(response.error.error).toEqual('invalid session');
+ }).then(() => {
+ done();
+ });
+ });
 })
\ No newline at end of file
diff --git a/src/Routers/SessionsRouter.js b/src/Routers/SessionsRouter.js
index 0b11a7c3..1cdb5f32 100644
--- a/src/Routers/SessionsRouter.js
+++ b/src/Routers/SessionsRouter.js
@@ -54,6 +54,11 @@ export class SessionsRouter extends ClassesRouter {
 const config = req.config;
 const masterAuth = Auth.master(config)
 const user = req.auth.user;
+ // Issue #2720
+ // Calling without a session token would result in a not found user
+ if (!user) {
+ throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'invalid session');
+ }
 const expiresAt = config.generateSessionExpiresAt();
 const sessionData = {
 sessionToken: 'r:' + newToken(),
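Review bot: The new spec's rejection handler has no failure path of its own: if `response.error` is undefined, `expect(response.error).not.toBeUndefined()` only records a soft failure and the next line's `response.error.code` access throws, which rejects the chain so the trailing `.then(() => { done(); })` never runs and the spec times out instead of reporting the actual mismatch. Ending the chain with `}).then(done, done.fail);` (the file already uses Jasmine-style `done` and `fail`) keeps such a failure attributable to this test. The `res` parameter of the fulfilment handler is unused and can be dropped. The `describe_only_db` block this `it` is appended to starts before the hunk.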
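Review bot: The new guard's comment describes the symptom rather than the contract, and the guard sits after `masterAuth` is computed but before anything uses it; a clearer comment would be `// Issue #2720: with no session token req.auth.user is unset, so there is nothing to upgrade — reject before building sessionData.` Returning the single generic `'invalid session'` message here is a sound choice, since a caller cannot tell an absent token apart from one that resolved to no user (assuming the latter is rejected the same way elsewhere in the router). A master-key request carrying no session token will presumably also land in this branch, since `req.auth.user` is unlikely to be populated for master auth; if that is intended it is worth saying so in the comment. The handler this hunk belongs to starts and ends outside the hunk.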