handling matching api.parse.com when calling upgradeToRevocableSession without a sessionToken (#2721)

2016-09-17 15:52:52 -04:00
parent 90e9994195
commit 109bc9a0ce
2 changed files with 25 additions and 0 deletions
--- a/src/Routers/SessionsRouter.js
+++ b/src/Routers/SessionsRouter.js
@@ -54,6 +54,11 @@ export class SessionsRouter extends ClassesRouter {
    const config = req.config;
    const masterAuth = Auth.master(config)
    const user = req.auth.user;
+    // Issue #2720
+    // Calling without a session token would result in a not found user
+    if (!user) {
+      throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'invalid session');
+    }
    const expiresAt = config.generateSessionExpiresAt();
    const sessionData = {
      sessionToken: 'r:' + newToken(),