handling matching api.parse.com when calling upgradeToRevocableSession without a sessionToken (#2721)
@@ -89,4 +89,24 @@ describe_only_db('mongo')('revocable sessions', () => {
|
|||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('should not crash without session token #2720', done => {
|
||||||
|
rp.post({
|
||||||
|
url: Parse.serverURL+'/upgradeToRevocableSession',
|
||||||
|
headers: {
|
||||||
|
'X-Parse-Application-Id': Parse.applicationId,
|
||||||
|
'X-Parse-Rest-API-Key': 'rest'
|
||||||
|
},
|
||||||
|
json: true
|
||||||
|
}).then((res) => {
|
||||||
|
fail('should not be able to upgrade a bad token');
|
||||||
|
}, (response) => {
|
||||||
|
expect(response.statusCode).toBe(404);
|
||||||
|
expect(response.error).not.toBeUndefined();
|
||||||
|
expect(response.error.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
|
||||||
|
expect(response.error.error).toEqual('invalid session');
|
||||||
|
}).then(() => {
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
})
|
})
|
||||||
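Review bot: The closing `.then(() => { done(); })` has no rejection handler, so an exception thrown inside the error callback leaves `done` uncalled and the spec times out instead of reporting the real failure. This can happen at `response.error.code` when `response.error` is undefined, because the preceding `not.toBeUndefined()` expectation records a failure but does not stop execution. Ending the chain with `.then(done, done.fail)` would surface the error directly. The message in `fail('should not be able to upgrade a bad token')` describes a bad token although this case sends no token at all; `fail('should not be able to upgrade without a session token')` would match the spec name. The unused `res` parameter can also be dropped.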
@@ -54,6 +54,11 @@ export class SessionsRouter extends ClassesRouter {
|
|||||||
const config = req.config;
|
const config = req.config;
|
||||||
const masterAuth = Auth.master(config)
|
const masterAuth = Auth.master(config)
|
||||||
const user = req.auth.user;
|
const user = req.auth.user;
|
||||||
|
// Issue #2720
|
||||||
|
// Calling without a session token would result in a not found user
|
||||||
|
if (!user) {
|
||||||
|
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'invalid session');
|
||||||
|
}
|
||||||
const expiresAt = config.generateSessionExpiresAt();
|
const expiresAt = config.generateSessionExpiresAt();
|
||||||
const sessionData = {
|
const sessionData = {
|
||||||
sessionToken: 'r:' + newToken(),
|
sessionToken: 'r:' + newToken(),
|
||||||
|
|||||||
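Review bot: The comment above `if (!user)` explains why `user` is missing but not why an unauthenticated call is answered with `Parse.Error.OBJECT_NOT_FOUND` rather than a session-specific error. The commit title indicates this is deliberate parity with api.parse.com, so the comment should say so, for example `// Issue #2720: no session token leaves req.auth.user undefined; reply OBJECT_NOT_FOUND 'invalid session' to match api.parse.com`. The guard also runs after `Auth.master(config)`, so a request that is about to be rejected still gets a master-level auth object built first. Reading `req.auth.user` and checking it before `const masterAuth = Auth.master(config)` would keep the rejection path free of privileged state. The handler body begins and continues outside this hunk, so how `masterAuth` is used later is not visible here.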