fix: return error if session id does not exist (supabase#1538)

## What kind of change does this PR introduce? * return error if session id doesn't exist in the db ## What is the current behavior? Please link any relevant issues here. ## What is the new behavior? Feel free to include screenshots if it includes visual changes. ## Additional context Add any other context or screenshots.
LashaJini · Nov 13, 2024 · 26549b1 · 26549b1
1 parent 0bf3ce7
commit 26549b1
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/internal/api/auth.go b/internal/api/auth.go
@@ -123,8 +123,11 @@ func (a *API) maybeLoadUserOrSession(ctx context.Context) (context.Context, erro
 			return ctx, forbiddenError(ErrorCodeBadJWT, "invalid claim: session_id claim must be a UUID").WithInternalError(err)
 		}
 		session, err = models.FindSessionByID(db, sessionId, false)
-		if err != nil && !models.IsNotFoundError(err) {
-			return ctx, forbiddenError(ErrorCodeSessionNotFound, "Session from session_id claim in JWT does not exist")
+		if err != nil {
+			if models.IsNotFoundError(err) {
+				return ctx, forbiddenError(ErrorCodeSessionNotFound, "Session from session_id claim in JWT does not exist")
+			}
+			return ctx, err
 		}
 		ctx = withSession(ctx, session)
 	}

diff --git a/internal/api/auth_test.go b/internal/api/auth_test.go
@@ -158,6 +158,19 @@ func (ts *AuthTestSuite) TestMaybeLoadUserOrSession() {
 			ExpectedUser:    u,
 			ExpectedSession: s,
 		},
+		{
+			Desc: "Session ID doesn't exist",
+			UserJwtClaims: &AccessTokenClaims{
+				StandardClaims: jwt.StandardClaims{
+					Subject: u.ID.String(),
+				},
+				Role:      "authenticated",
+				SessionId: "73bf9ee0-9e8c-453b-b484-09cb93e2f341",
+			},
+			ExpectedError:   forbiddenError(ErrorCodeSessionNotFound, "Session from session_id claim in JWT does not exist"),
+			ExpectedUser:    u,
+			ExpectedSession: nil,
+		},
 	}
 
 	for _, c := range cases {