
Commit 2a9fdab

authored
fix: Validate session in middleware for non-GET requests to /sessions/me (#10213)
1 parent d826dc7 commit 2a9fdab


2 files changed

+65
-1
lines changed


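--- a/spec/ParseSession.spec.js
+++ b/spec/ParseSession.spec.js
@@ -256,4 +256,68 @@ describe('Parse.Session', () => {
 expect(newSession.createdWith.action).toBe('create');
 expect(newSession.createdWith.authProvider).toBeUndefined();
 });
+
+describe('PUT /sessions/me', () => {
+it('should return error with invalid session token', async () => {
+const response = await request({
+method: 'PUT',
+url: 'http://localhost:8378/1/sessions/me',
+headers: {
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+'X-Parse-Session-Token': 'r:invalid-session-token',
+'Content-Type': 'application/json',
+},
+body: JSON.stringify({}),
+}).catch(e => e);
+expect(response.status).not.toBe(500);
+expect(response.data.code).toBe(Parse.Error.INVALID_SESSION_TOKEN);
+});
+
+it('should return error without session token', async () => {
+const response = await request({
+method: 'PUT',
+url: 'http://localhost:8378/1/sessions/me',
+headers: {
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+'Content-Type': 'application/json',
+},
+body: JSON.stringify({}),
+}).catch(e => e);
+expect(response.status).toBeGreaterThanOrEqual(400);
+expect(response.status).toBeLessThan(500);
+expect(response.data?.code).toBeDefined();
+});
+});
+
+describe('DELETE /sessions/me', () => {
+it('should return error with invalid session token', async () => {
+const response = await request({
+method: 'DELETE',
+url: 'http://localhost:8378/1/sessions/me',
+headers: {
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+'X-Parse-Session-Token': 'r:invalid-session-token',
+},
+}).catch(e => e);
+expect(response.status).not.toBe(500);
+expect(response.data.code).toBe(Parse.Error.INVALID_SESSION_TOKEN);
+});
+
+it('should return error without session token', async () => {
+const response = await request({
+method: 'DELETE',
+url: 'http://localhost:8378/1/sessions/me',
+headers: {
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+},
+}).catch(e => e);
+expect(response.status).toBeGreaterThanOrEqual(400);
+expect(response.status).toBeLessThan(500);
+expect(response.data?.code).toBeDefined();
+});
+});
 });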
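Review bot: `expect(response.status).not.toBe(500)` in the two "invalid session token" tests (new lines 273 and 305) is also satisfied when `status` is undefined, which is what `.catch(e => e)` hands back if the request helper rejects with something other than an HTTP response, so a transport-level failure would pass the status check and only the following `response.data.code` line would catch it, with a TypeError rather than a readable assertion. The sibling "without session token" tests already pin the intended outcome with a 4xx range; using the same pair here, `expect(response.status).toBeGreaterThanOrEqual(400);` and `expect(response.status).toBeLessThan(500);`, makes the PUT and DELETE cases assert the same contract and keeps the regression (a 500 from the middleware) covered. The `response.data.code` versus `response.data?.code` mix between the two test styles is presumably deliberate, since the invalid-token case wants a definite `INVALID_SESSION_TOKEN`, but a short comment saying so would stop a later cleanup from "harmonising" them.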

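--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -377,7 +377,7 @@ const handleRateLimit = async (req, res, next) => {
 export const handleParseSession = async (req, res, next) => {
 try {
 const info = req.info;
-if (req.auth || req.url === '/sessions/me') {
+if (req.auth || (req.url === '/sessions/me' && req.method === 'GET')) {
 next();
 return;
 }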
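Review bot: The narrowed bypass on new line 380 carries no comment explaining why GET alone may skip session validation here, which is exactly the knowledge that was missing when the exemption was first written too broadly; a later reader could widen it again without realising non-GET handlers rely on the middleware having already rejected a bad token. From the commit title it appears that GET /sessions/me resolves the token itself while PUT and DELETE do not, so a one-line comment above the condition, `// Only GET /sessions/me validates the token itself; every other method must carry a valid session before reaching the router`, would document the invariant (please confirm that this is the actual reason). The exact `req.url` comparison means a trailing slash or query string on `/sessions/me` still goes through validation, which is the fail-closed direction and fine to leave as is. The body of handleParseSession continues past the end of this hunk.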
