fix: possible panic if refresh token has a null session_id (#1822)

## What kind of change does this PR introduce? * Prior to the `auth.sessions` table being created, some refresh tokens can contain a null `session_id`. In those cases, attempting to use those refresh tokens to obtain a new session will result in a panic. * This PR creates a new session for those refresh tokens that do not have a `session_id` to prevent panics from happening. ## What is the current behavior? Please link any relevant issues here. ## What is the new behavior? Feel free to include screenshots if it includes visual changes. ## Additional context Add any other context or screenshots.
supabase · Oct 30, 2024 · a7129df · a7129df
1 parent fa020d0
commit a7129df
Showing 1 changed file with 16 additions and 10 deletions.
diff --git a/internal/api/token_refresh.go b/internal/api/token_refresh.go
@@ -56,19 +56,25 @@ func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *h
 			return oauthError("invalid_grant", "Invalid Refresh Token: User Banned")
 		}
 
-		if session != nil {
-			result := session.CheckValidity(retryStart, &token.UpdatedAt, config.Sessions.Timebox, config.Sessions.InactivityTimeout)
+		if session == nil {
+			// a refresh token won't have a session if it's created prior to the sessions table introduced
+			if err := db.Destroy(token); err != nil {
+				return internalServerError("Error deleting refresh token with missing session").WithInternalError(err)
+			}
+			return badRequestError(ErrorCodeSessionNotFound, "Invalid Refresh Token: No Valid Session Found")
+		}
 
-			switch result {
-			case models.SessionValid:
-				// do nothing
+		result := session.CheckValidity(retryStart, &token.UpdatedAt, config.Sessions.Timebox, config.Sessions.InactivityTimeout)
 
-			case models.SessionTimedOut:
-				return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired (Inactivity)")
+		switch result {
+		case models.SessionValid:
+			// do nothing
 
-			default:
-				return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired")
-			}
+		case models.SessionTimedOut:
+			return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired (Inactivity)")
+
+		default:
+			return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired")
 		}
 
 		// Basic checks above passed, now we need to serialize access