fix: return error if refresh token doesn't have a session_id

supabase · Oct 30, 2024 · a19b74c · a19b74c
1 parent dc12b92
commit a19b74c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 28 deletions.
diff --git a/internal/api/token_refresh.go b/internal/api/token_refresh.go
@@ -56,19 +56,25 @@ func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *h
 			return oauthError("invalid_grant", "Invalid Refresh Token: User Banned")
 		}
 
-		if session != nil {
-			result := session.CheckValidity(retryStart, &token.UpdatedAt, config.Sessions.Timebox, config.Sessions.InactivityTimeout)
+		if session == nil {
+			// a refresh token won't have a session if it's created prior to the sessions table introduced
+			if err := db.Destroy(token); err != nil {
+				return internalServerError("Error deleting refresh token with missing session").WithInternalError(err)
+			}
+			return badRequestError(ErrorCodeSessionNotFound, "Invalid Refresh Token: No Valid Session Found")
+		}
 
-			switch result {
-			case models.SessionValid:
-				// do nothing
+		result := session.CheckValidity(retryStart, &token.UpdatedAt, config.Sessions.Timebox, config.Sessions.InactivityTimeout)
 
-			case models.SessionTimedOut:
-				return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired (Inactivity)")
+		switch result {
+		case models.SessionValid:
+			// do nothing
 
-			default:
-				return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired")
-			}
+		case models.SessionTimedOut:
+			return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired (Inactivity)")
+
+		default:
+			return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired")
 		}
 
 		// Basic checks above passed, now we need to serialize access

diff --git a/internal/models/user.go b/internal/models/user.go
@@ -667,24 +667,6 @@ func FindUserWithRefreshToken(tx *storage.Connection, token string, forUpdate bo
 		}
 	}
 
-	if session == nil {
-		// the refresh token doesn't have a session so we just create one for it
-		// this is to accomodate refresh tokens that were created prior to the creation of the sessions table
-		session, err = NewSession(user.ID, nil)
-		if err != nil {
-			return nil, nil, nil, errors.Wrap(err, "error instantiating new session for refresh token")
-		}
-		if err := tx.Create(session); err != nil {
-			return nil, nil, nil, errors.Wrap(err, "error creating new session for refresh token")
-		}
-
-		// backfill the existing token with the session id
-		refreshToken.SessionId = &session.ID
-		if err := tx.UpdateOnly(refreshToken, "session_id"); err != nil {
-			return nil, nil, nil, errors.Wrap(err, "error updating refresh token with session id")
-		}
-	}
-
 	return user, refreshToken, session, nil
 }