fix: possible panic if refresh token has a null session_id (#1822)

kangmingtay · web-flow · commit a7129df4e1d9 · 2024-10-30T22:29:23.000+08:00
## What kind of change does this PR introduce?
* Prior to the `auth.sessions` table being created, some refresh tokens
can contain a null `session_id`. In those cases, attempting to use those
refresh tokens to obtain a new session will result in a panic.
* This PR creates a new session for those refresh tokens that do not
have a `session_id` to prevent panics from happening.

## What is the current behavior?

Please link any relevant issues here.

## What is the new behavior?

Feel free to include screenshots if it includes visual changes.

## Additional context

Add any other context or screenshots.
diff --git a/internal/api/token_refresh.go b/internal/api/token_refresh.go
@@ -56,19 +56,25 @@ func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *h
 			return oauthError("invalid_grant", "Invalid Refresh Token: User Banned")
 		}
 
-		if session != nil {
-			result := session.CheckValidity(retryStart, &token.UpdatedAt, config.Sessions.Timebox, config.Sessions.InactivityTimeout)
+		if session == nil {
+			// a refresh token won't have a session if it's created prior to the sessions table introduced
+			if err := db.Destroy(token); err != nil {
+				return internalServerError("Error deleting refresh token with missing session").WithInternalError(err)
+			}
+			return badRequestError(ErrorCodeSessionNotFound, "Invalid Refresh Token: No Valid Session Found")
+		}
 
-			switch result {
-			case models.SessionValid:
-				// do nothing
+		result := session.CheckValidity(retryStart, &token.UpdatedAt, config.Sessions.Timebox, config.Sessions.InactivityTimeout)
 
-			case models.SessionTimedOut:
-				return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired (Inactivity)")
+		switch result {
+		case models.SessionValid:
+			// do nothing
 
-			default:
-				return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired")
-			}
+		case models.SessionTimedOut:
+			return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired (Inactivity)")
+
+		default:
+			return oauthError("invalid_grant", "Invalid Refresh Token: Session Expired")
 		}
 
 		// Basic checks above passed, now we need to serialize access
