fix(auth): add safety verification gate to deserializeUser to prevent stale session crash#681
fix(auth): add safety verification gate to deserializeUser to prevent stale session crash#681Aryan0819 wants to merge 3 commits into
Conversation
Add session middleware with cookie settings
✅ Deploy Preview for github-spy ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Warning Review limit reached
More reviews will be available in 41 minutes and 41 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
github-actions
Bot
added
gssoc:approved
level:intermediate
quality:clean
type:accessibility
labels
1 participant
Related Issue
Description
🧱 The Architectural Context:
Passport uses session deserialization routines to rebuild user state data from incoming browser cookies on every network request, attaching the verified database document directly to req.user.
❌ The Failure Mechanism:
When an administrator or user deletes an account profile from MongoDB, the web client's active session cookie remains cached locally in their browser. On subsequent API calls, Passport triggers User.findById(id). Because the backend record has been expunged, Mongoose evaluates the query to null.
💥 The Impact:
Passing a raw null downstream means any route execution block attempting to process user profiles (such as evaluating authorization privileges via req.user.role) immediately hits a fatal runtime error: TypeError: Cannot read properties of null. This completely crashes the main Node.js process thread and takes the server infrastructure offline.
✅ The Solution:
Introduced an explicit document existence guard clause directly following the User.findById query in passportConfig.js. If the lookup resolves empty, the execution path intercepts the sequence early and cleanly invokes done(null, false). This commands Express to terminate the stale session and revoke cookie validity without interrupting server uptime.
How Has This Been Tested?
Stale Cookie Runtime Resilience: Simulating an active login session, manually deleted the target user document directly from MongoDB Compass, and re-sent an API request. Verified that the server intercepts the missing reference safely, strips the cookie validation, and redirects with a clean 401 Unauthorized instead of crashing.
Valid Session Continuity: Verified that uncompromised, active account sessions continue to deserialize and authorize access without interruption.
Type of Change