
fix: redact session tokens from session API#1544

Merged
pithva007 merged 1 commit into nisshchayarathi:main from RachanaB5:fix/redact-session-tokens on Jun 2, 2026

Conversation

@RachanaB5 (Contributor) commented May 31, 2026

Summary

  • stop returning raw sessionToken values from the sessions API
  • add a shared safe session select object
  • add regression coverage to ensure session tokens are not included

Security Impact

Prevents sensitive NextAuth session tokens from being exposed through authenticated API responses.

Testing

  • npm test -- --runTestsByPath lib/__tests__/sessionResponse.test.ts
  • git diff --check

closes #1543

Summary by CodeRabbit

  • Improvements

    • Session API endpoint now returns a restricted set of session fields (id, expires, and userId) for more controlled data handling.
  • Tests

    • Added test coverage to verify session response field constraints.
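The allow-list pattern this PR describes (a Prisma-style select object naming only id, expires and userId, plus a regression check that sessionToken never appears in a response), as an added TypeScript example that is not the PR's own code. The SessionRow shape, the in-memory applySelect helper and the leaksSessionToken check are assumptions, since route.ts and the test file are not shown on this page.

```typescript
// Added example (not the PR's code): Prisma-style select allow-list, applied in memory,
// plus a leak check. Field names follow the NextAuth Session model; helper names are assumed.
export interface SessionRow {
  id: string;
  sessionToken: string; // the secret: must never reach an API client
  userId: string;
  expires: Date;
}

// Allow-list of fields the sessions API may return, in Prisma `select` form.
export const SAFE_SESSION_SELECT = { id: true, expires: true, userId: true } as const;
export type SafeSession = Pick<SessionRow, keyof typeof SAFE_SESSION_SELECT>;

// Compile-time guard: if someone adds `sessionToken: true` to the allow-list,
// ForbiddenKeys stops being `never` and this assignment no longer type-checks.
type ForbiddenKeys = Extract<keyof typeof SAFE_SESSION_SELECT, "sessionToken">;
export const SELECT_EXCLUDES_TOKEN: ForbiddenKeys extends never ? true : never = true;

// Apply a select object to one row the way Prisma's `select` does: only keys
// marked `true` are copied, so anything not on the allow-list is dropped.
export function applySelect<T extends object, K extends keyof T>(
  row: T,
  select: Record<K, true>,
): Pick<T, K> {
  const out = {} as Pick<T, K>;
  for (const key of Object.keys(select) as K[]) {
    if (select[key] === true) out[key] = row[key];
  }
  return out;
}

export function toSafeSessions(rows: SessionRow[]): SafeSession[] {
  return rows.map((row) => applySelect(row, SAFE_SESSION_SELECT));
}

// Runtime regression check for a response payload: true if any object in it,
// at any depth, still carries a `sessionToken` key.
export function leaksSessionToken(payload: unknown): boolean {
  if (Array.isArray(payload)) return payload.some(leaksSessionToken);
  if (payload !== null && typeof payload === "object") {
    if ("sessionToken" in payload) return true;
    return Object.values(payload).some(leaksSessionToken);
  }
  return false;
}

// Constructed sample rows; the token values are placeholders, not real tokens.
export const SAMPLE_ROWS: SessionRow[] = [
  { id: "s1", sessionToken: "constructed-token-1", userId: "u1", expires: new Date("2026-06-30T00:00:00Z") },
  { id: "s2", sessionToken: "constructed-token-2", userId: "u2", expires: new Date("2026-07-01T00:00:00Z") },
];
```

The compile-time guard catches an allow-list that grows to include the token; leaksSessionToken is the runtime counterpart a Jest regression test can run over the actual response body.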

vercel Bot commented May 31, 2026

@RachanaB5 is attempting to deploy a commit to the Nisshchaya's projects Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai Bot commented May 31, 2026

No actionable comments were generated in the recent review.

Reviewing files that changed from the base of the PR and between 6b078b6 and 49b46d7.

Files selected for processing (3)
  • app/api/auth/sessions/route.ts
  • lib/__tests__/sessionResponse.test.ts
  • lib/utils/sessionResponse.ts
Walkthrough

The PR adds a secure session response design to the sessions API endpoint. A new SAFE_SESSION_SELECT constant explicitly enumerates the allowed session fields (id, expires, userId) and is applied to the database query to prevent sensitive sessionToken values from reaching the client. A regression test verifies the safe selection contract.

Changes

Session Token Exposure Fix
  • Safe session response contract (lib/utils/sessionResponse.ts): exports SAFE_SESSION_SELECT as a const selection object with id, expires, and userId fields.
  • Safe session regression test (lib/__tests__/sessionResponse.test.ts): Jest test verifies SAFE_SESSION_SELECT contains only the three allowed fields and excludes sessionToken.
  • Sessions endpoint safe selection (app/api/auth/sessions/route.ts): imports and applies SAFE_SESSION_SELECT to the prisma.session.findMany query to constrain response fields.

Estimated code review effort: 2 (Simple), ~10 minutes

Possibly related issues

  • Session API exposes raw session tokens #1543: This PR directly addresses the vulnerability by implementing the exact fix described: adding SAFE_SESSION_SELECT, restricting the selection to id, expires, and userId, and adding a regression test to ensure sessionToken is never included.

Suggested labels

security, level:critical, gssoc:approved

Poem

🐰 A rabbit hops through sessions bright,
Guards the token, hides from sight,
Only id, expires flow,
Safe metadata steals the show!
No more tokens in the breeze, 🔐

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)
  • Docstring Coverage: Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed)
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'fix: redact session tokens from session API' accurately and concisely describes the main change: preventing session tokens from being returned by the sessions API.
  • Linked Issues check: Passed. All requirements from issue #1543 are met: added SAFE_SESSION_SELECT with id/expires/userId, integrated it into the sessions endpoint, and added a regression test verifying sessionToken exclusion.
  • Out of Scope Changes check: Passed. All changes are directly aligned with the security fix: adding the safe selection object, integrating it into the API, and adding regression tests; no extraneous modifications.


@github-actions github-actions Bot added the GSSoC'26 Part of GirlScript Summer of Code 2026 label May 31, 2026
github-actions Bot commented

🎉 Thanks for your contribution, @RachanaB5!

Your PR has passed our automated GSSoC quality checks. Here's a quick summary:

  • PR description: Provided
  • PR title: Meaningful
  • Linked issue: Found
  • Change size: Looks good (19 lines across 3 file(s))

A maintainer will review your PR soon. Please be patient and available for feedback. 💪

GSSoC'26 automation · Maintainer: @nisshchayarathi


@pithva007 pithva007 merged commit 42ab4c5 into nisshchayarathi:main Jun 2, 2026
3 of 4 checks passed
@github-actions github-actions Bot added gssoc:approved level:beginner mentor:nisshchayarathi GSSoC: Mentor attribution for @nisshchayarathi labels Jun 2, 2026