handling matching api.parse.com when calling upgradeToRevocableSession without a sessionToken (parse-community#2721)

Author: flovilmart

spec/RevocableSessionsUpgrade.spec.js

@@ -89,4 +89,24 @@ describe_only_db('mongo')('revocable sessions', () => {
       done();
     });
   });
+
+  it('should not crash without session token #2720', done => {
+    rp.post({
+      url: Parse.serverURL+'/upgradeToRevocableSession',
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-Rest-API-Key': 'rest'
+      },
+      json: true
+    }).then((res) => {
+      fail('should not be able to upgrade a bad token');
+    }, (response) => {
+      expect(response.statusCode).toBe(404);
+      expect(response.error).not.toBeUndefined();
+      expect(response.error.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+      expect(response.error.error).toEqual('invalid session');
+    }).then(() => {
+      done();
+    });
+  });
 })

src/Routers/SessionsRouter.js

@@ -54,6 +54,11 @@ export class SessionsRouter extends ClassesRouter {
     const config = req.config;
     const masterAuth = Auth.master(config)
     const user = req.auth.user;
+    // Issue #2720
+    // Calling without a session token would result in a not found user
+    if (!user) {
+      throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'invalid session');
+    }
     const expiresAt = config.generateSessionExpiresAt();
     const sessionData = {
       sessionToken: 'r:' + newToken(),