Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(auth): make active-session check fail-open; add missing DB migration

Browse Source 
The active_sessions table was never migrated to production — the model
was added to the Prisma schema via db push only. prisma migrate deploy
was a no-op because no migration directories existed.

Without the table, prisma.activeSession.findUnique() throws P2021,
crashing the tRPC handler with 500 on every authenticated request.
This silently emptied all admin pages (users, system-roles, etc.).

Changes:
- Wrap the jti ActiveSession lookup in try-catch so the tRPC handler
  degrades gracefully (fail-open) if the table is temporarily missing
- Add packages/db/prisma/migrations/20260401000000_active_sessions/
  so prisma migrate deploy creates the table on next production deploy
  (idempotent via IF NOT EXISTS — safe if table already exists)

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-04-01 18:38:05 +02:00
parent 0e119cfe73
commit 5bc7cace26
2 changed files with 47 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/app/api/trpc/[trpc]/route.ts
+11 -6
View File
@@ -25,15 +25,20 @@ const handler = async (req: NextRequest) => {
// Validate active session registry on every authenticated request.
// Sessions kicked by concurrent-session limits or manual logout are rejected immediately.
// Fail-open: if the table doesn't exist yet (pending migration) the check is skipped.
if (session?.user) {
const jti = (session.user as typeof session.user & { jti?: string }).jti;
if (jti) {
const activeSession = await prisma.activeSession.findUnique({ where: { jti } });
if (!activeSession) {
return new Response(JSON.stringify({ error: "Session revoked" }), {
status: 401,
headers: { "Content-Type": "application/json" },
});
try {
const activeSession = await prisma.activeSession.findUnique({ where: { jti } });
if (!activeSession) {
return new Response(JSON.stringify({ error: "Session revoked" }), {
status: 401,
headers: { "Content-Type": "application/json" },
});
}
} catch {
// Table may not exist yet (migration pending) — skip validation rather than crashing.
}
}
}