Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(auth): make active-session check fail-open; add missing DB migration

Browse Source 
The active_sessions table was never migrated to production — the model
was added to the Prisma schema via db push only. prisma migrate deploy
was a no-op because no migration directories existed.

Without the table, prisma.activeSession.findUnique() throws P2021,
crashing the tRPC handler with 500 on every authenticated request.
This silently emptied all admin pages (users, system-roles, etc.).

Changes:
- Wrap the jti ActiveSession lookup in try-catch so the tRPC handler
  degrades gracefully (fail-open) if the table is temporarily missing
- Add packages/db/prisma/migrations/20260401000000_active_sessions/
  so prisma migrate deploy creates the table on next production deploy
  (idempotent via IF NOT EXISTS — safe if table already exists)

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-04-01 18:38:05 +02:00
parent 0e119cfe73
commit 5bc7cace26
2 changed files with 47 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/app/api/trpc/[trpc]/route.ts
+5
View File
@@ -25,9 +25,11 @@ const handler = async (req: NextRequest) => {
// Validate active session registry on every authenticated request. // Validate active session registry on every authenticated request.
// Sessions kicked by concurrent-session limits or manual logout are rejected immediately. // Sessions kicked by concurrent-session limits or manual logout are rejected immediately.
// Fail-open: if the table doesn't exist yet (pending migration) the check is skipped.
if (session?.user) { if (session?.user) {
const jti = (session.user as typeof session.user & { jti?: string }).jti; const jti = (session.user as typeof session.user & { jti?: string }).jti;
if (jti) { if (jti) {
try {
const activeSession = await prisma.activeSession.findUnique({ where: { jti } }); const activeSession = await prisma.activeSession.findUnique({ where: { jti } });
if (!activeSession) { if (!activeSession) {
return new Response(JSON.stringify({ error: "Session revoked" }), { return new Response(JSON.stringify({ error: "Session revoked" }), {
@@ -35,6 +37,9 @@ const handler = async (req: NextRequest) => {
headers: { "Content-Type": "application/json" }, headers: { "Content-Type": "application/json" },
}); });
} }
} catch {
// Table may not exist yet (migration pending) — skip validation rather than crashing.
}
} }
} }
packages/db/prisma/migrations/20260401000000_active_sessions/migration.sql
+36
View File
@@ -0,0 +1,36 @@
-- CreateTable: active_sessions (JWT session registry)
-- Supports concurrent-session limits and manual session revocation.
-- Using IF NOT EXISTS guards for idempotency when table was pre-created via db push.
CREATE TABLE IF NOT EXISTS "active_sessions" (
"id" TEXT NOT NULL,
"userId" TEXT NOT NULL,
"jti" TEXT NOT NULL,
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"lastSeenAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"userAgent" TEXT,
"ipAddress" TEXT,
CONSTRAINT "active_sessions_pkey" PRIMARY KEY ("id")
);
-- CreateIndex
CREATE UNIQUE INDEX IF NOT EXISTS "active_sessions_jti_key" ON "active_sessions"("jti");
-- CreateIndex
CREATE INDEX IF NOT EXISTS "active_sessions_userId_createdAt_idx" ON "active_sessions"("userId", "createdAt");
-- AddForeignKey (skip if already exists)
DO $$
BEGIN
IF NOT EXISTS (
SELECT 1 FROM information_schema.table_constraints
WHERE constraint_name = 'active_sessions_userId_fkey'
AND table_name = 'active_sessions'
) THEN
ALTER TABLE "active_sessions"
ADD CONSTRAINT "active_sessions_userId_fkey"
FOREIGN KEY ("userId") REFERENCES "users"("id")
ON DELETE CASCADE ON UPDATE CASCADE;
END IF;
END $$;