Skip to content

fix: Creating a session can delete another user's session#10582

Merged
mtrezza merged 1 commit into
parse-community:alphafrom
mtrezza:fix/session-dedup-cross-user-delete
Jul 14, 2026
Merged

fix: Creating a session can delete another user's session#10582
mtrezza merged 1 commit into
parse-community:alphafrom
mtrezza:fix/session-dedup-cross-user-delete

Conversation

@mtrezza

@mtrezza mtrezza commented Jul 14, 2026

Copy link
Copy Markdown
Member

Issue

RestWrite.destroyDuplicatedSessions() runs the _Session deduplication delete without the if (this.response) return; guard that the other write-pipeline steps (runDatabaseOperation, runAfterSaveTrigger) use. On a non-master POST /classes/_Session create, handleSession() has already created the caller's own session and set this.response, but the dedup then issues a master-privileged delete keyed on the client-supplied user and installationId from the request body instead of the server-generated session data. As a result, creating a session can delete another user's _Session record for the supplied installationId.

Tasks

  • Add tests

Summary by CodeRabbit

  • Bug Fixes
    • Improved session handling to prevent valid user sessions from being deleted during duplicate-session cleanup.
    • Preserved existing session authentication when a new session is created with a matching installation identifier.
    • Added safeguards against unintended session changes after an earlier response has been generated.

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 10e1b2e0-9290-4144-87c8-d6fbb4e832d0

📥 Commits

Reviewing files that changed from the base of the PR and between d76845f and 718b5aa.

📒 Files selected for processing (2)
  • spec/ParseSession.spec.js
  • src/RestWrite.js

📝 Walkthrough

Walkthrough

Session deduplication now skips deletion when an earlier response exists. A new test verifies that creating a session for another user with a shared installation ID preserves the original session record and authentication token.

Changes

Session deduplication

Layer / File(s) Summary
Preserve existing sessions and validate authentication
src/RestWrite.js, spec/ParseSession.spec.js
destroyDuplicatedSessions returns early when this.response is set, and the session test confirms the victim’s session remains present and can authenticate requests.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 7
✅ Passed checks (7 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the fix prefix requirement and accurately summarizes the session deletion issue.
Description check ✅ Passed The description includes an Issue section and completed Tasks, but it omits the template's Approach section.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Security Check ✅ Passed The patch removes a cross-user session-deletion path by skipping dedup after _Session responses exist, and the tests verify user-supplied session fields are ignored.
Engage In Review Feedback ✅ Passed GitHub shows “No reviews” on PR #10582, so there were no feedback comments to ignore. citeturn3view0
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.69%. Comparing base (d76845f) to head (718b5aa).

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10582      +/-   ##
==========================================
- Coverage   92.70%   92.69%   -0.01%     
==========================================
  Files         193      193              
  Lines       17025    17027       +2     
  Branches      248      248              
==========================================
+ Hits        15783    15784       +1     
- Misses       1221     1222       +1     
  Partials       21       21              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mtrezza

mtrezza commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
✅ Action performed

Full review finished.

@mtrezza mtrezza merged commit 0df8779 into parse-community:alpha Jul 14, 2026
23 of 25 checks passed
@mtrezza mtrezza deleted the fix/session-dedup-cross-user-delete branch July 14, 2026 16:31
parseplatformorg pushed a commit that referenced this pull request Jul 14, 2026
## [9.10.1-alpha.2](9.10.1-alpha.1...9.10.1-alpha.2) (2026-07-14)

### Bug Fixes

* Creating a session can delete another user's session ([#10582](#10582)) ([0df8779](0df8779))
@parseplatformorg

Copy link
Copy Markdown
Contributor

🎉 This change has been released in version 9.10.1-alpha.2

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

state:released-alpha Released as alpha version

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants