fix: refresh-token P2025 race with concurrent sign-out

mantrakp04 · mantrakp04 · commit 22678b9656a9 · 2026-04-22T15:58:14.000-07:00
`generateAccessTokenFromRefreshTokenIfValid` read the refresh-token row upstream and then issued `.update()` on it (plus on `projectUser`). If a concurrent sign-out / session revoke / password change / user delete removed the row between the read and the update, Prisma threw P2025 and the request 500'd (Sentry STACK-BACKEND-146). Switch the two updates to `updateMany` so a missing row is a no-op, then re-check the refresh-token row exists and return null if it doesn't — the refresh route already maps null to RefreshTokenNotFoundOrExpired (401). On the OAuth refresh_token grant path, replace the "ultra-rare race condition" throwErr with the same KnownError so it returns 401 too instead of 500. Adds a regression test that concurrently refreshes and signs out the same session; before the fix it 500s on the first iteration. Fixes https://stackframe-pw.sentry.io/issues/7377768662/
diff --git a/apps/backend/src/lib/tokens.tsx b/apps/backend/src/lib/tokens.tsx
@@ -248,24 +248,24 @@ export async function generateAccessTokenFromRefreshTokenIfValid(options: Refres
   // Get end user IP info for session tracking and event logging
   const ipInfo = await getEndUserIpInfoForEvent();
 
+  // updateMany (instead of update) so a concurrent sign-out / session revocation
+  // that deletes the row between the caller's read and this write does not
+  // surface as a P2025 500. We re-check existence below and return null if the
+  // token was deleted, which the refresh route maps to RefreshTokenNotFoundOrExpired.
   await Promise.all([
-    prisma.projectUser.update({
+    prisma.projectUser.updateMany({
       where: {
-        tenancyId_projectUserId: {
-          tenancyId: options.tenancy.id,
-          projectUserId: options.refreshTokenObj.projectUserId,
-        },
+        tenancyId: options.tenancy.id,
+        projectUserId: options.refreshTokenObj.projectUserId,
       },
       data: withExternalDbSyncUpdate({
         lastActiveAt: now,
       }),
     }),
-    globalPrismaClient.projectUserRefreshToken.update({
+    globalPrismaClient.projectUserRefreshToken.updateMany({
       where: {
-        tenancyId_id: {
-          tenancyId: options.tenancy.id,
-          id: options.refreshTokenObj.id,
-        },
+        tenancyId: options.tenancy.id,
+        id: options.refreshTokenObj.id,
       },
       data: withExternalDbSyncUpdate({
         lastActiveAt: now,
@@ -274,6 +274,17 @@ export async function generateAccessTokenFromRefreshTokenIfValid(options: Refres
     }),
   ]);
 
+  const stillExists = await globalPrismaClient.projectUserRefreshToken.findUnique({
+    where: {
+      tenancyId_id: {
+        tenancyId: options.tenancy.id,
+        id: options.refreshTokenObj.id,
+      },
+    },
+    select: { id: true },
+  });
+  if (!stillExists) return null;
+
   // Log session activity event (used for metrics, geo info, etc.)
   await logEvent(
     [SystemEventTypes.SessionActivity],
diff --git a/apps/backend/src/oauth/model.tsx b/apps/backend/src/oauth/model.tsx
@@ -9,7 +9,7 @@ import { createRefreshTokenObj, decodeAccessToken, generateAccessTokenFromRefres
 import { getPrismaClientForTenancy, globalPrismaClient } from "@/prisma-client";
 import { AuthorizationCode, AuthorizationCodeModel, Client, Falsey, RefreshToken, Token, User } from "@node-oauth/oauth2-server";
 import { KnownErrors } from "@stackframe/stack-shared";
-import { StackAssertionError, StatusError, captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { StackAssertionError, StatusError, captureError } from "@stackframe/stack-shared/dist/utils/errors";
 import { getProjectBranchFromClientId } from ".";
 const PrismaClientKnownRequestError = Prisma.PrismaClientKnownRequestError;
 
@@ -105,10 +105,16 @@ export class OAuthModel implements AuthorizationCodeModel {
 
     const refreshTokenObj = await this._getOrCreateRefreshTokenObj(client, user, scope);
 
-    return await generateAccessTokenFromRefreshTokenIfValid({
+    const accessToken = await generateAccessTokenFromRefreshTokenIfValid({
       tenancy,
       refreshTokenObj,
-    }) ?? throwErr("Get or create refresh token failed; returned refreshTokenObj that's invalid (or maybe it's an ultra-rare race condition and it became invalid in since the function call?)", { refreshTokenObj });  // TODO fix the ultra-rare race condition — although unless we're at gigascale this should basically never happen
+    });
+    if (!accessToken) {
+      // Either the refresh token became invalid between _getOrCreateRefreshTokenObj and now
+      // (e.g. a concurrent sign-out deleted the row), or the user was deleted mid-flight.
+      throw new KnownErrors.RefreshTokenNotFoundOrExpired();
+    }
+    return accessToken;
   }
 
   async _getOrCreateRefreshTokenObj(client: Client, user: User, scope: string[]) {
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/refresh-race.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/refresh-race.test.ts
@@ -0,0 +1,52 @@
+import { randomUUID } from "node:crypto";
+import { generatedEmailSuffix } from "../../../../../../../helpers";
+import { it } from "../../../../../../../helpers";
+import { Auth, backendContext, createMailbox, niceBackendFetch } from "../../../../../../backend-helpers";
+
+// Reproduces Sentry STACK-BACKEND-146:
+// PrismaClientKnownRequestError P2025 on projectUserRefreshToken.update()
+// caused by the refresh endpoint reading the token, then calling update()
+// after a concurrent sign-out has deleted the row.
+it("reproduces P2025 when a refresh races with a sign-out of the same session", { timeout: 120_000 }, async ({ expect }) => {
+  // Fire many refresh+signout pairs concurrently to hit the race window
+  // between findFirst(refreshToken) and projectUserRefreshToken.update().
+  const ATTEMPTS = 10;
+  const crashes: any[] = [];
+
+  for (let i = 0; i < ATTEMPTS; i++) {
+    backendContext.set({
+      mailbox: createMailbox(`refresh-race--${randomUUID()}${generatedEmailSuffix}`),
+      userAuth: null,
+    });
+    await Auth.Password.signUpWithEmail();
+    const rt = backendContext.value.userAuth!.refreshToken!;
+
+    const refreshP = niceBackendFetch("/api/v1/auth/sessions/current/refresh", {
+      method: "POST",
+      accessType: "client",
+      headers: { "x-stack-refresh-token": rt },
+    });
+    const signOutP = niceBackendFetch("/api/v1/auth/sessions/current", {
+      method: "DELETE",
+      accessType: "client",
+    });
+
+    const [refreshRes] = await Promise.all([refreshP, signOutP]);
+
+    // Acceptable outcomes:
+    //   200 (refresh won the race)
+    //   401 REFRESH_TOKEN_NOT_FOUND_OR_EXPIRED (sign-out won cleanly)
+    // Bug outcome: 500 with Prisma P2025 bubbling out as an unhandled error.
+    if (refreshRes.status !== 200 && refreshRes.status !== 401) {
+      crashes.push({ status: refreshRes.status, body: refreshRes.body });
+    } else if (
+      typeof refreshRes.body === "object" &&
+      refreshRes.body !== null &&
+      JSON.stringify(refreshRes.body).includes("P2025")
+    ) {
+      crashes.push({ status: refreshRes.status, body: refreshRes.body });
+    }
+  }
+
+  expect(crashes).toEqual([]);
+});
