fix: Validate session in middleware for non-GET requests to /sessions/me

Author: mtrezza

spec/ParseSession.spec.js

@@ -256,4 +256,64 @@ describe('Parse.Session', () => {
     expect(newSession.createdWith.action).toBe('create');
     expect(newSession.createdWith.authProvider).toBeUndefined();
   });
+
+  describe('PUT /sessions/me', () => {
+    it('should return error with invalid session token', async () => {
+      const response = await request({
+        method: 'PUT',
+        url: 'http://localhost:8378/1/sessions/me',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Session-Token': 'r:invalid-session-token',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({}),
+      }).catch(e => e);
+      expect(response.status).not.toBe(500);
+      expect(response.data.code).toBe(Parse.Error.INVALID_SESSION_TOKEN);
+    });
+
+    it('should return error without session token', async () => {
+      const response = await request({
+        method: 'PUT',
+        url: 'http://localhost:8378/1/sessions/me',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({}),
+      }).catch(e => e);
+      expect(response.status).not.toBe(500);
+    });
+  });
+
+  describe('DELETE /sessions/me', () => {
+    it('should return error with invalid session token', async () => {
+      const response = await request({
+        method: 'DELETE',
+        url: 'http://localhost:8378/1/sessions/me',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Session-Token': 'r:invalid-session-token',
+        },
+      }).catch(e => e);
+      expect(response.status).not.toBe(500);
+      expect(response.data.code).toBe(Parse.Error.INVALID_SESSION_TOKEN);
+    });
+
+    it('should return error without session token', async () => {
+      const response = await request({
+        method: 'DELETE',
+        url: 'http://localhost:8378/1/sessions/me',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+      }).catch(e => e);
+      expect(response.status).not.toBe(500);
+    });
+  });
 });

src/middlewares.js

@@ -377,7 +377,7 @@ const handleRateLimit = async (req, res, next) => {
 export const handleParseSession = async (req, res, next) => {
   try {
     const info = req.info;
-    if (req.auth || req.url === '/sessions/me') {
+    if (req.auth || (req.url === '/sessions/me' && req.method === 'GET')) {
       next();
       return;
     }