mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(auth): verify BetterAuth sessions via cookie headers

Browse Source
This commit is contained in:
Jason Woltje
2026-02-18 22:39:54 -06:00
parent af299abdaf
commit 0c2a6b14cf
3 changed files with 224 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
apps/api/src/auth/auth.service.ts
View File

@@ -21,6 +21,10 @@ interface VerifiedSession {
session: Record<string, unknown>;
}
interface SessionHeaderCandidate {
headers: Record<string, string>;
}
@Injectable()
export class AuthService {
private readonly logger = new Logger(AuthService.name);
@@ -103,36 +107,27 @@ export class AuthService {
* Only known-safe auth errors return null; everything else propagates as 500.
*/
async verifySession(token: string): Promise<VerifiedSession | null> {
try {
// TODO(#411): BetterAuth getSession returns opaque types — replace when upstream exports typed interfaces
const session = await this.auth.api.getSession({
headers: {
authorization: `Bearer ${token}`,
},
});
let sawNonError = false;
if (!session) {
return null;
}
for (const candidate of this.buildSessionHeaderCandidates(token)) {
try {
// TODO(#411): BetterAuth getSession returns opaque types — replace when upstream exports typed interfaces
const session = await this.auth.api.getSession(candidate);
return {
user: session.user as Record<string, unknown>,
session: session.session as Record<string, unknown>,
};
} catch (error: unknown) {
// Only known-safe auth errors return null
if (error instanceof Error) {
const msg = error.message.toLowerCase();
const isExpectedAuthError =
msg.includes("invalid token") ||
msg.includes("token expired") ||
msg.includes("session expired") ||
msg.includes("session not found") ||
msg.includes("invalid session") ||
msg === "unauthorized" ||
msg === "expired";
if (!session) {
continue;
}
return {
user: session.user as Record<string, unknown>,
session: session.session as Record<string, unknown>,
};
} catch (error: unknown) {
if (error instanceof Error) {
if (this.isExpectedAuthError(error.message)) {
continue;
}
if (!isExpectedAuthError) {
// Infrastructure or unexpected — propagate as 500
const safeMessage = (error.stack ?? error.message).replace(
/Bearer\s+\S+/gi,
@@ -141,14 +136,57 @@ export class AuthService {
this.logger.error("Session verification failed due to unexpected error", safeMessage);
throw error;
}
// Non-Error thrown values — log once for observability, treat as auth failure
if (!sawNonError) {
const errorDetail = typeof error === "string" ? error : JSON.stringify(error);
this.logger.warn("Session verification received non-Error thrown value", errorDetail);
sawNonError = true;
}
}
// Non-Error thrown values — log for observability, treat as auth failure
if (!(error instanceof Error)) {
const errorDetail = typeof error === "string" ? error : JSON.stringify(error);
this.logger.warn("Session verification received non-Error thrown value", errorDetail);
}
return null;
}
return null;
}
private buildSessionHeaderCandidates(token: string): SessionHeaderCandidate[] {
const encodedToken = encodeURIComponent(token);
return [
{
headers: {
cookie: `__Secure-better-auth.session_token=${encodedToken}`,
},
},
{
headers: {
cookie: `better-auth.session_token=${encodedToken}`,
},
},
{
headers: {
cookie: `__Host-better-auth.session_token=${encodedToken}`,
},
},
{
headers: {
authorization: `Bearer ${token}`,
},
},
];
}
private isExpectedAuthError(message: string): boolean {
const normalized = message.toLowerCase();
return (
normalized.includes("invalid token") ||
normalized.includes("token expired") ||
normalized.includes("session expired") ||
normalized.includes("session not found") ||
normalized.includes("invalid session") ||
normalized === "unauthorized" ||
normalized === "expired"
);
}
/**