fix(#411): add runtime null checks in auth controller — defense-in-depth for AuthenticatedRequest

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 15:44:31 -06:00
parent d7de20e586
commit 4d9b75994f
2 changed files with 53 additions and 6 deletions
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -10,6 +10,7 @@ import {
  Logger,
  HttpException,
  HttpStatus,
+  UnauthorizedException,
 } from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
 import type { Request as ExpressRequest, Response as ExpressResponse } from "express";
@@ -33,8 +34,13 @@ export class AuthController {
  @Get("session")
  @UseGuards(AuthGuard)
  getSession(@Request() req: AuthenticatedRequest): AuthSession {
-    // AuthGuard guarantees user and session are present — NestJS returns 401
-    // before this method is reached if the guard rejects.
+    // Defense-in-depth: AuthGuard should guarantee these, but if someone adds
+    // a route with AuthenticatedRequest and forgets @UseGuards(AuthGuard),
+    // TypeScript types won't help at runtime.
+    if (!req.user || !req.session) {
+      throw new UnauthorizedException("Missing authentication context");
+    }
+
    return {
      user: req.user,
      session: {