Skip to content

fix(auth): prevent nil pointer panic in refreshSession with cookie-based tokens#654

Merged
omercnet merged 2 commits intodescope:mainfrom
Asafrose:fix-session-token-bug
Jan 5, 2026
Merged

fix(auth): prevent nil pointer panic in refreshSession with cookie-based tokens#654
omercnet merged 2 commits intodescope:mainfrom
Asafrose:fix-session-token-bug

Conversation

@Asafrose
Copy link
Contributor

@Asafrose Asafrose commented Jan 5, 2026

Summary

  • Fixed a panic in refreshSession when tokens are managed via cookies instead of response body
  • When SessionJWTViaCookie is enabled, extractTokens returns empty results, leaving sToken as nil
  • This caused a nil pointer panic at line 444: info.SessionToken.RefreshExpiration = token.Expiration
  • Added cookie extraction fallback for session token, mirroring existing logic for refresh token

Root Cause

In generateAuthenticationInfoWithRefreshToken:

  1. extractJWTResponse and extractTokens return 0 tokens when tokens are delivered via cookies
  2. sToken remains nil after the token extraction loop
  3. The code already had fallback logic to extract refreshToken from cookies (lines 816-826), but was missing the same for sToken
  4. Back in refreshSession, accessing info.SessionToken.RefreshExpiration panics

Fix

Added session token extraction from cookies when sToken is nil, combined into a single loop with the existing refresh token extraction for efficiency.

Test plan

  • Added TestRefreshSessionWithTokenViaCookie - tests the cookie-only token scenario
  • All existing refresh session tests pass
  • Full auth test suite passes

🤖 Generated with Claude Code

@Asafrose @claude
fix(auth): extract session token from cookies in refreshSession
711cd8b 
When tokens are managed via cookies instead of response body,
extractTokens returns empty, leaving sToken as nil. This caused
a panic at line 444 when accessing info.SessionToken.RefreshExpiration.

The fix adds cookie extraction logic for sToken (session token) when
it's nil, mirroring the existing fallback logic for refreshToken.

Also adds a dedicated test for the cookie-only token scenario.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@Asafrose Asafrose changed the title fix(auth): extract session token from cookies in refreshSession fix(auth): prevent nil pointer panic in refreshSession with cookie-based tokens Jan 5, 2026
@shilgapira shilgapira enabled auto-merge (squash) January 5, 2026 11:38
Copilot AI reviewed Jan 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a critical nil pointer panic in refreshSession (and selectTenant) that occurs when tokens are delivered via cookies instead of the response body. When SessionJWTViaCookie is enabled, the response body contains only cookie metadata (path, domain) without the actual JWT tokens, causing extractTokens to return an empty array and leaving sToken as nil.

Key Changes:

  • Added session token extraction from cookies when sToken is nil or empty
  • Consolidated token extraction into a single cookie loop for both session and refresh tokens
  • Added comprehensive test coverage for the cookie-only token scenario

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
descope/internal/auth/auth.go Adds cookie-based session token extraction (lines 816-823) and consolidates cookie extraction loop to handle both session and refresh tokens efficiently
descope/internal/auth/auth_test.go Adds test case TestRefreshSessionWithTokenViaCookie that validates the fix by simulating a response with tokens only in cookies and no tokens in the response body

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Asafrose @claude
refactor: address PR review comments
ff54676 
- Add early loop exit when both tokens are found
- Add RefreshExpiration assertion in test

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
auto-merge was automatically disabled January 5, 2026 12:14

Head branch was pushed to by a user without write access

@shilgapira shilgapira enabled auto-merge (squash) January 5, 2026 12:24
@omercnet omercnet disabled auto-merge January 5, 2026 12:48
@omercnet omercnet merged commit ef2d74d into descope:main Jan 5, 2026
8 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@shilgapira shilgapira shilgapira approved these changes

@dorsha dorsha Awaiting requested review from dorsha

@asafshen asafshen Awaiting requested review from asafshen

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Asafrose @shilgapira @omercnet