
Adapter: /sessions (list & revoke) return 401 — access cookie not forwarded #40

Description

@Bccorb

Problem

Through @seamless-auth/express (0.5.4), an authenticated cookie session can call /auth/users/me (200) but /auth/sessions — and DELETE /auth/sessions/:id, DELETE /auth/sessions — returns 401 {"error":"missing bearer token"} in the same session.

Root cause

listSessions/revokeSession (packages/express/src/handlers/sessions.ts) build the upstream auth via buildServiceAuthorization(req) → req.cookiePayload?.token. req.cookiePayload is populated by createEnsureCookiesMiddleware only for paths in its cookie-requirement map. /sessions appears to be absent from that map (the middleware logs "No cookie requirements for this path"), so cookiePayload is empty → no Authorization is forwarded → the API rejects with "missing bearer token".

/users/me is wired into the map and works, which is the tell.

Fix

Add /sessions, /sessions/:id, and DELETE /sessions to the access-cookie requirement map used by createEnsureCookiesMiddleware (the same set that already covers /users/me).

Notes

  • The API's /sessions works fine directly (Bearer access) — only the adapter forwarding is affected.
  • Found by the seamless verify conformance harness (adapter cookie path); the API-direct path passes.
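The failure mode described in this report, modelled as an added stand-alone example (not the @seamless-auth/express code): a path-keyed cookie-requirement map decides whether `req.cookiePayload` gets populated, and the forwarded Authorization header exists only when it does. The map contents, the route matcher and the helper names `ensureCookies`/`forwardedAuth` are assumptions; `REQUIREMENTS_BEFORE` omits /sessions as the issue describes, `REQUIREMENTS_AFTER` applies the proposed fix.

```javascript
// Constructed requirement maps: "before" covers only /users/me, "after" adds the
// /sessions routes named in the fix. Values are the cookies each route needs.
const REQUIREMENTS_BEFORE = {
  "GET /users/me": ["access"],
};
const REQUIREMENTS_AFTER = {
  "GET /users/me": ["access"],
  "GET /sessions": ["access"],
  "DELETE /sessions": ["access"],
  "DELETE /sessions/:id": ["access"],
};

// Match "DELETE /sessions/abc123" against a template such as "DELETE /sessions/:id".
// Method and path are compared segment by segment; ":param" segments match anything.
function matchRoute(map, method, path) {
  const want = `${method} ${path}`.split("/");
  for (const key of Object.keys(map)) {
    const parts = key.split("/");
    if (parts.length !== want.length) continue;
    if (parts.every((p, i) => p.startsWith(":") || p === want[i])) return map[key];
  }
  return null;
}

// Models createEnsureCookiesMiddleware (assumed behaviour): cookiePayload is set only
// when the route has cookie requirements; otherwise it logs and leaves it undefined.
function ensureCookies(map, req) {
  const required = matchRoute(map, req.method, req.path);
  if (!required) {
    req.log.push("No cookie requirements for this path");
    return req;
  }
  for (const name of required) {
    if (!req.cookies[name]) throw new Error(`missing ${name} cookie`);
  }
  req.cookiePayload = { token: req.cookies.access };
  return req;
}

// Models buildServiceAuthorization: a header is produced only from a populated payload,
// so an unmapped route forwards nothing and the upstream answers "missing bearer token".
function buildServiceAuthorization(req) {
  const token = req.cookiePayload?.token;
  return token ? `Bearer ${token}` : undefined;
}

// Runs one request with a constructed access cookie and returns the forwarded header.
function forwardedAuth(map, method, path) {
  const req = { method, path, cookies: { access: "tok-constructed" }, log: [] };
  return buildServiceAuthorization(ensureCookies(map, req));
}
```

With `REQUIREMENTS_BEFORE`, `forwardedAuth(REQUIREMENTS_BEFORE, "GET", "/sessions")` returns `undefined` while the /users/me call returns a Bearer header; with `REQUIREMENTS_AFTER` all three /sessions routes forward the header.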
