Problem
Through @seamless-auth/express (0.5.4), an authenticated cookie session can call /auth/users/me (200) but /auth/sessions — and DELETE /auth/sessions/:id, DELETE /auth/sessions — returns 401 {"error":"missing bearer token"} in the same session.
Root cause
listSessions/revokeSession (packages/express/src/handlers/sessions.ts) build the upstream auth via buildServiceAuthorization(req) → req.cookiePayload?.token. req.cookiePayload is populated by createEnsureCookiesMiddleware only for paths in its cookie-requirement map. /sessions appears to be absent from that map (the middleware logs "No cookie requirements for this path"), so cookiePayload is empty → no Authorization is forwarded → the API rejects with "missing bearer token".
/users/me is wired into the map and works, which is the tell.
Fix
Add /sessions, /sessions/:id, and DELETE /sessions to the access-cookie requirement map used by createEnsureCookiesMiddleware (the same set that already covers /users/me).
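To make the failure mode concrete, here is an added TypeScript sketch (constructed for this report, not @seamless-auth/express code) of a path-keyed cookie-requirement map gating whether cookiePayload, and therefore the forwarded Authorization header, exists. The "METHOD /path" entry format, the cookie name "access" and every function body are assumptions.

```typescript
// Constructed illustration, not the adapter's own code.
type CookiePayload = { token: string };
type Req = {
  method: string;
  path: string;
  cookies: Record<string, string>;
  cookiePayload?: CookiePayload;
};

// Hypothetical map shape: "METHOD /path", with :param as a wildcard segment.
const brokenRequirements = ["GET /users/me"];
const fixedRequirements = [
  "GET /users/me", "GET /sessions", "DELETE /sessions", "DELETE /sessions/:id",
];

function matches(pattern: string, method: string, path: string): boolean {
  const sep = pattern.indexOf(" ");
  const pm = pattern.slice(0, sep);
  const pp = pattern.slice(sep + 1);
  if (pm !== method) return false;
  const a = pp.split("/");
  const b = path.split("/");
  return a.length === b.length && a.every((seg, i) => seg.startsWith(":") || seg === b[i]);
}

// Stands in for createEnsureCookiesMiddleware: cookiePayload is only populated
// when the request has an entry in the map; otherwise it is left unset.
function ensureCookies(requirements: string[], req: Req): Req {
  if (!requirements.some((p) => matches(p, req.method, req.path))) {
    return req; // "No cookie requirements for this path"
  }
  const token = req.cookies["access"];
  return token ? { ...req, cookiePayload: { token } } : req;
}

// Stands in for buildServiceAuthorization: no payload, no header.
function buildServiceAuthorization(req: Req): string | undefined {
  const token = req.cookiePayload?.token;
  return token ? `Bearer ${token}` : undefined;
}

// Simulated upstream API: rejects with 401 when Authorization is absent.
function upstream(authorization: string | undefined): number {
  return authorization ? 200 : 401;
}

// Status the caller sees through the adapter for a cookie session holding "tok123".
function adapterStatus(requirements: string[], method: string, path: string): number {
  const req = ensureCookies(requirements, { method, path, cookies: { access: "tok123" } });
  return upstream(buildServiceAuthorization(req));
}
```

With brokenRequirements, /users/me returns 200 while every /sessions route returns 401 exactly as described above; adding the three entries in fixedRequirements makes them pass.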
Notes
- The API's /sessions works fine directly (Bearer access) — only the adapter forwarding is affected.
- Found by the seamless verify conformance harness (adapter cookie path); the API-direct path passes.