Prevent sendAuthCodeToUser from throwing 500s

ref ENG-2004 There are intermittent 500s from this codepath, seemingly because the user id isn't always valid. I've tested with cookies disabled, and a bunch of different flows but haven't been able to repro the issue. For now the best path seems to be handling the error better, so we get a better stack trace.
2025-03-11 02:12:21 -05:00 · 2025-02-24 16:25:03 +00:00 · 2025-02-24 16:25:03 +00:00 · 9f1fc9a0a7
commit 9f1fc9a0a7
parent e0b00cbd04
2 changed files with 55 additions and 2 deletions
--- a/ghost/session-service/lib/session-service.js
+++ b/ghost/session-service/lib/session-service.js
@ -235,13 +235,17 @@ module.exports = function createSessionService({
    async function sendAuthCodeToUser(req, res) {
        const session = await getSession(req, res);
        const token = await generateAuthCodeForUser(req, res);
-        const user = await findUserById({id: session.user_id});

-        if (!user) {
+        let user;
+        try {
+            user = await findUserById({id: session.user_id});
+        } catch (error) {
+            // User session likely doesn't contain a valid user ID
            throw new BadRequestError({
                message: 'Could not fetch user from the session.'
            });
        }
+
        const recipient = user.get('email');
        const siteTitle = getSettingsCache('title');
        const siteLogo = getBlogLogo();
--- a/ghost/session-service/test/SessionService.test.js
+++ b/ghost/session-service/test/SessionService.test.js
@ -517,4 +517,53 @@ describe('SessionService', function () {
        should.equal(req.session.user_id, 'egg');
        should.equal(req.session.verified, true);
    });
+
+    it('Throws if the user id is invalid', async function () {
+        const getSession = async (req) => {
+            if (req.session) {
+                return req.session;
+            }
+            req.session = {
+                user_id: 'user-123',
+                ip: '0.0.0.0',
+                user_agent: 'Fake'
+            };
+            return req.session;
+        };
+
+        const findUserById = sinon.stub().rejects(new Error('User not found'));
+
+        const mailer = {
+            send: sinon.stub().resolves()
+        };
+
+        const getSettingsCache = sinon.stub().returns('site-title');
+        const getBlogLogo = sinon.stub().returns('logo.png');
+        const urlUtils = {
+            urlFor: sinon.stub().returns('https://example.com')
+        };
+
+        const t = sinon.stub().callsFake(text => text);
+
+        const sessionService = SessionService({
+            getSession,
+            findUserById,
+            getSettingsCache,
+            getBlogLogo,
+            urlUtils,
+            mailer,
+            t,
+            labs: {
+                isSet: () => false
+            }
+        });
+
+        const req = Object.create(express.request);
+        const res = Object.create(express.response);
+
+        await should(sessionService.sendAuthCodeToUser(req, res, {id: 'invalid'}))
+            .rejectedWith({
+                message: 'Could not fetch user from the session.'
+            });
+    });
 });