File: packages/payload/src/auth/operations/refresh.ts:87
sessions.find(...) returns undefined when no session matches sessionID. existingSession.expiresAt is then read immediately, with no null check, so if the session is missing (expired and pruned, revoked or deleted, or never created) the refresh flow throws a TypeError instead of rejecting the token. A client presenting a token whose session no longer exists therefore triggers an unhandled error in the refresh endpoint rather than a clean 401.
Severity: HIGH [high confidence]
Pattern:
const existingSession = user.sessions?.find(s => s.id === sessionID);
if (existingSession.expiresAt < Date.now()) { // throws if existingSession is undefined
Fix:
const existingSession = user.sessions?.find(s => s.id === sessionID);
if (!existingSession) {
  // handle missing session (e.g. return 401); this branch must return or throw,
  // otherwise the dereference below still runs against undefined
}
if (existingSession.expiresAt < Date.now()) {
  // existing expiry handling
}
Found via AXIOM — static invariant analysis tool that detects untested null assumptions.