fix: guard against undefined user in getAllPermissions handler

vigneshakaviki · vigneshakaviki · commit bed2e09c0c73 · 2026-04-11T09:51:45.000-07:00
The GET /api/v1/auth/:type route matches /api/v1/auth/resolve, which is whitelisted and skips authentication. When an unauthenticated request hits this route, req.user is undefined and accessing user.isOrganizationAdmin throws a TypeError, returning a 500 error. Added a null check for req.user that returns 401 before accessing any user properties. This fixes the login page hang on fresh Flowise 3.x installs where the UI calls /api/v1/auth/resolve to determine auth state. Fixes #6105
diff --git a/packages/server/src/enterprise/controllers/auth/index.test.ts b/packages/server/src/enterprise/controllers/auth/index.test.ts
@@ -0,0 +1,78 @@
+import { describe, expect, it, beforeEach } from '@jest/globals'
+import { Request, Response, NextFunction } from 'express'
+
+// Mock logger before importing the module under test
+jest.mock('../../../utils/logger', () => ({
+    __esModule: true,
+    default: { warn: jest.fn(), info: jest.fn(), error: jest.fn(), debug: jest.fn() }
+}))
+
+// Mock getRunningExpressApp
+const mockGetRunningExpressApp = jest.fn()
+jest.mock('../../../utils/getRunningExpressApp', () => ({
+    getRunningExpressApp: () => mockGetRunningExpressApp()
+}))
+
+import authController from './index'
+
+describe('auth controller', () => {
+    describe('getAllPermissions', () => {
+        it('should return 401 when req.user is undefined', async () => {
+            const req = {
+                params: { type: 'resolve' },
+                user: undefined
+            } as unknown as Request
+
+            const json = jest.fn()
+            const status = jest.fn().mockReturnValue({ json })
+            const res = { status } as unknown as Response
+            const next = jest.fn() as unknown as NextFunction
+
+            // Mock the running app with identity manager
+            mockGetRunningExpressApp.mockReturnValue({
+                identityManager: {
+                    getPermissions: () => ({ toJSON: () => ({}) }),
+                    getPlatformType: () => 'OPEN_SOURCE'
+                }
+            })
+
+            await authController.getAllPermissions(req, res, next)
+
+            expect(status).toHaveBeenCalledWith(401)
+            expect(json).toHaveBeenCalledWith({ error: 'Unauthorized Access' })
+            expect(next).not.toHaveBeenCalled()
+        })
+
+        it('should return permissions when req.user is present', async () => {
+            const req = {
+                params: { type: 'ROLE' },
+                user: {
+                    isOrganizationAdmin: true,
+                    permissions: [],
+                    features: {}
+                }
+            } as unknown as Request
+
+            const json = jest.fn()
+            const status = jest.fn().mockReturnValue({ json })
+            const res = { status } as unknown as Response
+            const next = jest.fn() as unknown as NextFunction
+
+            const mockPermissions = {
+                chatflows: [{ key: 'chatflows:read', value: 'Read Chatflows' }]
+            }
+
+            mockGetRunningExpressApp.mockReturnValue({
+                identityManager: {
+                    getPermissions: () => ({ toJSON: () => mockPermissions }),
+                    getPlatformType: () => 'OPEN_SOURCE'
+                }
+            })
+
+            await authController.getAllPermissions(req, res, next)
+
+            expect(status).toHaveBeenCalledWith(200)
+            expect(json).toHaveBeenCalledWith(mockPermissions)
+        })
+    })
+})
diff --git a/packages/server/src/enterprise/controllers/auth/index.ts b/packages/server/src/enterprise/controllers/auth/index.ts
@@ -9,7 +9,10 @@ const getAllPermissions = async (req: Request, res: Response, next: NextFunction
         const appServer = getRunningExpressApp()
         const type = req.params.type as string
         const allPermissions = appServer.identityManager.getPermissions().toJSON()
-        const user = req.user as LoggedInUser
+        const user = req.user as LoggedInUser | undefined
+        if (!user) {
+            return res.status(StatusCodes.UNAUTHORIZED).json({ error: 'Unauthorized Access' })
+        }
 
         let permissions: { [key: string]: { key: string; value: string }[] } = allPermissions
 
