From 0fccbb5fa2d2fb6723dcb898f25e53ee83403799 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 21:17:28 +0000
Subject: [PATCH 1/4] fix: handle race condition in
 recordExternalDbSyncDeletion

When concurrent operations delete the same row (e.g., password change
bulk-deletes all tokens while a concurrent sign-out tries to record
deletion of the same token), the INSERT...SELECT in
recordExternalDbSyncDeletion finds 0 rows.

Previously this threw a StackAssertionError. Now:
- insertedCount === 0: log via captureError (race condition, not a bug)
- insertedCount > 1: still throws (data integrity issue)

Affected entity types:
- ProjectUserRefreshToken
- VerificationCode_TEAM_INVITATION

Co-Authored-By: Konstantin Wohlwend <n2d4xc@gmail.com>
---
 apps/backend/src/lib/external-db-sync.ts      | 12 ++-
 .../v1/auth/sessions/current/index.test.ts    | 85 ++++++++++++++++++-
 2 files changed, 94 insertions(+), 3 deletions(-)

diff --git a/apps/backend/src/lib/external-db-sync.ts b/apps/backend/src/lib/external-db-sync.ts
index d638911a86..4142e68d6b 100644
--- a/apps/backend/src/lib/external-db-sync.ts
+++ b/apps/backend/src/lib/external-db-sync.ts
@@ -411,7 +411,11 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount !== 1) {
+    if (insertedCount === 0) {
+      captureError("external-db-sync-deletion-race", new StackAssertionError(
+        `Expected to insert 1 DeletedRow entry for ProjectUserRefreshToken, got 0. This is likely a race condition where the row was already deleted by a concurrent operation.`
+      ));
+    } else if (insertedCount !== 1) {
       throw new StackAssertionError(
         `Expected to insert 1 DeletedRow entry for ProjectUserRefreshToken, got ${insertedCount}.`
       );
@@ -487,7 +491,11 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE OF "VerificationCode"
     `);
 
-    if (insertedCount !== 1) {
+    if (insertedCount === 0) {
+      captureError("external-db-sync-deletion-race", new StackAssertionError(
+        `Expected to insert 1 DeletedRow entry for VerificationCode_TEAM_INVITATION, got 0. This is likely a race condition where the row was already deleted by a concurrent operation.`
+      ));
+    } else if (insertedCount !== 1) {
       throw new StackAssertionError(
         `Expected to insert 1 DeletedRow entry for VerificationCode_TEAM_INVITATION, got ${insertedCount}.`
       );
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/index.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/index.test.ts
index 4d38c50046..cbf0c1b5cc 100644
--- a/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/index.test.ts
+++ b/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/index.test.ts
@@ -1,5 +1,88 @@
 import { it } from "../../../../../../../helpers";
-import { Auth, niceBackendFetch } from "../../../../../../backend-helpers";
+import { Auth, backendContext, niceBackendFetch } from "../../../../../../backend-helpers";
+
+it("should not crash when signing out a session that was already deleted by a bulk operation", async ({ expect }) => {
+  // Reproduce: sign up, then admin-delete all refresh tokens (simulating a
+  // concurrent password change), then attempt sign-out with the stale access token.
+  // Before fix: 500 assertion error in recordExternalDbSyncDeletion.
+  // After fix: 401 REFRESH_TOKEN_NOT_FOUND_OR_EXPIRED.
+  const signUpRes = await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+  const savedAuth = backendContext.value.userAuth;
+
+  // Admin updates the user's password, which bulk-deletes all refresh tokens
+  await niceBackendFetch(`/api/v1/users/${signUpRes.userId}`, {
+    accessType: "admin",
+    method: "PATCH",
+    body: { password: "completely-new-password-12345" },
+  });
+
+  // Try to sign out using the original access token (which still references the
+  // now-deleted refresh token). This should NOT throw a 500 assertion error.
+  const response = await niceBackendFetch("/api/v1/auth/sessions/current", {
+    method: "DELETE",
+    accessType: "client",
+    userAuth: savedAuth,
+  });
+  expect(response.status).not.toBe(500);
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 401,
+      "body": {
+        "code": "REFRESH_TOKEN_NOT_FOUND_OR_EXPIRED",
+        "error": "Refresh token not found for this project, or the session has expired/been revoked.",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "REFRESH_TOKEN_NOT_FOUND_OR_EXPIRED",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("should not crash when deleting a session that was already deleted by a bulk operation", async ({ expect }) => {
+  // Same race condition but via the sessions CRUD DELETE endpoint
+  const signUpRes = await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+
+  // Create a second session
+  const newSessionRes = await niceBackendFetch("/api/v1/auth/sessions", {
+    accessType: "server",
+    method: "POST",
+    body: { user_id: signUpRes.userId },
+  });
+  expect(newSessionRes.status).toBe(200);
+
+  // List sessions to get the second session's ID
+  const listRes = await niceBackendFetch("/api/v1/auth/sessions", {
+    accessType: "client",
+    method: "GET",
+    query: { user_id: signUpRes.userId },
+  });
+  expect(listRes.status).toBe(200);
+  const nonCurrentSession = listRes.body.items.find((s: any) => !s.is_current_session);
+  expect(nonCurrentSession).toBeDefined();
+
+  // Admin-update user password → bulk-deletes all refresh tokens
+  await niceBackendFetch(`/api/v1/users/${signUpRes.userId}`, {
+    accessType: "admin",
+    method: "PATCH",
+    body: { password: "another-new-password-12345" },
+  });
+
+  // Try to delete the (now-deleted) session via CRUD endpoint
+  const deleteRes = await niceBackendFetch(`/api/v1/auth/sessions/${nonCurrentSession.id}`, {
+    accessType: "client",
+    method: "DELETE",
+    query: { user_id: signUpRes.userId },
+  });
+  expect(deleteRes.status).not.toBe(500);
+  expect(deleteRes).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 404,
+      "body": "Session not found.",
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
 
 it("should sign out users", async ({ expect }) => {
   await Auth.Password.signUpWithEmail();

From 75429031319e810bfe29bdc5d2c1ef3fa789614e Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 21:32:54 +0000
Subject: [PATCH 2/4] fix: handle null userAuth type in test

Co-Authored-By: Konstantin Wohlwend <n2d4xc@gmail.com>
---
 .../endpoints/api/v1/auth/sessions/current/index.test.ts        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/index.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/index.test.ts
index cbf0c1b5cc..7d5391db5b 100644
--- a/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/index.test.ts
+++ b/apps/e2e/tests/backend/endpoints/api/v1/auth/sessions/current/index.test.ts
@@ -7,7 +7,7 @@ it("should not crash when signing out a session that was already deleted by a bu
   // Before fix: 500 assertion error in recordExternalDbSyncDeletion.
   // After fix: 401 REFRESH_TOKEN_NOT_FOUND_OR_EXPIRED.
   const signUpRes = await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
-  const savedAuth = backendContext.value.userAuth;
+  const savedAuth = backendContext.value.userAuth ?? undefined;
 
   // Admin updates the user's password, which bulk-deletes all refresh tokens
   await niceBackendFetch(`/api/v1/users/${signUpRes.userId}`, {

From 476bba833d1cc76611f53f76368870556c2ccbdc Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 22:37:25 +0000
Subject: [PATCH 3/4] simplify: remove captureError for insertedCount === 0,
 just silently return

Co-Authored-By: Konstantin Wohlwend <n2d4xc@gmail.com>
---
 apps/backend/src/lib/external-db-sync.ts | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/apps/backend/src/lib/external-db-sync.ts b/apps/backend/src/lib/external-db-sync.ts
index 4142e68d6b..e2cd54a256 100644
--- a/apps/backend/src/lib/external-db-sync.ts
+++ b/apps/backend/src/lib/external-db-sync.ts
@@ -411,13 +411,9 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount === 0) {
-      captureError("external-db-sync-deletion-race", new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for ProjectUserRefreshToken, got 0. This is likely a race condition where the row was already deleted by a concurrent operation.`
-      ));
-    } else if (insertedCount !== 1) {
+    if (insertedCount > 1) {
       throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for ProjectUserRefreshToken, got ${insertedCount}.`
+        `Expected to insert at most 1 DeletedRow entry for ProjectUserRefreshToken, got ${insertedCount}.`
       );
     }
     return;
@@ -491,13 +487,9 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE OF "VerificationCode"
     `);
 
-    if (insertedCount === 0) {
-      captureError("external-db-sync-deletion-race", new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for VerificationCode_TEAM_INVITATION, got 0. This is likely a race condition where the row was already deleted by a concurrent operation.`
-      ));
-    } else if (insertedCount !== 1) {
+    if (insertedCount > 1) {
       throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for VerificationCode_TEAM_INVITATION, got ${insertedCount}.`
+        `Expected to insert at most 1 DeletedRow entry for VerificationCode_TEAM_INVITATION, got ${insertedCount}.`
       );
     }
     return;

From acfb73f6100c49efcc72448f8c5f344379084177 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 23:42:41 +0000
Subject: [PATCH 4/4] remove all insertedCount assertions in
 recordExternalDbSyncDeletion

The INSERT...SELECT queries filter by primary key so insertedCount can
only be 0 (race condition - concurrent bulk delete already handled it)
or 1. Neither case warrants an assertion.

Co-Authored-By: Konstantin Wohlwend <n2d4xc@gmail.com>
---
 apps/backend/src/lib/external-db-sync.ts | 70 ++++--------------------
 1 file changed, 10 insertions(+), 60 deletions(-)

diff --git a/apps/backend/src/lib/external-db-sync.ts b/apps/backend/src/lib/external-db-sync.ts
index e2cd54a256..20af7b5e46 100644
--- a/apps/backend/src/lib/external-db-sync.ts
+++ b/apps/backend/src/lib/external-db-sync.ts
@@ -126,7 +126,7 @@ export async function recordExternalDbSyncDeletion(
 
   if (target.tableName === "ProjectUser") {
     assertUuid(target.projectUserId, "projectUserId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -150,18 +150,13 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount !== 1) {
-      throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for ProjectUser, got ${insertedCount}.`
-      );
-    }
     return;
   }
 
   if (target.tableName === "ContactChannel") {
     assertUuid(target.projectUserId, "projectUserId");
     assertUuid(target.contactChannelId, "contactChannelId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -193,17 +188,12 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount !== 1) {
-      throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for ContactChannel, got ${insertedCount}.`
-      );
-    }
     return;
   }
 
   if (target.tableName === "Team") {
     assertUuid(target.teamId, "teamId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -227,18 +217,13 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount !== 1) {
-      throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for Team, got ${insertedCount}.`
-      );
-    }
     return;
   }
 
   if (target.tableName === "TeamMember") {
     assertUuid(target.projectUserId, "projectUserId");
     assertUuid(target.teamId, "teamId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -263,17 +248,12 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount !== 1) {
-      throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for TeamMember, got ${insertedCount}.`
-      );
-    }
     return;
   }
 
   if (target.tableName === "TeamMemberDirectPermission") {
     assertUuid(target.permissionDbId, "permissionDbId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -302,17 +282,12 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount !== 1) {
-      throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for TeamMemberDirectPermission, got ${insertedCount}.`
-      );
-    }
     return;
   }
 
   if (target.tableName === "ProjectUserDirectPermission") {
     assertUuid(target.permissionDbId, "permissionDbId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -340,17 +315,12 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount !== 1) {
-      throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for ProjectUserDirectPermission, got ${insertedCount}.`
-      );
-    }
     return;
   }
 
   if (target.tableName === "UserNotificationPreference") {
     assertUuid(target.notificationPreferenceId, "notificationPreferenceId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -377,17 +347,12 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount !== 1) {
-      throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for UserNotificationPreference, got ${insertedCount}.`
-      );
-    }
     return;
   }
 
   if (target.tableName === "ProjectUserRefreshToken") {
     assertUuid(target.refreshTokenId, "refreshTokenId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -411,17 +376,12 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount > 1) {
-      throw new StackAssertionError(
-        `Expected to insert at most 1 DeletedRow entry for ProjectUserRefreshToken, got ${insertedCount}.`
-      );
-    }
     return;
   }
 
   if (target.tableName === "ProjectUserOAuthAccount") {
     assertUuid(target.oauthAccountId, "oauthAccountId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -445,11 +405,6 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE
     `);
 
-    if (insertedCount !== 1) {
-      throw new StackAssertionError(
-        `Expected to insert 1 DeletedRow entry for ProjectUserOAuthAccount, got ${insertedCount}.`
-      );
-    }
     return;
   }
 
@@ -458,7 +413,7 @@ export async function recordExternalDbSyncDeletion(
     assertNonEmptyString(target.verificationCodeProjectId, "verificationCodeProjectId");
     assertNonEmptyString(target.verificationCodeBranchId, "verificationCodeBranchId");
     assertUuid(target.verificationCodeId, "verificationCodeId");
-    const insertedCount = await tx.$executeRaw(Prisma.sql`
+    await tx.$executeRaw(Prisma.sql`
       INSERT INTO "DeletedRow" (
         "id",
         "tenancyId",
@@ -487,11 +442,6 @@ export async function recordExternalDbSyncDeletion(
       FOR UPDATE OF "VerificationCode"
     `);
 
-    if (insertedCount > 1) {
-      throw new StackAssertionError(
-        `Expected to insert at most 1 DeletedRow entry for VerificationCode_TEAM_INVITATION, got ${insertedCount}.`
-      );
-    }
     return;
   }
 }