[release-11.6.10] auth: Protect from empty session token panic (#115732)

auth: Protect from empty session token panic (#115728)

* Protect from empty session token panic

* Rename returned error

(cherry picked from commit 4c79775b57)

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>

pkg/services/auth/auth.go

@@ -20,9 +20,10 @@ const (
 
 // Typed errors
 var (
-	ErrUserTokenNotFound       = errors.New("user token not found")
-	ErrInvalidSessionToken     = usertoken.ErrInvalidSessionToken
-	ErrExternalSessionNotFound = errors.New("external session not found")
+	ErrUserTokenNotFound            = errors.New("user token not found")
+	ErrInvalidSessionToken          = usertoken.ErrInvalidSessionToken
+	ErrExternalSessionNotFound      = errors.New("external session not found")
+	ErrExternalSessionTokenNotFound = errors.New("session token was nil")
 )
 
 type (

pkg/services/oauthtoken/oauth_token.go

@@ -648,6 +648,10 @@ func (o *Service) getExternalSession(ctx context.Context, usr identity.Requester
 		return externalSessions[0], nil
 	}
 
+	if sessionToken == nil {
+		return nil, auth.ErrExternalSessionTokenNotFound
+	}
+
 	// For regular users, we use the session token ID to fetch the external session
 	return o.sessionService.GetExternalSession(ctx, sessionToken.ExternalSessionId)
 }