From 5a0bfafc0e8f390cca3afec3f5f37243b0c8bbb4 Mon Sep 17 00:00:00 2001
From: Francis Lessard
Date: Tue, 1 Mar 2016 15:43:00 -0500
Subject: [PATCH] Become on non existing user Fix bug where become return invalid session if the pointer to user doesn't exist
---
 spec/ParseUser.spec.js | 34 ++++++++++++++++++++++++++++++++++
 src/Routers/UsersRouter.js | 3 ++-
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
index 58c9e8f319..fbee8a2488 100644
--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -177,6 +177,40 @@ describe('Parse.User testing', () => {
 });
 });
 
+ it("become on non existing user", (done) => {
+ var user = null;
+ var sessionToken = null;
+ var userPointer = null;
+
+ Parse.Promise.as().then(function() {
+ return Parse.User.signUp("9090", "-----");
+
+ }).then(function(newUser) {
+ equal(Parse.User.current(), newUser);
+
+ user = newUser;
+ userPointer = user.toPointer();
+ sessionToken = newUser.getSessionToken();
+ ok(sessionToken);
+
+ var u = Parse.Object.fromJSON(userPointer);
+ return u.destroy({useMasterKey:true});
+
+ }).then(function() {
+ return Parse.User.become(sessionToken);
+ }).then((user) => {
+ ok(false, "Shouldn't have been able to log in with non existing user.");
+ }, function(error) {
+ ok(error);
+ return Parse.Promise.as();
+ }).then(function() {
+ done();
+ }, function(error) {
+ ok(false, error);
+ done();
+ });
+ });
+
 it("cannot save non-authed user", (done) => {
 var user = new Parse.User();
 user.set({
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
index 21dc80ba3f..2d2a947679 100644
--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
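Review bot: The rejection branch of the added spec `become on non existing user` in spec/ParseUser.spec.js accepts any error, because it only calls `ok(error)`, so a failure unrelated to the deleted user would also let the test pass. Asserting the code, for example `equal(error.code, Parse.Error.INVALID_SESSION_TOKEN);`, ties the test to the rejection that the UsersRouter.js change introduces. The `(user)` parameter of the success callback also shadows the outer `var user`; renaming or dropping the parameter would make the test easier to read.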
@@ -61,7 +61,8 @@ export class UsersRouter extends ClassesRouter {
 .then((response) => {
 if (!response.results ||
 response.results.length == 0 ||
- !response.results[0].user) {
+ !response.results[0].user ||
+ ( response.results[0].user.__type && response.results[0].user.__type === 'Pointer' )) {
 throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
 } else {
 let user = response.results[0].user;
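Review bot: The added `__type === 'Pointer'` test in the `.then((response) => …)` guard detects a deleted user only indirectly, and nothing in the hunk explains why a pointer-shaped `user` means the account is gone; presumably the session query's include, which is outside the hunk, leaves the bare pointer when the target row no longer exists. A comment such as `// user is still a bare Pointer: the include found no matching user, so the token is invalid` would record that assumption, and the condition can be shortened to `response.results[0].user.__type === 'Pointer'` because `user` is already known to be truthy at that point. The session record for the deleted user is still stored after this rejection, so it is worth confirming that other code paths which authenticate by session token apply the same check, or that sessions are removed when a user is destroyed. The enclosing handler begins and ends outside the hunk.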