Deleted projects now no longer throw a 500 ISE

N2D4 · N2D4 · commit a6a71d3c0957 · 2025-07-28T23:40:24.000-07:00
diff --git a/apps/backend/src/route-handlers/smart-request.tsx b/apps/backend/src/route-handlers/smart-request.tsx
@@ -245,6 +245,7 @@ const parseAuth = withTraceSpan('smart request parseAuth', async (req: NextReque
   };
   const queriesResults = await rawQueryAll(globalPrismaClient, bundledQueries);
   const project = await queriesResults.project;
+  if (project === null) throw new KnownErrors.CurrentProjectNotFound(projectId);  // this does allow one to probe whether a project exists or not, but that's fine
   const environmentConfig = await queriesResults.environmentRenderedConfig;
 
   // As explained above, as a performance optimization we already fetch the user from the global database optimistically
@@ -267,10 +268,6 @@ const parseAuth = withTraceSpan('smart request parseAuth', async (req: NextReque
   } else if (adminAccessToken) {
     // TODO put the assertion below into the bundled queries above (not so important because this path is quite rare)
     await extractUserFromAdminAccessToken({ token: adminAccessToken, projectId });  // assert that the admin token is valid
-    if (!project) {
-      // this happens if the project is still in the user's managedProjectIds, but has since been deleted
-      throw new KnownErrors.InvalidProjectForAdminAccessToken();
-    }
   } else {
     switch (requestType) {
       case "client": {
@@ -293,12 +290,6 @@ const parseAuth = withTraceSpan('smart request parseAuth', async (req: NextReque
       }
     }
   }
-
-  if (!project) {
-    // This happens when the JWT tokens are still valid, but the project has been deleted
-    // note that we do the check only here as we don't want to leak whether a project exists or not unless its keys have been shown to be valid
-    throw new KnownErrors.ProjectNotFound(projectId);
-  }
   if (!tenancy) {
     throw new KnownErrors.BranchDoesNotExist(branchId);
   }
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/projects.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/projects.test.ts
@@ -1,6 +1,6 @@
 import { isBase64Url } from "@stackframe/stack-shared/dist/utils/bytes";
 import { it } from "../../../../helpers";
-import { Auth, InternalProjectKeys, Project, backendContext, niceBackendFetch } from "../../../backend-helpers";
+import { Auth, InternalApiKey, InternalProjectKeys, Project, backendContext, niceBackendFetch } from "../../../backend-helpers";
 
 
 // TODO some of the tests here test /api/v1/projects/current, the others test /api/v1/internal/projects/current. We should split them into different test files
@@ -1231,6 +1231,109 @@ it("deletes a project with users, teams, and permissions", async ({ expect }) =>
       "headers": Headers { <some fields may have been hidden> },
     }
   `);
+
+  // make sure that the project no longer exists
+  const getProjectResponse = await niceBackendFetch(`/api/v1/projects/current`, {
+    accessType: "admin",
+    method: "GET",
+  });
+  expect(getProjectResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "CURRENT_PROJECT_NOT_FOUND",
+        "details": { "project_id": "<stripped UUID>" },
+        "error": "The current project with ID <stripped UUID> was not found. Please check the value of the x-stack-project-id header.",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "CURRENT_PROJECT_NOT_FOUND",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("does not allow accessing a current project that doesn't exist", async ({ expect }) => {
+  backendContext.set({
+    projectKeys: {
+      projectId: "does-not-exist",
+    },
+  });
+  const response = await niceBackendFetch(`/api/v1/projects/current`, {
+    accessType: "admin",
+    method: "GET",
+  });
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "CURRENT_PROJECT_NOT_FOUND",
+        "details": { "project_id": "does-not-exist" },
+        "error": "The current project with ID does-not-exist was not found. Please check the value of the x-stack-project-id header.",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "CURRENT_PROJECT_NOT_FOUND",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("does not allow accessing a project with the wrong API keys", async ({ expect }) => {
+  await Project.createAndSwitch();
+  await InternalApiKey.createAndSetProjectKeys();
+  backendContext.set({
+    projectKeys: {
+      projectId: (backendContext.value.projectKeys as any).projectId,
+      publishableClientKey: "fake publishable client key",
+      secretServerKey: "fake secret server key",
+      superSecretAdminKey: "fake admin key",
+    }
+  });
+  const response = await niceBackendFetch(`/api/v1/projects/current`, {
+    accessType: "admin",
+    method: "GET",
+  });
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 401,
+      "body": {
+        "code": "INVALID_SUPER_SECRET_ADMIN_KEY",
+        "details": { "project_id": "<stripped UUID>" },
+        "error": "The super secret admin key is not valid for the project \\"<stripped UUID>\\". Does the project and/or the key exist?",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "INVALID_SUPER_SECRET_ADMIN_KEY",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("does not allow accessing a project without a project ID header", async ({ expect }) => {
+  backendContext.set({ projectKeys: "no-project" });
+  const response = await niceBackendFetch(`/api/v1/projects/current`, {
+    accessType: "admin",
+    method: "GET",
+  });
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "ACCESS_TYPE_WITHOUT_PROJECT_ID",
+        "details": { "request_type": "admin" },
+        "error": deindent\`
+          The x-stack-access-type header was 'admin', but the x-stack-project-id header was not provided.
+          
+          For more information, see the docs on REST API authentication: https://docs.stack-auth.com/rest-api/overview#authentication
+        \`,
+      },
+      "headers": Headers {
+        "x-stack-known-error": "ACCESS_TYPE_WITHOUT_PROJECT_ID",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
 });
 
 it("makes sure user have the correct managed project ID after project creation", async ({ expect }) => {
@@ -1247,17 +1350,23 @@ it("makes sure user have the correct managed project ID after project creation",
   expect(projectIds[0]).toBe(projectId);
 });
 
-it("makes sure user don't have managed project ID after project deletion", async ({ expect }) => {
+it("removes a deleted project from a user's managed project IDs", async ({ expect }) => {
   backendContext.set({ projectKeys: InternalProjectKeys });
-  const { creatorUserId, adminAccessToken } = await Project.createAndGetAdminToken();
+  const { creatorUserId, adminAccessToken, projectId } = await Project.createAndGetAdminToken();
+
+  backendContext.set({ projectKeys: InternalProjectKeys });
+  const userResponse1 = await niceBackendFetch(`/api/v1/users/${creatorUserId}`, {
+    accessType: "server",
+    method: "GET",
+  });
+  const projectIds1 = userResponse1.body.server_metadata.managedProjectIds;
+  expect(projectIds1.length).toBe(1);
 
   // Delete the project
+  backendContext.set({ projectKeys: { projectId, adminAccessToken } });
   const deleteResponse = await niceBackendFetch(`/api/v1/internal/projects/current`, {
     accessType: "admin",
     method: "DELETE",
-    headers: {
-      'x-stack-admin-access-token': adminAccessToken,
-    }
   });
 
   expect(deleteResponse).toMatchInlineSnapshot(`
@@ -1270,12 +1379,12 @@ it("makes sure user don't have managed project ID after project deletion", async
 
   backendContext.set({ projectKeys: InternalProjectKeys });
 
-  const userResponse = await niceBackendFetch(`/api/v1/users/${creatorUserId}`, {
+  const userResponse2 = await niceBackendFetch(`/api/v1/users/${creatorUserId}`, {
     accessType: "server",
     method: "GET",
   });
-  const projectIds = userResponse.body.server_metadata.managedProjectIds;
-  expect(projectIds.length).toBe(0);
+  const projectIds2 = userResponse2.body.server_metadata.managedProjectIds;
+  expect(projectIds2.length).toBe(0);
 });
 
 it("makes sure other users are not affected by project deletion", async ({ expect }) => {
diff --git a/packages/stack-shared/src/known-errors.tsx b/packages/stack-shared/src/known-errors.tsx
@@ -663,6 +663,19 @@ const ProjectNotFound = createKnownErrorConstructor(
   (json: any) => [json.project_id] as const,
 );
 
+const CurrentProjectNotFound = createKnownErrorConstructor(
+  KnownError,
+  "CURRENT_PROJECT_NOT_FOUND",
+  (projectId: string) => [
+    400,
+    `The current project with ID ${projectId} was not found. Please check the value of the x-stack-project-id header.`,
+    {
+      project_id: projectId,
+    },
+  ] as const,
+  (json: any) => [json.project_id] as const,
+);
+
 const BranchDoesNotExist = createKnownErrorConstructor(
   KnownError,
   "BRANCH_DOES_NOT_EXIST",
@@ -1456,6 +1469,7 @@ export const KnownErrors = {
   ApiKeyNotFound,
   PublicApiKeyCannotBeRevoked,
   ProjectNotFound,
+  CurrentProjectNotFound,
   BranchDoesNotExist,
   SignUpNotEnabled,
   PasswordAuthenticationNotEnabled,
