fix: make deviceVendor optional in session fingerprint validation

Sceat · Sceat · commit a6cb3438dfc8 · 2025-12-17T13:14:14.000+07:00
Desktop browsers don't have deviceVendor (only mobile devices with Apple, Samsung, etc).
This was causing ILLEGAL_SESSION errors for desktop browser logins.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@hydre/auth",
-  "version": "4.2.9",
+  "version": "4.2.10",
   "description": "A light graphql authentication server built on Redis",
   "type": "module",
   "scripts": {
diff --git a/src/session_gate.js b/src/session_gate.js
@@ -21,9 +21,10 @@ export async function create_or_update_session({
   publish = null,
   should_mark_logged_once = false,
 }) {
-  // Validate session fingerprint (must have BOTH device info - stronger security)
+  // Validate session fingerprint (browserName required, deviceVendor optional)
+  // Desktop browsers typically don't have deviceVendor (only mobile devices have vendor info)
   // Check for non-empty trimmed values to prevent empty string bypass
-  if (!session_data.browserName?.trim() || !session_data.deviceVendor?.trim()) {
+  if (!session_data.browserName?.trim()) {
     throw new GraphQLError(ERRORS.ILLEGAL_SESSION)
   }
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@hydre/auth",`
`3`		`- "version": "4.2.9",`
	`3`	`+ "version": "4.2.10",`
`4`	`4`	`"description": "A light graphql authentication server built on Redis",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"scripts": {`