Querying All Sessions Via REST API displays incorrect session tokens

[tomcooperandco]

Issue Description

We are finding that the REST API sessions GET request returns incorrect sessionToken for the numerous sessions associated with the user.

In all JSON objects, the sessionToken field is displayed as the same current sessionToken value.

Steps to reproduce

GET /sessions HTTP/1.1
Host: myapi.herokuapp.com
X-Parse-Application-Id: myapp
X-Parse-Session-Token: r:ea246c1fae8f5d6c152d2d9ec2168f68

returns the following JSON:

{
    "results": [
        {
            "objectId": "cxNm3d8EeS",
            "sessionToken": "r:ea246c1fae8f5d6c152d2d9ec2168f68",
            "user": {
                "__type": "Pointer",
                "className": "_User",
                "objectId": "lUOfchujyU"
            },
            "createdWith": {
                "action": "signup",
                "authProvider": "password"
            },
            "restricted": false,
            "installationId": "c0555fc0-9f50-d9c8-d499-6a413d4a6506",
            "expiresAt": {
                "__type": "Date",
                "iso": "2017-09-30T21:04:02.258Z"
            },
            "createdAt": "2017-07-30T21:04:02.258Z",
            "updatedAt": "2017-07-30T21:04:02.258Z"
        },
        {
            "objectId": "butKoFyNou",
            "sessionToken": "r:ea246c1fae8f5d6c152d2d9ec2168f68",
            "user": {
                "__type": "Pointer",
                "className": "_User",
                "objectId": "lUOfchujyU"
            },
            "createdWith": {
                "action": "login",
                "authProvider": "password"
            },
            "restricted": false,
            "expiresAt": {
                "__type": "Date",
                "iso": "2018-07-30T21:08:20.977Z"
            },
            "createdAt": "2017-07-30T21:08:20.978Z",
            "updatedAt": "2017-07-30T21:08:20.978Z"
        },
        {
            "objectId": "WqAN40t0r1",
            "sessionToken": "r:ea246c1fae8f5d6c152d2d9ec2168f68",
            "user": {
                "__type": "Pointer",
                "className": "_User",
                "objectId": "lUOfchujyU"
            },
            "createdWith": {
                "action": "login",
                "authProvider": "password"
            },
            "restricted": false,
            "expiresAt": {
                "__type": "Date",
                "iso": "2018-08-13T14:37:35.756Z"
            },
            "createdAt": "2017-08-13T14:37:35.757Z",
            "updatedAt": "2017-08-13T14:37:35.757Z"
        }
    ]
}

Expected Results

The session token in all but the top result is different on the database.

Environment Setup

• Server
  • parse-server version (Be specific! Don't say 'latest'.) : 2.6.5
  • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): Heroku

[flovilmart]

Thanks for reporting the issue, we’ll have a look. Do you want to try to fix he issue? That’s a good way to get started with the codebase and the solution should be trivial.

[tomcooperandco]

It's outside of my competency level, however my colleague @ian-dowhile might be able...

[montymxb]

@thomascoope I think I see the fix, I'll take care of this.

[montymxb]

Closing as #4332 is currently merged in and will be present in our next release. Thanks again for bringing this to our attention @thomascoope !