User not logged-out when trying to log-in with incorrect password (BasicStrategy)
emilis opened this issue · 0 comments
emilis commented
Steps to reproduce:

- have a route that requires BasicStrategy and uses session (e.g. `/api/login`),
- have a second route (with no `authenticate()`) that outputs user information from `request.user` (from session), e.g. `/api/me`,
- log in using the first route,
- check that you get user information from the second route,
- log in with incorrect password using the first route,
- you get a 401 / Unauthorized status,
- check the second route: you still get user information from the second route.

Expected result:

- User is logged out and one does not get user information from the second route.
I am not sure if this is a bug of BasicStrategy or a "feature" of Passport.js, but I think users should be forcefully logged out when trying to double-login with incorrect credentials.