Steps to reproduce:

1. Have a route that requires BasicStrategy and uses session (e.g. `/api/login`).
2. Have a second route (with no `authenticate()`) that outputs user information from `request.user` (from session), e.g. `/api/me`.
3. Log in using the first route.
4. Check that you get user information from the second route.
5. Log in with an incorrect password using the first route.
6. You get a 401 / Unauthorized status.
7. Check the second route: you still get user information from the second route.

Expected result:
User is logged out and one does not get user information from the second route.

I am not sure if this is a bug of BasicStrategy or a "feature" of Passport.js, but I think users should be forcefully logged out when trying to double-login with incorrect credentials.
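
One way to get the behaviour requested above, as an added example that is not part of the original issue or of Passport's own code: a login handler that uses Passport's custom-callback form of `authenticate()` and destroys the session when Basic authentication fails. `req.session.destroy()` assumes express-session; the function names and the stub request, response and Passport objects are constructed for illustration.

```javascript
// Added example: factory for a login handler that ends any existing session
// when Basic authentication fails. `passport` is injected so the block has no
// imports; req.session.destroy() assumes express-session.
function loginThatClearsSessionOnFailure(passport, strategy = 'basic') {
  return function login(req, res, next) {
    // Custom-callback form: Passport leaves the response to us.
    passport.authenticate(strategy, (err, user, challenge) => {
      if (err) return next(err);

      if (!user) {
        const reject = (destroyErr) => {
          if (destroyErr) return next(destroyErr);
          if (typeof challenge === 'string') {
            res.setHeader('WWW-Authenticate', challenge);
          }
          res.statusCode = 401;
          res.end('Unauthorized');
        };
        // Drop the server-side session so a later /api/me finds no user.
        return req.session ? req.session.destroy(reject) : reject();
      }

      // Success: establish the login session as authenticate() would have.
      req.logIn(user, (loginErr) => {
        if (loginErr) return next(loginErr);
        res.statusCode = 200;
        res.end('OK');
      });
    })(req, res, next);
  };
}

// Constructed stand-ins for Passport and an Express request/response.
function simulateLogin(passwordOk, existingUser) {
  const store = { user: existingUser };            // fake session store
  const req = {
    session: { destroy(cb) { store.user = null; cb(); } },
    logIn(user, cb) { store.user = user; cb(); },
  };
  const res = { headers: {}, statusCode: 0,
    setHeader(k, v) { this.headers[k] = v; }, end() {} };
  const fakePassport = {
    authenticate: (_name, cb) => () =>
      passwordOk ? cb(null, { name: 'alice' }) : cb(null, false, 'Basic realm="Users"'),
  };
  loginThatClearsSessionOnFailure(fakePassport)(req, res, () => {});
  return { status: res.statusCode, sessionUser: store.user, headers: res.headers };
}
```

Mounted on the login route in place of a bare `passport.authenticate('basic')`, this keeps the 401 and its challenge header while making the failed attempt end the earlier session.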