Steps to reproduce:
1. have a route that requires BasicStrategy and uses session (e.g. /api/login),
2. have a second route (with no authenticate()) that outputs user information from request.user (from session), e.g. /api/me.
3. log in using the first route
4. check that you get user information from the second route
5. log in with incorrect password using the first route
6. you get a 401 / Unauthorized status
7. check the second route: you still get user information from the second route.

Expected result:
User is logged out and one does not get user information from the second route.

I am not sure if this is a bug of BasicStrategy or a "feature" of Passport.js, but I think users should be forcefully logged out when trying to double-login with incorrect credentials.