jaredhanson / passport-totp

TOTP authentication strategy for Passport and Node.js.
MIT License
152 stars, 47 forks

req.session.secondFactor is not being cleared at logout. Help! #2

Open dstroot opened 10 years ago

dstroot commented 10 years ago

How to see the issue:

Log in as bob using "bob, secret", click on account, set up two-factor and then click account again to prompt for the OTP, enter that and view bob's account. Now log out.

Now sign in as "joe, birthday" and click on "account". Boom! You are in with no two-factor setup because req.session.secondFactor is set to "totp" already! ???

I instrumented the logout step and I can see that the session does not seem to be going away after req.logout():

app.get('/logout', function (req, res) {
  // Session-wide second-factor flag set by the example app after a valid OTP
  console.log('Second Factor: ' + req.session.secondFactor);
  // Passport's logout only clears its own req.session.passport object
  req.logout();
  // The flag is still there: the next user on this session inherits it
  console.log('Second Factor: ' + req.session.secondFactor);
  res.redirect('/');
});

Gives:

Second Factor: totp
Second Factor: totp

dstroot commented 10 years ago

OK - so I am looking at the whole session and it looks like this:

Before logout():

Session: {"cookie":{"originalMaxAge":null,"expires":null,"httpOnly":true,"path":"/"},"passport":{"user":1},"flash":{},"secondFactor":"totp"}

After logout():

Session: {"cookie":{"originalMaxAge":null,"expires":null,"httpOnly":true,"path":"/"},"passport":{},"flash":{},"secondFactor":"totp"}

I can see that passport is clearing the passport object so I guess the example should put the second factor there?

dstroot commented 10 years ago

I moved the secondFactor into the passport object and also augmented the logout process:

  // Augment Logout to handle second factor
  delete req.session.passport.secondFactor;
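The cross-user bypass described in this thread, and the two fixes a practitioner would combine, as an added example that is not code from the passport-totp issue or repository. It models the session with plain objects so it runs without Express or Passport. Assumptions, taken from the session dumps above: the session is an object with a passport key holding {user: id}, req.logout() empties only session.passport, and the example app stores the flag as session.secondFactor. The function names and the joe/bob scenario are constructed for illustration.

```javascript
// Added example, not code from the passport-totp issue or repository. It models
// the bug reported above with plain objects so it runs without Express or
// Passport. Assumptions (from the session dumps in the thread): the session is
// an object with a "passport" key holding {user: id}, req.logout() empties only
// session.passport, and the example app stores the flag as session.secondFactor.

// Mirrors what the thread observed about req.logout(): only Passport's own
// namespace is cleared; every other key survives.
function passportLogout(session) {
  session.passport = {};
}

// The pattern from the original example app: a session-wide string flag.
function setSecondFactorFlag(session) {
  session.secondFactor = 'totp';
}
function secondFactorOkBuggy(session) {
  return session.secondFactor === 'totp';
}

// Hardened: record which user completed the second factor. A flag left behind
// by user 1 can then never satisfy the check for user 2 on the same session.
function setSecondFactorBound(session) {
  const userId = session.passport && session.passport.user;
  if (userId === undefined) throw new Error('second factor set without a logged-in user');
  session.secondFactor = { method: 'totp', user: userId };
}
function secondFactorOkBound(session) {
  const sf = session.secondFactor;
  const userId = session.passport && session.passport.user;
  return userId !== undefined && sf !== undefined &&
    sf.method === 'totp' && sf.user === userId;
}

// Hardened logout: throw the whole session state away rather than deleting
// keys one by one. With express-session this is req.session.destroy(cb) or
// req.session.regenerate(cb); here the object is emptied in place.
function fullLogout(session) {
  for (const key of Object.keys(session)) {
    if (key !== 'cookie') delete session[key];
  }
  session.passport = {};
}

// Replays the thread's steps: bob (user 1) logs in and passes TOTP, logs out,
// then joe (user 2), who never enrolled, logs in on the same session cookie.
// Returns whether joe is treated as having passed the second factor.
function joePassesSecondFactor({ bindToUser = false, destroyOnLogout = false } = {}) {
  const session = {
    cookie: { originalMaxAge: null, expires: null, httpOnly: true, path: '/' },
    passport: {},
    flash: {},
  };
  session.passport.user = 1;                                          // bob logs in
  (bindToUser ? setSecondFactorBound : setSecondFactorFlag)(session); // bob enters a valid TOTP
  (destroyOnLogout ? fullLogout : passportLogout)(session);           // bob logs out
  session.passport.user = 2;                                          // joe logs in, no TOTP enrolled
  return (bindToUser ? secondFactorOkBound : secondFactorOkBuggy)(session);
}

// Constructed scenarios: the first reproduces the bypass, the others close it.
console.log('flag + passport-only logout:', joePassesSecondFactor());
console.log('flag bound to user id      :', joePassesSecondFactor({ bindToUser: true }));
console.log('session destroyed on logout:', joePassesSecondFactor({ destroyOnLogout: true }));
console.log('both                       :', joePassesSecondFactor({ bindToUser: true, destroyOnLogout: true }));
```

Either fix alone closes the reported path, but they guard different things: destroying the session on logout also removes any other per-user state (flash messages, CSRF tokens, pending flows) that req.logout() leaves behind, while binding the second-factor record to the user id protects the check even when a logout handler is skipped or a session is reused some other way.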