From 549ca1105622b5efb830a9085cf6fc5b804c1f98 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Thu, 1 Oct 2020 16:22:19 -0400
Subject: [PATCH] fix: bug where middlewares seemingly ran in parallel

---
 src/middleware/user.js | 33 +++++++++++++++------------------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/src/middleware/user.js b/src/middleware/user.js
index bba1db7904..8babf6007f 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -3,6 +3,7 @@
 const nconf = require('nconf');
 const winston = require('winston');
 const passport = require('passport');
+const util = require('util');
 
 const meta = require('../meta');
 const user = require('../user');
@@ -30,6 +31,8 @@ const passportAuthenticateAsync = function (req, res) {
 
 module.exports = function (middleware) {
 	async function authenticate(req, res) {
+		const loginAsync = util.promisify(req.login).bind(req);
+
 		if (req.loggedIn) {
 			return true;
 		} else if (req.headers.hasOwnProperty('authorization')) {
@@ -38,30 +41,24 @@ module.exports = function (middleware) {
 
 			// If the token received was a master token, a _uid must also be present for all calls
 			if (user.hasOwnProperty('uid')) {
-				req.login(user, async function (err) {
-					if (err) { throw new Error(err); }
-
-					await controllers.authentication.onSuccessfulLogin(req, user.uid);
-					req.uid = user.uid;
-					req.loggedIn = req.uid > 0;
-					return true;
-				});
+				await loginAsync(user);
+				await controllers.authentication.onSuccessfulLogin(req, user.uid);
+				req.uid = user.uid;
+				req.loggedIn = req.uid > 0;
+				return true;
 			} else if (user.hasOwnProperty('master') && user.master === true) {
 				if (req.body.hasOwnProperty('_uid') || req.query.hasOwnProperty('_uid')) {
 					user.uid = req.body._uid || req.query._uid;
 					delete user.master;
 
-					req.login(user, async function (err) {
-						if (err) { throw new Error(err); }
-
-						await controllers.authentication.onSuccessfulLogin(req, user.uid);
-						req.uid = user.uid;
-						req.loggedIn = req.uid > 0;
-						return true;
-					});
-				} else {
-					throw new Error('A master token was received without a corresponding `_uid` in the request body');
+					await loginAsync(user);
+					await controllers.authentication.onSuccessfulLogin(req, user.uid);
+					req.uid = user.uid;
+					req.loggedIn = req.uid > 0;
+					return true;
 				}
+
+				throw new Error('A master token was received without a corresponding `_uid` in the request body');
 			} else {
 				winston.warn('[api/authenticate] Unable to find user after verifying token');
 				return true;