From 816856b0c6d9f93f0b67ca14c0b6aeda7eff8cab Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 4 Jun 2021 11:34:49 -0400
Subject: [PATCH] feat: introduce boolean res.locals flag to bypass session reroll (used by session-sharing) The session reroll logic is still standard practice, but in some cases, it is not necessary or causes UX issues. An issue opened in session sharing (julianlam/nodebb-plugin-session-sharing#95) brought this to attention in that parsing the cookie to log in the user caused a reroll (as expected), but caused the session open on other tabs to be mismatched. If "re-validate" was turned on, it basically meant that it was not possible to use NodeBB with multiple tabs. Session sharing now sets `reroll` to `false` if re-validate is enabled.
---
 src/controllers/authentication.js | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index 54415ee928..aabbcea44e 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -326,12 +326,16 @@ authenticationController.doLogin = async function (req, uid) {
 return;
 }
 const loginAsync = util.promisify(req.login).bind(req);
- const regenerateSession = util.promisify(req.session.regenerate).bind(req.session);
- const sessionData = { ...req.session };
- await regenerateSession();
- for (const [prop, value] of Object.entries(sessionData)) {
- req.session[prop] = value;
+ const { reroll } = req.res.locals;
+ if (reroll !== false) {
+ const regenerateSession = util.promisify(req.session.regenerate).bind(req.session);
+
+ const sessionData = { ...req.session };
+ await regenerateSession();
+ for (const [prop, value] of Object.entries(sessionData)) {
+ req.session[prop] = value;
+ }
 }
 await loginAsync({ uid: uid });
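Review bot: When `res.locals.reroll === false`, the new guard skips `req.session.regenerate()` and the pre-login session id survives the privilege change at `loginAsync`, which is the condition regeneration exists to prevent (session fixation); nothing at the `const { reroll } = req.res.locals;` line records that trade-off. The strict `!== false` test is a sound fail-safe default, but any middleware or plugin that can write `res.locals` can now switch the protection off, so the flag deserves a comment such as `// reroll === false skips the anti-fixation session regeneration; set it only when the request was already authenticated by other means`. It would also help detection to log when the bypass branch is taken, if a logger is in scope in this file (not visible in the hunk). `doLogin` begins before and continues past the hunk.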