Steps to reproduce:
- have a route that requires BasicStrategy and uses session (e.g. /api/login),
- have a second route (with no authenticate()) that outputs user information from request.user (from session), e.g. /api/me,
- log in using the first route,
- check that you get user information from the second route,
- log in with an incorrect password using the first route,
- you get a 401 / Unauthorized status,
- check the second route: you still get user information from the second route.
Expected result:
- User is logged out and one does not get user information from the second route.
I am not sure if this is a bug of BasicStrategy or a "feature" of Passport.js, but I think users should be forcefully logged out when trying to double-login with incorrect credentials.