fix(auth): delete request.session if user is not logged in from auth0

app.js

@@ -18,7 +18,7 @@ if (!process.env.DISABLE_DATADOG) {
     hooks: {
       request: (span, req) => {
         // @ts-ignore ts(2339): Property 'session' does not exist on type 'IncomingMessage'. // it's added by a middleware
-        const userId = req.session?.whydUid;
+        const userId = req.session?.whydUid; // from legacy auth/session
         span.setTag('customer.id', userId);
       },
     },

app/controllers/admin/test.js

@@ -56,7 +56,7 @@ exports.controller = function (request, reqParams, response) {
       return response.renderText('test file not found: ' + reqParams.action);
     const p = {
       loggedUser: request.getUser(),
-      session: request.session,
+      session: request.session, // legacy auth/session
       cookie: 'whydSid=' + (request.getCookies() || {})['whydSid'], // legacy auth/session
     };
     const tests = testFile.makeTests(p);

app/controllers/api/login.js

@@ -43,7 +43,7 @@ exports.handleRequest = function (request, form, response, ignorePassword) {
   }
 
   function renderForm(form) {
-    delete request.session;
+    delete request.session; // legacy auth/session
     if (form.ajax) renderJSON(form);
     else response.renderHTML(loggingTemplate.renderLoginPage(form));
   }

app/controllers/private/register.js

@@ -170,6 +170,7 @@ exports.registerInvitedUser = function (request, user, response) {
     userModel.removeInvite(user.inviteCode);
 
     function loginAndRedirectTo(url) {
+      // legacy auth/session
       request.session = request.session || {};
       request.session.whydUid = storedUser.id || storedUser._id; // CREATING SESSION
       if (user.ajax) {

app/lib/auth0/features.js

@@ -35,15 +35,8 @@ exports.makeAuthFeatures = (env) => {
     getAuthenticatedUser(request) {
       const oidcUser = getAuthenticatedUser(request);
       if (!oidcUser) {
-        // @ts-ignore // session should be provided by 'express-session'
-        request.session?.destroy(function (err) {
-          if (err) {
-            console.error(
-              '[getAuthenticatedUser] error from request.session.destroy()',
-              err,
-            );
-          }
-        });
+        // @ts-ignore // introduced for legacy auth/session, still used for whydUid
+        delete request.session;
       }
       return oidcUser ? mapToOpenwhydUser(oidcUser) : null;
     },

app/lib/my-http-wrapper/http/Application.js

@@ -60,7 +60,7 @@ const makeBodyParser = (uploadSettings) =>
 const makeStatsUpdater = () =>
   function statsUpdater(req, res, next) {
     const startDate = new Date();
-    const userId = (req.session || {}).whydUid;
+    const userId = (req.session || {}).whydUid; // from legacy auth/session
     const userAgent = req.headers['user-agent'];
 
     if (userId) {