diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js index 47a06ffe42..21b067f58e 100644 --- a/src/controllers/authentication.js +++ b/src/controllers/authentication.js @@ -397,6 +397,9 @@ authenticationController.onSuccessfulLogin = async function (req, uid) { } }; +const destroyAsync = util.promisify((req, callback) => req.session.destroy(callback)); +const logoutAsync = util.promisify((req, callback) => req.logout(callback)); + authenticationController.localLogin = async function (req, username, password, next) { if (!username) { return next(new Error('[[error:invalid-username]]')); @@ -431,9 +434,17 @@ authenticationController.localLogin = async function (req, username, password, n return next(new Error('[[error:local-login-disabled]]')); } - const passwordMatch = await user.isPasswordCorrect(uid, password, req.ip); - if (!passwordMatch) { - return next(new Error('[[error:invalid-login-credentials]]')); + try { + const passwordMatch = await user.isPasswordCorrect(uid, password, req.ip); + if (!passwordMatch) { + return next(new Error('[[error:invalid-login-credentials]]')); + } + } catch (e) { + if (req.loggedIn) { + await logoutAsync(req); + await destroyAsync(req); + } + throw e; } next(null, userData, '[[success:authentication-successful]]'); @@ -442,9 +453,6 @@ authenticationController.localLogin = async function (req, username, password, n } }; -const destroyAsync = util.promisify((req, callback) => req.session.destroy(callback)); -const logoutAsync = util.promisify((req, callback) => req.logout(callback)); - authenticationController.logout = async function (req, res, next) { if (!req.loggedIn || !req.sessionID) { res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get()); @@ -456,7 +464,6 @@ authenticationController.logout = async function (req, res, next) { try { await user.auth.revokeSession(sessionID, uid); await logoutAsync(req); - await destroyAsync(req); res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());