fix: response hook logic

After some more thought, a response hook should be checking for
whether headers are sent, and executing (or not executing) the
default logic in that case.

Before, we were relying on hooks to call data.next() to continue
execution, but it makes more sense to have the listener either
send a response or not, and handle the behaviour afterwards.

src/middleware/user.js

@@ -16,31 +16,26 @@ const controllers = {
 };
 
 module.exports = function (middleware) {
-	function authenticate(req, res, next, callback) {
+	async function authenticate(req, res, next, callback) {
 		if (req.loggedIn) {
 			return next();
 		}
-		if (plugins.hasListeners('response:middleware.authenticate')) {
-			return plugins.fireHook('response:middleware.authenticate', {
-				req: req,
-				res: res,
-				next: function (err) {
-					if (err) {
-						return next(err);
-					}
-
-					auth.setAuthVars(req, res, function () {
-						if (req.loggedIn && req.user && req.user.uid) {
-							return next();
-						}
-
-						callback();
-					});
-				},
+
+		await plugins.fireHook('response:middleware.authenticate', {
+			req: req,
+			res: res,
+			next: function () {},	// no-op for backwards compatibility
+		});
+
+		if (!res.headersSent) {
+			auth.setAuthVars(req, res, function () {
+				if (req.loggedIn && req.user && req.user.uid) {
+					return next();
+				}
+
+				callback();
 			});
 		}
-
-		callback();
 	}
 
 	middleware.authenticate = function middlewareAuthenticate(req, res, next) {