feat: introduce boolean res.locals flag to bypass session reroll (used by session-sharing)

The session reroll logic is still standard practice, but in some cases, it is not necessary or causes UX issues. An issue opened in session sharing (julianlam/nodebb-plugin-session-sharing#95) brought this to attention in that parsing the cookie to log in the user caused a reroll (as expected), but caused the session open on other tabs to be mismatched. If "re-validate" was turned on, it basically meant that it was not possible to use NodeBB with multiple tabs. Session sharing now sets `reroll` to `false` if re-validate is enabled.
4 years ago · 816856b0c6
parent 6632b2b6c3
commit 816856b0c6
1 changed files with 9 additions and 5 deletions
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@ -326,12 +326,16 @@ authenticationController.doLogin = async function (req, uid) {
 		return;
 	}
 	const loginAsync = util.promisify(req.login).bind(req);
-	const regenerateSession = util.promisify(req.session.regenerate).bind(req.session);

-	const sessionData = { ...req.session };
-	await regenerateSession();
-	for (const [prop, value] of Object.entries(sessionData)) {
-		req.session[prop] = value;
+	const { reroll } = req.res.locals;
+	if (reroll !== false) {
+		const regenerateSession = util.promisify(req.session.regenerate).bind(req.session);
+
+		const sessionData = { ...req.session };
+		await regenerateSession();
+		for (const [prop, value] of Object.entries(sessionData)) {
+			req.session[prop] = value;
+		}
 	}

 	await loginAsync({ uid: uid });