feat: introduce boolean res.locals flag to bypass session reroll (used by session-sharing)

The session reroll logic is still standard practice, but in some cases, it is not necessary or causes UX issues. An issue opened in session sharing (julianlam/nodebb-plugin-session-sharing#95) brought this to attention in that parsing the cookie to log in the user caused a reroll (as expected), but caused the session open on other tabs to be mismatched. If "re-validate" was turned on, it basically meant that it was not possible to use NodeBB with multiple tabs.

Session sharing now sets `reroll` to `false` if re-validate is enabled.

src/controllers/authentication.js

@@ -326,6 +326,9 @@ authenticationController.doLogin = async function (req, uid) {
 		return;
 	}
 	const loginAsync = util.promisify(req.login).bind(req);
+
+	const { reroll } = req.res.locals;
+	if (reroll !== false) {
 		const regenerateSession = util.promisify(req.session.regenerate).bind(req.session);
 
 		const sessionData = { ...req.session };
@@ -333,6 +336,7 @@ authenticationController.doLogin = async function (req, uid) {
 		for (const [prop, value] of Object.entries(sessionData)) {
 			req.session[prop] = value;
 		}
+	}
 
 	await loginAsync({ uid: uid });
 	await authenticationController.onSuccessfulLogin(req, uid);