From 69032e5301adf2002298f0056deb7087d8474bb7 Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Sat, 14 Jul 2012 08:51:39 -0700
Subject: [PATCH] wsapi.js: if the DB doesn't have a token, don't enforce
 equality

This honors the preceding comment about not gratuitously expiring
innocent sessions. Somehow this clause got lost as I was
merging/rebasing this function.
---
 lib/wsapi.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/wsapi.js b/lib/wsapi.js
index e0bb7145f..9d8f8d825 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -150,7 +150,7 @@ function checkExpiredSession(req, resp, next) {
     // since the server was updated to use lastPasswordResets. Allow the
     // session to pass, otherwise the server upgrade would gratuitously
     // expire innocent sessions.
-    if (token != req.session.lastPasswordReset) {
+    if (token && token != req.session.lastPasswordReset) {
       logger.warn("expired cookie (password changed since issued)");
       req.session.reset();
     }
-- 
GitLab