fix: #9397, trash the active session on account lockout, if there is one

src/controllers/authentication.js

@@ -397,6 +397,9 @@ authenticationController.onSuccessfulLogin = async function (req, uid) {
 	}
 };
 
+const destroyAsync = util.promisify((req, callback) => req.session.destroy(callback));
+const logoutAsync = util.promisify((req, callback) => req.logout(callback));
+
 authenticationController.localLogin = async function (req, username, password, next) {
 	if (!username) {
 		return next(new Error('[[error:invalid-username]]'));
@@ -431,10 +434,18 @@ authenticationController.localLogin = async function (req, username, password, n
 			return next(new Error('[[error:local-login-disabled]]'));
 		}
 
+		try {
 			const passwordMatch = await user.isPasswordCorrect(uid, password, req.ip);
 			if (!passwordMatch) {
 				return next(new Error('[[error:invalid-login-credentials]]'));
 			}
+		} catch (e) {
+			if (req.loggedIn) {
+				await logoutAsync(req);
+				await destroyAsync(req);
+			}
+			throw e;
+		}
 
 		next(null, userData, '[[success:authentication-successful]]');
 	} catch (err) {
@@ -442,9 +453,6 @@ authenticationController.localLogin = async function (req, username, password, n
 	}
 };
 
-const destroyAsync = util.promisify((req, callback) => req.session.destroy(callback));
-const logoutAsync = util.promisify((req, callback) => req.logout(callback));
-
 authenticationController.logout = async function (req, res, next) {
 	if (!req.loggedIn || !req.sessionID) {
 		res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
@@ -456,7 +464,6 @@ authenticationController.logout = async function (req, res, next) {
 	try {
 		await user.auth.revokeSession(sessionID, uid);
 		await logoutAsync(req);
-
 		await destroyAsync(req);
 		res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());