fix: move database call used to associate a NodeBB session UUID to its express session id into user.auth.addSession, which is the only time it is called

src/controllers/authentication.js

@@ -379,15 +379,12 @@ authenticationController.onSuccessfulLogin = async function (req, uid) {
 			new Promise((resolve) => {
 				req.session.save(resolve);
 			}),
-			user.auth.addSession(uid, req.sessionID),
+			user.auth.addSession(uid, req.sessionID, uuid),
 			user.updateLastOnlineTime(uid),
 			user.onUserOnline(uid, Date.now()),
 			analytics.increment('logins'),
 			db.incrObjectFieldBy('global', 'loginCount', 1),
 		]);
-		if (uid > 0) {
-			await db.setObjectField(`uid:${uid}:sessionUUID:sessionId`, uuid, req.sessionID);
-		}
 
 		// Force session check for all connected socket.io clients with the same session id
 		sockets.in(`sess_${req.sessionID}`).emit('checkSession', uid);

src/user/auth.js

@@ -106,12 +106,15 @@ module.exports = function (User) {
 		await db.sortedSetRemove(`uid:${uid}:sessions`, expiredSids);
 	}
 
-	User.auth.addSession = async function (uid, sessionId) {
+	User.auth.addSession = async function (uid, sessionId, uuid) {
 		if (!(parseInt(uid, 10) > 0)) {
 			return;
 		}
 		await cleanExpiredSessions(uid);
-		await db.sortedSetAdd(`uid:${uid}:sessions`, Date.now(), sessionId);
+		await Promise.all([
+			db.sortedSetAdd(`uid:${uid}:sessions`, Date.now(), sessionId),
+			db.setObjectField(`uid:${uid}:sessionUUID:sessionId`, uuid, sessionId),
+		]);
 		await revokeSessionsAboveThreshold(uid, meta.config.maxUserSessions);
 	};