Fixes issue #4150: Session management

[flovilmart]

No description provided.

[codecov]

Codecov Report

Merging #4152 into master will increase coverage by 0.04%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #4152      +/-   ##
==========================================
+ Coverage   92.13%   92.17%   +0.04%     
==========================================
  Files         116      116              
  Lines        8044     8051       +7     
==========================================
+ Hits         7411     7421      +10     
+ Misses        633      630       -3

Impacted Files	Coverage Δ
src/RestWrite.js	93.16% <100%> (+0.46%)	⬆️
src/Push/PushWorker.js	95.08% <0%> (+1.63%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ba0a51d...5cc266b. Read the comment docs.

[miguel-s]

Hi @flovilmart

We have been testing this fix on our own server and have found two things:

1. it successfully blocks updating of sessions (with PUT)
2. it does not prevent creating new sessions with a different user object (with POST). As far as we can see the user pointer saved in sessionData gets accidentally overwritten with the user pointer in the request data in the for-loop on line 673. To fix this issue we have added the user key to the if condition on line 674 like this if (key === 'objectId' || key === 'user').

With your fix and this change we are unable to reproduce issue #4150.

[flovilmart]

@miguel-s thanks for debunking it, do you wanna make a PR on my PR with the additional tests so we can merge it?

[flovilmart]

Thanks @miguel-s , I'll let @acinader give the final review OK :)

[flovilmart]

@natanrolnik , can you have a look?

[acinader]

you don't need the catch after the done since you catch up a level....

[flovilmart]

right it was just to be safe, I can remove.