The POST /auth/test-session endpoint (auth.routes.js:249-272) stores the raw req.body.user object and an arbitrary mode string directly into the session without validating mode against an allowlist or sanitizing the user object. Any caller who can reach this endpoint (it is enabled when NODE_ENV !== 'production' or when ALLOW_TEST_SESSION_AUTH=true) can inject an arbitrary user identity and mode value into a real session.
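As an added example (not the project's own auth.routes.js code), a hardened version of the handler pattern described above: the endpoint gate is made explicit, mode is checked against an allowlist, and only known user fields are copied into the session. The allowlist values, the user field names and the Express-style req/res shape are assumptions.

```javascript
// Added example, not the project's code. Allowlists below are constructed.
const ALLOWED_MODES = new Set(['admin', 'customer', 'readonly']);
const USER_FIELDS = ['id', 'email', 'role']; // only these may reach the session

// Gate matching the condition described in the finding.
function testSessionEnabled(env) {
  return env.NODE_ENV !== 'production' || env.ALLOW_TEST_SESSION_AUTH === 'true';
}

// Validate and reduce the request body to exactly what the session may hold.
// Returns { ok: true, session } or { ok: false, error }.
function buildTestSession(body) {
  if (!body || typeof body !== 'object') return { ok: false, error: 'bad body' };
  const { mode, user } = body;
  if (typeof mode !== 'string' || !ALLOWED_MODES.has(mode)) {
    return { ok: false, error: 'mode not in allowlist' };
  }
  if (!user || typeof user !== 'object' || Array.isArray(user)) {
    return { ok: false, error: 'user must be an object' };
  }
  const safeUser = {};
  for (const key of USER_FIELDS) {
    if (user[key] === undefined) continue;
    if (typeof user[key] !== 'string' || user[key].length > 256) {
      return { ok: false, error: `invalid user.${key}` };
    }
    safeUser[key] = user[key];
  }
  if (!safeUser.id) return { ok: false, error: 'user.id required' };
  // Unexpected properties (isAdmin, __proto__, ...) were never copied,
  // so the raw object cannot smuggle extra state into the session.
  return { ok: true, session: { user: safeUser, mode, testSession: true } };
}

// Express-style handler (req/res shape assumed; runs without the framework).
function testSessionHandler(env) {
  return (req, res) => {
    if (!testSessionEnabled(env)) return res.status(404).end();
    const result = buildTestSession(req.body);
    if (!result.ok) return res.status(400).json({ error: result.error });
    Object.assign(req.session, result.session);
    return res.status(204).end();
  };
}
```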