The login handler should fetch the user by username and not rely on the req.user object. There are actually a couple of changes needed

• add a call to the user repository to fetch the user by username
• move the password check inside the if user condition, otherwise it might fail
• remove the userIdCheck middleware
• implement the same logic for the register handler