jaredhanson / passport-http

HTTP Basic and Digest authentication strategies for Passport and Node.js.

Home Page: https://www.passportjs.org/packages/passport-http/?utm_source=github&utm_medium=referral&utm_campaign=passport-http&utm_content=about

User not logged out when trying to log in with incorrect password (BasicStrategy)

emilis opened this issue

Steps to reproduce:

  • have a route that requires BasicStrategy and uses session (e.g. /api/login),
  • have a second route (with no authenticate()) that outputs user information from request.user (from session), e.g. /api/me,
  • log in using the first route,
  • check that you get user information from the second route,
  • log in with an incorrect password using the first route,
  • you get a 401 / Unauthorized status,
  • check the second route: you still get user information from the second route.

Expected result:

  • User is logged out and one does not get user information from the second route.

I am not sure if this is a bug in BasicStrategy or a "feature" of Passport.js, but I think users should be forcefully logged out when trying to double-login with incorrect credentials.