microsoft / TypeScript-Node-Starter

A reference example for TypeScript and Node with a detailed README describing how to use the two together.


[Security] Session fixation and CSRF

zxti opened this issue · comments


It is important to reset the CSRF token when authenticating as a different user, see for instance https://security.stackexchange.com/a/22936/17247. I may be missing something, but it does not appear that this starter app resets the token accordingly.

Same thing with the session itself in general: on logout there is no resetting of the session. (I don't believe that passport's .logout() method does this for you.)
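The lifecycle the issue asks for, as an added illustration that is not code from TypeScript-Node-Starter, passport, express-session or lusca: a hypothetical in-memory `SessionStore` whose `login` discards the pre-authentication session and issues a fresh id and CSRF token, and whose `logout` destroys the session rather than only clearing the user. The `demo` walk-through checks that a session id and token present before login never carry over into the authenticated session.

```typescript
import { randomBytes } from "crypto";

// Hypothetical session model for illustration; a real app would delegate this to
// express-session (req.session.regenerate / destroy) and its CSRF middleware.
interface Session { user?: string; csrfToken: string }

export class SessionStore {
  private sessions = new Map<string, Session>();

  // Every visitor gets an anonymous session (and CSRF token) before authenticating.
  create(): string {
    const id = randomBytes(16).toString("hex");
    this.sessions.set(id, { csrfToken: randomBytes(16).toString("hex") });
    return id;
  }

  get(id: string): Session | undefined {
    return this.sessions.get(id);
  }

  // Login: drop the pre-auth session and issue a new id plus a new CSRF token, so an
  // id or token that existed before authentication never becomes an authenticated one.
  login(preAuthId: string, user: string): string {
    this.sessions.delete(preAuthId);
    const newId = this.create();
    this.sessions.get(newId)!.user = user;
    return newId;
  }

  // Logout: remove the server-side session entirely, not just unset `user`.
  logout(id: string): void {
    this.sessions.delete(id);
  }
}

// Run the sequence from the issue and report which properties hold.
export function demo() {
  const store = new SessionStore();
  const preAuthId = store.create();
  const preAuthToken = store.get(preAuthId)!.csrfToken;
  const authId = store.login(preAuthId, "alice");
  const result = {
    idRotated: authId !== preAuthId,
    preAuthIdInvalid: store.get(preAuthId) === undefined,
    csrfRotated: store.get(authId)!.csrfToken !== preAuthToken,
    user: store.get(authId)!.user,
  };
  store.logout(authId);
  return { ...result, sessionGoneAfterLogout: store.get(authId) === undefined };
}

console.log(demo());
```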