85cbcbf898
Original task: investigate why "sole admin leaving with an invalid successor returns 400 and does not leave" intermittently returned 401 instead of 400 in the API test suite. Root cause: express-session 1.19.0 wraps res.end and calls req.session.save() asynchronously. Its writetop() helper synchronously flushes headers (including Set-Cookie) and writes the body chunk before save completes, only deferring the final _end until after the store write. With Content-Length set, fetch sees the full body and resolves immediately, so the test's next request (POST /conversations/:id/leave) frequently arrived before connect-pg-simple finished inserting the session row in Postgres. requireAuth then read no session, express-session generated a brand-new sid, and the request was rejected with 401. This was reproduced ~50% of the time across 10 runs and confirmed via server-side logging showing the cookie sid not matching the freshly generated server sid (proving store.get returned nothing). Fix: Explicitly await req.session.save() in the /auth/login and /auth/register handlers after assigning req.session.userId. This guarantees the session is persisted in Postgres before the response is sent, eliminating the race for any client that immediately makes a follow-up authenticated request. Verification: Ran the API test suite 15 consecutive times after the fix; all 15 runs pass cleanly (15/15 tests). The full validation workflow also passes the api-server tests on the post-fix run. Files changed: - artifacts/api-server/src/routes/auth.ts (await session.save in /auth/login and /auth/register) - artifacts/api-server/src/middlewares/auth.ts (no behavior change; diagnostic logging added during debug was removed)