From 0b1ec20c5c061c340db2e7feac2229d79d960296 Mon Sep 17 00:00:00 2001
From: Richard Hansen <rhansen@rhansen.org>
Date: Sat, 18 Dec 2021 16:54:23 -0500
Subject: [PATCH] express: Move `preAuthorize` middleware before
 express-session

---
 src/node/hooks/express.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 807127a01..1e2fc4481 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -201,11 +201,11 @@ exports.restartServer = async () => {
       secure: 'auto',
     },
   });
-  app.use(exports.sessionMiddleware);
 
-  app.use(cookieParser(settings.sessionKey, {}));
   // If webaccess.preAuthorize explicitly grants access, webaccess.checkAccess will skip all checks.
   app.use(webaccess.preAuthorize);
+  app.use(exports.sessionMiddleware);
+  app.use(cookieParser(settings.sessionKey, {}));
   app.use(webaccess.checkAccess);
 
   await Promise.all([