
fix: preserve multi-instance session data on login/logout with tests …#1394

Open
Tony133 wants to merge 2 commits into main from fix/session-persistence-multi-instance-and-type-safe-test


@Tony133 Tony133 commented Apr 7, 2026

Proposal:

When using multiple Authenticator instances with clearSessionOnLogin: false, logging in or out with one instance would inadvertently destroy the session data of other instances.

This happened because request.session.regenerate() was called without arguments in both logIn and logOut, which wipes the entire session — including passport keys belonging to other instances (e.g. passport-a being lost when logging in via passport-b).

Changes Made:

  • In SecureSessionManager:

    • logIn: the else branch (triggered when clearSessionOnLogin: false) called request.session.regenerate() with no arguments, destroying all existing session data.

    • logOut: similarly called request.session.regenerate() unconditionally, logging out all instances instead of just the current one.

    • When clearSessionOnLogin is false, instead of calling regenerate() blindly:

      • Read the existing session data via (request.session as any).data?.() before regenerating
      • Call request.session.regenerate() to get a new secure session ID
      • Restore the saved data with request.session.set(), omitting only the key being logged out (in logOut)
  • Updated tests with better type checking

  • Update @fastify/secure-session dependency in the package.json

Note:

  • session.data() is used because Object.keys(request.session) only returns internal metadata fields (changed, deleted), not the actual session data. The method is available on both @fastify/session and @fastify/secure-session, though only declared in the types of the latter.

This PR should close these PRs:

@Tony133 Tony133 marked this pull request as ready for review April 7, 2026 21:02
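
The save, regenerate, restore sequence described in the proposal above, as an added example that is not code from this PR or from @fastify/passport. `MockSession` is a hypothetical stand-in that only mimics the `data()`, `set()` and `regenerate()` behaviour the description relies on; the `sid-N` IDs and user objects are constructed.

```typescript
// Added illustration: MockSession is a hypothetical stand-in, not @fastify/secure-session.
type SessionData = Record<string, unknown>;

class MockSession {
  private store: SessionData = {};
  private counter = 0;
  id = "sid-0";

  data(): SessionData { return { ...this.store }; }        // snapshot copy of the data
  set(key: string, value: unknown): void { this.store[key] = value; }
  regenerate(): void {                                      // new ID, all data wiped
    this.counter += 1;
    this.id = `sid-${this.counter}`;
    this.store = {};
  }
}

// Rotate the session ID, then restore every saved key except `omit`.
function regeneratePreserving(session: MockSession, omit?: string): void {
  const saved = session.data();        // must be read BEFORE regenerate()
  session.regenerate();
  for (const key of Object.keys(saved)) {
    if (key !== omit) session.set(key, saved[key]);
  }
}

function logIn(session: MockSession, key: string, user: unknown): void {
  regeneratePreserving(session);       // ID still changes on login
  session.set(key, user);
}

function logOut(session: MockSession, key: string): void {
  regeneratePreserving(session, key);  // drop only this instance's key
}

// Constructed scenario: two Authenticator instances sharing one session.
function demo(): { ids: string[]; afterLogin: SessionData; afterLogout: SessionData } {
  const s = new MockSession();
  const ids = [s.id];
  logIn(s, "passport-a", { id: 1 });
  ids.push(s.id);
  logIn(s, "passport-b", { id: 2 });
  ids.push(s.id);
  const afterLogin = s.data();
  logOut(s, "passport-b");
  ids.push(s.id);
  return { ids, afterLogin, afterLogout: s.data() };
}
```

The session ID changes on every login and logout in this sketch, while everything already in the session, including data written before login, is carried across the rotation.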