From c20b053606be1e04df3c8ee781edd3e2d88b1631 Mon Sep 17 00:00:00 2001
From: Tobias Wilken <tooangel@tooangel.de>
Date: Sat, 24 Jan 2026 12:38:20 +0100
Subject: [PATCH] fix: remove sess: prefix from session ID lookup

connect-mongo v4+ stores sessions without the 'sess:' prefix.
The sessionAuth middleware was still using the old prefix format,
causing webapp authentication to fail with 'Invalid session ID'.
---
 src/middleware/sessionAuth.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/middleware/sessionAuth.js b/src/middleware/sessionAuth.js
index 4524afc..a9e5ec3 100644
--- a/src/middleware/sessionAuth.js
+++ b/src/middleware/sessionAuth.js
@@ -39,9 +39,9 @@ export async function sessionAuthMiddleware(req, res, next) {
 
   try {
     // Query MongoDB session store to get session data
-    // Session ID in MongoDB is prefixed with "sess:"
+    // Note: connect-mongo v4+ stores sessions without prefix
     const sessionDoc = await database.sessions.findOne({
-      _id: `sess:${sessionId}`,
+      _id: sessionId,
     });
 
     if (!sessionDoc || !sessionDoc.session) {