Only set User header with WebID-TLS.

Closes #523. Breaking change, needs new semver-major.

Author: RubenVerborgh

lib/api/authn/index.js

@@ -16,20 +16,8 @@ function overrideWith (forceUserId) {
   }
 }
 
-/**
- * Sets the `User:` response header if the user has been authenticated.
- */
-function setUserHeader (req, res, next) {
-  let session = req.session
-  let webId = session.identified && session.userId
-
-  res.set('User', webId || '')
-  next()
-}
-
 module.exports = {
   oidc: require('./webid-oidc'),
   tls: require('./webid-tls'),
-  overrideWith,
-  setUserHeader
+  overrideWith
 }

lib/create-app.js

@@ -205,8 +205,6 @@ function initAuthentication (argv, app) {
       // Enforce authentication with WebID-OIDC on all LDP routes
       app.use('/', oidc.rs.authenticate())
 
-      app.use('/', API.authn.setUserHeader)
-
       break
     default:
       throw new TypeError('Unsupported authentication scheme')

test/integration/acl-oidc.js

@@ -79,11 +79,11 @@ describe('ACL HTTP', function () {
         done()
       })
     })
-    it('should have `User` set in the Response Header', function (done) {
+    it('should not have the `User` set in the Response Header', function (done) {
       var options = createOptions('/no-acl/', 'user1')
       request(options, function (error, response, body) {
         assert.equal(error, null)
-        assert.equal(response.statusCode, 403)
+        assert.notProperty(response.headers, 'user')
         done()
       })
     })