SECURITY ISSUE WITH v0.10.0~0.10.2

[pilcrowonpaper]

CRITICAL SECURITY ISSUE IN VERSION 10

UPDATE TO V0.10.3 OR VERSION 12

While finishing v0.11.0 (now v0.12.0), I've discovered a critical security issue with v0.10.0 ~ 0.10.2. getUserSession() and functions that used it (including the main handleServerSession()) DID NOT validate the access token properly. It only checked if the access token existed in the database, and did not check for the expiry time.

IMPORTANT NOTE: Expired sessions are removed automatically on refresh, so unless the user deleted the cookie from the dev console, it's unlikely someone was able to used an expired session

I have deprecated the versions affected, released v0.10.3 which patches this issue and removes getUserSession(), and released v0.12.0. I recommend updating to v0.12.0.

I'm really sorry for not checking the code hard enough