I believe I’ve narrowed it down it down to just this in my testing:
app.use('/app', [requiresAuth(), express.static(path.join(__dirname, 'app'))]);
This is my attempt at serving a single-page-app from a protected route. This will work AFTER the user is logged in (resulting in
GET /app/ 304 , but on initial login, and on refreshing the page with cookies cleared (CMD-SHIFT-R on a Mac in Chrome, for instance) you’ll get
GET /app/ 500 4.563 ms - 1254 Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client.
Is there another way to serve static files on a protected route?