convert the authenticated user to POJO in access-token-parser

apps/app/src/server/middlewares/access-token-parser.js

@@ -1,4 +1,5 @@
 import { serializeUserSecurely } from '@growi/core/dist/models/serializers';
+import mongoose from 'mongoose';
 
 import loggerFactory from '~/utils/logger';
 
@@ -14,11 +15,11 @@ module.exports = (crowi) => {
       return next();
     }
 
-    const User = crowi.model('User');
+    const User = mongoose.model('User');
 
     logger.debug('accessToken is', accessToken);
 
-    const user = await User.findUserByApiToken(accessToken);
+    const user = await User.findUserByApiToken(accessToken).lean();
 
     if (user == null) {
       logger.debug('The access token is invalid');

apps/app/src/server/routes/attachment/api.js

@@ -253,9 +253,10 @@ export const routesFactory = (crowi) => {
 
     let attachment;
     try {
-      req.user.deleteImage();
+      const user = await User.findById(req.user._id);
+      await user.deleteImage();
       attachment = await attachmentService.createAttachment(file, req.user, null, AttachmentType.PROFILE_IMAGE);
-      await req.user.updateImage(attachment);
+      await user.updateImage(attachment);
     }
     catch (err) {
       logger.error(err);