import: Use the correct author ID when using sessions

There are two different ways an author ID becomes associated with a
user: either bound to a token or bound to a session ID. (The token and
session ID come from the `token` and `sessionID` cookies, or, in the
case of socket.io messages, from the `token` and `sessionID` message
properties.) When `settings.requireSession` is true or the user is
accessing a group pad, the session ID should be used. Otherwise the
token should be used.

Before this change, the `/p/:pad/import` handler was always using the
token, even when `settings.requireSession` was true. This caused the
following error because a different author ID was bound to the token
versus the session ID:

> Unable to import file into ${pad}. Author ${authorID} exists but he
> never contributed to this pad

This bug was reported in issue #4006. PR #4012 worked around the
problem by binding the same author ID to the token as well as the
session ID.

This change does the following:
  * Modifies the import handler to use the session ID to obtain the
    author ID (when appropriate).
  * Expands the documentation for the SecurityManager checkAccess
    function.
  * Removes the workaround from PR #4012.
  * Cleans up the `bin/createUserSession.js` test script.
Richard Hansen 2020-09-02 17:16:02 -04:00 committed by John McLear
parent db0bcb524e
commit 6c2a361935
5 changed files with 92 additions and 160 deletions


@ -77,17 +77,6 @@ exports.createAuthorIfNotExistsFor = async function(authorMapper, name)
return author;
};
/**
* Sets the token <> AuthorID relationship.
* Discussion at https://github.com/ether/etherpad-lite/issues/4006
* @param {String} token The token (generated by a client)
* @param {String} authorID The authorID (returned by the Security Manager)
*/
exports.setToken2Author = async function(token, authorID)
{
await db.set("token2author:"+token, authorID);
}
/**
* Returns the AuthorID for a mapper. We can map using a mapperkey,
* so far this is token2author and mapper2author
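Review bot: Removing `exports.setToken2Author` at the top of this hunk drops the writer but not the data it wrote: any `token2author:` record the PR #4012 workaround already stored still maps a token to the session's author ID. State in the commit message or release notes whether those existing records are harmless or need cleanup. Also confirm that no caller of `setToken2Author` remains outside this file, since the export disappears without a replacement.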


@ -31,15 +31,25 @@ const WRONG_PASSWORD = Object.freeze({accessStatus: 'wrongPassword'});
const NEED_PASSWORD = Object.freeze({accessStatus: 'needPassword'});
/**
* This function controlls the access to a pad, it checks if the user can access a pad.
* @param padID the pad the user wants to access
* @param sessionCookie the session the user has (set via api)
* @param token a random token representing the author, of the form
* t.randomstring_of_lenght_20. The random string is generated by
* the client.
* Used for every pad in the web UI. Not used for the HTTP API.
* @param password the password the user has given to access this pad, can be null
* @return {accessStatus: grant|deny|wrongPassword|needPassword, authorID: a.xxxxxx})
* Determines whether the user can access a pad.
*
* @param padID identifies the pad the user wants to access.
* @param sessionCookie identifies the sessions the user created via the HTTP API, if any.
* Note: The term "session" used here is unrelated to express-session.
* @param token is a random token of the form t.randomstring_of_length_20 generated by the client
* when using the web UI (not the HTTP API). This token is only used if settings.requireSession
* is false and the user is accessing a public pad. If there is not an author already associated
* with this token then a new author object is created (including generating an author ID) and
* associated with this token.
* @param password is the password the user has given to access this pad. It can be null.
* @return {accessStatus: grant|deny|wrongPassword|needPassword, authorID: a.xxxxxx}. The caller
* must use the author ID returned in this object when making any changes associated with the
* author.
*
* WARNING: Tokens and session IDs MUST be kept secret, otherwise users will be able to impersonate
* each other (which might allow them to gain privileges).
*
* TODO: Add a hook so that plugins can make access decisions.
*/
exports.checkAccess = async function(padID, sessionCookie, token, password)
{
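Review bot: The new `@return` text says the caller must use the returned author ID, but the `WRONG_PASSWORD` and `NEED_PASSWORD` constants in the context lines above this comment carry only `accessStatus`, so the doc should say that `authorID` is present only when `accessStatus` is `grant`. Spelling that out tells callers to check `accessStatus` before reading `authorID`. The `sessionCookie` description also says "sessions" in the plural without describing the value; if it can carry more than one session ID, document the format here.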