From 9714ae3b700cda3b33dd97ccb87b9feccd8ce6de Mon Sep 17 00:00:00 2001
From: Sem Bauke <semboot699@gmail.com>
Date: Fri, 24 Apr 2026 17:08:10 +0200
Subject: [PATCH] fix(api): remove legacy get-session-user endpoint (#67089)

---
 api/src/routes/protected/user.test.ts | 14 ++------------
 api/src/routes/protected/user.ts      |  8 --------
 api/src/routes/public/user.test.ts    |  2 +-
 3 files changed, 3 insertions(+), 21 deletions(-)

diff --git a/api/src/routes/protected/user.test.ts b/api/src/routes/protected/user.test.ts
index 95eb5f4c58f..ba65621d858 100644
--- a/api/src/routes/protected/user.test.ts
+++ b/api/src/routes/protected/user.test.ts
@@ -187,7 +187,7 @@ const lockedProfileUI = {
 };
 
 // These are not part of the schema, but are added to the user object by
-// get-session-user's handler
+// session-user's handler
 const computedProperties = {
   calendar: {},
   completedChallengeCount: 0,
@@ -198,7 +198,7 @@ const computedProperties = {
   profileUI: lockedProfileUI
 };
 
-// The following appears in get-session-user responses, but not
+// The following appears in session-user responses, but not
 // get-public-profile
 const sessionOnlyData = {
   currentChallengeId: testUserData.currentChallengeId,
@@ -1639,16 +1639,6 @@ Thanks and regards,
         expect(response.statusCode).toBe(200);
         expect(response.body).toStrictEqual({ user: {}, result: '' });
       });
-
-      test('GET legacy endpoint returns 200 with empty user object for unauthenticated users', async () => {
-        const response = await superRequest('/user/get-session-user', {
-          method: 'GET',
-          setCookies
-        });
-
-        expect(response.statusCode).toBe(200);
-        expect(response.body).toStrictEqual({ user: {}, result: '' });
-      });
     });
   });
 });
diff --git a/api/src/routes/protected/user.ts b/api/src/routes/protected/user.ts
index 332998f1aaa..79df42d2c6e 100644
--- a/api/src/routes/protected/user.ts
+++ b/api/src/routes/protected/user.ts
@@ -837,14 +837,6 @@ export const userGetRoutes: FastifyPluginCallbackTypebox = (
     }
   };
 
-  fastify.get(
-    '/user/get-session-user',
-    {
-      schema: schemas.getSessionUser
-    },
-    getSessionUserHandler
-  );
-
   fastify.get(
     '/user/session-user',
     {
diff --git a/api/src/routes/public/user.test.ts b/api/src/routes/public/user.test.ts
index e5c7cdc6cc5..40b457e4643 100644
--- a/api/src/routes/public/user.test.ts
+++ b/api/src/routes/public/user.test.ts
@@ -391,7 +391,7 @@ describe('userRoutes', () => {
           expect(response.statusCode).toBe(200);
         });
         // TODO: create a list of public properties like the api-server and use that
-        // to restrict the output of this and get-session-user.
+        // to restrict the output of this and session-user.
         test('returns 200 status code with public user object', async () => {
           const testUser =
             await fastifyTestInstance.prisma.user.findFirstOrThrow({