In my secureRoutesMiddleware above I do

req.session = session

, would it be secure to also do

req.currentUserId = session.getUserId()

or is it a security risk to use it in my code like this

if (req.currentUserId === 'foo'){ return 'bar' }

?