so getSession takes the req, gets the JWT from it from cookies Then it takes the JWT and verifies the signature using the public key it already has (which is gets from the core when u start the node process). The JWT contains the userId - so no db call there eigher