So you are logged in when there's a non-null object in auth session and you are logged out when there isn't. Simple.
Here's the setup.
Whatever you pass to request.auth.session.set() will be available in request.auth.credentials. But it will only be there on secured routes. That tripped me up a bit. I figured it should always be there for every route.
onPostAuth always happens even if you aren't authenticated.
The output below shows that for the favicon request there was nothing in auth credentials even though I am authenticated. But the private request did have my creds.