I may be misunderstanding something with how the pendingIQs hash works, but I know that the part && !pendingIQs[iq.id] was preventing the login unauthorized error from being triggered.
But only developers and few community members can open issues there.
It’s ok for common members to report bugs in forums. Then developers file them in JIRA.
Well, there are only 7 bugs listed in JIRA for XIFF now, but as far as i know, XIFF source code was heavily changed (as a codebase of SparkWeb) in svn, so bug tracking system maybe is not reflecting the real picture.