Server now deletes associated remember-me token on user requested log-outs.

2025-10-21 00:21:44 -04:00 · 2025-10-21 00:21:44 -04:00 · 1d5a087d79
parent 61ec3ffc52
commit 1d5a087d79
2 changed files with 27 additions and 4 deletions
--- a/src/controllers/api/account/loginController.js
+++ b/src/controllers/api/account/loginController.js
@ -63,7 +63,7 @@ module.exports.post = async function(req, res){
                const secure = config.protocol.toLowerCase() == "https";

                //Create expiration date for cookies (180 days)
-                const expires = new Date(Date.now() + (1000 * 60 * 60 * 24 * 180))
+                const expires = new Date(Date.now() + (1000 * 60 * 60 * 24 * 180));

                //Set remember me ID and token as browser-side cookies for safe-keeping
                res.cookie("rememberme.id", authToken.id, {sameSite: 'strict', httpOnly: true, secure, expires});
--- a/src/controllers/api/account/logoutController.js
+++ b/src/controllers/api/account/logoutController.js
@ -15,13 +15,36 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/

 //local imports
-const accountUtils = require('../../../utils/sessionUtils');
-const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
+const rememberMeModel = require('../../../schemas/user/rememberMeSchema');
+const sessionUtils = require('../../../utils/sessionUtils');
+const {exceptionHandler} = require('../../../utils/loggerUtils');
+const {validationResult, matchedData} = require('express-validator');

 module.exports.post = async function(req, res){
    if(req.session.user){
        try{
-            accountUtils.killSession(req.session);
+            sessionUtils.killSession(req.session);
+
+            //Check validation results
+            const validResult = validationResult(req);
+
+            //if we don't have errors
+            if(validResult.isEmpty()){
+                //Pull sanatzied/validated data
+                const data = matchedData(req); 
+                
+                //If the user has a remember me token id they've submitted with the request
+                if(data.rememberme.id){
+                    //Find the associated token and nuke it
+                    await rememberMeModel.deleteOne({id: data.rememberme.id})
+                }
+            }
+
+            //Clear out remember me tokens
+            res.clearCookie("rememberme.id");
+            res.clearCookie("rememberme.token");
+
+            //Return status
            return res.sendStatus(200);
        }catch(err){
            return exceptionHandler(res, err);