From 1d5a087d79a302167b8a9bac24062c66a0521798 Mon Sep 17 00:00:00 2001
From: rainbow napkin
Date: Tue, 21 Oct 2025 00:21:44 -0400
Subject: [PATCH] Server now deletes associated remember-me token on user requested log-outs.
---
 .../api/account/loginController.js | 2 +-
 .../api/account/logoutController.js | 29 +++++++++++++++++-
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/src/controllers/api/account/loginController.js b/src/controllers/api/account/loginController.js
index 910ff5e..293842c 100644
--- a/src/controllers/api/account/loginController.js
+++ b/src/controllers/api/account/loginController.js
@@ -63,7 +63,7 @@ module.exports.post = async function(req, res){
 const secure = config.protocol.toLowerCase() == "https";
 
 //Create expiration date for cookies (180 days)
-const expires = new Date(Date.now() + (1000 * 60 * 60 * 24 * 180))
+const expires = new Date(Date.now() + (1000 * 60 * 60 * 24 * 180));
 
 //Set remember me ID and token as browser-side cookies for safe-keeping
 res.cookie("rememberme.id", authToken.id, {sameSite: 'strict', httpOnly: true, secure, expires});
diff --git a/src/controllers/api/account/logoutController.js b/src/controllers/api/account/logoutController.js
index 0499469..1964edc 100644
--- a/src/controllers/api/account/logoutController.js
+++ b/src/controllers/api/account/logoutController.js
@@ -15,13 +15,36 @@ You should have received a copy of the GNU Affero General Public License
 along with this program. If not, see .*/
 
 //local imports
-const accountUtils = require('../../../utils/sessionUtils');
-const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
+const rememberMeModel = require('../../../schemas/user/rememberMeSchema');
+const sessionUtils = require('../../../utils/sessionUtils');
+const {exceptionHandler} = require('../../../utils/loggerUtils');
+const {validationResult, matchedData} = require('express-validator');
 
 module.exports.post = async function(req, res){
 if(req.session.user){
 try{
-accountUtils.killSession(req.session);
+sessionUtils.killSession(req.session);
+
+//Check validation results
+const validResult = validationResult(req);
+
+//if we don't have errors
+if(validResult.isEmpty()){
+//Pull sanatzied/validated data
+const data = matchedData(req);
+
+//If the user has a remember me token id they've submitted with the request
+if(data.rememberme.id){
+//Find the associated token and nuke it
+await rememberMeModel.deleteOne({id: data.rememberme.id})
+}
+}
+
+//Clear out remember me tokens
+res.clearCookie("rememberme.id");
+res.clearCookie("rememberme.token");
+
+//Return status
+return res.sendStatus(200);
 }catch(err){
 return exceptionHandler(res, err);
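Review bot: The `rememberMeModel.deleteOne({id: data.rememberme.id})` filter is keyed solely on a client-supplied cookie value, so any logged-in user who sends a different `rememberme.id` can delete another account's remember-me token; scope the delete to the owner by capturing the account from `req.session.user` before `sessionUtils.killSession(req.session)` runs and adding it to the filter under whatever field `rememberMeSchema` uses to link a token to its user (that schema is not visible here). `matchedData(req)` only contains fields a validator covered, so when the cookie is absent or unvalidated `data.rememberme` is undefined and `data.rememberme.id` throws a TypeError that reaches `exceptionHandler` after the session is already killed but before the cookies are cleared; write `if(data.rememberme?.id){` or guard `data.rememberme` first. The two `res.clearCookie` calls should pass the same `sameSite`/`httpOnly`/`secure` attributes that `loginController` gives `res.cookie`, since Express documents that a cookie is only reliably cleared when the options match those used to set it. The validator chain that populates `rememberme.id` lives in the route wiring outside this hunk, so the nested shape of `matchedData`'s result is inferred from the dotted field name.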