Remember me tokens now nuked upon full account logout.

src/controllers/api/account/loginController.js

@@ -39,7 +39,7 @@ module.exports.post = async function(req, res){
             const data = matchedData(req); 
 
             //try to authenticate the session, throwing an error and breaking the current code block if user is un-authorized
-            await sessionUtils.authenticateSession(data.user, data.pass, req);
+            const userDB = await sessionUtils.authenticateSession(data.user, data.pass, req);
 
             //If the user already has a remember me token
             if(data.rememberme != null && data.rememberme.id != null){
@@ -57,18 +57,21 @@ module.exports.post = async function(req, res){
                 //requires second DB call, but this enforces password requirement for toke generation while ensuring we only
                 //need one function in the userModel for authentication, even if the second woulda just been a wrapper.
                 //Less attack surface is less attack surface, and this isn't something thats going to be getting constantly called
-                const authToken = await rememberMeModel.genToken(data.user, data.pass);
+                const authToken = await rememberMeModel.genToken(userDB, data.pass);
 
-                //Check config for protocol
-                const secure = config.protocol.toLowerCase() == "https";
+                //If we properly authed
+                if(authToken != null){
+                    //Check config for protocol
+                    const secure = config.protocol.toLowerCase() == "https";
 
-                //Create expiration date for cookies (180 days)
-                const expires = new Date(Date.now() + (1000 * 60 * 60 * 24 * 180));
+                    //Create expiration date for cookies (180 days)
+                    const expires = new Date(Date.now() + (1000 * 60 * 60 * 24 * 180));
 
-                //Set remember me ID and token as browser-side cookies for safe-keeping
-                res.cookie("rememberme.id", authToken.id, {sameSite: 'strict', httpOnly: true, secure, expires});
-                //This should be the servers last interaction with the plaintext token before saving the hashed copy, and dropping it out of RAM
-                res.cookie("rememberme.token", authToken.token, {sameSite: 'strict', httpOnly: true, secure, expires});
+                    //Set remember me ID and token as browser-side cookies for safe-keeping
+                    res.cookie("rememberme.id", authToken.id, {sameSite: 'strict', httpOnly: true, secure, expires});
+                    //This should be the servers last interaction with the plaintext token before saving the hashed copy, and dropping it out of RAM
+                    res.cookie("rememberme.token", authToken.token, {sameSite: 'strict', httpOnly: true, secure, expires});
+                }
             }
 
             //Tell the browser everything is dandy

src/controllers/api/account/logoutController.js

@@ -34,7 +34,7 @@ module.exports.post = async function(req, res){
                 const data = matchedData(req); 
                 
                 //If the user has a remember me token id they've submitted with the request
-                if(data.rememberme.id){
+                if(data.rememberme != null && data.rememberme.id != null){
                     //Find the associated token and nuke it
                     await rememberMeModel.deleteOne({id: data.rememberme.id})
                 }