Remember me tokens now nuked upon full account logout.

2025-10-21 07:59:15 -04:00 · 2025-10-21 07:59:15 -04:00 · bc0657a702
parent 3fb71ffb78
commit bc0657a702
5 changed files with 26 additions and 16 deletions
--- a/src/controllers/api/account/loginController.js
+++ b/src/controllers/api/account/loginController.js
@ -39,7 +39,7 @@ module.exports.post = async function(req, res){
            const data = matchedData(req); 

            //try to authenticate the session, throwing an error and breaking the current code block if user is un-authorized
-            await sessionUtils.authenticateSession(data.user, data.pass, req);
+            const userDB = await sessionUtils.authenticateSession(data.user, data.pass, req);

            //If the user already has a remember me token
            if(data.rememberme != null && data.rememberme.id != null){
@ -57,8 +57,10 @@ module.exports.post = async function(req, res){
                //requires second DB call, but this enforces password requirement for toke generation while ensuring we only
                //need one function in the userModel for authentication, even if the second woulda just been a wrapper.
                //Less attack surface is less attack surface, and this isn't something thats going to be getting constantly called
-                const authToken = await rememberMeModel.genToken(data.user, data.pass);
+                const authToken = await rememberMeModel.genToken(userDB, data.pass);

+                //If we properly authed
+                if(authToken != null){
                    //Check config for protocol
                    const secure = config.protocol.toLowerCase() == "https";

@ -70,6 +72,7 @@ module.exports.post = async function(req, res){
                    //This should be the servers last interaction with the plaintext token before saving the hashed copy, and dropping it out of RAM
                    res.cookie("rememberme.token", authToken.token, {sameSite: 'strict', httpOnly: true, secure, expires});
                }
+            }

            //Tell the browser everything is dandy
            return res.sendStatus(200);
--- a/src/controllers/api/account/logoutController.js
+++ b/src/controllers/api/account/logoutController.js
@ -34,7 +34,7 @@ module.exports.post = async function(req, res){
                const data = matchedData(req); 
                
                //If the user has a remember me token id they've submitted with the request
-                if(data.rememberme.id){
+                if(data.rememberme != null && data.rememberme.id != null){
                    //Find the associated token and nuke it
                    await rememberMeModel.deleteOne({id: data.rememberme.id})
                }
--- a/src/schemas/user/rememberMeSchema.js
+++ b/src/schemas/user/rememberMeSchema.js
@ -27,7 +27,6 @@ const crypto = require("node:crypto");
 const {mongoose} = require('mongoose');

 //Local Imports
-const {userModel} = require('./userSchema');
 const hashUtil = require('../../utils/hashUtils');
 const loggerUtils = require('../../utils/loggerUtils');

@ -88,9 +87,13 @@ rememberMeToken.methods.checkToken = async function(token){
 }

 //statics
-rememberMeToken.statics.genToken = async function(user, pass){
-    //Authenticate user and pull document
-    const userDB = await userModel.authenticate(user, pass);
+rememberMeToken.statics.genToken = async function(userDB, pass){
+    //Normally I'd use userModel auth, but this saves on DB calls and keeps us from having to refrence the userModel directly
+    //Saving us from circular depedency hell
+    //Plus this is only really getting called along-side other auth, theres already going to be an error message if this is wrong XP
+    if(!await userDB.checkPass(pass)){
+        return;
+    }

    try{
        //Generate a cryptographically secure string of 32 bytes in hexidecimal
--- a/src/schemas/user/userSchema.js
+++ b/src/schemas/user/userSchema.js
@ -28,6 +28,7 @@ const permissionModel = require('../permissionSchema');
 const emoteModel = require('../emoteSchema');
 const emailChangeModel = require('./emailChangeSchema');
 const playlistSchema = require('../channel/media/playlistSchema');
+const rememberMeModel = require('./rememberMeSchema');
 //Utils
 const hashUtil = require('../../utils/hashUtils');
 const mailUtil = require('../../utils/mailUtils');
@ -807,6 +808,9 @@ userSchema.methods.tattooIPRecord = async function(ip){
 * @param {String} reason - Reason to kill user sessions
 */
 userSchema.methods.killAllSessions = async function(reason = "A full log-out from all devices was requested for your account."){
+    //Nuke all related remember me tokens
+    await rememberMeModel.deleteMany({user: this._id});
+
    //get authenticated sessions
    var sessions = await this.getAuthenticatedSessions();

--- a/src/utils/sessionUtils.js
+++ b/src/utils/sessionUtils.js
@ -145,7 +145,7 @@ module.exports.authenticateSession = async function(identifier, secret, req, use
        }

        //return user
-        return userDB.user;
+        return userDB;
    }catch(err){
        //Failed attempts at good tokens are handled by the token schema by dropping the users effected tokens and screaming bloody murder
        //Failed attempts with bad tokens don't need to be handled as it's not like attacking a bad UUID is going to get you anywhere anywho