Cleaned up remember-me error handling.

src/controllers/api/account/loginController.js

@@ -39,7 +39,7 @@ module.exports.post = async function(req, res){
             const data = matchedData(req); 
 
             //try to authenticate the session, throwing an error and breaking the current code block if user is un-authorized
-            await sessionUtils.authenticateSession(data.user, data.pass, req);
+            const userDB = await sessionUtils.authenticateSession(data.user, data.pass, req);
 
             //If the user already has a remember me token
             if(data.rememberme != null && data.rememberme.id != null){
@@ -57,18 +57,21 @@ module.exports.post = async function(req, res){
                 //requires second DB call, but this enforces password requirement for toke generation while ensuring we only
                 //need one function in the userModel for authentication, even if the second woulda just been a wrapper.
                 //Less attack surface is less attack surface, and this isn't something thats going to be getting constantly called
-                const authToken = await rememberMeModel.genToken(data.user, data.pass);
+                const authToken = await rememberMeModel.genToken(userDB, data.pass);
 
-                //Check config for protocol
+                //If we properly authed
-                const secure = config.protocol.toLowerCase() == "https";
+                if(authToken != null){
+                    //Check config for protocol
+                    const secure = config.protocol.toLowerCase() == "https";
 
-                //Create expiration date for cookies (180 days)
+                    //Create expiration date for cookies (180 days)
-                const expires = new Date(Date.now() + (1000 * 60 * 60 * 24 * 180));
+                    const expires = new Date(Date.now() + (1000 * 60 * 60 * 24 * 180));
 
-                //Set remember me ID and token as browser-side cookies for safe-keeping
+                    //Set remember me ID and token as browser-side cookies for safe-keeping
-                res.cookie("rememberme.id", authToken.id, {sameSite: 'strict', httpOnly: true, secure, expires});
+                    res.cookie("rememberme.id", authToken.id, {sameSite: 'strict', httpOnly: true, secure, expires});
-                //This should be the servers last interaction with the plaintext token before saving the hashed copy, and dropping it out of RAM
+                    //This should be the servers last interaction with the plaintext token before saving the hashed copy, and dropping it out of RAM
-                res.cookie("rememberme.token", authToken.token, {sameSite: 'strict', httpOnly: true, secure, expires});
+                    res.cookie("rememberme.token", authToken.token, {sameSite: 'strict', httpOnly: true, secure, expires});
+                }
             }
 
             //Tell the browser everything is dandy

src/controllers/api/account/logoutController.js

@@ -34,7 +34,7 @@ module.exports.post = async function(req, res){
                 const data = matchedData(req); 
                 
                 //If the user has a remember me token id they've submitted with the request
-                if(data.rememberme.id){
+                if(data.rememberme != null && data.rememberme.id != null){
                     //Find the associated token and nuke it
                     await rememberMeModel.deleteOne({id: data.rememberme.id})
                 }

src/schemas/user/rememberMeSchema.js

@@ -27,7 +27,6 @@ const crypto = require("node:crypto");
 const {mongoose} = require('mongoose');
 
 //Local Imports
-const {userModel} = require('./userSchema');
 const hashUtil = require('../../utils/hashUtils');
 const loggerUtils = require('../../utils/loggerUtils');
 
@@ -88,9 +87,13 @@ rememberMeToken.methods.checkToken = async function(token){
 }
 
 //statics
-rememberMeToken.statics.genToken = async function(user, pass){
+rememberMeToken.statics.genToken = async function(userDB, pass){
-    //Authenticate user and pull document
+    //Normally I'd use userModel auth, but this saves on DB calls and keeps us from having to refrence the userModel directly
-    const userDB = await userModel.authenticate(user, pass);
+    //Saving us from circular depedency hell
+    //Plus this is only really getting called along-side other auth, theres already going to be an error message if this is wrong XP
+    if(!await userDB.checkPass(pass)){
+        return;
+    }
 
     try{
         //Generate a cryptographically secure string of 32 bytes in hexidecimal

src/schemas/user/userSchema.js

@@ -28,6 +28,7 @@ const permissionModel = require('../permissionSchema');
 const emoteModel = require('../emoteSchema');
 const emailChangeModel = require('./emailChangeSchema');
 const playlistSchema = require('../channel/media/playlistSchema');
+const rememberMeModel = require('./rememberMeSchema');
 //Utils
 const hashUtil = require('../../utils/hashUtils');
 const mailUtil = require('../../utils/mailUtils');
@@ -807,6 +808,9 @@ userSchema.methods.tattooIPRecord = async function(ip){
  * @param {String} reason - Reason to kill user sessions
  */
 userSchema.methods.killAllSessions = async function(reason = "A full log-out from all devices was requested for your account."){
+    //Nuke all related remember me tokens
+    await rememberMeModel.deleteMany({user: this._id});
+
     //get authenticated sessions
     var sessions = await this.getAuthenticatedSessions();
 

src/utils/loggerUtils.js

@@ -64,8 +64,8 @@ module.exports.errorHandler = function(res, msg, type = "Generic", status = 400)
  * @param {Error} err - Exception to handle
  */
 module.exports.localExceptionHandler = function(err){
-        //If we're being verbose
+        //If we're being verbose and this isn't just a basic bitch
-        if(config.verbose){
+        if(!err.custom && config.verbose){
                 //Log the error
                 module.exports.dumpError(err);
         }

src/utils/sessionUtils.js

@@ -145,7 +145,7 @@ module.exports.authenticateSession = async function(identifier, secret, req, use
         }
 
         //return user
-        return userDB.user;
+        return userDB;
     }catch(err){
         //Failed attempts at good tokens are handled by the token schema by dropping the users effected tokens and screaming bloody murder
         //Failed attempts with bad tokens don't need to be handled as it's not like attacking a bad UUID is going to get you anywhere anywho
@@ -214,6 +214,12 @@ module.exports.processExpiredAttempts = function(){
     }
 }
 
+/**
+ * Express Middleware for handling remember-me authentication tokens
+ * @param {express.Request} req - Express Request Object
+ * @param {express.Response} res - Express Response Object
+ * @param {function} next  - Function to call upon next middleware
+ */
 module.exports.rememberMeMiddleware = function(req, res, next){
     //if we have an un-authenticated user
     if(req.session.user == null || req.session.user == ""){
@@ -236,8 +242,11 @@ module.exports.rememberMeMiddleware = function(req, res, next){
                         res.clearCookie('rememberme.id');
                         res.clearCookie('rememberme.token');
 
-                        //Bitch, Moan, and guess what? That's fuckin' right! COMPLAIN!!!!
+                        //Quietly handle exceptions without pestering the user
-                        return loggerUtils.exceptionHandler(res, err);
+                        loggerUtils.localExceptionHandler(err);
+
+                        //Go on with life
+                        next();
                     });
             }else{
                 //Jump to next middleware, this looks gross but it's only because they made me use .then like a bunch of fucking dicks