From 8c473576059f32d49727d52572d6787cd3ea5d7d Mon Sep 17 00:00:00 2001 From: Bradley Shellnut Date: Mon, 17 Jun 2024 17:37:47 -0700 Subject: [PATCH] Fixing a lot of check issues. --- src/lib/utils/gameMapper.ts | 4 +- src/lib/validations/auth.ts | 1 - .../(app)/(protected)/admin/+layout.server.ts | 8 +-- .../(protected)/admin/users/+page.server.ts | 4 +- .../collections/[id]/+page.server.ts | 7 +-- .../collections/add/+page.server.ts | 2 +- .../(app)/(protected)/list/+layout.server.ts | 13 +++-- .../(protected)/list/[id]/+page.server.ts | 3 +- .../(app)/(protected)/profile/+page.server.ts | 3 +- .../security/two-factor/+page.server.ts | 4 +- .../(protected)/wishlists/+page.server.ts | 10 ++-- .../wishlists/[id]/+page.server.ts | 12 ++-- src/routes/(app)/search/+page.server.ts | 56 ++++++++++--------- src/routes/(app)/search/+page.svelte | 15 +++-- src/routes/(auth)/login/+page.server.ts | 19 ------- src/routes/(auth)/login/+page.svelte | 30 +--------- src/routes/(auth)/sign-up/+page.server.ts | 2 + src/routes/(auth)/sign-up/+page.svelte | 4 +- src/routes/(auth)/totp/+page.server.ts | 16 +++--- src/routes/(auth)/totp/+page.svelte | 7 +-- src/routes/api/games/search/+server.ts | 2 - 21 files changed, 95 insertions(+), 127 deletions(-) diff --git a/src/lib/utils/gameMapper.ts b/src/lib/utils/gameMapper.ts index a2e8898..590abce 100644 --- a/src/lib/utils/gameMapper.ts +++ b/src/lib/utils/gameMapper.ts @@ -48,8 +48,8 @@ export function mapAPIGameToBoredGame(game: GameType): Games { return { name: game.name, slug: kebabCase(game.name), - thumb_url: game.thumbnail, - image_url: game.image, + thumb_url: game.thumb_url, + image_url: game.image_url, year_published: game.year_published, min_players: game.min_players, max_players: game.max_players, diff --git a/src/lib/validations/auth.ts b/src/lib/validations/auth.ts index bc9367c..d5af946 100644 --- a/src/lib/validations/auth.ts +++ b/src/lib/validations/auth.ts 
@@ -10,7 +10,6 @@ export const signUpSchema = userSchema username: true, password: true, confirm_password: true, - terms: true, }) .superRefine(({ confirm_password, password }, ctx) => { refinePasswords(confirm_password, password, ctx); diff --git a/src/routes/(app)/(protected)/admin/+layout.server.ts b/src/routes/(app)/(protected)/admin/+layout.server.ts index 0186128..5cb8b59 100644 --- a/src/routes/(app)/(protected)/admin/+layout.server.ts +++ b/src/routes/(app)/(protected)/admin/+layout.server.ts @@ -12,8 +12,8 @@ export const load = loadFlash(async (event) => { redirect(302, '/login', notSignedInMessage, event); } - const userRoles = await db.query.userRoles.findMany({ - where: eq(user_roles.user_id, user!.id!), + const dbUserRoles = await db.query.userRoles.findMany({ + where: eq(userRoles.user_id, user!.id!), with: { role: { columns: { @@ -23,8 +23,8 @@ export const load = loadFlash(async (event) => { }, }); - const containsAdminRole = userRoles.some((userRoles) => user_role?.role?.name === 'admin'); - if (!userRoles?.length || !containsAdminRole) { + const containsAdminRole = dbUserRoles.some((userRole) => userRole?.role?.name === 'admin'); + if (!dbUserRoles?.length || !containsAdminRole) { console.log('Not an admin'); redirect(302, '/', forbiddenMessage, event); } diff --git a/src/routes/(app)/(protected)/admin/users/+page.server.ts b/src/routes/(app)/(protected)/admin/users/+page.server.ts index 1e5dead..b6e7d5a 100644 --- a/src/routes/(app)/(protected)/admin/users/+page.server.ts +++ b/src/routes/(app)/(protected)/admin/users/+page.server.ts 
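Review bot: Dropping `terms: true` from the picked field set of `signUpSchema` means the server no longer validates that the terms checkbox was accepted, so a sign-up request that omits or unchecks it now passes validation. If the sign-up form still renders the checkbox (the sign-up page changes are not visible in this chunk), keep the field in the pick and enforce acceptance in `userSchema` with something like `terms: z.literal(true)`; otherwise remove it from the form and the page's server action together so the contract stays consistent. The `superRefine` password check that follows is unaffected.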
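Review bot: The `user!.id!` non-null assertions introduced here (and in the collections, list, profile, two-factor and wishlists hunks below) silence the checker rather than proving the value exists; each one sits right after `userNotAuthenticated(user, session)` has redirected, so the guard already knows `user` is set. Declaring that helper's return as a type predicate on `user` (for example `user is null`, or an `asserts` function) lets TypeScript narrow in the fall-through branch and every `!` can be dropped. The trailing `id!` also suggests `id` is optional on the session user type; if it really can be missing, an explicit check that redirects or returns 401 is safer than asserting it away.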
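Review bot: `console.log('Not an admin')` records an authorization failure in the admin area without saying who was denied, which makes the event hard to correlate during an investigation; log it at warning level with the subject, e.g. `console.warn(`admin access denied for user ${user?.id}`)`. The `!dbUserRoles?.length` test is redundant because `.some()` already returns false on an empty array, so `if (!containsAdminRole)` is sufficient.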
@@ -1,12 +1,14 @@ +import { redirect } from 'sveltekit-flash-message/server'; import type { PageServerLoad } from './$types'; import db from '../../../../../db'; import { userNotAuthenticated } from '$lib/server/auth-utils'; +import { notSignedInMessage } from '$lib/flashMessages'; export const load: PageServerLoad = async (event) => { const { locals } = event; const { user, session } = locals; if (userNotAuthenticated(user, session)) { - return fail(401); + redirect(302, '/login', notSignedInMessage, event); } const users = await db.query.users.findMany({ diff --git a/src/routes/(app)/(protected)/collections/[id]/+page.server.ts b/src/routes/(app)/(protected)/collections/[id]/+page.server.ts index 55335d5..b99d52c 100644 --- a/src/routes/(app)/(protected)/collections/[id]/+page.server.ts +++ b/src/routes/(app)/(protected)/collections/[id]/+page.server.ts @@ -39,7 +39,7 @@ export async function load(event) { cuid: true, name: true, }, - where: and(eq(collections.user_id, user.id), eq(collections.cuid, id)), + where: and(eq(collections.user_id, user!.id!), eq(collections.cuid, id)), }); console.log('collection', collection); @@ -110,7 +110,6 @@ export const actions: Actions = { const form = await superValidate(event, zod(modifyListGameSchema)); - const user = event.locals.user; const game = await db.query.games.findFirst({ where: eq(games.id, form.data.id), }); @@ -127,7 +126,7 @@ export const actions: Actions = { try { const collection = await db.query.collections.findFirst({ - where: eq(collections.user_id, user.id), + where: eq(collections.user_id, user!.id!), }); if (!collection) { @@ -187,7 +186,7 @@ export const actions: Actions = { try { const collection = await db.query.collections.findFirst({ - where: eq(collections.user_id, locals.user.id), + where: eq(collections.user_id, user!.id!), }); if (!collection) { 
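Review bot: This load only checks that a session exists; the admin-role check lives in `admin/+layout.server.ts`, but SvelteKit runs page and layout `load` functions concurrently, so `db.query.users.findMany` executes for any signed-in user, and layout loads do not run at all for form actions. Either `await event.parent()` before the query so the layout's redirect takes effect first, or repeat the role check here so the page is protected on its own. The query that follows continues outside the hunk.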
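Review bot: In the `@@ -110,7 +110,6 @@` hunk of the collections page, `form.data.id` is passed to `db.query.games.findFirst` immediately after `superValidate` without consulting `form.valid`, so a request that fails schema validation still reaches the database with whatever `form.data` contains. Add `if (!form.valid) return fail(400, { form });` between the two statements (`fail` comes from `@sveltejs/kit`); the same pattern appears in the search page's `load` and `random` action in later hunks. This hunk also removes `const user = event.locals.user;` while the following hunks reference `user!.id!`, so `user` must already be destructured earlier in the action, outside the hunk.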
diff --git a/src/routes/(app)/(protected)/collections/add/+page.server.ts b/src/routes/(app)/(protected)/collections/add/+page.server.ts index 40d590e..174fbbc 100644 --- a/src/routes/(app)/(protected)/collections/add/+page.server.ts +++ b/src/routes/(app)/(protected)/collections/add/+page.server.ts @@ -1,4 +1,4 @@ -import { redirect } from '@sveltejs/kit'; +import { redirect } from 'sveltekit-flash-message/server'; import { notSignedInMessage } from '$lib/flashMessages'; import { userNotAuthenticated } from '$lib/server/auth-utils'; diff --git a/src/routes/(app)/(protected)/list/+layout.server.ts b/src/routes/(app)/(protected)/list/+layout.server.ts index 3e0f3ad..f0aa34c 100644 --- a/src/routes/(app)/(protected)/list/+layout.server.ts +++ b/src/routes/(app)/(protected)/list/+layout.server.ts @@ -1,23 +1,24 @@ -import { fail } from '@sveltejs/kit'; +import { redirect } from 'sveltekit-flash-message/server'; import { eq } from 'drizzle-orm'; import db from '../../../../db'; import { wishlists } from '$db/schema'; import { userNotAuthenticated } from '$lib/server/auth-utils'; import { notSignedInMessage } from '$lib/flashMessages'; -export async function load({ locals }) { +export async function load(event) { + const { locals } = event; const { user, session } = locals; if (userNotAuthenticated(user, session)) { - throw fail(401); + redirect(302, '/login', notSignedInMessage, event); } try { - const userWishlists = await db.query.wishlists.findMany({ - where: eq(wishlists.user_id, locals.user.id), + const dbWishlists = await db.query.wishlists.findMany({ + where: eq(wishlists.user_id, user!.id!), }); return { - wishlsits: userWishlists, + wishlists: dbWishlists, }; } catch (e) { console.error(e); diff --git a/src/routes/(app)/(protected)/list/[id]/+page.server.ts b/src/routes/(app)/(protected)/list/[id]/+page.server.ts index a0bb620..ff59f4d 100644 --- a/src/routes/(app)/(protected)/list/[id]/+page.server.ts 
+++ b/src/routes/(app)/(protected)/list/[id]/+page.server.ts @@ -1,7 +1,8 @@ -import { type Actions, fail, redirect } from '@sveltejs/kit'; +import { type Actions, fail } from '@sveltejs/kit'; import { eq } from 'drizzle-orm'; import { zod } from 'sveltekit-superforms/adapters'; import { superValidate } from 'sveltekit-superforms/server'; +import { redirect } from 'sveltekit-flash-message/server'; import db from '../../../../../db'; import { modifyListGameSchema } from '$lib/validations/zod-schemas'; import { games, wishlist_items, wishlists } from '$db/schema'; diff --git a/src/routes/(app)/(protected)/profile/+page.server.ts b/src/routes/(app)/(protected)/profile/+page.server.ts index 3693831..5d0ff87 100644 --- a/src/routes/(app)/(protected)/profile/+page.server.ts +++ b/src/routes/(app)/(protected)/profile/+page.server.ts @@ -19,7 +19,7 @@ export const load: PageServerLoad = async (event) => { } const dbUser = await db.query.users.findFirst({ - where: eq(users.id, user.id), + where: eq(users.id, user!.id!), }); const profileForm = await superValidate(zod(profileSchema), { @@ -85,6 +85,7 @@ export const actions: Actions = { }) .where(eq(users.id, user.id)); } catch (e) { + // @ts-expect-error if (e.message === `AUTH_INVALID_USER_ID`) { // invalid user id console.error(e); diff --git a/src/routes/(app)/(protected)/profile/security/two-factor/+page.server.ts b/src/routes/(app)/(protected)/profile/security/two-factor/+page.server.ts index ca8c124..4b61e08 100644 --- a/src/routes/(app)/(protected)/profile/security/two-factor/+page.server.ts +++ b/src/routes/(app)/(protected)/profile/security/two-factor/+page.server.ts @@ -92,7 +92,7 @@ export const actions: Actions = { } const dbUser = await db.query.users.findFirst({ - where: eq(users.id, user.id), + where: eq(users.id, user!.id!), }); if (!dbUser?.hashed_password) { 
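Review bot: The `// @ts-expect-error` added before `if (e.message === `AUTH_INVALID_USER_ID`)` in the profile action suppresses the real complaint that `e` is `unknown` in a `catch` clause, and the directive will itself become an error if the surrounding types ever change. Narrow instead: `if (e instanceof Error && e.message === `AUTH_INVALID_USER_ID`) {`, which needs no directive and keeps the comparison type-checked. The enclosing action continues outside the hunk.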
@@ -136,7 +136,7 @@ export const actions: Actions = { return setError(addTwoFactorForm, 'two_factor_code', 'Invalid code'); } - await db.update(users).set({ two_factor_enabled: true }).where(eq(users.id, user.id)); + await db.update(users).set({ two_factor_enabled: true }).where(eq(users.id, user!.id!)); redirect(302, '/profile/security/two-factor/recovery-codes'); }, diff --git a/src/routes/(app)/(protected)/wishlists/+page.server.ts b/src/routes/(app)/(protected)/wishlists/+page.server.ts index 8a086f8..9c60379 100644 --- a/src/routes/(app)/(protected)/wishlists/+page.server.ts +++ b/src/routes/(app)/(protected)/wishlists/+page.server.ts @@ -10,7 +10,7 @@ import { games, wishlist_items, wishlists } from '$db/schema'; import { userNotAuthenticated } from '$lib/server/auth-utils'; export async function load(event) { - const { params, locals } = event; + const { locals } = event; const { user, session } = locals; if (userNotAuthenticated(user, session)) { redirect(302, '/login', notSignedInMessage, event); @@ -22,7 +22,7 @@ export async function load(event) { name: true, created_at: true, }, - where: eq(wishlists.user_id, user.id), + where: eq(wishlists.user_id, user!.id!), }); console.log('wishlists', userWishlists); @@ -63,7 +63,7 @@ export const actions: Actions = { if (game) { const wishlist = await db.query.wishlists.findFirst({ - where: eq(wishlists.user_id, locals.user.id), + where: eq(wishlists.user_id, user!.id!), }); if (!wishlist) { @@ -105,7 +105,7 @@ export const actions: Actions = { }, // Remove game from a wishlist remove: async (event) => { - const { params, locals } = event; + const { locals } = event; const { user, session } = locals; if (userNotAuthenticated(user, session)) { return fail(401); @@ -129,7 +129,7 @@ export const actions: Actions = { if (game) { const wishlist = await db.query.wishlists.findFirst({ - where: eq(wishlists.user_id, locals.user.id), + where: eq(wishlists.user_id, user!.id!), }); if (!wishlist) { 
diff --git a/src/routes/(app)/(protected)/wishlists/[id]/+page.server.ts b/src/routes/(app)/(protected)/wishlists/[id]/+page.server.ts index 6852147..7d5f996 100644 --- a/src/routes/(app)/(protected)/wishlists/[id]/+page.server.ts +++ b/src/routes/(app)/(protected)/wishlists/[id]/+page.server.ts @@ -1,4 +1,4 @@ -import { error, type Actions } from '@sveltejs/kit'; +import { error, type Actions, fail } from '@sveltejs/kit'; import { and, eq } from 'drizzle-orm'; import { zod } from 'sveltekit-superforms/adapters'; import { superValidate } from 'sveltekit-superforms/server'; @@ -17,11 +17,9 @@ export async function load(event) { redirect(302, '/login', notSignedInMessage, event); } - console.log('Wishlist load User id', locals.user.id); - try { const wishlist = await db.query.wishlists.findMany({ - where: and(eq(wishlists.user_id, locals.user.id), eq(wishlists.cuid, id)), + where: and(eq(wishlists.user_id, user!.id!), eq(wishlists.cuid, id)), }); if (!wishlist) { @@ -66,7 +64,7 @@ export const actions: Actions = { if (game) { const wishlist = await db.query.wishlists.findFirst({ - where: eq(wishlists.user_id, locals.user.id), + where: eq(wishlists.user_id, user!.id!), }); if (!wishlist) { @@ -98,7 +96,7 @@ export const actions: Actions = { return error(405, 'Method not allowed'); }, // Delete a wishlist - delete: async ({ locals }) => { + delete: async (event) => { const { locals } = event; const { user, session } = locals; if (userNotAuthenticated(user, session)) { @@ -132,7 +130,7 @@ export const actions: Actions = { if (game) { const wishlist = await db.query.wishlists.findFirst({ - where: eq(wishlists.user_id, locals.user.id), + where: eq(wishlists.user_id, user!.id!), }); if (!wishlist) { diff --git a/src/routes/(app)/search/+page.server.ts b/src/routes/(app)/search/+page.server.ts index 8d98253..9701617 100644 --- a/src/routes/(app)/search/+page.server.ts +++ b/src/routes/(app)/search/+page.server.ts 
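Review bot: In the `@@ -17,11 +17,9 @@` hunk, `db.query.wishlists.findMany` returns an array, so the `if (!wishlist)` check that follows can never be true and a wishlist id that belongs to another user (or to nobody) falls through as an empty result instead of being rejected. Either switch to `findFirst` so the null check is meaningful, or test `if (wishlist.length === 0)`. Removing the `console.log` of the user id is a welcome cleanup. The rest of the `try` block continues outside the hunk.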
@@ -5,14 +5,13 @@ import kebabCase from 'just-kebab-case'; import type { GameType, SearchQuery } from '$lib/types'; import { mapAPIGameToBoredGame } from '$lib/utils/gameMapper.js'; import { search_schema } from '$lib/zodValidation'; -import type { PageServerLoad } from '../$types.js'; import type { BggThingDto } from 'boardgamegeekclient/dist/esm/dto/index.js'; import { createOrUpdateGameMinimal } from '$lib/utils/db/gameUtils'; async function searchForGames( locals: App.Locals, - eventFetch, - urlQueryParams: SearchQuery + eventFetch: typeof fetch, + urlQueryParams: URLSearchParams, ) { try { console.log('urlQueryParams search games', urlQueryParams); @@ -21,7 +20,7 @@ async function searchForGames( headers.set('Content-Type', 'application/json'); const requestInit: RequestInit = { method: 'GET', - headers + headers, }; const url = `/api/games/search${urlQueryParams ? `?${urlQueryParams}` : ''}`; console.log('Calling internal api', url); @@ -36,7 +35,7 @@ async function searchForGames( const games = await response.json(); console.log('games from DB', games); - const gameNameSearch = urlQueryParams.get('q'); + const gameNameSearch = urlQueryParams.get('q') ?? ''; let totalCount = games?.length || 0; if ( @@ -47,7 +46,7 @@ async function searchForGames( const searchQueryParams = urlQueryParams ? `?${urlQueryParams}` : ''; const externalResponse = await eventFetch( `/api/external/search${searchQueryParams}`, - requestInit + requestInit, ); console.log('Back from external search', externalResponse); 
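Review bot: With `urlQueryParams` now typed `URLSearchParams`, the `urlQueryParams ? `?${urlQueryParams}` : ''` expression building `url` in the `@@ -21,7 +20,7 @@` hunk is always truthy, so an empty parameter set yields `/api/games/search?` rather than the bare path. Stringify first and test the string: `const qs = urlQueryParams.toString();` then `const url = `/api/games/search${qs ? `?${qs}` : ''}`;`; the `searchQueryParams` expression in the next hunk has the same issue. The body of `searchForGames` continues outside the hunk.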
@@ -65,10 +64,10 @@ async function searchForGames( console.log('totalCount', totalCount); for (const game of gameList) { console.log( - `Retrieving simplified external game details for id: ${game.id} with name ${game.name}` + `Retrieving simplified external game details for id: ${game.id} with name ${game.name}`, ); const externalGameResponse = await eventFetch( - `/api/external/game/${game.id}?simplified=true` + `/api/external/game/${game.id}?simplified=true`, ); if (externalGameResponse.ok) { const externalGame = await externalGameResponse.json(); @@ -82,14 +81,14 @@ async function searchForGames( return { totalCount, - games + games, }; } catch (e) { console.log(`Error searching board games ${e}`); } return { totalCount: 0, - games: [] + games: [], }; } @@ -108,18 +107,21 @@ export const load = async ({ locals, fetch, url }) => { searchParams.order = searchParams.order || defaults.order; searchParams.sort = searchParams.sort || defaults.sort; searchParams.q = searchParams.q || defaults.q; - const form = await superValidate({ - ...searchParams, - skip: Number(searchParams.skip || defaults.skip), - limit: Number(searchParams.limit || defaults.limit), - exact: searchParams.exact ? searchParams.exact === 'true' : defaults.exact - }, zod(search_schema)); + const form = await superValidate( + { + ...searchParams, + skip: Number(searchParams.skip || defaults.skip), + limit: Number(searchParams.limit || defaults.limit), + exact: searchParams.exact ? searchParams.exact === 'true' : defaults.exact, + }, + zod(search_schema), + ); const queryParams: SearchQuery = { limit: form.data?.limit, skip: form.data?.skip, q: form.data?.q, - exact: form.data?.exact + exact: form.data?.exact, }; try { @@ -129,8 +131,8 @@ export const load = async ({ locals, fetch, url }) => { searchData: { totalCount: 0, games: [], - wishlists: [] - } + wishlists: [], + }, }; } 
@@ -171,32 +173,32 @@ export const load = async ({ locals, fetch, url }) => { form, // modifyListForm, searchData, - wishlists: [] + wishlists: [], }; } catch (e) { console.log(`Error searching board games ${e}`); } - console.log('returning default no data') + console.log('returning default no data'); return { form, searchData: { totalCount: 0, - games: [] + games: [], }, - wishlists: [] + wishlists: [], }; }; export const actions = { - random: async ({ request, locals, fetch }): Promise => { + random: async ({ request, locals, fetch }) => { const form = await superValidate(request, zod(search_schema)); const queryParams: SearchQuery = { order_by: 'rank', ascending: false, random: true, fields: - 'id,name,min_age,min_players,max_players,thumb_url,min_playtime,max_playtime,min_age,description' + 'id,name,min_age,min_players,max_players,thumb_url,min_playtime,max_playtime,min_age,description', }; const newQueryParams: Record = {}; @@ -208,7 +210,7 @@ export const actions = { return { form, - searchData: await searchForGames(locals, fetch, urlQueryParams) + searchData: await searchForGames(locals, fetch, urlQueryParams), }; - } + }, }; diff --git a/src/routes/(app)/search/+page.svelte b/src/routes/(app)/search/+page.svelte index cbf0712..754df93 100644 --- a/src/routes/(app)/search/+page.svelte +++ b/src/routes/(app)/search/+page.svelte @@ -1,21 +1,28 @@ @@ -62,15 +61,6 @@ - {#if form?.twoFactorRequired} - - - Two Factor Code or Recovery Code - - - - - {/if} Login

By clicking continue, you agree to our @@ -86,20 +76,6 @@