From 95117cee214861a05a4f7373b89c00a1c37a8a34 Mon Sep 17 00:00:00 2001
From: Bradley Shellnut
Date: Mon, 17 Jun 2024 13:06:45 -0700
Subject: [PATCH] Checking fully authenticated vs not fully authd vs not authd at all and performing select actions to login, clear cookie, etc.

---
 src/lib/flashMessages.ts | 7 +++++--
 src/lib/server/auth-utils.ts | 14 +++++++++-----
 .../(app)/(protected)/admin/+layout.server.ts | 12 ++++++------
 .../(protected)/admin/users/+page.server.ts | 6 ++----
 .../(protected)/collections/+page.server.ts | 9 ++++-----
 .../collections/[id]/+page.server.ts | 12 ++++++------
 .../collections/add/+page.server.ts | 5 ++---
 .../collections/add/bgg/+page.server.ts | 4 ++--
 .../(app)/(protected)/list/+layout.server.ts | 4 ++--
 .../(protected)/list/[id]/+page.server.ts | 12 ++++++------
 .../(app)/(protected)/profile/+page.server.ts | 4 ++--
 .../security/password/change/+page.server.ts | 6 +++---
 .../security/two-factor/+page.server.ts | 12 ++++++------
 .../two-factor/recovery-codes/+page.server.ts | 4 ++--
 .../(protected)/wishlists/+page.server.ts | 12 ++++++------
 .../wishlists/[id]/+page.server.ts | 12 ++++++------
 src/routes/(app)/+layout.server.ts | 19 ++++++++++++++++---
 src/routes/(app)/+page.server.ts | 16 ++++++++++------
 src/routes/(auth)/login/+page.server.ts | 18 +++++++++++++-----
 19 files changed, 108 insertions(+), 80 deletions(-)

diff --git a/src/lib/flashMessages.ts b/src/lib/flashMessages.ts
index 8eaf8d0..141ca4b 100644
--- a/src/lib/flashMessages.ts
+++ b/src/lib/flashMessages.ts
@@ -1,5 +1,8 @@
-export const notSignedInMessage = { type: 'error', message: 'You are not signed in' } as const;
+export const notSignedInMessage = {
+ type: 'error',
+ message: 'You are not signed in',
+} as const;
 export const forbiddenMessage = {
 type: 'error',
- message: 'You are not allowed to access this'
+ message: 'You are not allowed to access this',
 } as const;
diff --git a/src/lib/server/auth-utils.ts b/src/lib/server/auth-utils.ts
index 79cfa12..9852c14 100644
--- a/src/lib/server/auth-utils.ts
+++ b/src/lib/server/auth-utils.ts
@@ -24,9 +24,13 @@ export async function createPasswordResetToken(userId: string): Promise
 * @returns True if the user is not fully authenticated, otherwise false.
 */
 export function userNotFullyAuthenticated(user: User | null, session: Session | null) {
- console.log(
- 'userNotFullyAuthenticated?',
- user && session && (!session.isTwoFactorAuthEnabled || session.isTwoFactorAuthenticated),
- );
- return !user || !session || (session.isTwoFactorAuthEnabled && !session.isTwoFactorAuthenticated);
+ return user && session && session.isTwoFactorAuthEnabled && !session.isTwoFactorAuthenticated;
+}
+
+export function userNotAuthenticated(user: User | null, session: Session | null) {
+ return !user || !session || userNotFullyAuthenticated(user, session);
+}
+
+export function userFullyAuthenticated(user: User | null, session: Session | null) {
+ return !userNotAuthenticated(user, session);
 }
diff --git a/src/routes/(app)/(protected)/admin/+layout.server.ts b/src/routes/(app)/(protected)/admin/+layout.server.ts
index 5aeb414..0186128 100644
--- a/src/routes/(app)/(protected)/admin/+layout.server.ts
+++ b/src/routes/(app)/(protected)/admin/+layout.server.ts
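Review bot: `userNotFullyAuthenticated` now returns `user && session && …`, so its result is `User | Session | boolean | null` rather than a boolean, and the JSDoc context line above it (`@returns True if the user is not fully authenticated, otherwise false`) now describes what `userNotAuthenticated` does, not this function. The names also read backwards: `userNotAuthenticated` is true for a user who has logged in but not finished the second factor, while `userNotFullyAuthenticated` covers only that 2FA-pending case; since every protected route in this commit gates on `userNotAuthenticated`, the gate still fails closed, but the next reader will guess wrong. Suggest explicit boolean returns and a doc fix, e.g. `export function userNotFullyAuthenticated(user: User | null, session: Session | null): boolean { return !!user && !!session && session.isTwoFactorAuthEnabled && !session.isTwoFactorAuthenticated; }` with `@returns True when a user and session exist but the session is still waiting for its second factor.`, and declaring `userFullyAuthenticated` as a type predicate (`: user is User`) would let the callers in the later hunks drop their `user!.id!` assertions.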
@@ -2,18 +2,18 @@ import { redirect, loadFlash } from 'sveltekit-flash-message/server';
 import { forbiddenMessage, notSignedInMessage } from '$lib/flashMessages';
 import { eq } from 'drizzle-orm';
 import db from '../../../../db';
-import { user_roles } from '$db/schema';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userRoles } from '$db/schema';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export const load = loadFlash(async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }

- const userRoles = await db.query.user_roles.findMany({
- where: eq(user_roles.user_id, user.id),
+ const userRoles = await db.query.userRoles.findMany({
+ where: eq(user_roles.user_id, user!.id!),
 with: {
 role: {
 columns: {
@@ -23,7 +23,7 @@ export const load = loadFlash(async (event) => {
 },
 });

- const containsAdminRole = userRoles.some((user_role) => user_role?.role?.name === 'admin');
+ const containsAdminRole = userRoles.some((userRoles) => user_role?.role?.name === 'admin');
 if (!userRoles?.length || !containsAdminRole) {
 console.log('Not an admin');
 redirect(302, '/', forbiddenMessage, event);
diff --git a/src/routes/(app)/(protected)/admin/users/+page.server.ts b/src/routes/(app)/(protected)/admin/users/+page.server.ts
index fa41649..1e5dead 100644
--- a/src/routes/(app)/(protected)/admin/users/+page.server.ts
+++ b/src/routes/(app)/(protected)/admin/users/+page.server.ts
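Review bot: The admin role lookup in the first hunk is broken by the half-finished rename: `where: eq(user_roles.user_id, user!.id!)` still references `user_roles`, which is no longer imported, and the local `const userRoles` shadows the imported `userRoles` table, so the table cannot be named inside that initializer either. The second hunk has the same slip the other way round — the callback parameter became `userRoles` but the body still reads `user_role?.role?.name`, an undefined identifier. Both fail closed (the request errors before any admin check can pass), but the admin area is unusable; renaming the local resolves all three: `const roles = await db.query.userRoles.findMany({ where: eq(userRoles.user_id, user!.id!),`, `const containsAdminRole = roles.some((r) => r?.role?.name === 'admin');` and `if (!roles?.length || !containsAdminRole) {`. The `load` body continues outside both hunks.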
@@ -1,13 +1,11 @@
-import { redirect } from 'sveltekit-flash-message/server';
 import type { PageServerLoad } from './$types';
-import { notSignedInMessage } from '$lib/flashMessages';
 import db from '../../../../../db';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export const load: PageServerLoad = async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
diff --git a/src/routes/(app)/(protected)/collections/+page.server.ts b/src/routes/(app)/(protected)/collections/+page.server.ts
index 306d2e2..bd734aa 100644
--- a/src/routes/(app)/(protected)/collections/+page.server.ts
+++ b/src/routes/(app)/(protected)/collections/+page.server.ts
@@ -3,16 +3,15 @@ import { and, eq } from 'drizzle-orm';
 import { superValidate } from 'sveltekit-superforms/server';
 import { zod } from 'sveltekit-superforms/adapters';
 import { redirect } from 'sveltekit-flash-message/server';
-import { modifyListGameSchema, type ListGame } from '$lib/validations/zod-schemas';
-import { search_schema } from '$lib/zodValidation.js';
+import { modifyListGameSchema } from '$lib/validations/zod-schemas';
 import db from '../../../../db';
 import { collection_items, collections, games } from '$db/schema';
 import { notSignedInMessage } from '$lib/flashMessages';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export async function load(event) {
 const { user, session } = event.locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
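Review bot: In the admin/users hunk the guard's deny path is `return fail(401)` inside a `load`, and the file's first eleven lines import only `PageServerLoad`, `db` and `userNotAuthenticated` (the commit drops the `redirect` and `notSignedInMessage` imports), so unless `fail` is imported further down the guard throws a ReferenceError rather than denying cleanly. Returning `fail()` from a page load also only hands `{ status: 401 }` to the page as data instead of stopping the render; every other protected load in this commit uses `redirect(302, '/login', notSignedInMessage, event);`, and the list/+layout.server.ts hunk later on has the same shape with `throw fail(401)`. Using that redirect, or `error(401)` from `@sveltejs/kit`, in both places would make the deny behaviour uniform.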
@@ -23,7 +22,7 @@ export async function load(event) {
 name: true,
 created_at: true,
 },
- where: eq(collections.user_id, user.id),
+ where: eq(collections.user_id, user!.id!),
 });

 console.log('collections', userCollections);
diff --git a/src/routes/(app)/(protected)/collections/[id]/+page.server.ts b/src/routes/(app)/(protected)/collections/[id]/+page.server.ts
index 7f3a9f8..55335d5 100644
--- a/src/routes/(app)/(protected)/collections/[id]/+page.server.ts
+++ b/src/routes/(app)/(protected)/collections/[id]/+page.server.ts
@@ -8,14 +8,14 @@ import db from '../../../../../db';
 import { notSignedInMessage } from '$lib/flashMessages.js';
 import { collections, games, collection_items } from '$db/schema';
 import { search_schema } from '$lib/zodValidation';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export async function load(event) {
 const { locals, params, url } = event;
 const { user, session } = locals;
 const { id } = params;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
 const searchParams = Object.fromEntries(url?.searchParams);
@@ -104,7 +104,7 @@ export const actions: Actions = {
 add: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
@@ -153,7 +153,7 @@ export const actions: Actions = {
 create: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 return error(405, 'Method not allowed');
@@ -162,7 +162,7 @@ export const actions: Actions = {
 delete: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 return error(405, 'Method not allowed');
@@ -171,7 +171,7 @@ export const actions: Actions = {
 remove: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 const form = await superValidate(event, zod(modifyListGameSchema));
diff --git a/src/routes/(app)/(protected)/collections/add/+page.server.ts b/src/routes/(app)/(protected)/collections/add/+page.server.ts
index 936d098..40d590e 100644
--- a/src/routes/(app)/(protected)/collections/add/+page.server.ts
+++ b/src/routes/(app)/(protected)/collections/add/+page.server.ts
@@ -1,12 +1,11 @@
 import { redirect } from '@sveltejs/kit';
-import type { PageServerLoad } from '../$types';
 import { notSignedInMessage } from '$lib/flashMessages';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export async function load(event) {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
diff --git a/src/routes/(app)/(protected)/collections/add/bgg/+page.server.ts b/src/routes/(app)/(protected)/collections/add/bgg/+page.server.ts
index c1b1798..4150aea 100644
--- a/src/routes/(app)/(protected)/collections/add/bgg/+page.server.ts
+++ b/src/routes/(app)/(protected)/collections/add/bgg/+page.server.ts
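Review bot: In the collections/add hunk `redirect` comes from `@sveltejs/kit` (first context line) but is called as `redirect(302, '/login', notSignedInMessage, event)`, the four-argument form of `sveltekit-flash-message/server`; the kit version takes only a status and a location, so the extra arguments are ignored and the "You are not signed in" flash never reaches the login page. The redirect itself still fires, so the guard remains fail-closed; it is only the user-facing message that is lost. Every other protected load in this commit imports the flash-aware version, so the one-line fix is `import { redirect } from 'sveltekit-flash-message/server';`.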
@@ -3,13 +3,13 @@ import { superValidate } from 'sveltekit-superforms/server';
 import { zod } from 'sveltekit-superforms/adapters';
 import type { PageServerLoad } from '../$types';
 import { BggForm } from '$lib/zodValidation';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';
 import { notSignedInMessage } from '$lib/flashMessages';

 export const load: PageServerLoad = async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
diff --git a/src/routes/(app)/(protected)/list/+layout.server.ts b/src/routes/(app)/(protected)/list/+layout.server.ts
index 867507d..3e0f3ad 100644
--- a/src/routes/(app)/(protected)/list/+layout.server.ts
+++ b/src/routes/(app)/(protected)/list/+layout.server.ts
@@ -2,12 +2,12 @@ import { fail } from '@sveltejs/kit';
 import { eq } from 'drizzle-orm';
 import db from '../../../../db';
 import { wishlists } from '$db/schema';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';
 import { notSignedInMessage } from '$lib/flashMessages';

 export async function load({ locals }) {
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 throw fail(401);
 }
diff --git a/src/routes/(app)/(protected)/list/[id]/+page.server.ts b/src/routes/(app)/(protected)/list/[id]/+page.server.ts
index a3a6723..a0bb620 100644
--- a/src/routes/(app)/(protected)/list/[id]/+page.server.ts
+++ b/src/routes/(app)/(protected)/list/[id]/+page.server.ts
@@ -5,13 +5,13 @@ import { superValidate } from 'sveltekit-superforms/server';
 import db from '../../../../../db';
 import { modifyListGameSchema } from '$lib/validations/zod-schemas';
 import { games, wishlist_items, wishlists } from '$db/schema';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';
 import { notSignedInMessage } from '$lib/flashMessages';

 export async function load(event) {
 const { params, locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
@@ -44,7 +44,7 @@ export const actions: Actions = {
 add: async (event) => {
 const { params, locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 const form = await superValidate(event, zod(modifyListGameSchema));
@@ -102,7 +102,7 @@ export const actions: Actions = {
 create: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 },
@@ -110,7 +110,7 @@ export const actions: Actions = {
 delete: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 },
@@ -118,7 +118,7 @@ export const actions: Actions = {
 remove: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 },
diff --git a/src/routes/(app)/(protected)/profile/+page.server.ts b/src/routes/(app)/(protected)/profile/+page.server.ts
index da68048..3693831 100644
--- a/src/routes/(app)/(protected)/profile/+page.server.ts
+++ b/src/routes/(app)/(protected)/profile/+page.server.ts
@@ -9,12 +9,12 @@ import { notSignedInMessage } from '$lib/flashMessages';
 import db from '../../../../db';
 import type { PageServerLoad } from './$types';
 import { users } from '$db/schema';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export const load: PageServerLoad = async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
diff --git a/src/routes/(app)/(protected)/profile/security/password/change/+page.server.ts b/src/routes/(app)/(protected)/profile/security/password/change/+page.server.ts
index 630fba4..b0c6f95 100644
--- a/src/routes/(app)/(protected)/profile/security/password/change/+page.server.ts
+++ b/src/routes/(app)/(protected)/profile/security/password/change/+page.server.ts
@@ -11,13 +11,13 @@ import { lucia } from '$lib/server/auth.js';
 import { users } from '$db/schema';
 import { notSignedInMessage } from '$lib/flashMessages';
 import type { Cookie } from 'lucia';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export const load: PageServerLoad = async (event) => {
 const form = await superValidate(event, zod(changeUserPasswordSchema));
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
@@ -35,7 +35,7 @@ export const actions: Actions = {
 default: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
diff --git a/src/routes/(app)/(protected)/profile/security/two-factor/+page.server.ts b/src/routes/(app)/(protected)/profile/security/two-factor/+page.server.ts
index 9859763..ca8c124 100644
--- a/src/routes/(app)/(protected)/profile/security/two-factor/+page.server.ts
+++ b/src/routes/(app)/(protected)/profile/security/two-factor/+page.server.ts
@@ -13,7 +13,7 @@ import { addTwoFactorSchema, removeTwoFactorSchema } from '$lib/validations/acco
 import { notSignedInMessage } from '$lib/flashMessages';
 import db from '../../../../../../db';
 import { recoveryCodes, users } from '$db/schema';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export const load: PageServerLoad = async (event) => {
 const addTwoFactorForm = await superValidate(event, zod(addTwoFactorSchema));
@@ -21,12 +21,12 @@ export const load: PageServerLoad = async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
 const dbUser = await db.query.users.findFirst({
- where: eq(users.id, user.id),
+ where: eq(users.id, user!.id!),
 });
 if (dbUser?.two_factor_enabled) {
@@ -46,10 +46,10 @@ export const load: PageServerLoad = async (event) => {
 two_factor_secret: encodeHex(twoFactorSecret),
 two_factor_enabled: false,
 })
- .where(eq(users.id, user.id));
+ .where(eq(users.id, user!.id!));
 const issuer = 'bored-game';
- const accountName = user.email || user.username;
+ const accountName = user!.email! || user!.username!;
 // pass the website's name and the user identifier (e.g. email, username)
 const totpUri = createTOTPKeyURI(issuer, accountName, twoFactorSecret);
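Review bot: In the third two-factor hunk `const accountName = user!.email! || user!.username!;` asserts that `email` is non-null and then falls back to `username` anyway, so one of the two claims is wrong; `const accountName = user!.email ?? user!.username;` (or `||` if an empty string should also fall through) states the intent. The `user!` assertions here and in the two `eq(users.id, user!.id!)` lines in this file would not be needed if the guard narrowed `user`, since `userNotAuthenticated` already redirects on a null user. The `load` body continues outside these hunks.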
@@ -71,7 +71,7 @@ export const actions: Actions = {
 enableTwoFactor: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
diff --git a/src/routes/(app)/(protected)/profile/security/two-factor/recovery-codes/+page.server.ts b/src/routes/(app)/(protected)/profile/security/two-factor/recovery-codes/+page.server.ts
index 08a2a10..98ecd96 100644
--- a/src/routes/(app)/(protected)/profile/security/two-factor/recovery-codes/+page.server.ts
+++ b/src/routes/(app)/(protected)/profile/security/two-factor/recovery-codes/+page.server.ts
@@ -6,12 +6,12 @@ import { redirect } from 'sveltekit-flash-message/server';
 import { notSignedInMessage } from '$lib/flashMessages';
 import type { PageServerLoad } from '../../../$types';
 import { recoveryCodes, users } from '$db/schema';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export const load: PageServerLoad = async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
diff --git a/src/routes/(app)/(protected)/wishlists/+page.server.ts b/src/routes/(app)/(protected)/wishlists/+page.server.ts
index 3576214..8a086f8 100644
--- a/src/routes/(app)/(protected)/wishlists/+page.server.ts
+++ b/src/routes/(app)/(protected)/wishlists/+page.server.ts
@@ -7,12 +7,12 @@ import { modifyListGameSchema } from '$lib/validations/zod-schemas';
 import db from '../../../../db';
 import { notSignedInMessage } from '$lib/flashMessages.js';
 import { games, wishlist_items, wishlists } from '$db/schema';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export async function load(event) {
 const { params, locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
@@ -41,7 +41,7 @@ export const actions: Actions = {
 add: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 const form = await superValidate(event, zod(modifyListGameSchema));
@@ -89,7 +89,7 @@ export const actions: Actions = {
 create: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 return error(405, 'Method not allowed');
@@ -98,7 +98,7 @@ export const actions: Actions = {
 delete: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 return error(405, 'Method not allowed');
@@ -107,7 +107,7 @@ export const actions: Actions = {
 remove: async (event) => {
 const { params, locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 const form = await superValidate(event, zod(modifyListGameSchema));
diff --git a/src/routes/(app)/(protected)/wishlists/[id]/+page.server.ts b/src/routes/(app)/(protected)/wishlists/[id]/+page.server.ts
index 7b9b997..6852147 100644
--- a/src/routes/(app)/(protected)/wishlists/[id]/+page.server.ts
+++ b/src/routes/(app)/(protected)/wishlists/[id]/+page.server.ts
@@ -7,13 +7,13 @@ import { modifyListGameSchema } from '$lib/validations/zod-schemas';
 import db from '../../../../../db';
 import { notSignedInMessage } from '$lib/flashMessages.js';
 import { games, wishlist_items, wishlists } from '$db/schema';
-import { userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { userNotAuthenticated } from '$lib/server/auth-utils';

 export async function load(event) {
 const { params, locals } = event;
 const { user, session } = locals;
 const { id } = params;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 redirect(302, '/login', notSignedInMessage, event);
 }
@@ -44,7 +44,7 @@ export const actions: Actions = {
 add: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 const form = await superValidate(event, zod(modifyListGameSchema));
@@ -92,7 +92,7 @@ export const actions: Actions = {
 create: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 return error(405, 'Method not allowed');
@@ -101,7 +101,7 @@ export const actions: Actions = {
 delete: async ({ locals }) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 return error(405, 'Method not allowed');
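Review bot: In the `delete` action hunk of wishlists/[id] the guard the commit just changed can never run: the handler's parameter is `({ locals })` while the next line is `const { locals } = event;`, which re-declares `locals` and reads an `event` that does not exist in that scope. The handler ends in `error(405, …)` either way, so the exposure is a 500 instead of a 405 rather than an authorization gap, but it is dead code sitting where an auth check is expected; `delete: async (event) => {`, as in the sibling actions, fixes it.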
@@ -110,7 +110,7 @@ export const actions: Actions = {
 remove: async (event) => {
 const { locals } = event;
 const { user, session } = locals;
- if (userNotFullyAuthenticated(user, session)) {
+ if (userNotAuthenticated(user, session)) {
 return fail(401);
 }
 const form = await superValidate(event, zod(modifyListGameSchema));
diff --git a/src/routes/(app)/+layout.server.ts b/src/routes/(app)/+layout.server.ts
index 028bc42..5aa2068 100644
--- a/src/routes/(app)/+layout.server.ts
+++ b/src/routes/(app)/+layout.server.ts
@@ -1,10 +1,23 @@
 import { loadFlash } from 'sveltekit-flash-message/server';
 import type { LayoutServerLoad } from '../$types';
+import { userFullyAuthenticated, userNotFullyAuthenticated } from '$lib/server/auth-utils';
+import { lucia } from '$lib/server/auth';
+
+export const load: LayoutServerLoad = loadFlash(async (event) => {
+ const { url, locals, cookies } = event;
+ const { user, session } = locals;
+
+ if (userNotFullyAuthenticated(user, session)) {
+ await lucia.invalidateSession(locals.session!.id!);
+ const sessionCookie = lucia.createBlankSessionCookie();
+ cookies.set(sessionCookie.name, sessionCookie.value, {
+ path: '.',
+ ...sessionCookie.attributes,
+ });
+ }

-export const load: LayoutServerLoad = loadFlash(async ({ url, locals }) => {
- console.log('user from app', locals.user);
 return {
 url: url.pathname,
- user: locals.user
+ user: userFullyAuthenticated(user, session) ? locals.user : null,
 };
 });
diff --git a/src/routes/(app)/+page.server.ts b/src/routes/(app)/+page.server.ts
index 700111a..2bf4a35 100644
--- a/src/routes/(app)/+page.server.ts
+++ b/src/routes/(app)/+page.server.ts
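Review bot: After `lucia.invalidateSession(...)` and the blank-cookie `cookies.set(...)` in the `(app)/+layout.server.ts` hunk, `locals.user` and `locals.session` still hold the revoked session for the rest of this request, and SvelteKit runs layout and page server loads concurrently, so a page load in the same request can observe a session that has just been destroyed (it is still treated as 2FA-pending by `userNotAuthenticated`, so nothing is granted, only inconsistent). Adding `locals.user = null; locals.session = null;` right after `cookies.set(...)` keeps the in-request state in step with the cookie. The same invalidate-and-clear block is duplicated verbatim in the login hunk further down; a shared helper in auth-utils, or doing this once in `hooks.server.ts` where the session is resolved, avoids the two copies drifting. Worth confirming that the page where the second factor is entered does not live under `(app)`, since any navigation there now destroys the pending session instead of completing it.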
@@ -3,8 +3,12 @@ import { eq } from 'drizzle-orm';
 import type { PageServerLoad } from './$types';
 import db from '../../db';
 import { collections, wishlists } from '$db/schema';
+import { userFullyAuthenticated } from '$lib/server/auth-utils';
+
+export const load: PageServerLoad = async (event) => {
+ const { locals, url } = event;
+ const { user, session } = locals;

-export const load: PageServerLoad = async ({ locals, url }) => {
 const image = {
 url: `${
 new URL(url.pathname, url.origin).href
@@ -37,21 +41,21 @@ export const load: PageServerLoad = async ({ locals, url }) => {
 },
 });

- const user = locals.user;
- if (user) {
+ if (userFullyAuthenticated(user, session)) {
+ console.log('Sending back user details');
 const userWishlists = await db.query.wishlists.findMany({
 columns: {
 cuid: true,
 name: true,
 },
- where: eq(wishlists.user_id, user.id),
+ where: eq(wishlists.user_id, user!.id!),
 });
 const userCollection = await db.query.collections.findMany({
 columns: {
 cuid: true,
 name: true,
 },
- where: eq(collections.user_id, user.id),
+ where: eq(collections.user_id, user!.id!),
 });
 console.log('Wishlists', userWishlists);
@@ -59,5 +63,5 @@ export const load: PageServerLoad = async ({ locals, url }) => {
 return { metaTagsChild: metaTags, user, wishlists: userWishlists, collections: userCollection };
 }
- return { metaTagsChild: metaTags, user: locals.user, wishlists: [], collections: [] };
+ return { metaTagsChild: metaTags, user: null, wishlists: [], collections: [] };
 };
diff --git a/src/routes/(auth)/login/+page.server.ts b/src/routes/(auth)/login/+page.server.ts
index c1576bc..37449b8 100644
--- a/src/routes/(auth)/login/+page.server.ts
+++ b/src/routes/(auth)/login/+page.server.ts
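Review bot: The new `console.log('Sending back user details')` in the second `(app)/+page.server.ts` hunk is debug output that will hit production logs on every authenticated home-page request, next to the pre-existing `console.log('Wishlists', userWishlists)` that dumps user data; dropping both or routing them through a leveled logger is the cleaner end state. The branch returns `user`, i.e. the whole `locals.user`, to the client; its shape is not visible from this diff, so if it carries more than display fields a projection such as `user: { id: user!.id, username: user!.username }` would limit what is serialized into page data. The `load` body continues between and after these hunks.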
@@ -1,8 +1,6 @@
 import { fail, error, type Actions } from '@sveltejs/kit';
 import { and, eq } from 'drizzle-orm';
 import { Argon2id } from 'oslo/password';
-import { decodeHex } from 'oslo/encoding';
-import { TOTPController } from 'oslo/otp';
 import { zod } from 'sveltekit-superforms/adapters';
 import { setError, superValidate } from 'sveltekit-superforms/server';
 import { redirect } from 'sveltekit-flash-message/server';
@@ -10,15 +8,25 @@ import { RateLimiter } from 'sveltekit-rate-limiter/server';
 import db from '../../../db';
 import { lucia } from '$lib/server/auth';
 import { signInSchema } from '$lib/validations/auth';
-import { users, recoveryCodes, type Users } from '$db/schema';
+import { users, type Users } from '$db/schema';
 import type { PageServerLoad } from './$types';
+import { userFullyAuthenticated, userNotFullyAuthenticated } from '$lib/server/auth-utils';

 export const load: PageServerLoad = async (event) => {
- if (event.locals.user) {
+ const { locals, cookies } = event;
+ const { user, session } = event.locals;
+
+ if (userFullyAuthenticated(user, session)) {
 const message = { type: 'success', message: 'You are already signed in' } as const;
 throw redirect('/', message, event);
+ } else if (userNotFullyAuthenticated(user, session)) {
+ await lucia.invalidateSession(locals.session!.id!);
+ const sessionCookie = lucia.createBlankSessionCookie();
+ cookies.set(sessionCookie.name, sessionCookie.value, {
+ path: '.',
+ ...sessionCookie.attributes,
+ });
 }
-
 const form = await superValidate(event, zod(signInSchema));
 return {
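Review bot: `const { locals, cookies } = event;` followed by `const { user, session } = event.locals;` destructures `locals` and then bypasses it on the very next line; `const { user, session } = locals;` matches the other hunks in this commit. The `else if` branch repeats the invalidate-and-clear block from `(app)/+layout.server.ts`, and once it runs `locals.session` still references the invalidated session for the remainder of this `load` (which continues past `return {` outside the hunk); nulling `locals.user` and `locals.session` there, or moving the block into a shared helper, keeps the two copies from drifting. Since this runs on a plain GET of `/login`, a user who is mid-2FA and revisits the login page has the pending session destroyed rather than being routed to the second-factor step — confirm that is the intended flow.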