From 05be28d7f376fc053fb476e077c14a2c63e35551 Mon Sep 17 00:00:00 2001
From: Haelnorr
Date: Sat, 7 Feb 2026 17:58:02 +1100
Subject: [PATCH] fixed fatal bug after access token expires
---
 hwsauth/logout.go | 16 ++++++++++------
 hwsauth/reauthenticate.go | 37 ++++++++++++++++++++++++-------------
 2 files changed, 34 insertions(+), 19 deletions(-)
diff --git a/hwsauth/logout.go b/hwsauth/logout.go
index 08fcfa4..ca3b4c2 100644
--- a/hwsauth/logout.go
+++ b/hwsauth/logout.go
@@ -33,13 +33,17 @@ func (auth *Authenticator[T, TX]) Logout(tx TX, w http.ResponseWriter, r *http.R
 if err != nil {
 return errors.Wrap(err, "auth.getTokens")
 }
- err = aT.Revoke(jwt.DBTransaction(tx))
- if err != nil {
- return errors.Wrap(err, "aT.Revoke")
+ if aT != nil {
+ err = aT.Revoke(jwt.DBTransaction(tx))
+ if err != nil {
+ return errors.Wrap(err, "aT.Revoke")
+ }
 }
- err = rT.Revoke(jwt.DBTransaction(tx))
- if err != nil {
- return errors.Wrap(err, "rT.Revoke")
+ if rT != nil {
+ err = rT.Revoke(jwt.DBTransaction(tx))
+ if err != nil {
+ return errors.Wrap(err, "rT.Revoke")
+ }
 }
 cookies.DeleteCookie(w, "access", "/")
 cookies.DeleteCookie(w, "refresh", "/")
diff --git a/hwsauth/reauthenticate.go b/hwsauth/reauthenticate.go
index ce9db58..394aca1 100644
--- a/hwsauth/reauthenticate.go
+++ b/hwsauth/reauthenticate.go
@@ -34,7 +34,7 @@ func (auth *Authenticator[T, TX]) RefreshAuthTokens(tx TX, w http.ResponseWriter
 rememberMe := map[string]bool{
 "session": false,
 "exp": true,
- }[aT.TTL]
+ }[rT.TTL]
 // issue new tokens for the user
 err = jwt.SetTokenCookies(w, r, auth.tokenGenerator, rT.SUB, true, rememberMe, auth.SSL)
 if err != nil {
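Review bot: In `Logout` (hwsauth/logout.go), every error return — `auth.getTokens` rejecting a cookie that is present but no longer validates, or either `Revoke` failing — still exits before the two `cookies.DeleteCookie` calls at the end of this hunk, so the browser keeps both tokens after a failed logout; the new nil guards only cover a cookie that is absent. Clearing the cookies does not depend on the database, so the two `cookies.DeleteCookie(w, ..., "/")` lines could be deferred at the top of the function instead of running last. An `aT.Revoke` error also skips `rT.Revoke`, here and in `revokeTokenPair` in hwsauth/reauthenticate.go; if the transaction is still usable at that point, revoking the refresh token first would protect the credential that presumably lives longer. `Logout` begins and continues outside this hunk, so the caller's handling of the returned error is not visible.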
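Review bot: `rT.TTL` and `rT.SUB` are dereferenced in `RefreshAuthTokens` (hwsauth/reauthenticate.go) although `getTokens`, as changed later in this commit, returns a nil `rT` with a nil error when the refresh cookie is empty; assuming `rT` comes from that helper, a request without a refresh cookie would hit the same kind of nil-pointer panic this commit removes for `aT`. The lines between the token lookup and the `rememberMe` map are outside the hunk, so a guard may already exist. If it does not, add one before the map lookup, for example `if rT == nil { return errors.New("no refresh token") }`, so the missing-cookie case becomes an ordinary authentication failure.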
@@ -55,13 +55,20 @@ func (auth *Authenticator[T, TX]) getTokens(
 ) (*jwt.AccessToken, *jwt.RefreshToken, error) {
 // get the existing tokens from the cookies
 atStr, rtStr := jwt.GetTokenCookies(r)
- aT, err := auth.tokenGenerator.ValidateAccess(jwt.DBTransaction(tx), atStr)
- if err != nil {
- return nil, nil, errors.Wrap(err, "tokenGenerator.ValidateAccess")
+ var aT *jwt.AccessToken
+ var rT *jwt.RefreshToken
+ var err error
+ if atStr != "" {
+ aT, err = auth.tokenGenerator.ValidateAccess(jwt.DBTransaction(tx), atStr)
+ if err != nil {
+ return nil, nil, errors.Wrap(err, "tokenGenerator.ValidateAccess")
+ }
 }
- rT, err := auth.tokenGenerator.ValidateRefresh(jwt.DBTransaction(tx), rtStr)
- if err != nil {
- return nil, nil, errors.Wrap(err, "tokenGenerator.ValidateRefresh")
+ if rtStr != "" {
+ rT, err = auth.tokenGenerator.ValidateRefresh(jwt.DBTransaction(tx), rtStr)
+ if err != nil {
+ return nil, nil, errors.Wrap(err, "tokenGenerator.ValidateRefresh")
+ }
 }
 return aT, rT, nil
 }
@@ -72,13 +79,17 @@ func revokeTokenPair(
 aT *jwt.AccessToken,
 rT *jwt.RefreshToken,
 ) error {
- err := aT.Revoke(tx)
- if err != nil {
- return errors.Wrap(err, "aT.Revoke")
+ if aT != nil {
+ err := aT.Revoke(tx)
+ if err != nil {
+ return errors.Wrap(err, "aT.Revoke")
+ }
 }
- err = rT.Revoke(tx)
- if err != nil {
- return errors.Wrap(err, "rT.Revoke")
+ if rT != nil {
+ err := rT.Revoke(tx)
+ if err != nil {
+ return errors.Wrap(err, "rT.Revoke")
+ }
 }
 return nil
 }
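Review bot: `getTokens` now returns a nil `*jwt.AccessToken` or `*jwt.RefreshToken` together with a nil error when the corresponding cookie is empty, and `(nil, nil, nil)` when both are, but nothing on the function records that contract. Every caller has to nil-check before use, so a doc comment should say so: `// getTokens validates the access and refresh cookies; a token whose cookie is absent is returned as nil with no error, so callers must nil-check both.` A cookie that is present but fails validation still returns an error before the refresh token is examined, which is worth stating in the same comment. The function's signature begins above this hunk.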
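Review bot: The nil-guarded revoke sequence in `revokeTokenPair` is now repeated statement for statement in `Logout` (hwsauth/logout.go), so the two copies of the revocation logic can drift apart on the next fix. `Logout` could call `revokeTokenPair(jwt.DBTransaction(tx), aT, rT)` instead, assuming the `tx` parameter here has that type; its declaration is above the hunk. Within this function the two separate `err :=` declarations can be folded into the conditions, e.g. `if err := aT.Revoke(tx); err != nil {`.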