:sparkles: Notes added for refactor before merge

backend/lib/auth/strategies/jwt.js

         verifyOptions: {
             algorithms: ['HS256'],
         },
+        // check the h object to see if the activeSessions is accessible from it
+        //
+        // check useronlinestatus branch request.server.app
         validate: (decoded, request, h) => {
             // QUESTION: How can we authenticate both Session and Access Tokens here?
+            // Always check rawAccessToken, if it fails, we check the session, if session is valid, then we reissue
+            // if session is NOT valid, DELETE the session (and kick user back to login)
+            // TODO: set up cron job to occassionaly clean up activeSessions
             const token = request.headers.authorization
             try {
                 const validatedJwt = JWT.verify(token, process.env.APP_SECRET)

backend/lib/routes/user/email.js

                         userCredentials.email
                     )
                 })
+                if (!hashedSessionToken.length) {
+                    throw Error('hashedSessionToken not Found!!')
+                }
                 return {
                     ok: true,
                     handler: pluginConfig.handlerType,

backend/lib/routes/user/verifyactivesession.js

                 ).find(hashedToken => {
                     return hashedToken === hash
                 })
+                if (!hashToMatch.length) {
+                    throw Error('hashToMatch Not Found!')
+                }
                 const now = Date.now()
-                // TODO: convert this back to a date object
-                const expiration =
-                    userService.activeSessions[`${hash}`].expiration
+                const expiration = new Date(
+                    userService.activeSessions[`${hash}`].expiration,
+                )
                 if (now > expiration) {
                     delete userService.activeSessions[hashToMatch]
                     throw new Error(
                 if (!hashToMatch) {
                     throw new Error('no record of email in cache')
                 }
-
                 return {
                     ok: true,
                     handler: pluginConfig.handlerType,
                     data: {
                         hashesMatch: hashToMatch === hash,
-                        sessionToken:
-                            userService.activeSessions[`${hash}`].sessionToken,
                     },
                 }
             } catch (err) {

backend/lib/services/user.js

 const apiInstance = new SibApiV3Sdk.TransactionalEmailsApi()
 
 const hashToken = async token => {
-    // QUESTION: How to best create random salt...?
+    // Give it a .env file phrase, NOT RANDOM
     const salt = crypto.randomBytes(16).toString('base64')
+    // const salt = process.env.salt
     try {
         return crypto.createHmac('sha256', salt).update(token).digest('hex')
     } catch (err) {
             // expires: expirationTime in seconds
             // }
         }
+        // Check the hashedCookie which is our hashedSessionToken string
+        // validate whether or not the rawAccessToken is still valid, if valid good to go.
+        // if NOT valid, then we need to reassign accessToken to a newAccessToken
+        // this.activeSessions = {
+        // eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...hashedSessionToken: {
+        // accessToken: 'as;dflkja;;dlfkja;sldkf... rawAccessToken'
+        // }
+        // }
 
         this.pwd = {
             hash: Util.promisify(pwd.hash.bind(pwd)),
      * @returns {Token}
      */
     // TODO: remove testing console.log() messages once onboarding auth is working
+    // REFACTOR: Have this function only do one thing (UNIX philsophy)
     validateSession(hashedSessionToken) {
         console.log('this.activeSessions :=>', this.activeSessions)
         if (!this.activeSessions[hashedSessionToken]) {
                 'hashedSessionToken not in activeSessions registry!',
             )
         }
-
+        // BREAK OUT INTO ANOTHER FUNC
         const rawSessionToken =
             this.activeSessions[hashedSessionToken].sessionToken
         const accessToken = this.activeSessions[hashedSessionToken].accessToken
                 'hashedSessionToken is in activeSessions registry, but rawSessionToken does not exist',
             )
         }
+        // ANOTHER FUNC HERE
         const sessionTokenIsValid = this.validateToken(rawSessionToken)
         console.log('sessionTokenIsValid :=>', sessionTokenIsValid)
         const accessTokenIsValid = this.validateToken(accessToken)
         console.log('accessTokenIsValid :=>', accessTokenIsValid)
 
         // Both sessionToken and accessToken are expired
-        if (!sessionTokenIsValid.payload && !accessTokenIsValid.payload) {
-            console.log('session is expired! kicking you off!')
-            return sessionTokenIsValid
-        }
-        if (sessionTokenIsValid.payload && !accessTokenIsValid.payload) {
+        // createAccessToken()
+        //
+        if (!accessTokenIsValid.payload) {
             console.log(
                 'sessionToken is valid, but accessToken is null or is expired :=>',
             )
                 payload: sessionTokenIsValid.payload,
             })
             this.activeSessions[hashedSessionToken].accessToken = accessToken
-        } else if (!sessionTokenIsValid.payload && accessTokenIsValid.payload) {
-            console.log(
-                'accessToken is valid, but sessionToken has expired :=>',
-            )
-            const newSessionToken = this.createToken({
-                payload: accessTokenIsValid.payload,
-            })
-            this.activeSessions[hashedSessionToken].sessionToken =
-                newSessionToken
         }
         return {
             ...sessionTokenIsValid.payload,

frontend/src/views/OnboardingView.vue

             // TODO: Validate All routes hit by these methods using tokens in headers
             // NOTE: This can be accomplished using sessionData.sessionToken,
             // as it currently has the raw session token in it
+
+            // Move this logic onto the backend and have it
+            // returned in verifySession(hashedSessionToken)
             const userId = await this.grabUserIdByEmail(
                 sessionData.email,
                 sessionData.sessionToken,
                 cookieKey in cookies ? cookies[`${cookieKey}`] : undefined
             return cookieVal
         },
+        // NOTE: sessionToken is flying around far too often
+        // hashedAccessToken
         async verifySession(hashedSessionToken) {
             if (!hashedSessionToken)
                 return console.warn('WARNING :=> sessionToken is not defined')

frontend/src/views/VerifyView.vue

                 hashedToken,
             )
             if (!sessionData.hashesMatch)
-                throw new Error('Hash is not in registry!')
-            else return sessionData.sessionToken
+                throw new Error('Hash is not in activeSessions!')
         },
         async isSessionTokenValid(hash) {
             const sessionTokenIsValid =