Be safer about removals from the active tokens list

cpp/web_server.cpp

@@ -80,21 +80,30 @@ WebServer::WebServer(QObject *parent) : QObject(parent) {}
 }
 
 [[nodiscard]] bool WebServer::validate_token(const QString& token) {
-    // Always 64 characters
+    // Validate token length
     if (token.size() != 64) return false;
-    // Can't validate the active token if there aren't any
+
+    // If there are no active tokens, validation fails
     if (_active_tokens.isEmpty()) return false;
-    // Always present in active_tokens, and not expired
+
+    // Check if the token exists in the active tokens map
     auto it = _active_tokens.find(token);
-    if (it != _active_tokens.end() && it.value() >= QDateTime::currentDateTime()) return true;
+    if (it != _active_tokens.end()) {
-    else {
+        // Check if the token is not expired
+        if (it.value() >= QDateTime::currentDateTime()) return true;
+
+        // Token is expired, erase it safely
         _active_tokens.erase(it);
 
+        // Also remove the token from the person map, if it exists
         auto person_it = _token_person.find(token);
         if (person_it != _token_person.end()) _token_person.erase(person_it);
 
         return false;
     }
+
+    // Token not found
+    return false;
 }
 
 [[nodiscard]] QHttpServerResponse WebServer::verify_session_token(const QHttpServerRequest &request, const QHttpHeaders &headers) {