diff --git a/migrations/20230714235551_fix-2fa-type.sql b/migrations/20230714235551_fix-2fa-type.sql
new file mode 100644
index 000000000..36144f3f3
--- /dev/null
+++ b/migrations/20230714235551_fix-2fa-type.sql
@@ -0,0 +1 @@
+ALTER TABLE users ALTER COLUMN totp_secret TYPE varchar(32);
\ No newline at end of file
diff --git a/src/auth/email/button_notif.html b/src/auth/email/button_notif.html
index f90364d9b..32fc863d8 100644
--- a/src/auth/email/button_notif.html
+++ b/src/auth/email/button_notif.html
@@ -33,10 +33,10 @@
diff --git a/src/auth/flows.rs b/src/auth/flows.rs
index 026b24e81..4fc5bc054 100644
--- a/src/auth/flows.rs
+++ b/src/auth/flows.rs
@@ -773,7 +773,7 @@ pub async fn init(
 url: info.url,
 provider: info.provider,
 }
- .insert(Utc::now() + Duration::minutes(30), &redis)
+ .insert(Duration::minutes(30), &redis)
 .await?;
 let url = info.provider.get_redirect_url(state)?;
@@ -845,7 +845,7 @@ pub async fn auth_callback(
 if user.totp_secret.is_some() {
 let flow = Flow::Login2FA { user_id: user.id }
- .insert(Utc::now() + Duration::minutes(30), &redis)
+ .insert(Duration::minutes(30), &redis)
 .await?;
 let redirect_url = format!(
@@ -1164,7 +1164,7 @@ pub async fn create_account_with_password(
 user_id,
 confirm_email: new_account.email.clone(),
 }
- .insert(Utc::now() + Duration::hours(24), &redis)
+ .insert(Duration::hours(24), &redis)
 .await?;
 send_email_verify(
@@ -1253,7 +1253,7 @@ pub async fn login_password(
 if user.totp_secret.is_some() {
 let flow = Flow::Login2FA { user_id: user.id }
- .insert(Utc::now() + Duration::minutes(30), &redis)
+ .insert(Duration::minutes(30), &redis)
 .await?;
 Ok(HttpResponse::Ok().json(serde_json::json!({
@@ -1381,7 +1381,7 @@ pub async fn begin_2fa_flow(
 user_id: user.id.into(),
 secret: encoded.to_string(),
 }
- .insert(Utc::now() + Duration::minutes(30), &redis)
+ .insert(Duration::minutes(30), &redis)
 .await?;
 Ok(HttpResponse::Ok().json(serde_json::json!({
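Review bot: The flow lifetime is now a bare `Duration::minutes(30)` literal at the call site in `init`, and the same 30-minute and 24-hour values are repeated in the `auth_callback`, `create_account_with_password`, `login_password`, `begin_2fa_flow`, `reset_password_begin`, `set_email` and `resend_verify_email` hunks. These are the TTLs of one-time authentication tokens, so they deserve a single named definition that can be reviewed once, e.g. `fn login_flow_ttl() -> Duration { Duration::minutes(30) }` and `fn email_flow_ttl() -> Duration { Duration::hours(24) }` (or `const` items if the crate's chrono version makes these constructors `const`). The e-mail text in `send_email_verify` promises "expires in 24 hours", and a named value is the only thing that keeps that sentence and the Redis TTL from drifting apart. `init` starts and ends outside the hunk.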
@@ -1514,7 +1514,7 @@ pub async fn remove_2fa(
 req: HttpRequest,
 pool: Data,
 redis: Data,
- login: web::Json,
+ login: web::Json,
 session_queue: Data,
 ) -> Result {
 let (scopes, user) =
@@ -1604,7 +1604,7 @@ pub async fn reset_password_begin(
 if let Some(user) = user {
 let flow = Flow::ForgotPassword { user_id: user.id }
- .insert(Utc::now() + Duration::hours(24), &redis)
+ .insert(Duration::hours(24), &redis)
 .await?;
 if let Some(email) = user.email {
@@ -1820,7 +1820,7 @@ pub async fn set_email(
 user_id: user.id.into(),
 confirm_email: email.email.clone(),
 }
- .insert(Utc::now() + Duration::hours(24), &redis)
+ .insert(Duration::hours(24), &redis)
 .await?;
 send_email_verify(
@@ -1863,7 +1863,7 @@ pub async fn resend_verify_email(
 user_id: user.id.into(),
 confirm_email: email.clone(),
 }
- .insert(Utc::now() + Duration::hours(24), &redis)
+ .insert(Duration::hours(24), &redis)
 .await?;
 send_email_verify(email, flow, "We need to verify your email address.")?;
@@ -1940,6 +1940,6 @@ fn send_email_verify(
 "Verify your email",
 opener,
 "Please visit the following link below to verify your email. If the button does not work, you can copy the link and paste it into your browser. This link expires in 24 hours.",
- Some(("Reset password", &format!("{}/{}?flow={}", dotenvy::var("SITE_VERIFY_EMAIL_PATH")?, dotenvy::var("SITE_RESET_PASSWORD_PATH")?, flow))),
+ Some(("Verify email", &format!("{}/{}?flow={}", dotenvy::var("SITE_URL")?, dotenvy::var("SITE_VERIFY_EMAIL_PATH")?, flow))),
 )
 }
diff --git a/src/auth/session.rs b/src/auth/session.rs
index 27af05e1d..d33bd6207 100644
--- a/src/auth/session.rs
+++ b/src/auth/session.rs
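Review bot: The verification link in the `send_email_verify` hunk is assembled as `format!("{}/{}?flow={}", SITE_URL, SITE_VERIFY_EMAIL_PATH, flow)` with no normalisation of the two configuration values, so a `SITE_URL` that ends in `/` (or a path that begins with one) produces a `//` in the link users are told to click; `dotenvy::var("SITE_URL")?.trim_end_matches('/')` would make the result independent of how the deployment writes the variable. The `flow` token is interpolated without percent-encoding, which is only safe while tokens stay alphanumeric, as the `Alphanumeric` distribution imported in flow_item.rs suggests they are; a one-line comment such as `// flow tokens are alphanumeric, so the value needs no URL encoding` would record that assumption where a future change to the token format would see it. `send_email_verify` begins before the hunk.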
@@ -167,7 +167,7 @@ pub async fn delete(
 let session = DBSession::get(info.into_inner().0, &**pool, &redis).await?;
 if let Some(session) = session {
- if session.user_id != current_user.id.into() {
+ if session.user_id == current_user.id.into() {
 let mut transaction = pool.begin().await?;
 DBSession::remove(session.id, &mut transaction).await?;
 DBSession::clear_cache(
diff --git a/src/database/models/flow_item.rs b/src/database/models/flow_item.rs
index 8349a4c4a..8cf44b0f8 100644
--- a/src/database/models/flow_item.rs
+++ b/src/database/models/flow_item.rs
@@ -1,7 +1,7 @@
 use super::ids::*;
 use crate::auth::flows::AuthProvider;
 use crate::database::models::DatabaseError;
-use chrono::{DateTime, Timelike, Utc};
+use chrono::Duration;
 use rand::distributions::Alphanumeric;
 use rand::Rng;
 use rand_chacha::rand_core::SeedableRng;
@@ -38,7 +38,7 @@ pub enum Flow {
 impl Flow {
 pub async fn insert(
 &self,
- expires: DateTime,
+ expires: Duration,
 redis: &deadpool_redis::Pool,
 ) -> Result {
 let mut redis = redis.get().await?;
@@ -53,7 +53,7 @@ impl Flow {
 .arg(format!("{}:{}", FLOWS_NAMESPACE, flow))
 .arg(serde_json::to_string(&self)?)
 .arg("EX")
- .arg(expires.second())
+ .arg(expires.num_seconds())
 .query_async::<_, ()>(&mut redis)
 .await?;
diff --git a/src/models/pats.rs b/src/models/pats.rs
index b96aa2ce0..f3c9e8f63 100644
--- a/src/models/pats.rs
+++ b/src/models/pats.rs
@@ -79,10 +79,10 @@ bitflags::bitflags! {
 // read a user's sessions
 const SESSION_READ = 1 << 28;
- // delete a session22
+ // delete a session
 const SESSION_DELETE = 1 << 29;
- const ALL = 0b11111111111111111111111111111;
+ const ALL = 0b111111111111111111111111111111;
 const NOT_RESTRICTED = 0b00000011111111111111100111;
 const NONE = 0b0;
 }
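Review bot: The path taken when the session exists but `session.user_id` is not the caller's — the `else` side of the corrected `if` in `delete` — lies outside the hunk, and it is now the part that carries the authorization decision; it should produce exactly the same response as the `None` case of `DBSession::get` so the endpoint cannot be used to learn whether an arbitrary session id is live. Because the previous condition let an authenticated user remove sessions they did not own, a regression test for `delete` covering own session, another user's session and an unknown id is warranted alongside this fix. `delete` starts and ends outside the hunk.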
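Review bot: `insert` now takes `expires: Duration` where it previously took a `DateTime`, but the signature carries no documentation saying the value is a time-to-live measured from the moment of insertion, which is exactly the distinction the old and new callers differ on. A doc comment on the method would pin it: `/// Stores the flow under a fresh random token and asks Redis to expire it `expires` after insertion.` The method body continues past the hunk.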
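Review bot: `expires.num_seconds()` is an `i64` handed straight to the `EX` argument, and Redis rejects a zero or negative expiry on `SET`, while any sub-second part of the `Duration` is silently truncated; a caller passing a too-short or negative TTL would therefore get an opaque Redis error rather than a clear one. A check near the top of `insert`, e.g. `debug_assert!(expires > Duration::zero(), "flow TTL must be positive");` or a `u64::try_from(expires.num_seconds())` that maps failure to the function's existing error type, makes the contract explicit. The `SET` builder begins before the hunk.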
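Review bot: `ALL` remains a hand-counted binary literal, which is how the previous value fell one bit short once `SESSION_DELETE` (bit 29) was added, and every future scope will require the same manual edit. Deriving it keeps it correct by construction, e.g. `const ALL = (1 << 30) - 1; // every flag through SESSION_DELETE (bit 29)`, or composing the named flags with `.bits()` if the crate's bitflags version accepts that in `const` position. `NOT_RESTRICTED` is a deliberate subset, so rather than a formula a comment listing the scopes it intentionally omits would help reviewers check it.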