diff --git a/api/src/controllers/auth.ts b/api/src/controllers/auth.ts
index 6c56e89..1bb3dd5 100644
--- a/api/src/controllers/auth.ts
+++ b/api/src/controllers/auth.ts
@@ -234,9 +234,10 @@ const verifyAuthCode = async (
 jwt.verify(code, process.secrets.AUTH_CODE_SECRET, (err, data) => {
 if (err) return resolve(undefined)
+ const payload = data as InfoJWT
 const clientInfo: InfoJWT = {
- clientId: data?.clientId,
- userId: data?.userId
+ clientId: payload?.clientId,
+ userId: payload?.userId
 }
 if (clientInfo.clientId === clientId) {
 return resolve(clientInfo)
diff --git a/api/src/controllers/web.ts b/api/src/controllers/web.ts
index 527cbe9..b584ab8 100644
--- a/api/src/controllers/web.ts
+++ b/api/src/controllers/web.ts
@@ -106,7 +106,7 @@ const login = async (
 const rateLimiter = RateLimiter.getInstance()
 if (!validPass) {
- const retrySecs = await rateLimiter.consume(req.ip, user?.username)
+ const retrySecs = await rateLimiter.consume(req.ip || 'unknown', user?.username)
 if (retrySecs > 0) throw errors.tooManyRequests(retrySecs)
 }
@@ -114,7 +114,7 @@ const login = async (
 if (!validPass) throw errors.invalidPassword
 // Reset on successful authorization
- rateLimiter.resetOnSuccess(req.ip, user.username)
+ rateLimiter.resetOnSuccess(req.ip || 'unknown', user.username)
 req.session.loggedIn = true
 req.session.user = {
diff --git a/api/src/middlewares/bruteForceProtection.ts b/api/src/middlewares/bruteForceProtection.ts
index 82edc1a..3d4995f 100644
--- a/api/src/middlewares/bruteForceProtection.ts
+++ b/api/src/middlewares/bruteForceProtection.ts
@@ -3,7 +3,7 @@ import { convertSecondsToHms } from '@sasjs/utils'
 import { RateLimiter } from '../utils'
 export const bruteForceProtection: RequestHandler = async (req, res, next) => {
- const ip = req.ip
+ const ip = req.ip || 'unknown'
 const username = req.body.username
 const rateLimiter = RateLimiter.getInstance()
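Review bot: `const payload = data as InfoJWT` only silences the compiler; jwt.verify hands the callback either an object payload or a plain string, and the assertion checks neither, so the code stays safe only because of the `payload?.clientId` optional chaining that the new type says is unnecessary. The object built from it is also resolved as soon as `clientId` matches, even when `payload.userId` is undefined, so callers receive an InfoJWT with a missing user. Replace the cast with a runtime guard before building clientInfo, e.g. `if (typeof data !== 'object' || data === null) return resolve(undefined)` followed by `if (typeof data.clientId !== 'string' || typeof data.userId !== 'string') return resolve(undefined)`, and build clientInfo from the narrowed value. The same unchecked cast is introduced in getTokensFromDB.ts (`const payload = decoded as InfoJWT`) and deserves the same guard. verifyAuthCode starts and ends outside the hunk.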
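Review bot: `req.ip || 'unknown'` makes every request without a resolvable address share one rate-limit key, so if the limiter keys on the address, failures from any such client count against all of them and one source can exhaust the shared bucket; the same fallback is added at the `resetOnSuccess` line and in bruteForceProtection.ts. Whether `req.ip` is empty at all depends on the Express trust-proxy configuration, which is not visible here; when it is empty, keying on the username alone or rejecting the request is safer than a shared sentinel, and either choice should be logged so the condition is noticed. At minimum move the literal into one place, e.g. a `clientKey(req)` helper next to RateLimiter returning `req.ip || 'unknown'`, instead of repeating it three times across two files. login starts and ends outside the hunk.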
diff --git a/api/src/routes/api/spec/web.spec.ts b/api/src/routes/api/spec/web.spec.ts
index f5529aa..9babb85 100644
--- a/api/src/routes/api/spec/web.spec.ts
+++ b/api/src/routes/api/spec/web.spec.ts
@@ -277,7 +277,7 @@ const performLogin = async (
 .set('x-xsrf-token', csrfToken)
 .send(credentials)
- return { authCookies: header['set-cookie'].join() }
+ return { authCookies: header['set-cookie']?.join() || '' }
 }
 const extractCSRF = (text: string) =>
diff --git a/api/src/utils/getTokensFromDB.ts b/api/src/utils/getTokensFromDB.ts
index a527086..4eb3e96 100644
--- a/api/src/utils/getTokensFromDB.ts
+++ b/api/src/utils/getTokensFromDB.ts
@@ -1,5 +1,6 @@
 import jwt from 'jsonwebtoken'
 import User from '../model/User'
+import { InfoJWT } from '../types/InfoJWT'
 const isValidToken = async (
 token: string,
@@ -11,7 +12,8 @@ const isValidToken = async (
 jwt.verify(token, key, (err, decoded) => {
 if (err) return reject(false)
- if (decoded?.userId === userId && decoded?.clientId === clientId) {
+ const payload = decoded as InfoJWT
+ if (payload?.userId === userId && payload?.clientId === clientId) {
 return resolve(true)
 }
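Review bot: `header['set-cookie']?.join() || ''` turns a login response that set no cookies into an empty `authCookies` string, so a broken session setup no longer fails inside performLogin and surfaces later, if at all, as an unexplained unauthorized response in whichever test uses the cookies. If the helper is meant to always receive session cookies, fail fast instead: `if (!header['set-cookie']) throw new Error('login response set no cookies')`. If some callers deliberately log in without cookies, keep the fallback but say so in a comment on the helper. performLogin starts outside the hunk.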