fix: clear the rt cookie on logout

2025-04-02 12:43:32 +03:00 · 2025-04-02 12:43:32 +03:00 · 700f2e4090
commit 700f2e4090
parent 998176c3f9
1 changed files with 19 additions and 1 deletions
--- a/server/pkg/service/tokens.go
+++ b/server/pkg/service/tokens.go
@ -53,6 +53,13 @@ type tokensResource struct {
 func (rs tokensResource) Routes() chi.Router {
 	r := chi.NewRouter()

+	// Protected routes (access token required)
+	r.Group(func(r chi.Router) {
+		r.Use(requireAccessToken(rs.JWTSecret))
+		r.Post("/logout", rs.HandleLogout) // POST /auth/logout - revoke all refresh cookies
+	})
+
+	// Protected routes (refresh token required)
 	r.Group(func(r chi.Router) {
 		r.Use(requireRefreshToken(rs.JWTSecret))
 		r.Post("/refresh", rs.RefreshAccessToken) // POST /auth/refresh - convert refresh token to new token pair
@ -175,12 +182,23 @@ func (rs tokensResource) HandleLogout(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// Clear the refresh token cookie
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1, // Expires immediately
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+	})
+
 	if err := rs.Tokens.RevokeAllUserRefreshTokens(r.Context(), userID); err != nil {
 		respondError(w, http.StatusInternalServerError, "Failed to logout")
 		return
 	}

-	respondJSON(w, http.StatusOK, map[string]string{"status": "logged out"})
+	w.WriteHeader(http.StatusNoContent)
 }

 func getTokenFromRequest(r *http.Request) (string, error) {