fix: clear the rt cookie on logout

server/pkg/service/tokens.go

@@ -53,6 +53,13 @@ type tokensResource struct {
 func (rs tokensResource) Routes() chi.Router {
 	r := chi.NewRouter()
 
+	// Protected routes (access token required)
+	r.Group(func(r chi.Router) {
+		r.Use(requireAccessToken(rs.JWTSecret))
+		r.Post("/logout", rs.HandleLogout) // POST /auth/logout - revoke all refresh cookies
+	})
+
+	// Protected routes (refresh token required)
 	r.Group(func(r chi.Router) {
 		r.Use(requireRefreshToken(rs.JWTSecret))
 		r.Post("/refresh", rs.RefreshAccessToken) // POST /auth/refresh - convert refresh token to new token pair
@@ -175,12 +182,23 @@ func (rs tokensResource) HandleLogout(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Clear the refresh token cookie
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1, // Expires immediately
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+	})
+
 	if err := rs.Tokens.RevokeAllUserRefreshTokens(r.Context(), userID); err != nil {
 		respondError(w, http.StatusInternalServerError, "Failed to logout")
 		return
 	}
 
-	respondJSON(w, http.StatusOK, map[string]string{"status": "logged out"})
+	w.WriteHeader(http.StatusNoContent)
 }
 
 func getTokenFromRequest(r *http.Request) (string, error) {