feat(api): POST /api/auth/logout
Deletes the session row keyed by the cookie/bearer token and clears the cookie on the client. Best-effort DB delete — logout still succeeds for the client if the row's already gone. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -17,6 +17,43 @@ import (
|
||||
// so an abandoned laptop doesn't stay logged in forever.
|
||||
const sessionCookieMaxAge = 30 * 24 * time.Hour
|
||||
|
||||
func (h *handlers) handleLogout(w http.ResponseWriter, r *http.Request) {
|
||||
// The session token can be on the cookie OR bearer header — RequireUser
|
||||
// accepted either. Re-resolve it here so we can delete the row.
|
||||
token := sessionTokenFromHTTP(r)
|
||||
if token != "" {
|
||||
if err := dbq.New(h.pool).DeleteSessionByTokenHash(r.Context(), auth.HashSessionToken(token)); err != nil {
|
||||
h.logger.Warn("api: delete session failed", "err", err)
|
||||
// Continue — logout is best-effort; the client still gets the
|
||||
// cookie cleared.
|
||||
}
|
||||
}
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: auth.SessionCookieName,
|
||||
Value: "",
|
||||
Path: "/",
|
||||
HttpOnly: true,
|
||||
SameSite: http.SameSiteStrictMode,
|
||||
MaxAge: -1,
|
||||
})
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
}
|
||||
|
||||
// sessionTokenFromHTTP duplicates the internal helper in internal/auth
|
||||
// because that one is unexported. Cheap to repeat here; keeping the auth
|
||||
// package's internal helper package-private is worth more than DRY.
|
||||
func sessionTokenFromHTTP(r *http.Request) string {
|
||||
if c, err := r.Cookie(auth.SessionCookieName); err == nil && c.Value != "" {
|
||||
return c.Value
|
||||
}
|
||||
h := r.Header.Get("Authorization")
|
||||
const prefix = "bearer "
|
||||
if len(h) > len(prefix) && (h[:7] == "Bearer " || h[:7] == "bearer ") {
|
||||
return h[len(prefix):]
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (h *handlers) handleLogin(w http.ResponseWriter, r *http.Request) {
|
||||
var req LoginRequest
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
|
||||
Reference in New Issue
Block a user