Skip to content

Fix logout not revoking the refresh token#79

Merged
ICubE01 merged 3 commits into
mainfrom
bugfix/logout
Jun 29, 2026
Merged

Fix logout not revoking the refresh token#79
ICubE01 merged 3 commits into
mainfrom
bugfix/logout

Conversation

@ICubE01

@ICubE01 ICubE01 commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Summary

  • Logging out now actually revokes the server-side refresh token. The request went to /api/auth/logout, but the refresh_token cookie is path-scoped to /api/auth/refresh, so it was never sent and the token was never destroyed — a "logged out" session could still be refreshed. Logout is now DELETE /api/auth/refresh.

Backend

Bugfix

  • AuthController.logout moved from POST /api/auth/logout to DELETE /api/auth/refresh so the path-scoped refresh_token cookie is included in the request.
  • SecurityConfig: permit DELETE /api/auth/refresh (replacing the POST /api/auth/logout matcher).

Refactor

  • Rename AuthService.logout to AuthService.destroyRefreshToken.
  • Rename MeResponse to UserAuthDto.

Frontend

Bugfix

  • useAuth.logout now calls DELETE /api/auth/refresh instead of POST /api/auth/logout.

Refactor

  • Rename the MeResponse type to UserAuthDto.

ICubE01 added 3 commits June 30, 2026 03:36
- Refresh token cookie was not being sent due to cookie's path: `POST /api/auth/refresh`
- Logout path was `POST /api/auth/logout`
- Now modified to `DELETE /api/auth/refresh`, representing that the refresh token is being destroyed
@ICubE01
ICubE01 merged commit 20b1285 into main Jun 29, 2026
2 checks passed
@ICubE01
ICubE01 deleted the bugfix/logout branch June 29, 2026 18:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant