Barazo default frontend barazo.forum

fix(auth): include credentials in logout request (#90)

The logout function was not sending `credentials: 'include'`, so the
HTTP-only refresh cookie was never sent to the backend. The backend
couldn't find the session, returned 204 (no-op), and the cookie was
never cleared. On page refresh, the silent refresh would re-authenticate
using the still-valid cookie.

authored by

Guido X Jansen and committed by
GitHub
2aa3e743 bd82b13c

+9 -2
+9 -2
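--- a/src/lib/api/client.ts
+++ b/src/lib/api/client.ts
@@ -142,11 +142,18 @@
 return response.json() as Promise<AuthSession>
 }
 
-export function logout(accessToken: string): Promise<void> {
-return apiFetch<void>('/api/auth/session', {
+export async function logout(accessToken: string): Promise<void> {
+const url = `${API_URL}/api/auth/session`
+const response = await fetch(url, {
 method: 'DELETE',
 headers: { Authorization: `Bearer ${accessToken}` },
+credentials: 'include',
 })
+
+if (!response.ok && response.status !== 204) {
+const body = await response.text().catch(() => 'Unknown error')
+throw new ApiError(response.status, `API ${response.status}: ${body}`)
+}
 }
 
 export function getCurrentUser(accessToken: string): Promise<AuthUser> {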
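Review bot: In the new error check, `response.status !== 204` can never change the outcome, because `response.ok` already covers every 2xx status including 204; `if (!response.ok) {` is equivalent and clearer. More important for the fix itself: when this branch throws (or `fetch` rejects), the HTTP-only refresh cookie has not been cleared, so the caller, which is outside this hunk, presumably needs to surface the failure rather than treat the user as signed out; otherwise the silent refresh described in the commit message would sign them back in. The thrown message also embeds the raw response body, so if `ApiError.message` is ever rendered or logged client-side, consider truncating it. A short comment above the fetch such as `// credentials: 'include' is required so the HTTP-only refresh cookie reaches the backend and can be cleared` would keep a later refactor back to `apiFetch` from dropping it.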