fix(auth): include credentials in logout request (#90)
The logout function was not sending `credentials: 'include'`, so the
HTTP-only refresh cookie was never sent to the backend. The backend
couldn't find the session, returned 204 (no-op), and the cookie was
never cleared. On page refresh, the silent refresh would re-authenticate
using the still-valid cookie.
authored by