From bfdf64975c5606d0c7b61e188be7a2f405b1c472 Mon Sep 17 00:00:00 2001 From: Marcel Date: Sun, 17 May 2026 20:53:20 +0200 Subject: [PATCH] feat(auth): rewrite logout action to call /api/auth/logout then clear fa_session The backend POST invalidates the spring_session row and writes the LOGOUT audit entry; the client cookie is deleted unconditionally so a network blip during logout still logs the user out locally. Co-Authored-By: Claude Sonnet 4.6 --- frontend/src/routes/logout/+page.server.ts | 26 ++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/frontend/src/routes/logout/+page.server.ts b/frontend/src/routes/logout/+page.server.ts index 43147f4f..6085b00f 100644 --- a/frontend/src/routes/logout/+page.server.ts +++ b/frontend/src/routes/logout/+page.server.ts @@ -1,12 +1,30 @@ import { redirect } from '@sveltejs/kit'; +import { env } from '$env/dynamic/private'; import type { Actions } from './$types'; export const actions = { - default: async ({ cookies }) => { - // Das Auth-Cookie löschen + default: async ({ cookies, fetch }) => { + const sessionId = cookies.get('fa_session'); + + // Best-effort backend logout: invalidates the server-side session row + // and writes the LOGOUT audit entry. The client cookie is deleted + // unconditionally below so a network failure here still logs the user out. + if (sessionId) { + try { + const baseUrl = env.API_INTERNAL_URL || 'http://localhost:8080'; + await fetch(`${baseUrl}/api/auth/logout`, { + method: 'POST', + headers: { Cookie: `fa_session=${sessionId}` } + }); + } catch (e) { + console.error('Backend logout failed; clearing client cookie anyway', e); + } + } + + cookies.delete('fa_session', { path: '/' }); + // Also drop the legacy Basic-auth cookie in case a stale one lingers from before the migration. cookies.delete('auth_token', { path: '/' }); - // Zur Login-Seite werfen - throw redirect(302, '/login'); + throw redirect(303, '/login'); } } satisfies Actions;
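Review bot: The response from `/api/auth/logout` is never inspected, so a 4xx/5xx from the backend (session row not invalidated, LOGOUT audit entry not written) is treated as success and only a thrown network error reaches the `catch`; the client cookie is then gone while the server-side session may still be live, which undercuts the commit's stated goal of invalidating the `spring_session` row. Assign the result and log non-OK statuses so the gap is at least visible: `const res = await fetch(...)` followed by `if (!res.ok) console.error('Backend logout returned', res.status, '- server-side session may still be valid');`. The call also has no timeout, so an unresponsive backend stalls the logout action before any cookie is cleared; passing `signal: AbortSignal.timeout(5000)` in the fetch options keeps it best-effort in practice. Whether `cookies.delete('fa_session', { path: '/' })` matches the attributes the cookie was set with (domain, path) cannot be confirmed from this hunk — verify against the login action, since a mismatched delete leaves the cookie in the browser.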