feat(auth): rewrite logout action to call /api/auth/logout then clear fa_session

The backend POST invalidates the spring_session row and writes the
LOGOUT audit entry; the client cookie is deleted unconditionally so a
network blip during logout still logs the user out locally.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/routes/logout/+page.server.ts

@@ -1,12 +1,30 @@
 import { redirect } from '@sveltejs/kit';
+import { env } from '$env/dynamic/private';
 import type { Actions } from './$types';
 
 export const actions = {
-	default: async ({ cookies }) => {
+	default: async ({ cookies, fetch }) => {
-		// Das Auth-Cookie löschen
+		const sessionId = cookies.get('fa_session');
+
+		// Best-effort backend logout: invalidates the server-side session row
+		// and writes the LOGOUT audit entry. The client cookie is deleted
+		// unconditionally below so a network failure here still logs the user out.
+		if (sessionId) {
+			try {
+				const baseUrl = env.API_INTERNAL_URL || 'http://localhost:8080';
+				await fetch(`${baseUrl}/api/auth/logout`, {
+					method: 'POST',
+					headers: { Cookie: `fa_session=${sessionId}` }
+				});
+			} catch (e) {
+				console.error('Backend logout failed; clearing client cookie anyway', e);
+			}
+		}
+
+		cookies.delete('fa_session', { path: '/' });
+		// Also drop the legacy Basic-auth cookie in case a stale one lingers from before the migration.
 		cookies.delete('auth_token', { path: '/' });
 
-		// Zur Login-Seite werfen
+		throw redirect(303, '/login');
-		throw redirect(302, '/login');
 	}
 } satisfies Actions;