Implement Logout Endpoint

[ayshadogo]

Description:
Allow users to securely log out by invalidating their refresh token.

Tasks:

• Create POST /api/auth/logout
• Require authentication
• Clear the stored refresh token from the database
• Return 200 OK

Acceptance Criteria:
After logout, using the refresh token returns 403.

---

[Eniola3321]

Hi Maintainers,
I’m interested in working on this issue. I’m a backend developer with experience in Node.js, APIs, and Web3/blockchain concepts.
I’ve reviewed the issue and I’m confident I can contribute a clean solution.
Kindly assign it to me if it’s open. Thanks!

[gelluisaac]

I’m interested in tackling this! I have a strong background in smart contract development and full-stack systems, so I'm well-equipped to handle the requirements here. Could you please assign this to me?

[chiscookeke11]

Hi, I am Okeke Chinedu. I have implemented secure JWT authentication flows with refresh token rotation and invalidation in production systems. I’ve handled similar logout mechanisms where refresh tokens are stored, cleared, and validated server-side to prevent reuse.

ETA: 3–5 hours

Approach:

• Create POST /api/auth/logout (authenticated route)
• Remove/clear stored refresh token from user record in DB
• Return 200 OK on successful logout
• Ensure refresh endpoint checks DB-stored token and returns 403 if invalidated
• Verify post-logout refresh attempts fail as expected

This ensures secure session termination and prevents reuse of invalidated refresh tokens.

[devJaja]

Hello, I'm a smart contract and full stack developer, open for contributions. contributed to over 20 project on OnlyDust and Drips , with expertise in Solidity, Cairo, JavaScript, TypeScript, and RUST. I am passionate about building secure and scalable blockchain solutions, and I would love the opportunity to contribute my skills toward solving this issue

[ussyalfaks]

I would like to contribute by implementing a secure logout endpoint (POST /api/auth/logout) that requires authentication, clears the user’s stored refresh token from the database, and returns 200 OK. I will also ensure that after logout, any attempt to use the old refresh token correctly returns 403, and I will write tests to validate this behavior.

[ryzen-xp]

Hi maintainers 👋
I’m a blockchain developer with strong expertise in Stellar, Rust,TS and Stellar SDK integrations. I’ve worked on multiple Stellar-based smart contract and backend systems.

I understand the scope of this issue and can deliver a reliable, production-quality solution with proper tests and documentation.
Plz assign me !!

ETA: 14 hours

[auracule007]

Hi maintainers, I'm Promise Adedokun. I'm a full-stack developer with 4+ years of experience in building secure authentication systems and backend APIs. I'd like to work on this logout endpoint. I can implement the POST route with proper authentication, clear the refresh token from the database, and ensure that the token becomes invalid for future requests. My ETA is 2-3 hours.

[feyishola]

Hi Maintainer(s),
I have experience implementing secure JWT authentication flows with refresh token management. For this issue, I would create a protected POST /api/auth/logout endpoint that clears the stored refresh token (or its hash) from the database for the authenticated user. This ensures the token can no longer be used, and any subsequent refresh attempt would correctly return a 403 response.

[System625]

Hi there! I'd love to take on issue: Implement Logout Endpoint.

I'm a frontend developer experienced with React, Next.js, TypeScript and Tailwind CSS building scalable web applications.

My approach:

• Create a new authenticated endpoint in an auth-related Endpoint class (e.g., AuthEndpoint or extend existing):
• Register the endpoint in endpoints.yaml or via code.
• Ensure endpoint requires auth.
• On success: delete refresh token entry(s) from AuthKey table (or equivalent if using JWT refresh rotation).
• Client-side: call this POST endpoint with valid access token; clear local tokens after 200.
• Acceptance: Subsequent refresh token use (e.g., via /refresh or auto-refresh) fails → 403 Forbidden (no valid refresh token found).

This securely invalidates the refresh token server-side, preventing reuse and meeting all acceptance criteria.

PR will include:

• New/updated Endpoint method
• Endpoint registration/mapping
• Test snippet or manual verification steps (logout → refresh fails with 403)

ETA: within 24 hours.

Looking forward to your feedback!

Best,
Olamiposi (System625)

[Olowodarey]

Hello, I’m Darey Olowo, a frontend and smart contract developer with experience building and shipping reliable features. I’d like to take on this issue and deliver a solid solution within 24 hours.

[nafiuishaaq]

Hello, I'm a smart contract and full stack developer, open for contributions. contributed to over 20 project on OnlyDust and Drips , with expertise in Solidity, Cairo, JavaScript, TypeScript, and RUST. I am passionate about building secure and scalable blockchain solutions, and I would love the opportunity to contribute my skills toward solving this issue

[nafiuishaaq]

Hello, I'm a smart contract and full stack developer, open for contributions. contributed to over 20 project on OnlyDust and Drips , with expertise in Solidity, Cairo, JavaScript, TypeScript, and RUST. I am passionate about building secure and scalable blockchain solutions, and I would love the opportunity to contribute my skills toward solving this issue

[milah-247]

Hi AysahDogo, the wonderful maintainer,

I’d love to work on this issue to implement the logout endpoint. I’ll create POST /api/auth/logout, ensure it requires authentication, clear the stored refresh token from the database, and return a 200 OK response. After logout, any attempt to use the invalidated refresh token will correctly return 403, meeting the acceptance criteria. This will ensure users can securely log out and maintain the integrity of our authentication system. Please assign this issue to me , I’m ready to start immediately