fix(auth): logout clears guest cookie #2

Merged
omkarbhad merged 1 commit into main from fix/guest-logout on May 9, 2026
Conversation

@omkarbhad (Collaborator)

Summary

Guests had no working logout. Clicking sign-out hit GET /api/auth/logout → magnova-auth federated signout → no magnova session for a guest → bounced back, guest cookie still set → validateSessionOrGuest re-created the same guest user → infinite "logged in as guest" state.

Two-line fix really:

  • POST /api/auth/logout now clears graphini_guest_id alongside graphini_session.
  • authStore.logout() POSTs instead of GETs, then force-reloads to /.

GET path stays for federated OAuth signout. Nothing currently calls it; available if we add a "sign out everywhere" affordance later.

Test plan

  • Incognito → app → guest cookie set → click sign out → both cookies cleared, page at /, sidebar shows "Guest User" label not a stale signed-in state
  • Sign up local account → log in → click sign out → graphini_session cleared, no stale guest cookie
  • Real user with active session before this change can still sign out cleanly
  • Guest→real-user merge at login still works (unchanged code path)

Guests had no working logout. The client called GET /api/auth/logout
which routes to magnova-auth's federated signout — guests have no
magnova session, so they bounced through an external provider that
returned indeterminate state and landed back on graphini with their
graphini_guest_id cookie still set. validateSessionOrGuest then
re-created the same guest user on the next request, making logout a
no-op.

Two changes:

1. POST /api/auth/logout now clears both graphini_session AND
   graphini_guest_id (via the existing clearGuestCookieHeader helper).
   Idempotent — either or both may be present; clearing both is safe.
   GET still serves federated signout for OAuth users who specifically
   want their upstream session terminated.

2. authStore.logout() POSTs instead of GETs. The POST response carries
   the Set-Cookie that actually removes the cookies; we then
   window.location.href = '/' to force a clean reload. The previous
   client-side `document.cookie = 'graphini_session=; Path=/; Max-Age=0'`
   was redundant (server clears it) and never touched the guest cookie
   (which is HttpOnly, not deletable from JS anyway).

The federated-signout GET path stays for completeness; nothing in the
current UI calls it. If we want OAuth users to also terminate their
magnova session at logout, a separate authStore.federatedLogout() can
be added later.

Reuses clearGuestCookieHeader and clearLocalSessionCookie from
$lib/server/auth — no new server primitives.
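The logout flow the PR describes, as an added example that is not graphini's code: a hypothetical POST /api/auth/logout handler that expires both cookies, a simulated browser cookie jar that honours HttpOnly, and a resolvePrincipal() modelled on validateSessionOrGuest as the description explains it. The cookie names come from the PR; the cookie attributes (Path=/, Secure, SameSite=Lax), the handler shape, the jar and the sample values are assumptions.

```javascript
const SESSION_COOKIE = 'graphini_session';   // names as in the PR
const GUEST_COOKIE = 'graphini_guest_id';

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Set-Cookie value that expires a cookie. Path (and Domain, if one was used when the
// cookie was set) must match the original attributes, otherwise the browser treats this
// as a different cookie and the original survives. Attributes here are assumed.
function clearCookieHeader(name) {
  return `${name}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`;
}

// Server side of POST /api/auth/logout (hypothetical handler shaped after the PR text).
// Both cookies are cleared unconditionally: a guest carries only graphini_guest_id and a
// signed-in user only graphini_session, so clearing both is idempotent and needs no branching.
function handleLogoutPost(request) {
  const present = parseCookieHeader(request.headers.cookie);
  return {
    status: 204,
    setCookie: [clearCookieHeader(SESSION_COOKIE), clearCookieHeader(GUEST_COOKIE)],
    clearedNames: [SESSION_COOKIE, GUEST_COOKIE].filter((n) => n in present), // for audit logs
  };
}

// Minimal browser cookie jar: name -> { value, httpOnly }. Applies Set-Cookie headers,
// deleting a cookie when Max-Age is zero or negative.
function applySetCookies(jar, setCookieHeaders) {
  const next = { ...jar };
  for (const header of setCookieHeaders) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const lower = attrs.map((a) => a.toLowerCase());
    const maxAge = lower.find((a) => a.startsWith('max-age='));
    if (maxAge !== undefined && Number(maxAge.slice('max-age='.length)) <= 0) {
      delete next[name];
    } else {
      next[name] = { value: pair.slice(eq + 1), httpOnly: lower.includes('httponly') };
    }
  }
  return next;
}

// What the old `document.cookie = 'graphini_session=; Path=/; Max-Age=0'` could achieve:
// page scripts can neither read nor expire HttpOnly cookies, so for those it was a no-op.
function clientSideDelete(jar, name) {
  const next = { ...jar };
  if (next[name] && !next[name].httpOnly) delete next[name];
  return next;
}

// Request-time principal resolution modelled on validateSessionOrGuest as the PR describes
// it: a valid session wins, else an existing guest cookie is reused, else a new guest is minted.
function resolvePrincipal(jar, validSessions) {
  const sid = jar[SESSION_COOKIE]?.value;
  if (sid && validSessions.has(sid)) return { kind: 'user', id: validSessions.get(sid) };
  const gid = jar[GUEST_COOKIE]?.value;
  if (gid) return { kind: 'guest', id: gid };
  return { kind: 'guest', id: 'guest-' + Math.random().toString(16).slice(2) };
}

function cookieHeader(jar) {
  return Object.entries(jar).map(([n, c]) => `${n}=${c.value}`).join('; ');
}

// Round trip: log out via POST, apply the response cookies, resolve the next request.
function logoutRoundTrip(jar, validSessions) {
  const before = resolvePrincipal(jar, validSessions);
  const res = handleLogoutPost({ headers: { cookie: cookieHeader(jar) } });
  const after = applySetCookies(jar, res.setCookie);
  const next = resolvePrincipal(after, validSessions);
  return { before, next, cleared: res.clearedNames, cookiesLeft: Object.keys(after).length };
}

// Test-plan bullet 1: a guest signs out; the next request must not resurrect the same guest.
function guestLogoutScenario() {
  const jar = { [GUEST_COOKIE]: { value: 'guest-abc', httpOnly: true } }; // constructed
  const jsOnly = clientSideDelete(jar, GUEST_COOKIE);                      // old approach
  const r = logoutRoundTrip(jar, new Map());
  return { ...r, jsDeleteWorked: !(GUEST_COOKIE in jsOnly), resurrected: r.next.id === r.before.id };
}

// Test-plan bullet 2: a local-account user signs out and becomes a fresh guest, not a stale user.
function userLogoutScenario() {
  const jar = { [SESSION_COOKIE]: { value: 'sess-123', httpOnly: true } }; // constructed
  return logoutRoundTrip(jar, new Map([['sess-123', 'user-42']]));
}
```

The example models cookie clearing only, which is what the PR changes; server-side revocation of the session record is a separate concern and is not shown. The check that matters for the guest case is `resurrected === false`: once the guest cookie is gone, the next request mints a different guest rather than reviving the old one.
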

@vercel (bot) commented May 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project  | Deployment | Actions | Updated (UTC)       |
| graphini | Error      | Error   | May 9, 2026 1:38pm  |

@omkarbhad omkarbhad merged commit 6c872af into main May 9, 2026
2 of 5 checks passed
@omkarbhad omkarbhad deleted the fix/guest-logout branch May 9, 2026 13:38