Summary
There is no working logout in the web app. Both the client trigger and the server endpoint are stubs, so a logged-in user cannot sign out. (User-reported as #83 back in 2023; this issue captures the root cause and the two code paths that need work.)
Details
1. Client: the "Logout" menu item does nothing
src/app/Home.tsx renders the AppBar profile menu's logout entry as:
handleClose (src/app/Home.tsx:74) only closes the menu:
It never calls Firebase signOut, never hits the server DELETE /session, and never redirects. Clicking "Logout" is a no-op.
2. Server: DELETE /session is a non-responding stub
src/server/authn.ts:238:
It never clears the seshcookie session and never sends a response, so any client request to it would hang until the socket times out. (Note: src/app/config/rsbuild/shared.config.js already proxies /session and /logout to the backend, but only /session is a real route -- tracked separately in tech-debt entry #51.)
Why it matters
Correctness / user expectation: a visible "Logout" control that does nothing is a broken affordance. The original reporter (logout does not work? #83) hit exactly this while trying to check whether their project was publicly visible.
Security / shared-machine hygiene: there is no supported way to end a session from the UI; the only workaround is clearing cookies manually.
Relevant now: the team is doing a "fix rough edges before deploying" pass over src/app, and this is one of the rougher edges.
Components affected
src/app (Home.tsx -- wire the menu item to a real logout handler: Firebase signOut, then DELETE /session, then redirect to the login page)
src/server (authn.ts -- implement DELETE /session to destroy the seshcookie session / req.logout() and send a response)
Possible approach
In authn.ts, implement the DELETE /session handler: req.logout() (Passport) and/or clear the seshcookie session object, then res.sendStatus(200).
In Home.tsx, add a handleLogout that calls signOut(getAuth()), awaits fetch('/session', { method: 'DELETE' }), and navigates to /. Use it as the menu item's onClick.
Add tests (server route test for DELETE /session; client handler test for the logout flow).
Context
Identified during UI-cleanup work on src/app (the "fix rough edges before deploying" pass). Pre-existing -- the DELETE /session stub and the handleClose-as-logout wiring both predate current work. Supersedes / subsumes #83.
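The flow listed under "Possible approach", as an added example that is not the repository's code. Express, Passport, seshcookie and Firebase are stood in for by small interfaces (SessionRequest, SessionResponse, LogoutDeps and LogoutResult are assumed names), and it goes one step beyond the issue text: a failed Firebase signOut does not skip DELETE /session.

```typescript
// Added example, not the repository's code. Express/Passport/seshcookie and
// Firebase are replaced by small assumed interfaces so the logic runs alone.
interface SessionRequest {
  session: Record<string, unknown>; // cookie-backed session object (assumed shape)
  logout?: (done: (err?: unknown) => void) => void; // Passport-style req.logout(cb)
}
interface SessionResponse { sendStatus(code: number): void; }

// Server: body for DELETE /session.
function deleteSession(req: SessionRequest, res: SessionResponse): void {
  const finish = (err?: unknown): void => {
    // Empty the session even if Passport reported an error.
    for (const key of Object.keys(req.session)) delete req.session[key];
    // Always answer; a handler that never responds leaves the client hanging.
    res.sendStatus(err ? 500 : 200);
  };
  if (req.logout) req.logout(finish); else finish();
}

interface LogoutDeps {
  signOut: () => Promise<void>; // e.g. () => signOut(getAuth())
  request: (url: string, init: { method: string }) => Promise<{ ok: boolean }>; // e.g. fetch
  navigate: (path: string) => void;
}
interface LogoutResult { firebase: boolean; server: boolean; }

// Client: onClick handler for the "Logout" menu item.
async function handleLogout(deps: LogoutDeps): Promise<LogoutResult> {
  const result: LogoutResult = { firebase: false, server: false };
  try {
    await deps.signOut();
    result.firebase = true;
  } catch { /* still end the server session below */ }
  try {
    const resp = await deps.request("/session", { method: "DELETE" });
    result.server = resp.ok;
  } catch { /* network failure: the session cookie may still be valid */ }
  deps.navigate("/");
  return result;
}
```

When `server` comes back false the UI can tell the user that the session cookie may still be valid on this machine.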