
auth logout does not revoke API key server-side #470

@umag

Description

The swamp auth logout command only deletes the local ~/.config/swamp/auth.json file. It does not call any server-side API to revoke or delete the API key. The AuthCredentials interface stores an apiKeyId field (described as "The API key ID for revocation" in auth_credentials.ts:27), but it is never used.

Steps to Reproduce

  1. Run swamp auth login to authenticate and create an API key
  2. Copy ~/.config/swamp/auth.json to a backup location
  3. Run swamp auth logout
  4. Restore the backup auth.json to ~/.config/swamp/auth.json
  5. Run swamp auth whoami — the API key still works

Alternatively, read the source:

  1. Open src/cli/commands/auth_logout.ts (lines 34-48)
  2. Observe it calls repo.delete() which removes the local file only
  3. Search for any server-side revocation call:
    grep -rn "revoke\|deleteApiKey\|delete.*api.key" src/
    
    Returns nothing.
  4. Open src/infrastructure/http/swamp_club_client.ts — no deleteApiKey or revokeApiKey method exists

Expected Behavior

swamp auth logout should revoke the API key on the server using the stored apiKeyId before deleting the local credentials file. After logout, the API key should no longer be accepted by swamp.club.

Actual Behavior

Only the local file is deleted. The API key remains valid on the server indefinitely. If an attacker has copied auth.json (via malware, backup exposure, or shared filesystem), running logout does not invalidate their copy.

// auth_logout.ts lines 34-48 — only local deletion
const repo = new AuthRepository();
const credentials = await repo.load();
if (!credentials) { /* already logged out */ return; }
await repo.delete();  // Only deletes ~/.config/swamp/auth.json

Impact

If a user's machine is compromised and the attacker copies auth.json, the user has no way to invalidate the stolen API key. Running swamp auth logout gives a false sense of security — the attacker retains access to swamp.club indefinitely. Additionally, each swamp auth login creates a new API key without revoking old ones, so stale keys accumulate on the server over time.

Summary of Fix

This affects auth_logout.ts and swamp_club_client.ts. The fix would involve:

  • Adding a deleteApiKey(apiKeyId) or revokeApiKey(apiKeyId) method to SwampClubClient that calls the BetterAuth API key deletion endpoint
  • Updating auth logout to call this method using the stored apiKeyId before deleting the local file
  • Handling the case where the server call fails gracefully (still delete local file, but warn the user to revoke manually via the web UI)
  • Optionally, listing and revoking old CLI API keys during auth login for the same hostname

Environment

  • swamp version: 20260225.011820.0-sha.4c63442a
  • OS: All supported platforms
  • Source commit: 4c63442
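The logout flow proposed under "Summary of Fix", as an added example that is not part of the issue or of the swamp code base. It assumes hypothetical names and shapes (a SwampClubClient.revokeApiKey method, an in-memory AuthRepository standing in for ~/.config/swamp/auth.json, a fake transport, and a guessed /api/auth/api-key/delete endpoint; the real BetterAuth API-key route is not claimed here). It also replays the issue's reproduction steps (back up the file, log out, restore the copy) against a constructed fake server so the difference between the fixed and the degraded path is visible:

```typescript
// Added example (not the project's code). Names and endpoint are assumptions.

interface AuthCredentials {
  apiKey: string;
  apiKeyId: string;   // "The API key ID for revocation" (auth_credentials.ts)
  hostname: string;
}

// Minimal fetch-like signature so the example runs offline against a fake transport.
type RequestInit = { method: string; headers: Record<string, string>; body?: string };
type Transport = (url: string, init: RequestInit) => Promise<{ ok: boolean; status: number }>;

class SwampClubClient {
  private readonly baseUrl: string;
  private readonly transport: Transport;
  constructor(baseUrl: string, transport: Transport) {
    this.baseUrl = baseUrl;
    this.transport = transport;
  }

  // Hypothetical revocation call; the real route is whatever BetterAuth's API-key plugin exposes.
  async revokeApiKey(apiKeyId: string, apiKey: string): Promise<void> {
    const res = await this.transport(`${this.baseUrl}/api/auth/api-key/delete`, {
      method: 'POST',
      headers: { 'x-api-key': apiKey, 'content-type': 'application/json' },
      body: JSON.stringify({ keyId: apiKeyId }),
    });
    if (!res.ok) throw new Error(`revocation failed with HTTP ${res.status}`);
  }
}

// In-memory stand-in for ~/.config/swamp/auth.json.
class AuthRepository {
  private stored: AuthCredentials | null = null;
  async save(c: AuthCredentials): Promise<void> { this.stored = c; }
  async load(): Promise<AuthCredentials | null> { return this.stored; }
  async delete(): Promise<void> { this.stored = null; }
}

type LogoutResult = { revoked: boolean; localDeleted: boolean; warning?: string };

// Revoke server-side first; always delete the local file; warn if revocation failed.
async function logout(repo: AuthRepository, client: SwampClubClient): Promise<LogoutResult> {
  const credentials = await repo.load();
  if (!credentials) return { revoked: false, localDeleted: false, warning: 'already logged out' };
  let revoked = false;
  let warning: string | undefined;
  try {
    await client.revokeApiKey(credentials.apiKeyId, credentials.apiKey);
    revoked = true;
  } catch (err) {
    warning = `Could not revoke API key ${credentials.apiKeyId} on ${credentials.hostname}: ` +
      `${(err as Error).message}. Revoke it manually in the web UI.`;
  }
  await repo.delete();   // the machine is logged out either way
  return { revoked, localDeleted: true, warning };
}

// Constructed fake server: tracks which key IDs it still accepts.
class FakeServer {
  readonly validKeyIds = new Set<string>();
  failRevocation = false;
  transport: Transport = async (url, init) => {
    if (this.failRevocation) return { ok: false, status: 503 };
    if (url.endsWith('/api/auth/api-key/delete') && init.method === 'POST') {
      const { keyId } = JSON.parse(init.body || '{}');
      this.validKeyIds.delete(keyId);
      return { ok: true, status: 200 };
    }
    return { ok: false, status: 404 };
  };
  accepts(apiKeyId: string): boolean { return this.validKeyIds.has(apiKeyId); }
}

// Replays the issue's steps: back up auth.json, log out, restore the backup, try the key.
async function stolenCopyStillWorks(failRevocation: boolean): Promise<LogoutResult & { stolenCopyAccepted: boolean }> {
  const server = new FakeServer();
  server.validKeyIds.add('key_123');
  const repo = new AuthRepository();
  await repo.save({ apiKey: 'sk_constructed_secret', apiKeyId: 'key_123', hostname: 'swamp.club' });
  const backup = (await repo.load())!;          // the attacker's copy
  server.failRevocation = failRevocation;
  const result = await logout(repo, new SwampClubClient('https://swamp.club', server.transport));
  await repo.save(backup);                      // restore the stolen file
  return { ...result, stolenCopyAccepted: server.accepts(backup.apiKeyId) };
}

stolenCopyStillWorks(false).then(r => console.log('revocation ok:', r));
stolenCopyStillWorks(true).then(r => console.log('server down:', r));
```

With a working server the restored copy is rejected because the key ID was deleted before the local file went away; when the revocation call fails, the local file is still removed but the result carries a warning and the copied key remains valid, which is exactly the case the user must be told about rather than left with a false sense of security.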

Labels

Feature request