fix: clear authjs session cookies on logout callback

The logout callback relied solely on the Clear-Site-Data response header to clear Auth.js session cookies, but browsers ignore Clear-Site-Data on 302 redirect responses. This left authjs.session-token (and friends) in the browser after logout, so the user remained signed in. The callback now also emits explicit Set-Cookie deletions for every authjs.* cookie and for logout_state (matching the path it was set on), which browsers do honor on redirects.

Author: mridang

src/routes/api/auth/logout/callback.ts

@@ -1,6 +1,6 @@
 import { redirect } from '@solidjs/router';
 import { APIEvent } from '@solidjs/start/server';
-import { getCookie } from 'vinxi/http';
+import { deleteCookie, getCookie, parseCookies } from 'vinxi/http';
 
 // noinspection JSUnusedGlobalSymbols
 /**
@@ -23,9 +23,23 @@ export async function GET(event: APIEvent) {
 
   if (state && logoutStateCookie && state === logoutStateCookie) {
     const successUrl = new URL('/logout/success', event.request.url);
+    for (const name of Object.keys(parseCookies(event.nativeEvent))) {
+      if (name.includes('authjs.')) {
+        deleteCookie(event.nativeEvent, name, { path: '/' });
+      }
+    }
+    deleteCookie(event.nativeEvent, 'logout_state', {
+      path: '/api/auth/logout/callback',
+    });
     const response = redirect(successUrl.toString());
-
     response.headers.set('Clear-Site-Data', '"cookies"');
+    const setCookies = event.nativeEvent.node?.res?.getHeader('set-cookie');
+    if (Array.isArray(setCookies)) {
+      for (const sc of setCookies)
+        response.headers.append('set-cookie', String(sc));
+    } else if (typeof setCookies === 'string') {
+      response.headers.append('set-cookie', setCookies);
+    }
     return response;
   } else {
     const errorUrl = new URL('/logout/error', event.request.url);

test/app.spec.ts

@@ -4,3 +4,52 @@ test('app returns 200', async ({ page }) => {
   const response = await page.goto('/');
   expect(response?.status()).toBe(200);
 });
+
+test('GET /api/auth/logout/callback clears authjs.* and logout_state', async ({
+  request,
+  baseURL,
+}) => {
+  const res = await request.get(
+    `${baseURL}/api/auth/logout/callback?state=teststate123`,
+    {
+      headers: {
+        Cookie: [
+          'logout_state=teststate123',
+          'authjs.session-token=fakesession',
+          'authjs.csrf-token=fakecsrf',
+          'authjs.callback-url=http://example.com',
+        ].join('; '),
+      },
+      maxRedirects: 0,
+    },
+  );
+
+  const status = res.status();
+  const location = res.headers()['location'];
+  const setCookies = res
+    .headersArray()
+    .filter((h) => h.name.toLowerCase() === 'set-cookie')
+    .map((h) => h.value) as string[];
+
+  expect(status).toBe(302);
+  expect(location).toMatch(/\/(auth\/)?logout\/success$/);
+  expect(setCookies).toBeDefined();
+  expect(Array.isArray(setCookies)).toBe(true);
+
+  const wasCleared = (name: string) =>
+    setCookies.some(
+      (sc) =>
+        sc.startsWith(`${name}=`) &&
+        (sc.includes('Max-Age=0') || /Expires=Thu, 01 Jan 1970/i.test(sc)),
+    );
+
+  expect(wasCleared('authjs.session-token')).toBe(true);
+  expect(wasCleared('authjs.csrf-token')).toBe(true);
+  expect(wasCleared('authjs.callback-url')).toBe(true);
+  expect(wasCleared('logout_state')).toBe(true);
+
+  const logoutStateCookie = setCookies.find((sc) =>
+    sc.startsWith('logout_state='),
+  );
+  expect(logoutStateCookie).toMatch(/Path=\/api\/auth\/logout\/callback/);
+});