Logout handles POST /auth/logout. Revokes the current session server-side and clears auth cookies on the client. The patchmon_device_trust cookie is intentionally preserved — "remember this device" must survive logout (that is the whole point of the feature). Trust is killed only by explicit revocation, password change, TFA disable, or natural expiry.
(w http.ResponseWriter, r *http.Request)
| 1121 | // must survive logout (that is the whole point of the feature). Trust is killed only |
| 1122 | // by explicit revocation, password change, TFA disable, or natural expiry. |
func (h *AuthHandler) Logout(w http.ResponseWriter, r *http.Request) {
	ctx := r.Context()
	logger := h.log

	// Identity comes from the request context. The two-value type assertions
	// leave an empty string when a key is absent or not a string.
	// NOTE(review): presumably the auth middleware populates both keys; verify
	// against the route wiring.
	userID, _ := ctx.Value(middleware.UserIDKey).(string)
	sessionID, _ := ctx.Value(middleware.SessionIDKey).(string)

	if logger != nil {
		// NOTE(review): session_id is written to the debug log. If that value
		// can be used as a credential on its own, confirm debug logs are
		// access-controlled or log a shortened or hashed form instead.
		logger.Debug("auth request", "method", r.Method, "path", r.URL.Path, "user_id", userID, "session_id", sessionID)
	}

	// Server-side revocation needs both IDs and a configured session store.
	// When any of them is missing the handler still clears cookies and
	// answers 200 without revoking anything.
	canRevoke := h.sessions != nil && userID != "" && sessionID != ""
	if canRevoke {
		err := h.sessions.RevokeByID(ctx, sessionID, userID)
		// A revoke failure is only logged, and dropped entirely when no logger
		// is set; the client is still told it is logged out.
		// NOTE(review): in that case the server-side session may stay valid
		// until it expires; confirm this best-effort behaviour is intended and
		// that this log line is monitored.
		if err != nil && logger != nil {
			logger.Error("logout revoke session failed", "user_id", userID, "session_id", sessionID, "error", err)
		}
	}

	// Cookie removal runs regardless of the revoke outcome. Per the handler's
	// doc comment the device-trust cookie is preserved; which cookies are
	// cleared is decided inside clearAuthCookies, not here.
	clearAuthCookies(w, r)
	JSON(w, http.StatusOK, map[string]string{"message": "Logged out"})
}
| 1137 | |
| 1138 | // parseUserAgent extracts browser, OS, and device from user agent string. |
| 1139 | func parseUserAgent(ua string) map[string]string { |
nothing calls this directly
no test coverage detected