From 4351c97ce065d986acfd1aeaf6c4bbb65c513b8c Mon Sep 17 00:00:00 2001
From: gilesb
Date: Fri, 9 Jan 2026 18:08:05 +0000
Subject: [PATCH] Revoke tokens on attached L1s when user logs out

On logout:
1. Call /auth/revoke on each attached L1 renderer
2. Remove all attachments from user_renderers table
3. Clear L2 cookie

This ensures logging out of L2 also logs user out of all L1s.

Co-Authored-By: Claude Opus 4.5
---
 server.py | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/server.py b/server.py
index b183da3..09dfb21 100644
--- a/server.py
+++ b/server.py
@@ -531,8 +531,28 @@ async def ui_register_submit(request: Request):
 @app.get("/logout")
-async def logout():
- """Handle logout - clear cookie and redirect to home."""
+async def logout(request: Request):
+ """Handle logout - clear cookie, revoke token on attached L1s, and redirect to home."""
+ token = request.cookies.get("auth_token")
+ username = verify_token(token) if token else None
+
+ # Revoke token on all attached L1 renderers
+ if username and token:
+ attached = await db.get_user_renderers(username)
+ for l1_url in attached:
+ try:
+ requests.post(
+ f"{l1_url}/auth/revoke",
+ headers={"Authorization": f"Bearer {token}"},
+ timeout=5
+ )
+ except Exception as e:
+ logger.warning(f"Failed to revoke token on {l1_url}: {e}")
+
+ # Remove all attachments for this user
+ for l1_url in attached:
+ await db.detach_renderer(username, l1_url)
+
 response = RedirectResponse(url="/", status_code=302)
 # Delete both legacy (no domain) and new (shared domain) cookies
 response.delete_cookie("auth_token")
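Review bot: A non-2xx reply from `/auth/revoke` is counted as a successful revocation: `requests.post` raises only on transport errors, so an L1 that answers 401 or 500 keeps the token valid while the second loop still removes the attachment, leaving no record to retry from. The `except Exception` branch has the same effect for connection failures, since the detach loop runs regardless of what was logged. `requests.post` is also a blocking call inside an `async def` handler, so each attached L1 can stall the event loop for up to the 5 s timeout. I would check the reply with `resp.raise_for_status()`, move the call off the loop with `asyncio.to_thread` (needs `import asyncio`), and detach only after a confirmed revocation — or, if stale attachments are acceptable, at least log the failure at error level so the still-live token on that L1 is visible. Whether the L2 token itself is invalidated server-side or only dropped from the cookie is not visible here; if `verify_token` is stateless, the L2 session outlives logout until the token expires.
```python
        for l1_url in attached:
            try:
                # Off the event loop: one slow L1 must not stall other requests.
                resp = await asyncio.to_thread(
                    requests.post,
                    f"{l1_url}/auth/revoke",
                    headers={"Authorization": f"Bearer {token}"},
                    timeout=5,
                )
                resp.raise_for_status()
            except Exception as e:
                # Keep the attachment so the un-revoked token is not forgotten.
                logger.warning(f"Failed to revoke token on {l1_url}: {e}")
                continue
            await db.detach_renderer(username, l1_url)
    # … unchanged: RedirectResponse and cookie deletion …
```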