From 64749af3fc19bb48f0513d328216282aebe9041a Mon Sep 17 00:00:00 2001
From: gilesb
Date: Fri, 9 Jan 2026 22:22:22 +0000
Subject: [PATCH] Call /auth/revoke-user on L1s during logout

L2 now calls /auth/revoke-user (revokes by username) instead of /auth/revoke (revokes by token), because L1 has scoped tokens that differ from L2's own token.

Co-Authored-By: Claude Opus 4.5
---
 server.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/server.py b/server.py
index 2276675..4646d0d 100644
--- a/server.py
+++ b/server.py
@@ -543,17 +543,18 @@ async def logout(request: Request):
 expires_at = datetime.fromtimestamp(claims.get("exp", 0), tz=timezone.utc)
 await db.revoke_token(token_hash, username, expires_at)
- # Revoke token on all attached L1 renderers
+ # Revoke ALL tokens for this user on attached L1 renderers
+ # (L1 may have scoped tokens different from L2's token)
 attached = await db.get_user_renderers(username)
 for l1_url in attached:
 try:
 requests.post(
- f"{l1_url}/auth/revoke",
- headers={"Authorization": f"Bearer {token}"},
+ f"{l1_url}/auth/revoke-user",
+ json={"username": username, "l2_server": f"https://{DOMAIN}"},
 timeout=5
 )
 except Exception as e:
- logger.warning(f"Failed to revoke token on {l1_url}: {e}")
+ logger.warning(f"Failed to revoke user tokens on {l1_url}: {e}")
 # Remove all attachments for this user
 for l1_url in attached:
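Review bot: The new `/auth/revoke-user` request carries no credential at all — the removed `headers={"Authorization": f"Bearer {token}"}` is not replaced by any server-to-server credential — so unless L1 authenticates L2 through a channel not visible here (mTLS, network allowlist, signed requests), it is being asked to revoke every token of an arbitrary `username` on the strength of a JSON body, and the caller-supplied `l2_server` field cannot serve as that proof. A dedicated L2→L1 service credential should be sent on the request, e.g. `headers={"Authorization": f"Bearer {<L2 service credential — placeholder>}"}`, and L1 must verify it before revoking; the commit message should also record how L1 is expected to authenticate this call. Separately, a failed revocation is only logged at warning level while logout proceeds, leaving that renderer's scoped tokens live until they expire; since this is a security-relevant step, consider logging it at error level and reporting the partial failure rather than treating it as best-effort. The synchronous `requests.post` inside an `async def` handler also blocks the event loop for up to 5 s per attached renderer (pre-existing, but worth noting now that the call fans out per user). `logout` begins and ends outside the hunk.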