From 7ec5609aac4a7747aa0be91f7ae337d79ae48386 Mon Sep 17 00:00:00 2001
From: giles
Date: Tue, 24 Feb 2026 01:26:17 +0000
Subject: [PATCH] Clear session cookie when account signals logout via inbox
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Check did_auth:{device_id} in Redis — if absent while user has a session cookie, account has logged out. Clear the cookie so next request triggers prompt=none which won't re-auth.
Co-Authored-By: Claude Opus 4.6
---
 app/__init__.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/app/__init__.py b/app/__init__.py
index c600f20..5de6621 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -72,8 +72,21 @@ def create_app() -> FastAPI:
 ):
 return await call_next(request)
- # Already logged in
+ # Already logged in — but verify account hasn't logged out
 if get_user_from_cookie(request):
+ device_id = getattr(request.state, "device_id", None)
+ if device_id:
+ try:
+ from .dependencies import get_redis_client
+ r = get_redis_client()
+ if not r.get(f"did_auth:{device_id}"):
+ # Account logged out — clear our cookie
+ response = await call_next(request)
+ response.delete_cookie("artdag_session")
+ response.delete_cookie("pnone_at")
+ return response
+ except Exception:
+ pass
 return await call_next(request)
 # Check cooldown — don't re-check within 5 minutes
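Review bot: In the added `try` block, `await call_next(request)` sits under `except Exception: pass`, so an exception raised by the downstream handler is swallowed and the request is run a second time by the fall-through `return await call_next(request)`; the same handler also hides Redis failures, which silently turns the logout check off. Keep only the `did_auth:{device_id}` lookup inside the `try`, record the result in a flag, and call `call_next` exactly once outside it, as sketched below. Separately, when the key is absent the request is still forwarded with the session cookie intact, so the logout is enforced only if the client honours the cookie deletion; unless something downstream re-validates the session, consider rejecting or stripping it before `call_next`. The enclosing middleware function starts and ends outside the hunk.

```python
if get_user_from_cookie(request):
    device_id = getattr(request.state, "device_id", None)
    logged_out = False
    if device_id:
        try:
            from .dependencies import get_redis_client
            logged_out = not get_redis_client().get(f"did_auth:{device_id}")
        except Exception:
            # Redis lookup failed: keep the session for this request, and
            # report it through this module's logging so outages are visible.
            logged_out = False
    # Run the downstream handler once, outside the try, so its own
    # exceptions propagate instead of triggering a second call.
    response = await call_next(request)
    if logged_out:
        response.delete_cookie("artdag_session")
        response.delete_cookie("pnone_at")
    return response
```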