From 5bf710a5cebc42aa2c1cdc45625c4d40d5d7cd75 Mon Sep 17 00:00:00 2001
From: giles <giles.bradshaw@sigyl.com>
Date: Mon, 23 Feb 2026 11:31:53 +0000
Subject: [PATCH] Add /auth/sso-logout/ endpoint for cross-app logout

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 bp/auth/routes.py | 9 +++++++++
 shared            | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/bp/auth/routes.py b/bp/auth/routes.py
index 68d01b8..8ad7d0f 100644
--- a/bp/auth/routes.py
+++ b/bp/auth/routes.py
@@ -211,4 +211,13 @@ def register(url_prefix="/auth"):
         resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
         return resp
 
+    @auth_bp.get("/sso-logout/")
+    async def sso_logout():
+        """SSO logout: clear federation session + sso_hint, redirect to blog."""
+        qsession.pop(SESSION_USER_KEY, None)
+        from shared.infrastructure.urls import blog_url
+        resp = redirect(blog_url("/"))
+        resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
+        return resp
+
     return auth_bp
diff --git a/shared b/shared
index bfd8d55..d50f01d 160000
--- a/shared
+++ b/shared
@@ -1 +1 @@
-Subproject commit bfd8d55f2725fff6f66de063dd4708e5de5fcaa2
+Subproject commit d50f01d41fb130e80a33bbd056f66d0c926eb229