diff --git a/backend/linkpulse/dependencies.py b/backend/linkpulse/dependencies.py
index cedd093..8738efc 100644
--- a/backend/linkpulse/dependencies.py
+++ b/backend/linkpulse/dependencies.py
@@ -72,8 +72,11 @@ class SessionDependency:
 if session is None or session.is_expired(revoke=True):
 if self.required:
 logger.debug("Session Cookie Revoked", token=session_token)
- response.set_cookie("session", "", max_age=0)
- raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized")
+ response.delete_cookie("session")
+ headers = {"set-cookie": response.headers["set-cookie"]}
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized", headers=headers
+ )
 return None
 return session
diff --git a/backend/linkpulse/routers/auth.py b/backend/linkpulse/routers/auth.py
index 7039cd8..3f0aca6 100644
--- a/backend/linkpulse/routers/auth.py
+++ b/backend/linkpulse/routers/auth.py
@@ -126,7 +126,7 @@ async def logout(
 count = Session.delete().where(Session.user == session.user).execute()
 logger.debug("All sessions deleted", user=session.user.email, count=count, source_token=session.token)
- response.set_cookie("session", "", max_age=0)
+ response.delete_cookie("session", "", max_age=0)
 @router.post("/api/register")
diff --git a/backend/linkpulse/tests/test_auth.py b/backend/linkpulse/tests/test_auth.py
index cede613..157b35b 100644
--- a/backend/linkpulse/tests/test_auth.py
+++ b/backend/linkpulse/tests/test_auth.py
@@ -1,4 +1,5 @@
 from datetime import datetime, timedelta
+from wsgiref import headers
 import pytest
 import structlog
@@ -76,6 +77,6 @@ def test_auth_logout_expired(expired_session):
 # Attempt to logout
 response = client.post("/api/logout")
 assert response.status_code == status.HTTP_401_UNAUTHORIZED
- assert client.cookies.get("session") is None
+ assert response.headers.get("set-cookie") is not None
 # TODO: Ensure ?all=True doesn't do anything either
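Review bot: `response.delete_cookie("session")` emits the clearing cookie with Starlette's default attributes (path "/", no domain, no `secure`), and a browser only discards the stored cookie when those attributes match the ones used when the session cookie was issued; if the login handler sets a domain, path or `secure` flag, the same values must be passed here, e.g. `response.delete_cookie("session", path=..., domain=..., secure=...)`. The following `headers = {"set-cookie": response.headers["set-cookie"]}` also carries only one Set-Cookie value into the HTTPException, so any other cookie already queued on `response` is silently dropped; a one-line comment stating that this deliberately forwards just the session-clearing cookie would save the next reader a search. The `logger.debug("Session Cookie Revoked", token=session_token)` context line writes the raw session token to the log; it is not part of this change, but logging a truncated or hashed form would keep revoked-but-maybe-still-valid tokens out of log storage. The enclosing method of `SessionDependency` starts and ends outside the hunk.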
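Review bot: `response.delete_cookie("session", "", max_age=0)` passes `""` as the positional `path` argument and a `max_age` keyword that Starlette's `Response.delete_cookie` does not accept (it sets `max_age=0` internally), so as far as I can tell this line raises a TypeError on every normal logout instead of clearing the cookie. It should read `response.delete_cookie("session")`, matching the call made in the dependencies.py hunk, with the same path/domain/secure attributes as the login handler uses if it sets any. A happy-path logout test would catch this. The enclosing `logout` handler starts outside the hunk.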
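Review bot: `from wsgiref import headers` is not used anywhere in the shown hunks, and `wsgiref.headers` is unrelated to this test; it looks like an editor auto-import triggered while typing `headers` in the assertion below and should be dropped. Leaving it in also shadows any later local named `headers` in the module and adds an unnecessary import to the stdlib group.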
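Review bot: `assert response.headers.get("set-cookie") is not None` only proves that some Set-Cookie header was sent, not that the session cookie was cleared; assert on its content instead, e.g. `cookie = response.headers.get("set-cookie")`, `assert cookie is not None and cookie.lower().startswith("session=")`, `assert "max-age=0" in cookie.lower()` (the last matches what delete_cookie emits, if I recall Starlette correctly). Removing the old `client.cookies.get("session") is None` check also gives up the end-to-end assertion that the client actually forgot the cookie; if the test client keeps it despite the 401, that is worth understanding before the assertion is dropped. The enclosing `test_auth_logout_expired` function starts outside the hunk.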