Fix Set-Cookie header not propagating into HTTPException, use delete_cookie helper

backend/linkpulse/dependencies.py

@@ -72,8 +72,11 @@ class SessionDependency:
         if session is None or session.is_expired(revoke=True):
             if self.required:
                 logger.debug("Session Cookie Revoked", token=session_token)
-                response.set_cookie("session", "", max_age=0)
-                raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized")
+                response.delete_cookie("session")
+                headers = {"set-cookie": response.headers["set-cookie"]}
+                raise HTTPException(
+                    status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized", headers=headers
+                )
             return None
 
         return session

backend/linkpulse/routers/auth.py

@@ -126,7 +126,7 @@ async def logout(
         count = Session.delete().where(Session.user == session.user).execute()
         logger.debug("All sessions deleted", user=session.user.email, count=count, source_token=session.token)
 
-    response.set_cookie("session", "", max_age=0)
+    response.delete_cookie("session", "", max_age=0)
 
 
 @router.post("/api/register")

backend/linkpulse/tests/test_auth.py

@@ -1,4 +1,5 @@
 from datetime import datetime, timedelta
+from wsgiref import headers
 
 import pytest
 import structlog
@@ -76,6 +77,6 @@ def test_auth_logout_expired(expired_session):
         # Attempt to logout
         response = client.post("/api/logout")
         assert response.status_code == status.HTTP_401_UNAUTHORIZED
-        assert client.cookies.get("session") is None
+        assert response.headers.get("set-cookie") is not None
 
         # TODO: Ensure ?all=True doesn't do anything either