HonzysClawdbot
fix(session-cookie): migrate to __Host- prefix for secure contexts (#294)
c9c4e2a unverified
Raw
History Blame Contribute Delete
1.07 kB
import { NextResponse } from 'next/server'
import { destroySession, getUserFromRequest } from '@/lib/auth'
import { logAuditEvent } from '@/lib/db'
import { getMcSessionCookieName, getMcSessionCookieOptions, isRequestSecure, parseMcSessionCookieHeader } from '@/lib/session-cookie'
export async function POST(request: Request) {
const user = getUserFromRequest(request)
const cookieHeader = request.headers.get('cookie') || ''
const token = parseMcSessionCookieHeader(cookieHeader)
if (token) {
destroySession(token)
}
if (user) {
const ipAddress = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'unknown'
logAuditEvent({ action: 'logout', actor: user.username, actor_id: user.id, ip_address: ipAddress })
}
const response = NextResponse.json({ ok: true })
const isSecureRequest = isRequestSecure(request)
const cookieName = getMcSessionCookieName(isSecureRequest)
response.cookies.set(cookieName, '', {
...getMcSessionCookieOptions({ maxAgeSeconds: 0, isSecureRequest }),
})
return response
}