feat: implement user logout

Author: raphico

docs/api.md

@@ -97,3 +97,11 @@ Uses the **refresh token cookie** to issue a new access token.
 **Errors**:
 
 - `401 Unauthorized` → missing, invalid, or expired refresh token
+
+### 4. Logout
+
+`POST /auth/logout`
+
+Revokes refresh token (cookie cleared).
+
+**Response** `204 No Content`

internal/domain/token/service.go

@@ -65,6 +65,16 @@ func (s *Service) CreateRefreshToken(ctx context.Context, userId user.UserID) (*
 	return token, nil
 }
 
+func (s *Service) RevokeRefreshToken(ctx context.Context, refreshTok string) error {
+	hash := HashPlaintext(refreshTok)
+
+	if err := s.repo.Revoke(ctx, "auth", hash); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (s *Service) RotateTokens(ctx context.Context, refreshTok string) (string, *Token, error) {
 	hash := HashPlaintext(refreshTok)
 

internal/transport/http/router.go

@@ -30,10 +30,7 @@ func NewRouter(log *logger.Logger, userMw *UserMiddleware, userHandler *UserHand
 		r.Group(func(r chi.Router) {
 			r.Use(userMw.RequireAuthMiddleware)
 
-			r.Get("/", func(w http.ResponseWriter, r *http.Request) {
-				w.WriteHeader(http.StatusOK)
-				_, _ = w.Write([]byte("OK"))
-			})
+			r.Post("/auth/logout", userHandler.LogoutUser)
 		})
 
 		r.Get("/health", func(w http.ResponseWriter, r *http.Request) {

internal/transport/http/user_handler.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"time"
 
 	"github.com/raphico/go-device-telemetry-api/internal/config"
 	"github.com/raphico/go-device-telemetry-api/internal/domain/token"
@@ -199,3 +200,45 @@ func (h *UserHandler) RefreshAccessToken(w http.ResponseWriter, r *http.Request)
 
 	WriteJSON(w, http.StatusOK, resp)
 }
+
+type logoutResponse struct {
+	Message string `json:"message"`
+}
+
+func (h *UserHandler) LogoutUser(w http.ResponseWriter, r *http.Request) {
+	cookie, err := r.Cookie("refresh_token")
+
+	if err != nil {
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	refreshToken := cookie.Value
+	err = h.tokenService.RevokeRefreshToken(r.Context(), refreshToken)
+	if err != nil {
+		switch {
+		case errors.Is(err, token.ErrTokenNotFound):
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			h.log.Error(fmt.Sprintf("failed to revoke refresh token: %v", err))
+			WriteJSONError(w, http.StatusInternalServerError, "internal_error", "Logout failed, please try again")
+		}
+		return
+	}
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    "",
+		Path:     "/",
+		SameSite: http.SameSiteLaxMode,
+		HttpOnly: true,
+		Expires:  time.Unix(0, 0),
+	})
+	if h.cfg.Env == "production" {
+		cookie.Secure = true
+	} else {
+		cookie.Secure = false
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}