Skip to content

[BUGFIX] Prevent logout session deletes from wiping analytics#16

Closed
joelev wants to merge 1 commit intosdamico:mainfrom
joelev:fix/auth-logout-revoke-preserve
Closed

[BUGFIX] Prevent logout session deletes from wiping analytics#16
joelev wants to merge 1 commit intosdamico:mainfrom
joelev:fix/auth-logout-revoke-preserve

Conversation

@joelev
Copy link
Copy Markdown
Contributor

@joelev joelev commented Mar 3, 2026

Summary

  • Fixes logout behavior so viewer sessions are invalidated immediately without deleting sessions rows.
  • Prevents analytics loss and FK-related logout failures tied to session row deletion.

Beads

  • bd-1ss

Problem

  • POST /api/logout deleted the current sessions row.
  • Because events.session_id is ON DELETE CASCADE, logout could erase analytics history.
  • Because data_room_page_views.session_id references sessions(id) without delete-cascade, logout could fail with FK violations.

Root Cause

  • Destructive session deletion in api/logout.js.

Changes

  • Updated api/logout.js:
    • Replaced DELETE FROM sessions WHERE id = ... with a non-destructive revocation marker update:
      • UPDATE sessions SET last_seen = created_at - INTERVAL '1 second' WHERE id = ...
  • Updated api/_lib/auth.js:
    • Added revocation guard to session validation query:
      • AND last_seen >= created_at
  • Non-changes:
    • No change to cookie clearing behavior.
    • No change to admin logout flow (admin-auth session deletion remains as-is).
    • No schema/migration changes.

Validation

  • Deterministic Node smoke checks (mocked DB path):
    • Logout path uses UPDATE sessions ... and does not execute DELETE FROM sessions.
    • Session validation query now enforces AND last_seen >= created_at.
  • Build check:
    • npm run build passed
    • Output: Built content/page.html (63624 bytes, 9 slides)

Risk

  • Low-medium auth-path change: session validity now additionally requires last_seen >= created_at.
  • Residual risk: this uses a revocation marker convention (last_seen < created_at) that should remain documented/consistent in future auth changes.

Rollback

  • Revert commit fe22c0a to restore prior logout/session-validation behavior.

@joelev
Copy link
Copy Markdown
Contributor Author

joelev commented Mar 3, 2026

Reviewer checklist:

  • Confirm POST /api/logout no longer deletes from sessions.
  • Confirm logout still clears auth cookies and redirects to /login.html.
  • Confirm getSession now rejects rows marked revoked (last_seen < created_at).
  • Confirm only api/logout.js and api/_lib/auth.js are in scope.

@joelev
Copy link
Copy Markdown
Contributor Author

joelev commented Mar 3, 2026

Closing as duplicate of #15 to keep bead bd-1ss review noise low.

@joelev joelev closed this Mar 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joelev