From ab2532dee8e2faa47bc71c0349f9af4c1f936572 Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber
Date: Sat, 4 Apr 2026 12:23:01 +0100
Subject: [PATCH] fix: replace member.save() with atomic update in logout

---
 server/api/auth/logout.post.js | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/server/api/auth/logout.post.js b/server/api/auth/logout.post.js
index 077d38a..fc7931a 100644
--- a/server/api/auth/logout.post.js
+++ b/server/api/auth/logout.post.js
@@ -1,11 +1,24 @@
+import { connectDB } from '../../utils/mongoose.js'
+import Member from '../../models/member.js'
+
 export default defineEventHandler(async (event) => {
- // Clear the auth token cookie (flags must match login for proper clearing)
+ await connectDB()
+
+ // Increment tokenVersion to invalidate all outstanding session tokens
+ try {
+ const member = await requireAuth(event)
+ await Member.findByIdAndUpdate(member._id, { $inc: { tokenVersion: 1 } }, { runValidators: false })
+ } catch {
+ // Already unauthenticated — still clear the cookie
+ }
+
 setCookie(event, 'auth-token', '', {
 httpOnly: true,
 secure: process.env.NODE_ENV === 'production',
 sameSite: 'lax',
- maxAge: 0 // Expire immediately
+ path: '/',
+ maxAge: 0,
 })
 
 return { message: 'Logged out successfully' }
-})
\ No newline at end of file
+})
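Review bot: The bare `catch {}` wrapping both `requireAuth(event)` and `Member.findByIdAndUpdate(...)` swallows database errors as well as the expected unauthenticated case, so a failed `$inc` still answers "Logged out successfully" with a cleared cookie while every outstanding token for that member stays valid — the invalidation this commit adds can fail silently. Only the `requireAuth` call belongs inside the try; once the member is known, let the update's rejection propagate (or log it) rather than reporting success, as in the rewrite below. The dropped `// Clear the auth token cookie (flags must match login for proper clearing)` comment was the one reminder that `path: '/'` and the other attributes have to match whatever the login handler sets; that handler is not visible here, so keep the comment and confirm the login side uses the same path. Whether a bumped `tokenVersion` actually rejects old tokens depends on the verifier behind `requireAuth` comparing it, which is outside this hunk.
```javascript
  // Increment tokenVersion to invalidate all outstanding session tokens.
  // Only a missing/invalid session is tolerated here; a failed $inc must not
  // be reported to the client as a successful logout.
  let member = null
  try {
    member = await requireAuth(event)
  } catch {
    // No valid session — nothing to invalidate, still clear the cookie below
  }
  if (member) {
    await Member.findByIdAndUpdate(member._id, { $inc: { tokenVersion: 1 } }, { runValidators: false })
  }
  // … unchanged: setCookie call and return …
```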