fix: replace member.save() with atomic update in logout

server/api/auth/logout.post.js

@@ -1,11 +1,24 @@
+import { connectDB } from '../../utils/mongoose.js'
+import Member from '../../models/member.js'
+
 export default defineEventHandler(async (event) => {
-  // Clear the auth token cookie (flags must match login for proper clearing)
+  await connectDB()
+
+  // Increment tokenVersion to invalidate all outstanding session tokens
+  try {
+    const member = await requireAuth(event)
+    await Member.findByIdAndUpdate(member._id, { $inc: { tokenVersion: 1 } }, { runValidators: false })
+  } catch {
+    // Already unauthenticated — still clear the cookie
+  }
+
   setCookie(event, 'auth-token', '', {
     httpOnly: true,
     secure: process.env.NODE_ENV === 'production',
     sameSite: 'lax',
-    maxAge: 0 // Expire immediately
+    path: '/',
+    maxAge: 0,
   })
 
   return { message: 'Logged out successfully' }
-})
+})