/logout endpoint should support browser redirects like /login does #1

@sgaunet

Problem

The /logout endpoint currently always returns a JSON response ({"success":true,"message":"Logout successful"}), even when called from browser form submissions. This is inconsistent with the /login endpoint behavior and creates a poor user experience.

Current Behavior

  • /logout handler (internal/auth/handlers.go:108-140) always returns JSON
  • Browser form submissions receive JSON response instead of being redirected
  • Users see raw JSON in their browser after logout

Expected Behavior

  • /logout should implement content negotiation similar to /login
  • Browser form submissions should redirect to /login page
  • API calls with Content-Type: application/json or Accept: application/json headers should receive JSON response
  • Consistent behavior between login and logout flows

Proposed Solution

Update LogoutHandler to match the pattern used in LoginHandler:

// After revoking session and clearing cookie...

// Check if this is a browser form submission or API call
acceptHeader := r.Header.Get("Accept")
contentType := r.Header.Get("Content-Type")

// If JSON was sent or JSON is explicitly requested, return JSON
if contentType == "application/json" || acceptHeader == "application/json" {
    w.Header().Set("Content-Type", "application/json")
    json.NewEncoder(w).Encode(LoginResponse{
        Success: true,
        Message: "Logout successful",
    })
    return
}

// Otherwise, redirect to login page (browser form submission)
http.Redirect(w, r, "/login", http.StatusSeeOther)

Files to Modify

  • internal/auth/handlers.go (lines 134-139)

Testing Checklist

  • Browser form submission redirects to /login
  • API call with Content-Type: application/json returns JSON
  • API call with Accept: application/json returns JSON
  • Session cookie is properly cleared in all cases
  • Session is revoked in store before response
  • Existing tests pass
  • New tests added for browser vs API flows

References

  • Current logout implementation: internal/auth/handlers.go:108-140
  • Login implementation for comparison: internal/auth/handlers.go:28-105
  • Form submissions using logout: internal/server/handlers.go:131, 208
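
An added example, not the project's code: a self-contained handler that follows the order in the testing checklist (revoke the session, clear the cookie, then negotiate the response). It goes beyond the proposed snippet by parsing media types, so `application/json; charset=utf-8` and multi-value `Accept` headers are still treated as API calls. The names `sessionCookie`, `wantsJSON`, `logoutHandler` and the `revoke` callback are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"mime"
	"net/http"
	"strings"
)

// sessionCookie is an assumed cookie name; the issue does not show the real one.
const sessionCookie = "session"

// wantsJSON reports whether the caller is an API client (JSON sent or requested).
// Media types are parsed, so parameters such as "; charset=utf-8" and
// multi-value Accept headers are handled, which exact string comparison misses.
func wantsJSON(r *http.Request) bool {
	if mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type")); err == nil && mt == "application/json" {
		return true
	}
	for _, part := range strings.Split(r.Header.Get("Accept"), ",") {
		if mt, _, err := mime.ParseMediaType(part); err == nil && mt == "application/json" {
			return true
		}
	}
	return false
}

// logoutHandler revokes the session, clears the cookie, then picks the response.
// revoke is a hypothetical stand-in for the project's session store.
func logoutHandler(revoke func(id string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(sessionCookie); err == nil {
			revoke(c.Value)
		}
		http.SetCookie(w, &http.Cookie{Name: sessionCookie, Path: "/", MaxAge: -1, HttpOnly: true})
		if wantsJSON(r) {
			w.Header().Set("Content-Type", "application/json")
			_ = json.NewEncoder(w).Encode(map[string]any{"success": true, "message": "Logout successful"})
			return
		}
		// Fixed, same-origin target: nothing from the request chooses the redirect.
		http.Redirect(w, r, "/login", http.StatusSeeOther)
	}
}

func main() {
	http.Handle("/logout", logoutHandler(func(string) {}))
}
```
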

Labels: bug, enhancement, good first issue