From 5637c90d2d76bfe08c4fa0c9ab11c88ef50bb43e Mon Sep 17 00:00:00 2001
From: brobert
Date: Mon, 13 Oct 2025 00:45:59 +0200
Subject: [PATCH] fix: evita refrescar cookie durante /api/logout y limpia cookie
Co-authored-by: aider (openrouter/openai/gpt-5)
---
 apps/web/src/hooks.server.ts | 21 ++++++++++++---------
 apps/web/src/routes/api/logout/+server.ts | 5 +++--
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/apps/web/src/hooks.server.ts b/apps/web/src/hooks.server.ts
index e342e33..a9d7854 100644
--- a/apps/web/src/hooks.server.ts
+++ b/apps/web/src/hooks.server.ts
@@ -9,6 +9,7 @@ function toIsoSql(d: Date): string {
 export const handle: Handle = async ({ event, resolve }) => {
 // Sesión por cookie 'sid'
+ const isLogout = event.url.pathname === '/api/logout' || event.url.pathname.startsWith('/api/logout/');
 const sid = event.cookies.get('sid');
 if (sid) {
 try {
@@ -48,17 +49,19 @@ export const handle: Handle = async ({ event, resolve }) => {
 } catch {}
 }
- // Refrescar cookie (idle)
- event.cookies.set('sid', sid, {
- path: '/',
- httpOnly: true,
- sameSite: 'lax',
- secure: isProd(),
- maxAge: Math.floor(sessionIdleTtlMs / 1000)
- });
+ // Refrescar cookie (idle) excepto durante /api/logout
+ if (!isLogout) {
+ event.cookies.set('sid', sid, {
+ path: '/',
+ httpOnly: true,
+ sameSite: 'lax',
+ secure: isProd(),
+ maxAge: Math.floor(sessionIdleTtlMs / 1000)
+ });
+ }
 } else {
 // Sesión inválida/expirada
- event.cookies.delete('sid', { path: '/' });
+ event.cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax', secure: isProd() });
 }
 } catch {
 // En caso de error de DB, no romper la request; continuar sin sesión
diff --git a/apps/web/src/routes/api/logout/+server.ts b/apps/web/src/routes/api/logout/+server.ts
index 9b1f832..52d84b0 100644
--- a/apps/web/src/routes/api/logout/+server.ts
+++ b/apps/web/src/routes/api/logout/+server.ts
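Review bot: The new `isLogout` flag recognises the logout endpoint by string-comparing `event.url.pathname`, which ties the hook to the URL shape (trailing slash, any future prefix) rather than to the route that actually handles it; if this is SvelteKit, as the `Handle` type and `event.cookies` suggest, `event.route.id` names the matched route independently of URL normalisation, so `const isLogout = event.route.id === '/api/logout';` is more robust and drops the `startsWith` case. The flag also deserves a why-comment, because the reason for it only appears some forty lines later in the same function: `// The logout handler deletes 'sid'; the idle refresh below must not re-issue it on that request`. `handle` continues outside this hunk.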
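Review bot: The refresh branch and the invalid-session branch now spell out the same cookie attribute list twice (`path`, `httpOnly`, `sameSite`, `secure`), with a third copy in the logout handler, and the copies are what has to stay in sync: a browser keys a cookie on name, domain and path, so if one site later gains a `domain` or a different `path` the deletes silently stop targeting the cookie the `set` created. Hoist a single options object above both calls, `const sidCookieOpts = { path: '/', httpOnly: true, sameSite: 'lax', secure: isProd() } as const;`, then `event.cookies.set('sid', sid, { ...sidCookieOpts, maxAge: Math.floor(sessionIdleTtlMs / 1000) });` and `event.cookies.delete('sid', sidCookieOpts);`. The `if (!isLogout)` guard reads as defense in depth rather than the fix itself: if this is SvelteKit's cookie jar, a later `cookies.delete('sid')` in the route handler replaces an earlier `set` for the same name in the response, so the comment should say the guard exists to avoid depending on that ordering, e.g. `// Skip the refresh on logout so the handler's delete is the only Set-Cookie for 'sid'`. `handle` starts and ends outside this hunk.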
@@ -1,6 +1,7 @@
 import type { RequestHandler } from './$types';
 import { getDb } from '$lib/server/db';
 import { sha256Hex } from '$lib/server/crypto';
+import { isProd } from '$lib/server/env';
 export const POST: RequestHandler = async (event) => {
 const sid = event.cookies.get('sid');
@@ -22,7 +23,7 @@ export const POST: RequestHandler = async (event) => {
 // Ignorar errores de DB en logout
 }
 }
- // Limpiar cookie
- event.cookies.delete('sid', { path: '/' });
+ // Limpiar cookie (asegurar mismos atributos que al crearla)
+ event.cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax', secure: isProd() });
 return new Response(null, { status: 204 });
 };
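Review bot: The comment on the new delete, `asegurar mismos atributos que al crearla`, overstates what a deletion needs: a browser selects the cookie to expire by name, domain and path, so only `path` (and `domain`, which neither the `set` in hooks.server.ts nor this delete uses) has to match the creating call, while `httpOnly`, `sameSite` and `secure` are written into the expiring replacement but take no part in matching (`secure` only matters in that a Secure cookie cannot be overwritten from an insecure origin, which presumably does not apply when both calls come from the same site). I would reword it so the next maintainer knows which attribute actually matters: `// Clear cookie: path (and domain, if ever added) must match the set in hooks.server.ts for the browser to expire it`. Since the same attribute list is now duplicated in hooks.server.ts, consider exporting one shared options object from a `$lib/server` module and spreading it at all three call sites. Separately, the `// Ignorar errores de DB en logout` branch just above (context, not new) means a failed server-side revocation still answers 204 with the cookie cleared, leaving the session id usable until whatever TTL the DB enforces; at minimum log that failure so silent revocation failures are visible. `POST` starts outside this hunk.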