From e5fd808ab7b956a2431db444174e3f1e2ed2591c Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Wed, 27 May 2026 21:10:37 +0530
Subject: [PATCH] fix: change logout from GET to POST with session destruction

The logout route used GET which allows CSRF attacks via image tags or link prefetching. Changed to POST and added req.session.destroy() plus res.clearCookie() to ensure the session is fully invalidated server-side and the cookie is cleared from the browser on logout.

Fixes #556
---
 backend/routes/auth.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index 7c2cda78..297c038f 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -36,14 +36,16 @@ router.post("/login", validateRequest(loginSchema), passport.authenticate('local
 });
 // Logout route
-router.get("/logout", (req, res) => {
-
+router.post("/logout", (req, res) => {
 req.logout((err) => {
- if (err) return res.status(500).json({ message: 'Logout failed', error: err.message });
- else
+ req.session.destroy((destroyErr) => {
+ if (destroyErr)
+ return res.status(500).json({ message: 'Session cleanup failed', error: destroyErr.message });
+ res.clearCookie('connect.sid');
 res.status(200).json({ message: 'Logged out successfully' });
+ });
 });
 });
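Review bot: The `err` argument of the `req.logout` callback is no longer checked in the new code — the removed `if (err) return res.status(500)...` branch has no replacement, so a failed Passport logout still falls through to `req.session.destroy` and a 200 'Logged out successfully'; restore the guard as the first line of the callback: `if (err) return res.status(500).json({ message: 'Logout failed', error: err.message });`. Moving the route to POST stops image-tag and prefetch triggers but not a cross-site auto-submitted form, so the route still relies on a CSRF token check or a SameSite attribute on the session cookie, neither of which is visible in this hunk — worth confirming in the session/middleware setup before closing #556. `res.clearCookie('connect.sid')` hard-codes the default session cookie name and default path; if the session middleware is configured with a different `name`, `path` or `domain`, the browser keeps the cookie, so pass the same cookie options the session middleware uses. Returning `destroyErr.message` to the client also exposes session-store internals; log it server-side and send a generic message instead.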