Summary
The server-side RP-initiated logout work from #160 / #161 shipped (GET /api/logout as end_session_endpoint, advertised in /.well-known/openid-configuration), but the JS client SDK @darkauth/client does not expose any way to use it.
As of the latest published version (1.22.2), logout() is still local-only — it just clears in-memory / localStorage / sessionStorage tokens:
// @darkauth/client@1.22.2 dist/index.js
export function logout() {
memorySession = null;
memoryRefreshToken = null;
clearStoredIdToken();
clearStoredAccessToken();
clearStoredDrk();
sessionStorage.removeItem("zk_eph_priv_jwk");
sessionStorage.removeItem("pkce_verifier");
sessionStorage.removeItem(OAUTH_STATE_KEY);
localStorage.removeItem(REFRESH_TOKEN_KEY);
}
There is no endSession export, and the Config type has no endSessionEndpoint field. So relying apps that call logout() still leave the DarkAuth SSO session alive — the next "Sign in" silently re-authenticates.
What's needed
An SDK helper that performs the redirect to the end_session_endpoint, e.g.:
endSession({ postLogoutRedirectUri, state }) (or an option on logout()) that:
- resolves end_session_endpoint (from discovery / .well-known/openid-configuration, with a config override),
- appends id_token_hint (the stored id token), post_logout_redirect_uri, state, and client_id,
- clears local tokens, then redirects the browser to that URL.
Context
Consuming this in Atlas (RP-initiated logout / finding F12). The server side is unblocked; we just need the SDK to expose the endpoint. Right now we'd have to construct the redirect URL by hand.
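Added example (not code from @darkauth/client or DarkAuth): one way the helper sketched under "What's needed" could look, written so it runs outside a browser. Everything here is an assumption for illustration: the function names (resolveEndSessionEndpoint, buildEndSessionUrl, endSession), the injected `deps` object standing in for the SDK's storage and window.location, the constructed discovery document, and the sample token and URL values. It goes beyond the issue text in two places: it refuses a plaintext http end_session_endpoint (the URL carries id_token_hint), and it requires client_id when post_logout_redirect_uri is sent without an id_token_hint, since the OP has nothing else to validate the redirect against.

```javascript
// Added example, not @darkauth/client code. Names and values below are
// assumptions for illustration only.

// Constructed stand-in for a fetched /.well-known/openid-configuration.
const DISCOVERY_DOC = {
  issuer: "https://auth.example.test",
  end_session_endpoint: "https://auth.example.test/api/logout",
};

// Resolve the endpoint: an explicit config override wins, otherwise use
// discovery. Refuse plaintext http (except localhost) because the resulting
// URL carries an id_token_hint.
function resolveEndSessionEndpoint(discovery, override) {
  const endpoint = override ?? discovery?.end_session_endpoint;
  if (!endpoint) {
    throw new Error("no end_session_endpoint: not in discovery and no endSessionEndpoint override");
  }
  const url = new URL(endpoint);
  if (url.protocol !== "https:" && url.hostname !== "localhost") {
    throw new Error(`refusing non-https end_session_endpoint: ${endpoint}`);
  }
  return url;
}

// Build the RP-initiated logout URL with the OIDC RP-Initiated Logout params.
function buildEndSessionUrl(endpoint, { idTokenHint, postLogoutRedirectUri, state, clientId }) {
  const url = new URL(endpoint);
  if (postLogoutRedirectUri && !idTokenHint && !clientId) {
    throw new Error("post_logout_redirect_uri needs id_token_hint or client_id so the OP can validate it");
  }
  if (idTokenHint) url.searchParams.set("id_token_hint", idTokenHint);
  if (postLogoutRedirectUri) url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (state) url.searchParams.set("state", state);
  if (clientId) url.searchParams.set("client_id", clientId);
  return url.toString();
}

// endSession: resolve, build, clear local state, then redirect.
// `deps` is injected so the logic can be exercised without a browser.
function endSession({ postLogoutRedirectUri, state } = {}, deps) {
  const endpoint = resolveEndSessionEndpoint(deps.discovery, deps.config.endSessionEndpoint);
  const idTokenHint = deps.getStoredIdToken();
  const target = buildEndSessionUrl(endpoint, {
    idTokenHint,
    postLogoutRedirectUri,
    state,
    clientId: deps.config.clientId,
  });
  // Clear local tokens before navigating: the page is about to unload, and
  // anything left in storage would survive a blocked or failed redirect.
  deps.clearLocalTokens();
  deps.redirect(target);
  return target;
}

// Constructed harness standing in for the SDK's storage and window.location.
function makeFakeClient({ idToken = "eyJhbGciOi.header.payload.sig", override } = {}) {
  const store = { idToken, accessToken: "at-123", refreshToken: "rt-456" };
  const calls = [];
  return {
    store,
    calls,
    deps: {
      discovery: DISCOVERY_DOC,
      config: { clientId: "atlas-web", endSessionEndpoint: override },
      getStoredIdToken: () => store.idToken,
      clearLocalTokens: () => {
        store.idToken = null;
        store.accessToken = null;
        store.refreshToken = null;
        calls.push("clear");
      },
      redirect: (url) => calls.push(`redirect:${url}`),
    },
  };
}
```

In a real SDK the `deps` object would be the module's own storage helpers and `window.location.assign`; the injection is only there so the ordering (clear, then redirect) and the URL construction can be checked without a browser.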