User Logout

Overview Description

The user logout feature securely terminates user sessions by clearing authentication cookies, invalidating session records, and optionally flushing all user sessions. It handles both main user sessions and representative user sessions, ensuring complete session cleanup for security purposes.

Activity Diagram

flowchart TD
    A[User requests logout] --> B[Validate authentication]
    B --> C{User authenticated?}
    C -->|No| D[Return unauthorized error]
    C -->|Yes| E[Get user session info]
    
    E --> F[Clear main user cookies]
    F --> G[Clear representative user cookies]
    G --> H[Invalidate session records]
    
    H --> I{Session flush needed?}
    I -->|Yes| J[Flush all user sessions]
    I -->|No| K[Continue with normal logout]
    
    J --> L[Clear all session data]
    K --> M[Return success response]
    L --> M
    
    D --> N[Return error response]
    
    style A fill:#e1f5fe
    style M fill:#c8e6c9
    style D fill:#ffcdd2
    style N fill:#ffcdd2

Sequence Diagram

Successful Logout

sequenceDiagram
    participant Client
    participant LogoutController
    participant AuthService
    participant Database
    
    Client->>LogoutController: GET /api/auth/logout
    Note over Client,LogoutController: With authentication cookies
    
    LogoutController->>LogoutController: Validate user authentication
    LogoutController->>AuthService: logout()
    
    AuthService->>Database: Get user session information
    Database-->>AuthService: Session data
    
    AuthService->>AuthService: Clear authentication cookies
    AuthService->>Database: Invalidate session records
    Database-->>AuthService: Sessions invalidated
    
    AuthService-->>LogoutController: Logout completed
    
    LogoutController->>Client: 200 OK + Clear-Cookie headers

Session Flush (Fallback)

sequenceDiagram
    participant Client
    participant LogoutController
    participant AuthService
    participant Database
    
    Client->>LogoutController: GET /api/auth/logout
    Note over Client,LogoutController: Authentication error occurs
    
    LogoutController->>LogoutController: Validate user authentication
    LogoutController->>AuthService: logout()
    
    AuthService->>Database: Get user session information
    Database-->>AuthService: Error or no sessions found
    
    AuthService->>AuthService: Fallback to session flush
    AuthService->>Database: Flush all user sessions
    Database-->>AuthService: All sessions cleared
    
    AuthService-->>LogoutController: Logout completed with flush
    
    LogoutController->>Client: 200 OK + Clear-Cookie headers

Steps

1. Authentication Validation: Verify user is properly authenticated
2. Session Retrieval: Get current user session information
3. Cookie Cleanup: Clear all authentication-related cookies
4. Session Invalidation: Mark session records as invalid in database
5. Optional Flush: If normal logout fails, flush all user sessions
6. Response: Return success response with cookie clearing headers

Database Related Tables & Fields

erDiagram
    sessions {
        varchar id PK "Session ID"
        bigint user_id FK "User ID"
        string ip_address "User's IP address"
        text user_agent "User's browser agent"
        text payload "Session data"
        int last_activity "Last activity timestamp"
    }
    
    users {
        bigint id PK "Primary key"
        varchar name "User's full name"
        varchar email UK "User's email address"
        varchar uid "Firebase UID"
        varchar payment_provider_customer_id "Payment provider customer ID"
        tinyint status "User status (1: active, 0: inactive)"
        varchar remember_token "Laravel remember token"
        timestamp created_at "Creation timestamp"
        timestamp updated_at "Last update timestamp"
        timestamp deleted_at "Soft delete timestamp"
        boolean is_first_login "First login flag"
    }
    
    sessions ||--o{ users : "belongs to"

API Endpoint

• URL: GET /api/v1/general/auth/logout
• Headers:
  • Cookie: {authentication_cookies}
• Authentication: Required (user must be logged in)

Response

Success Response

• Status: 200 OK
• Headers:
  • Set-Cookie: {cookie_name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
  • Multiple Set-Cookie headers for each authentication cookie
• Body:

  {
    "message": "Logged out successfully"
  }
  

Error Response

• Status: 401 Unauthorized
• Body:

  {
    "error": "User not authenticated"
  }
  

Error Handling

Additional Notes

• Cookie Security: All authentication cookies are cleared with secure flags
• Session Cleanup: Both main and representative user sessions are terminated
• Fallback Mechanism: Session flush ensures logout even if normal cleanup fails
• Multi-session Support: Handles users with multiple active sessions
• Representative Users: Supports logout for users acting on behalf of others
• Complete Cleanup: Ensures no residual authentication data remains
• Security Best Practice: Immediate session termination prevents unauthorized access