fix: clear session token after logout

src/routes/+layout.server.ts

@@ -1,6 +1,13 @@
 import type{LayoutServerLoad } from './$types'
 
 export const load: LayoutServerLoad = async (event) =>{
+ // Avoid fetching the session during the logout callback.
+ // This prevents Auth.js from attempting to refresh the session token
+ // while we are trying to delete it.
+ if (event.url.pathname.includes('/auth/logout/callback')){
+ return{session: null };
+ }
+
  return{
  session: await event.locals.auth(),
  };

src/routes/auth/logout/callback/+page.server.ts

@@ -1,5 +1,6 @@
 import{redirect } from '@sveltejs/kit'
 import type{PageServerLoad } from './$types'
+import{dev } from '$app/environment'
 
 /**
  * Handles the callback from an external Identity Provider (IdP) after a user
@@ -19,10 +20,15 @@ export const load: PageServerLoad = async (event) =>{
  const logoutStateCookie = event.cookies.get('logout_state');
 
  if (state && logoutStateCookie && state === logoutStateCookie){
- event.setHeaders({
- 'Clear-Site-Data': '"cookies"',
- });
+ const cookieName = dev ? 'authjs.session-token' : '__Secure-authjs.session-token'
+
+ const cookieOptions ={
+ path: '/',
+ secure: !dev
+ };
 
+ event.cookies.delete(cookieName, cookieOptions);
+
  const successUrl = new URL('/auth/logout/success', event.url);
  throw redirect(302, successUrl.toString());
  } else{