From 23cfbf7e4bfda0e750701a4ac5fe85304c26d458 Mon Sep 17 00:00:00 2001
From: Jean-Luc Makiola
Date: Sun, 12 Apr 2026 21:54:49 +0200
Subject: [PATCH] fix: redirect to Logto end-session endpoint on logout

After revoking the local session, redirect to Logto's /session/end so the OIDC session is cleared too. Previously redirected to /login which immediately re-authenticated via the still-valid Logto session.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/server/index.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/server/index.ts b/src/server/index.ts
index bb91742..285c5ba 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -99,7 +99,14 @@ app.get("/login", oidcAuthMiddleware(), async (c) => c.redirect("/"));
 app.get("/callback", async (c) => processOAuthCallback(c));
 app.get("/logout", async (c) => {
 await revokeSession(c);
- return c.redirect("/login");
+ const issuer = process.env.OIDC_ISSUER;
+ const postLogoutRedirect = new URL("/", c.req.url).origin;
+ if (issuer) {
+ return c.redirect(
+ `${issuer}/session/end?post_logout_redirect_uri=${encodeURIComponent(postLogoutRedirect)}`,
+ );
+ }
+ return c.redirect("/");
 });
 
 // CORS for OAuth and MCP endpoints (required for claude.ai browser-based flows)
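Review bot: The end-session URL built in the `if (issuer)` branch sends `post_logout_redirect_uri` with neither `id_token_hint` nor `client_id`, and takes its value from `new URL("/", c.req.url).origin`, that is, from the request's Host header and scheme rather than from configuration. OIDC RP-Initiated Logout expects one of those two parameters so the provider can match the URI against the client's registered post-logout URIs; without one the provider may reject the request or skip the redirect (worth confirming against Logto), and behind a TLS-terminating proxy the derived origin may not equal the registered value. I would build the target with `new URL(...)` from the issuer and set both parameters from config, e.g. `url.searchParams.set("client_id", clientId); url.searchParams.set("post_logout_redirect_uri", configuredBaseUrl);` (`clientId` and `configuredBaseUrl` are placeholders for values the app already configures), which also avoids a double slash when `OIDC_ISSUER` ends in `/`. Separately, `/logout` is still a state-changing GET, so a cross-site request can now end the provider session as well as the local one; a POST with a CSRF check would close that.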