fix(FE) : add full session logout

server/api/auth/clear-session.post.ts

@@ -0,0 +1,77 @@
+// server/api/auth/clear-session.post.ts
+// Endpoint to forcefully clear session cookies and logout from Keycloak
+export default defineEventHandler(async (event) => {
+  try {
+    const config = useRuntimeConfig();
+    console.log('🧹 Clear session endpoint called');
+
+    // Get the current session to retrieve ID token for Keycloak logout
+    const sessionCookie = getCookie(event, 'user_session');
+    let idToken = null;
+
+    if (sessionCookie) {
+      try {
+        // Try to decode JWT-based session from cookie
+        const sessionJson = Buffer.from(sessionCookie, 'base64').toString('utf-8');
+        const session = JSON.parse(sessionJson);
+        idToken = session.idToken;
+        console.log('🔑 ID token found for Keycloak logout');
+      } catch (error) {
+        console.warn('⚠️ Could not parse session cookie (might be old format)');
+        // Continue anyway to clear cookies
+      }
+    }
+
+    // Clear all auth-related cookies
+    console.log('🧹 Clearing all session cookies...');
+    deleteCookie(event, 'user_session');
+    deleteCookie(event, 'oauth_state');
+    
+    // Also clear with different path variations
+    deleteCookie(event, 'user_session', { path: '/' });
+    deleteCookie(event, 'oauth_state', { path: '/' });
+
+    console.log('✅ Local session cleared successfully');
+
+    // Build Keycloak logout URL
+    const logoutPath = config.keycloakLogoutUri || `${config.keycloakIssuer}/protocol/openid-connect/logout`;
+    const logoutUrl = new URL(logoutPath);
+    
+    const postLogoutRedirectUri = config.postLogoutRedirectUri || `${config.public.authUrl}/LoginPage?logout=success`;
+    
+    logoutUrl.searchParams.set('client_id', config.keycloakClientId);
+    logoutUrl.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
+    
+    // Add ID token hint if available for proper Keycloak session termination
+    if (idToken) {
+      logoutUrl.searchParams.set('id_token_hint', idToken);
+      console.log('🔑 Added id_token_hint to Keycloak logout URL');
+    }
+    
+    console.log('🔗 Keycloak logout URL:', logoutUrl.toString());
+    
+    return {
+      success: true,
+      logoutUrl: logoutUrl.toString(),
+      message: 'Session cleared successfully. Redirecting to Keycloak logout...'
+    };
+
+  } catch (error: any) {
+    console.error('❌ Clear session error:', error);
+    
+    // Even on error, provide a basic logout URL
+    const config = useRuntimeConfig();
+    const postLogoutRedirectUri = config.postLogoutRedirectUri || `${config.public.authUrl}/LoginPage?logout=success`;
+    const logoutPath = config.keycloakLogoutUri || `${config.keycloakIssuer}/protocol/openid-connect/logout`;
+    const fallbackLogoutUrl = new URL(logoutPath);
+    fallbackLogoutUrl.searchParams.set('client_id', config.keycloakClientId);
+    fallbackLogoutUrl.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
+    
+    return {
+      success: false,
+      logoutUrl: fallbackLogoutUrl.toString(),
+      error: 'Error during session cleanup',
+      message: error.message
+    };
+  }
+});