fix: change logout from GET to POST with session destruction

[anshul23102]

Summary

Closes #556

The /api/auth/logout route was registered as GET, making it vulnerable to CSRF via image tags, link prefetching, or simple <a> clicks. This change:

• Changes the route method from GET to POST
• Adds req.session.destroy() to fully invalidate the server-side session after req.logout()
• Calls res.clearCookie('connect.sid') to remove the session cookie from the browser

Changes

• backend/routes/auth.js: Route method changed from GET to POST; added session destruction and cookie clearing

Test plan

• POST /api/auth/logout returns 200 and { message: 'Logged out successfully' }
• After logout, the connect.sid cookie is absent from the response
• A subsequent authenticated request using the old session ID is rejected (session destroyed server-side)
• GET /api/auth/logout now returns 404

Could you please add the appropriate GSSoC labels (gssoc26, type:security, level:intermediate) when you get a chance? Thank you!

[netlify]

❌ Deploy Preview for github-spy failed.

Name	Link
🔨 Latest commit	36dffdd
🔍 Latest deploy log	https://app.netlify.com/projects/github-spy/deploys/6a1c0d303e15a300088b2267

[coderabbitai]

Warning

Review limit reached

@mehul-m-prajapati, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 45 minutes and 8 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9dcd1bb6-0258-4bdf-8e6d-9ef40df5bc81

📥 Commits

Reviewing files that changed from the base of the PR and between 4560811 and 36dffdd.

📒 Files selected for processing (1)

• backend/routes/auth.js

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[anshul23102]

Hey @GitMetricsLab, pinging this as part of NSoC'26. Let me know if you have any review feedback. Thanks!

[github-actions]

🎉🎉 Thank you for your contribution! Your PR #578 has been merged! 🎉🎉