From 958d923c40fda9859ebf10bcf2520dff5ddd42e2 Mon Sep 17 00:00:00 2001
From: Kolja Lampe
Date: Thu, 26 Dec 2024 01:15:57 +0100
Subject: [PATCH] Harden logout

---
 backend/app/logins.py | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/backend/app/logins.py b/backend/app/logins.py
index fa3067882..feb694cc8 100644
--- a/backend/app/logins.py
+++ b/backend/app/logins.py
@@ -966,18 +966,27 @@ def do_refresh_dev_flatpaks(
 @router.post("/logout", tags=["auth"])
 def do_logout(request: Request, login: LoginStatusDep):
     """
-    Clear the login state. This will discard tokens which access socials,
+    Clear the login state. This will discard tokens which access socials,
     and will clear the session cookie so that the user is not logged in.
     """
-    if login.state == LoginState.LOGGED_OUT:
-        return {}
-
-    # Clear the login ID
-    del request.session["user-id"]
-    if login.state.logging_in():
-        # Also clear any pending login-flow from the session
-        del request.session["active-login-flow"]
-        del request.session["active-login-flow-intermediate"]
+    try:
+        if login.state == LoginState.LOGGED_OUT:
+            return {}
+
+        # Clear the login ID
+        if "user-id" in request.session:
+            del request.session["user-id"]
+
+        if login.state.logging_in():
+            # Also clear any pending login-flow from the session
+            if "active-login-flow" in request.session:
+                del request.session["active-login-flow"]
+            if "active-login-flow-intermediate" in request.session:
+                del request.session["active-login-flow-intermediate"]
+
+    except KeyError as e:
+        raise HTTPException(status_code=500, detail=f"Session error: {str(e)}")
+    return {}
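Review bot: The `except KeyError` branch added at the end of the new `try` block can never run, because every `del request.session[...]` in the new body is now guarded by an `in` check, so the only effect of the try/except is extra nesting plus a path that would turn a session problem into a 500 instead of a logged-out user. Hardening logout also argues against deleting a fixed list of keys: anything a login flow stores in the session under another name survives logout, and the early `return {}` when `login.state == LoginState.LOGGED_OUT` leaves stale `active-login-flow*` entries in place. I would replace the whole `try` block with `request.session.clear()` followed by `return {}`, running before (or instead of) the early return: it drops every key, cannot raise `KeyError`, and makes the per-key guards unnecessary. If `request.session` is a signed-cookie session (this looks like Starlette's SessionMiddleware, but the middleware is not visible here), clearing it only empties the cookie the browser sends back — a copied cookie stays valid until it expires, so this change does not achieve server-side revocation and the docstring's "discard tokens" wording is stronger than what the body does. The hunk header counts three trailing context lines after `return {}` that are not visible in this listing.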