fix: Invoke backend logout API on logout button click to prevent broken authentication

[itsmahbub]

Thanks for submitting a PR! Please check the boxes below:

• I have read the Contributing Guide.
• I have added information to docs/ if required so people know about the feature.
• I have filled in the "Changes" section below.
• I have filled in the "How did you test this code" section below.

Changes

Bug

When a user logs out by clicking the "Log out" button, the logout API (/api/v1/auth/logout/) is not called. As a result, the session token is not invalidated and remains usable for API requests even after user logs out. When the user logs in again, the same token is reused instead of issuing a new one. If a token is leaked, an attacker may continue using the token indefinitely, even after the user logs out.

Solution

Call to logout API is conditional on a configuration variable named Project.cookieAuthEnabled (https://github.com/Flagsmith/flagsmith/blob/main/frontend/common/stores/account-store.js#L359). Logout button click is supposed to clean up the session token in both frontend and backend, not just frontend. To prevent session token persistence after logout, we need to call the logout functionality in backend irrespective of configuration, otherwise, the logout process will remain partial.

How did you test this code?

Before fixing

There is no call to logout API when logout button is clicked.

As a result, the token is not invalidated in the backend.

After applying fix

Logout API is called when logout button is clicked.

[vercel]

Someone is attempting to deploy a commit to the Flagsmith Team on Vercel.

A member of the Team first needs to authorize it.