6 changes: 5 additions & 1 deletion app/controllers/sessions_controller.rb
Expand Up @@ -20,7 +20,11 @@ def create

def destroy
terminate_session
redirect_to_logout_url

respond_to do |format|
format.html { redirect_to_logout_url }
format.json { head :no_content }
end
end

private
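Review bot: The JSON branch of `destroy` answers `head :no_content` without saying what was revoked, and nothing in this hunk shows what `terminate_session` does for a caller authenticated with a bearer token rather than the `session_token` cookie (test/controllers/api_test.rb's `@davids_bearer_token` shows such clients exist), so whether DELETE /session revokes a token-authenticated credential is left to the reader. I'd put a comment above `respond_to`, e.g. `# JSON clients get 204 and no body; terminate_session is expected to clear the session_token cookie, so callers should drop it`, and if bearer-token sessions are deliberately unaffected, state that in the same comment and in docs/API.md. Note too that a request with any other Accept value now falls out of `respond_to` (presumably surfacing as 406) where it previously got the unconditional redirect; that seems fine but is a behaviour change worth a line in the commit description. `terminate_session` itself is defined outside this hunk.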
16 changes: 16 additions & 0 deletions docs/API.md
Expand Up @@ -118,6 +118,22 @@ __Error responses:__
| `401 Unauthorized` | Invalid `pending_authentication_token` or `code` |
| `429 Too Many Requests` | Rate limit exceeded |


#### Delete server-side session (_log out_)

To log out and destroy the server-side session:

```bash
curl -X DELETE \
-H "Accept: application/json" \
-H "Cookie: session_token=eyJfcmFpbHMi..." \
https://app.fizzy.do/session
```

__Response:__

Returns `204 No Content` on success.

## Caching

Most endpoints return [ETag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/ETag) and [Cache-Control](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cache-Control) headers. You can use these to avoid re-downloading unchanged data.
20 changes: 20 additions & 0 deletions test/controllers/api_test.rb
Expand Up @@ -22,6 +22,26 @@ class ApiTest < ActionDispatch::IntegrationTest
end
end

test "logout with user credentials" do
identity = identities(:david)

untenanted do
post session_path(format: :json), params: { email_address: identity.email_address }
magic_link = MagicLink.last

assert_difference -> { identity.sessions.count }, +1 do
post session_magic_link_path(format: :json), params: { code: magic_link.code, pending_authentication_token: @response.parsed_body["pending_authentication_token"] }
end
assert cookies[:session_token].present?

assert_difference -> { identity.sessions.count }, -1 do
delete session_path(format: :json)
end
assert_response :no_content
assert_not cookies[:session_token].present?
end
end

test "authenticate with valid access token" do
get boards_path(format: :json), env: @davids_bearer_token
assert_response :success
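Review bot: The `logout with user credentials` test shows a session row disappearing and the cookie being cleared, but never checks that the revoked session is actually rejected afterwards, which is the property a logout endpoint exists to guarantee. After the `assert_not cookies[:session_token].present?` line I would issue one more request with the now-empty cookie jar against a protected endpoint the suite already uses, e.g. `get boards_path(format: :json)` followed by `assert_response :unauthorized` (adjust the expected status if the app redirects unauthenticated JSON requests instead, and move it outside `untenanted` if `boards_path` needs a tenant). The same gap exists in `destroy via JSON` in test/controllers/sessions_controller_test.rb, so one shared assertion helper would cover both.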
11 changes: 11 additions & 0 deletions test/controllers/sessions_controller_test.rb
Expand Up @@ -117,4 +117,15 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
assert_response :unprocessable_entity
end
end

test "destroy via JSON" do
sign_in_as :kevin

untenanted do
delete session_path(format: :json)

assert_response :no_content
assert_not cookies[:session_token].present?
end
end
end
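Review bot: `destroy via JSON` asserts the status and the missing cookie but, unlike the new case in test/controllers/api_test.rb, never confirms the server-side session record was removed, so a regression where `terminate_session` only clears the cookie would still pass here. Wrap the delete as the api test does, `assert_difference -> { <kevin's identity>.sessions.count }, -1 do ... end`, using whichever fixture `sign_in_as :kevin` resolves to (the api test uses `identities(:david)` for the same check). A one-line comment on the test saying it covers the `format.json` branch added to `SessionsController#destroy` would also help the next reader find the matching controller change.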