From c480fd450b8e1ee3317fda69dad9e0aaef9f52ce Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Wed, 22 Nov 2023 05:16:59 +0100
Subject: [PATCH] Cleanup multi_auth.* cookies if no next account available
---
 pages/api/signout.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/pages/api/signout.js b/pages/api/signout.js
index 10301c32..55d40b16 100644
--- a/pages/api/signout.js
+++ b/pages/api/signout.js
@@ -32,18 +32,18 @@ export default (req, res) => {
 // remove JWT pointed to by cookie pointer
 cookies.push(cookie.serialize(`multi_auth.${userId}`, '', { ...cookieOptions, expires: 0, maxAge: 0 }))
- // update multi_auth cookie
+ // update multi_auth cookie and check if there are more accounts available
 const oldMultiAuth = b64Decode(req.cookies.multi_auth)
 const newMultiAuth = oldMultiAuth.filter(({ id }) => id !== Number(userId))
- cookies.push(cookie.serialize('multi_auth', b64Encode(newMultiAuth), { ...cookieOptions, httpOnly: false }))
-
- // switch to next available account
- if (!newMultiAuth.length) {
- // no next account available
+ if (newMultiAuth.length === 0) {
+ // no next account available. cleanup: remove multi_auth + pointer cookie
+ cookies.push(cookie.serialize('multi_auth', '', { ...cookieOptions, httpOnly: false, expires: 0, maxAge: 0 }))
+ cookies.push(cookie.serialize('multi_auth.user-id', '', { ...cookieOptions, httpOnly: false, expires: 0, maxAge: 0 }))
 res.setHeader('Set-Cookie', cookies)
 res.status(204).end()
 return
 }
+ cookies.push(cookie.serialize('multi_auth', b64Encode(newMultiAuth), { ...cookieOptions, httpOnly: false }))
 const newUserId = newMultiAuth[0].id
 const newUserJWT = req.cookies[`multi_auth.${newUserId}`]
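Review bot: The new cleanup branch is only reached if `b64Decode(req.cookies.multi_auth)` succeeds and returns an array, yet that cookie is written with `httpOnly: false`, so page script can change it and it may be absent or malformed. If the decode throws or yields a non-array (b64Decode is not visible here, so this is inferred), the handler would presumably fail before `res.setHeader('Set-Cookie', cookies)`, and none of the queued deletions, including the one for the `multi_auth.${userId}` JWT cookie, would be sent, so sign-out fails open. Consider normalising first with `const decoded = req.cookies.multi_auth ? b64Decode(req.cookies.multi_auth) : []` and `const oldMultiAuth = Array.isArray(decoded) ? decoded : []`, so that bad input falls into the `newMultiAuth.length === 0` cleanup path; if b64Decode can throw on malformed input, it also needs a try/catch that takes the same path. The handler starts before and continues after this hunk, so an outer guard may already cover part of this.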