fix: remove logout as session tokens are HttpOnly

Author: hrideshmg

docs/auth.md

@@ -140,18 +140,6 @@ curl -X POST http://localhost:5000/ \
   }'
 ```
 
-### Logout
-
-```graphql
-mutation {
-  logout(sessionToken: "your_session_token_here")
-}
-```
-
-This invalidates the specified session for the current user.
-
-**Returns:** `true` if successful, `false` if not authenticated
-
 ## Bot Management
 ### Creating Bots (Admin Only)
 
@@ -180,16 +168,6 @@ mutation {
 
 Bots use API keys instead of session tokens. Include the API key in the `Authorization` header in the same format as before.
 
-### Deleting Bots (Admin Only)
-
-```graphql
-mutation {
-  deleteBot(apiKeyId: 1)
-}
-```
-
-**Returns:** `true` if successful
-
 
 ## Permission Checking in Code
 
@@ -246,17 +224,6 @@ The GitHub account is not part of the specified organization. Either:
 
 ### GraphQL Mutations
 
-#### `logout(sessionToken: String!): Boolean!`
-
-Invalidate the specified session for current user.
-
-**Input:**
-- `sessionToken`: The session token to invalidate
-
-**Returns:** `true` if successful, `false` if not authenticated
-
----
-
 #### `createBot(name: String!): String!` 🔒 Admin only
 
 Create a new bot with API key.
@@ -266,17 +233,6 @@ Create a new bot with API key.
 
 **Returns:** The API key string (only shown once!)
 
----
-
-#### `deleteBot(apiKeyId: Int!): Boolean!` 🔒 Admin only
-
-Delete a bot and revoke its API key.
-
-**Input:**
-- `apiKeyId`: ID of the API key to delete
-
-**Returns:** `true` if successful
-
 ## Example
 
 ### Complete Member Authentication Flow

src/auth/session.rs

@@ -73,23 +73,6 @@ impl SessionService {
         Ok(result)
     }
 
-    pub async fn delete_session_by_token(pool: &PgPool, token: &str) -> Result<(), String> {
-        let token_hash = Self::hash_token(token);
-
-        sqlx::query(
-            r#"
-            DELETE FROM Sessions
-            WHERE token_hash = $1
-            "#,
-        )
-        .bind(token_hash)
-        .execute(pool)
-        .await
-        .map_err(|e| format!("Failed to delete session: {}", e))?;
-
-        Ok(())
-    }
-
     pub async fn cleanup_expired_sessions(pool: &PgPool) -> Result<u64, String> {
         let now = chrono::Utc::now().with_timezone(&Kolkata);
 

src/graphql/mutations/auth_mutations.rs

@@ -12,24 +12,6 @@ pub struct AuthMutations;
 
 #[Object]
 impl AuthMutations {
-    /// Logout - invalidate session
-    #[graphql(name = "logout")]
-    async fn logout(&self, ctx: &Context<'_>, session_token: String) -> Result<bool> {
-        let pool = ctx.data::<Arc<PgPool>>().expect("Pool must be in context.");
-        let auth = ctx
-            .data::<AuthContext>()
-            .expect("AuthContext must be in context.");
-
-        if auth.is_authenticated() {
-            SessionService::delete_session_by_token(pool.as_ref(), &session_token)
-                .await
-                .map_err(|e| format!("Failed to logout: {}", e))?;
-            Ok(true)
-        } else {
-            Ok(false)
-        }
-    }
-
     /// Create a new bot with API key (Admin only)
     #[graphql(name = "createBot", guard = "AdminGuard")]
     async fn create_bot(&self, ctx: &Context<'_>, name: String) -> Result<ApiKeyResponse> {
@@ -50,16 +32,4 @@ impl AuthMutations {
 
         Ok(ApiKeyResponse { api_key })
     }
-
-    /// Delete a bot (Admin only)
-    #[graphql(name = "deleteBot", guard = "AdminGuard")]
-    async fn delete_bot(&self, ctx: &Context<'_>, api_key_id: i32) -> Result<bool> {
-        let pool = ctx.data::<Arc<PgPool>>().expect("Pool must be in context.");
-
-        ApiKeyService::delete_api_key(pool.as_ref(), api_key_id)
-            .await
-            .map_err(|e| format!("Failed to delete bot: {}", e))?;
-
-        Ok(true)
-    }
 }

src/main.rs

@@ -159,7 +159,7 @@ fn setup_cors() -> CorsLayer {
     ];
 
     CorsLayer::new()
-        // TODO 2: https://github.com/amfoss/root/issues/151, enabling all origins for the time being
+        // TODO 2: https://github.com/amfoss/root/issues/151
         .allow_credentials(true)
         .allow_origin(origins)
         .allow_methods([Method::GET, Method::POST, Method::OPTIONS])