fix: logout deletes all tokens from same browser/IP, not just current

On logout, finds all refresh tokens matching the same user + IP +
user-agent (same browser session) and deletes them all. This cleans
up zombie tokens from previous logins and token rotations that
were showing as stale sessions on the dashboard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/services/auth.ts

@@ -224,23 +224,24 @@ export async function refreshAccessToken(
 
 export async function logout(refreshTokenRaw: string): Promise<void> {
   const tokenHash = hashToken(refreshTokenRaw);
-  // Delete the current token
   const token = await prisma.refresh_tokens.findFirst({ where: { token_hash: tokenHash } });
+
   if (token) {
-    // Delete the current token and all replaced tokens in its chain
+    // Delete all tokens for this user from the same IP + user agent (same browser session)
     await prisma.refresh_tokens.deleteMany({
       where: {
-        OR: [
+        user_id: token.user_id,
-          { token_hash: tokenHash },
+        ip_address: token.ip_address,
-          { replaced_by_hash: tokenHash },
+        user_agent: token.user_agent,
-        ],
       },
     });
+  } else {
+    // Fallback: just delete by hash
+    await prisma.refresh_tokens.deleteMany({ where: { token_hash: tokenHash } });
   }
-  // Clean up expired tokens for all users
+
-  await prisma.refresh_tokens.deleteMany({
+  // Clean up expired tokens
-    where: { expires_at: { lt: new Date() } },
+  await prisma.refresh_tokens.deleteMany({ where: { expires_at: { lt: new Date() } } });
-  });
 }
 
 export async function verifyAccessToken(token: string): Promise<AuthData | null> {