From aec822adc2a01b3bd8c1b2d55a2d2551cd1c6891 Mon Sep 17 00:00:00 2001
From: BOHA
Date: Mon, 23 Mar 2026 20:44:28 +0100
Subject: [PATCH] fix: clearCookie must match setCookie options for browser to clear it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

clearCookie was missing httpOnly, secure, sameSite — browser ignored the Set-Cookie header because the options didn't match the original cookie attributes. Cookie persisted after logout, allowing F5 to re-authenticate via silent refresh.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
src/routes/admin/auth.ts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/routes/admin/auth.ts b/src/routes/admin/auth.ts
index 295b0f5..161317f 100644
--- a/src/routes/admin/auth.ts
+++ b/src/routes/admin/auth.ts
@@ -158,7 +158,7 @@ export default async function authRoutes(fastify: FastifyInstance): Promise