Class LogoutHandler
POST /api/v2/auth/logout.
The endpoint is idempotent — calling it without a session still returns
{"ok": true} so SPAs can fire-and-forget on tab close. When a session
does exist it is invalidated; the CSRF token need not be rotated explicitly
because session.invalidate() discards the entire session including all
CSRF state.
IllegalStateException from session.invalidate() is silently
swallowed: TypicalLoginAssist.logout() may already have invalidated the
session internally, and the contract is "idempotent ok".
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionvoidhandle(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) Processes one/api/v2/auth/logoutPOST request.
-
Constructor Details
-
LogoutHandler
public LogoutHandler()Default constructor. The handler is stateless and intended to be instantiated once by the API manager and shared across concurrent requests.
-
-
Method Details
-
handle
public void handle(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws IOException Processes one/api/v2/auth/logoutPOST request.Invokes
TypicalLoginAssist.logout()(swallowing failures so the call remains idempotent) and then invalidates the underlyingHttpSessionwhen one exists. Rejects non-POSTmethods withV2ErrorCode.METHOD_NOT_ALLOWED; otherwise always writes a success envelope of{"ok": true}.- Parameters:
req- the incoming HTTP requestres- the HTTP response to write to- Throws:
IOException- if writing the envelope fails
-