From b00527633aa0f4384edebb55c4f92c33eb8bb4e7 Mon Sep 17 00:00:00 2001
From: Radical <radical@radical.fun>
Date: Sat, 5 Jul 2025 02:41:40 +0200
Subject: [PATCH] fix: return 404 when refresh token cookie is invalid

---
 src/api/v1/auth/logout.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/api/v1/auth/logout.rs b/src/api/v1/auth/logout.rs
index d5898d3..524a644 100644
--- a/src/api/v1/auth/logout.rs
+++ b/src/api/v1/auth/logout.rs
@@ -13,8 +13,11 @@ use crate::{
 /// requires auth: kinda, needs refresh token set but no access token is technically required
 ///
 /// ### Responses
+/// 
 /// 200 Logged out
+/// 
 /// 404 Refresh token is invalid
+/// 
 /// 401 Unauthorized (no refresh token found)
 ///
 #[get("/logout")]
@@ -27,12 +30,16 @@ pub async fn res(req: HttpRequest, data: web::Data<Data>) -> Result<HttpResponse
 
     let mut conn = data.pool.get().await?;
 
-    delete(refresh_tokens::table)
+    let deleted = delete(refresh_tokens::table)
         .filter(dsl::token.eq(refresh_token))
         .execute(&mut conn)
         .await?;
 
     refresh_token_cookie.make_removal();
 
+    if deleted == 0 {
+        return Ok(HttpResponse::NotFound().cookie(refresh_token_cookie).finish())
+    }
+
     Ok(HttpResponse::Ok().cookie(refresh_token_cookie).finish())
 }