From 8662fcd6da6ef0e0f29f1dcd706e995ccceee79e Mon Sep 17 00:00:00 2001
From: Samir Boulahtit
Date: Fri, 23 Jan 2026 18:59:17 +0100
Subject: [PATCH] fix: clear legacy admin_token cookie with path=/ on logout

Users who logged in before the path isolation change (path=/ to path=/admin) may have stale cookies that cause authentication conflicts. This fix ensures both the old path=/ and new path=/admin cookies are cleared on logout.

Co-Authored-By: Claude Opus 4.5
---
 app/api/v1/admin/auth.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/api/v1/admin/auth.py b/app/api/v1/admin/auth.py
index fb48d185..ad042f33 100644
--- a/app/api/v1/admin/auth.py
+++ b/app/api/v1/admin/auth.py
@@ -113,6 +113,13 @@ def admin_logout(response: Response):
         path="/admin",
     )
 
-    logger.debug("Deleted admin_token cookie")
+    # Also clear legacy cookie with path=/ (from before path isolation was added)
+    # This handles users who logged in before the path=/admin change
+    response.delete_cookie(
+        key="admin_token",
+        path="/",
+    )
+
+    logger.debug("Deleted admin_token cookies (both /admin and / paths)")
 
     return LogoutResponse(message="Logged out successfully")
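Review bot: The new delete_cookie(key="admin_token", path="/") call, like the existing path="/admin" one above it, only clears the cookie if the browser can match the expiring Set-Cookie on name, domain and path, so if the login handler sets admin_token with an explicit domain= (or the legacy cookie was issued with one) neither deletion removes it; mirror the attributes the set_cookie call uses, e.g. `response.delete_cookie(key="admin_token", path="/", domain=<placeholder: same value set_cookie passes>, secure=<same>, samesite=<same>)`. The set_cookie call is not in this hunk, so this is inferred from the hunk alone. Clearing the cookie is a client-side measure only; unless the token is also revoked or expires server-side, a previously captured admin_token value still authenticates after logout, which is worth stating in a comment such as `# NOTE: this clears the browser cookie only; the token itself is not invalidated here` if that is the intended contract. Since the two deletions differ only in path, `for cookie_path in ("/admin", "/"): response.delete_cookie(key="admin_token", path=cookie_path)` would keep the attribute list in one place so the two calls cannot drift apart. admin_logout's body begins before this hunk.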