
Overview

Aurora uses Auth.js (NextAuth.js) for session management. Logout is handled entirely on the client side through Auth.js, and does not require a backend API endpoint.

Client-Side Logout

To log out a user, use the Auth.js signOut function:

import { signOut } from "next-auth/react"

// Simple logout (redirects to home)
await signOut()

// Logout with custom redirect
await signOut({ callbackUrl: '/sign-in' })

// Logout without redirect
await signOut({ redirect: false })

Full Example

// Hooks and onClick handlers require a Client Component in the App Router
"use client"

import { signOut } from "next-auth/react"
import { useRouter } from "next/navigation"

function LogoutButton() {
  const router = useRouter()
  
  const handleLogout = async () => {
    try {
      await signOut({ 
        redirect: false 
      })
      
      // Optionally clear any local state
      // (this removes every localStorage key for the origin, not only auth data)
      localStorage.clear()
      
      // Navigate to sign-in page
      router.push('/sign-in')
    } catch (error) {
      console.error('Logout failed:', error)
    }
  }
  
  return (
    <button onClick={handleLogout}>
      Sign Out
    </button>
  )
}

What Happens During Logout

  1. Session Cleared: Auth.js clears the session from cookies/storage
  2. Token Invalidated: The session token is removed
  3. Client State Reset: User authentication state is cleared
  4. Redirect (optional): User is redirected to the specified URL

Session Cleanup

Auth.js automatically handles:
  • Clearing session cookies
  • Removing JWT tokens
  • Invalidating the session on the server
  • Broadcasting logout to all tabs (if configured)

API Integration

After logout:
  • The X-User-ID header will no longer be sent with requests
  • API endpoints requiring authentication will return 401 Unauthorized
  • User must log in again to access protected resources

Security Considerations

Client-Side Logout

While logout is client-side, the session token is invalidated and cannot be reused.

Session Expiration

Sessions automatically expire based on Auth.js configuration. Default settings:
  • Session Max Age: 30 days (configurable)
  • Idle Timeout: Session expires after inactivity period

Multiple Devices

Logging out on one device does not automatically log out other devices. To implement global logout:
  1. Store session IDs in the database
  2. Invalidate all sessions on logout
  3. Check session validity on each request
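
The three steps above, as an added example that is not Aurora's or Auth.js's own code: a session registry that records one session ID per device, revokes all of a user's sessions on logout, and is consulted on every request. It assumes an in-memory Map in place of the database table and that each request carries its session ID; SessionRegistry, authorize, demo and the sid values are hypothetical names.

```javascript
// In-memory stand-in for a sessions table; every name here is hypothetical.
class SessionRegistry {
  constructor() {
    this.sessions = new Map() // sessionId -> { userId, expiresAt }
    this.byUser = new Map()   // userId -> Set of sessionIds
  }
  // Step 1: store the session ID when a device signs in.
  register(userId, sessionId, expiresAt) {
    this.sessions.set(sessionId, { userId, expiresAt })
    if (!this.byUser.has(userId)) this.byUser.set(userId, new Set())
    this.byUser.get(userId).add(sessionId)
  }
  // Step 2: on logout, invalidate every session of the user; returns the count.
  revokeAll(userId) {
    const ids = this.byUser.get(userId) ?? new Set()
    for (const id of ids) this.sessions.delete(id)
    this.byUser.delete(userId)
    return ids.size
  }
  // Step 3: look the session up on each request; expired rows are purged.
  lookup(sessionId, now) {
    const row = this.sessions.get(sessionId)
    if (!row) return null
    if (row.expiresAt <= now) {
      this.sessions.delete(sessionId)
      this.byUser.get(row.userId)?.delete(sessionId)
      return null
    }
    return row
  }
}

// Request guard: 401 unless the session ID is still stored and unexpired.
function authorize(registry, sessionId, now = Date.now()) {
  const row = registry.lookup(sessionId, now)
  return row ? { status: 200, userId: row.userId } : { status: 401 }
}

// Constructed sample: user-1 on two devices, user-2 on one, 30-day expiry.
function demo(now = 1_700_000_000_000) {
  const registry = new SessionRegistry()
  const expires = now + 30 * 24 * 60 * 60 * 1000
  registry.register("user-1", "sid-laptop", expires)
  registry.register("user-1", "sid-phone", expires)
  registry.register("user-2", "sid-tablet", expires)
  const revoked = registry.revokeAll("user-1") // logout issued from the laptop
  return { revoked, phone: authorize(registry, "sid-phone", now).status,
           tablet: authorize(registry, "sid-tablet", now).status }
}
```

After the revocation the phone's session ID no longer resolves, so its next request gets 401, while the other user's session is unaffected.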

Example: Logout with Confirmation

// onClick handlers and confirm() require a Client Component in the App Router
"use client"

import { signOut } from "next-auth/react"

function LogoutWithConfirmation() {
  const handleLogout = async () => {
    const confirmed = confirm('Are you sure you want to sign out?')
    
    if (confirmed) {
      await signOut({
        callbackUrl: '/sign-in',
        redirect: true
      })
    }
  }
  
  return (
    <button 
      onClick={handleLogout}
      className="text-red-600 hover:text-red-800"
    >
      Sign Out
    </button>
  )
}

Troubleshooting

Logout Not Working

If logout fails to clear the session:
  1. Check Auth.js configuration in app/api/auth/[...nextauth]/route.ts
  2. Verify cookies are being cleared in browser DevTools
  3. Ensure the callback URL is allowed in Auth.js config
  4. Check for errors in the browser console

Session Persists After Logout

If the session persists:
  1. Clear browser cookies manually
  2. Check for custom session storage logic
  3. Verify Auth.js session callbacks are configured correctly
