This endpoint requires the caller to be authenticated (.RequireAuthorization() is applied at registration time). It delegates to LogoutUser.ExecuteAsync(), which calls ISessionManager.SignOutAsync(), implemented by CookieSessionManager, to clear the ASP.NET Core authentication cookie. Once the cookie has been cleared from the browser, the server issues a 302 Found redirect to /login, returning the browser to the public login page.

Request

Method: POST
Path: /api/auth/logout
Auth required: Yes. The request must include the .AspNetCore.Cookies authentication cookie issued by POST /api/auth/login. Requests without a valid cookie are rejected with 401 Unauthorized.
Request body: None. This endpoint takes no parameters.

Request example

cURL
curl -i -b cookies.txt -c cookies.txt -X POST https://localhost:7140/api/auth/logout
The -b cookies.txt flag tells cURL to send the cookies saved during the login call (-c cookies.txt); without it the request is rejected with 401 Unauthorized. Passing -c cookies.txt here as well writes the expiring Set-Cookie back into the jar, so later calls do not replay the stale cookie, and -i prints the status line and headers, which is the only way to see the 302 and the Set-Cookie because the response has no body. Do not add -L: cURL would follow the redirect and issue a GET /login, hiding the logout response. Against a local instance using the ASP.NET Core development certificate, -k may be needed for the TLS handshake.
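The cURL call above shows the response but not whether the session is actually gone. The following is an added example, not code from the project, that logs in, logs out, and then replays the cookie exactly as it was issued before logout. It assumes a local instance at https://localhost:7140 using the development certificate, and that POST /api/auth/login reads form fields named username and password; both field names are hypothetical and must be adjusted to the real login endpoint.

```csharp
// Added example (not part of the project): log in, log out, then replay the
// pre-logout cookie to check whether the server still honours it.
// Assumptions not taken from the page: a local instance at https://localhost:7140
// using the ASP.NET Core development certificate, and a login endpoint that reads
// form fields "username" and "password" (both field names are hypothetical).
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

public static class LogoutReplayCheck
{
    private static readonly Uri BaseUri = new("https://localhost:7140");

    public static async Task<int> Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: LogoutReplayCheck <username> <password>");
            return 2;
        }

        var jar = new CookieContainer();
        using var client = NewClient(jar);

        // 1. Log in; the cookie jar captures .AspNetCore.Cookies from Set-Cookie.
        var loginForm = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["username"] = args[0],
            ["password"] = args[1],
        });
        var login = await client.PostAsync("/api/auth/login", loginForm);
        var issued = jar.GetCookies(BaseUri)[".AspNetCore.Cookies"]?.Value;
        if (issued is null)
        {
            Console.Error.WriteLine($"login returned {(int)login.StatusCode} without an auth cookie");
            return 1;
        }

        // 2. Log out. AllowAutoRedirect is off, so the documented 302 stays visible,
        //    and the expiring Set-Cookie removes the cookie from the jar.
        var logout = await client.PostAsync("/api/auth/logout", new ByteArrayContent(Array.Empty<byte>()));
        Console.WriteLine($"logout: {(int)logout.StatusCode} Location={logout.Headers.Location}");
        Console.WriteLine($"cookie still in jar after logout: {jar.GetCookies(BaseUri)[".AspNetCore.Cookies"] is not null}");

        // 3. Replay the cookie as it was issued, bypassing the jar. A self-contained
        //    cookie ticket is still valid here; only server-side revocation (for
        //    example a SessionStore) makes the server answer 401.
        using var replayClient = NewClient(jar: null);
        var replay = new HttpRequestMessage(HttpMethod.Post, "/api/auth/logout");
        replay.Headers.Add("Cookie", $".AspNetCore.Cookies={issued}");
        var replayed = await replayClient.SendAsync(replay);
        Console.WriteLine(replayed.StatusCode == HttpStatusCode.Unauthorized
            ? "old cookie rejected: logout revoked the session on the server"
            : $"old cookie still accepted ({(int)replayed.StatusCode}): logout only cleared the browser");
        return 0;
    }

    private static HttpClient NewClient(CookieContainer? jar)
    {
        var handler = new HttpClientHandler
        {
            UseCookies = jar is not null,
            AllowAutoRedirect = false,
            // Development certificate only; never ship this callback.
            ServerCertificateCustomValidationCallback =
                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator,
        };
        if (jar is not null) handler.CookieContainer = jar;
        return new HttpClient(handler) { BaseAddress = BaseUri };
    }
}
```

The interesting line is the last one: with the default self-contained cookie ticket the replay succeeds (the endpoint answers with another 302), because sign-out only tells the browser to forget the cookie. A 401 on the replay means the deployment revokes tickets server-side.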

Responses

302 Found

Logout succeeded. The authentication cookie is expired via Set-Cookie, and the client is redirected to /login.

401 Unauthorized

The request was not authenticated: no valid authentication cookie was present, so the user is effectively already logged out. Whether an unauthenticated request receives this 401 or a redirect depends on how the cookie scheme's challenge is configured: the default OnRedirectToLogin event answers with a 302 to the LoginPath rather than a 401, so confirm the status against a running instance before a client relies on it.

Response example

302 Found
HTTP/1.1 302 Found
Location: /login
Set-Cookie: .AspNetCore.Cookies=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/

Response fields

Location (302)
string
Always /login. The redirect is hard-coded in the handler via Results.Redirect("/login").
The authentication cookie is overwritten with an empty value and a past expiry date, causing the browser to delete it immediately. With the default self-contained cookie ticket, that deletion is the whole of sign-out: the server keeps no session record, so a copy of the cookie captured before logout keeps authenticating until the ticket's own expiry. Logout only revokes the session on the server when the cookie handler is configured with a SessionStore (ITicketStore) or the ticket is otherwise validated against server state (for example, a security stamp check in OnValidatePrincipal).

Antiforgery note

This endpoint has .DisableAntiforgery() applied at registration so that the plain HTML <form> in Admin.razor can submit POST /api/auth/logout without an antiforgery token. This is intentional: Blazor's built-in antiforgery token infrastructure is not automatically available to a standard HTML form rendered outside a Blazor form context, so requiring a token here would make every logout attempt from the admin UI fail with 400 Bad Request. The trade-off is that any cross-site form post that reaches the endpoint with the user's cookie can log them out (a logout CSRF). The impact is limited to a forced sign-out, and because the cookie handler's default SameSite=Lax setting keeps the browser from attaching the authentication cookie to cross-site POSTs, such a request arrives unauthenticated in practice. If a token is wanted anyway, a plain <form method="post"> in a component rendered with static server-side rendering (.NET 8 and later) can include one with the <AntiforgeryToken /> component, after which .DisableAntiforgery() can be dropped.

Source reference

The full endpoint registration and handler are defined in Api/Auth/Logout.cs:
Logout.cs
public static IEndpointRouteBuilder MapLogout(this IEndpointRouteBuilder routes)
{
    routes.MapPost("/api/auth/logout", HandleAsync)
        .RequireAuthorization()
        .DisableAntiforgery();
    return routes;
}

public static async Task<IResult> HandleAsync(LogoutUser useCase)
{
    await useCase.ExecuteAsync();
    return Results.Redirect("/login");
}
The LogoutUser use case delegates sign-out to the ISessionManager abstraction:
LogoutUser.cs
public class LogoutUser
{
    private readonly ISessionManager _sessionManager;

    public LogoutUser(ISessionManager sessionManager)
    {
        _sessionManager = sessionManager;
    }

    public async Task ExecuteAsync()
    {
        await _sessionManager.SignOutAsync();
    }
}
The endpoint is registered in Program.cs alongside the login route:
Program.cs
app.UseAuthentication();
app.UseAuthorization();

// ...

app.MapLogin();
app.MapLogout();
Because .RequireAuthorization() attaches authorization metadata to the endpoint, app.UseAuthorization() must be in the pipeline, with app.UseAuthentication() before it so the cookie has already been read into HttpContext.User when the policy runs. Without UseAuthorization, ASP.NET Core throws an InvalidOperationException when the endpoint is hit (endpoint routing detects authorization metadata that no middleware handles); with the two calls in the wrong order, the policy evaluates an empty identity and every request is challenged. The minimal hosting model (WebApplication) inserts both middlewares automatically when the authentication and authorization services are registered, but the explicit calls shown here are what fix their position relative to the rest of the pipeline.
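The page names ISessionManager and CookieSessionManager but does not show them, and sign-out through a self-contained cookie clears only the browser. The following is an added example, not the project's code, of a session manager wired to a server-side ticket store so that SignOutAsync also revokes the ticket, together with the Program.cs registration the ISessionManager and Program.cs passages above would need. Assumptions not taken from the page: ISessionManager has only the SignOutAsync method the page mentions, CookieSessionManager reaches the request through IHttpContextAccessor, and the scheme is the default cookie scheme; the store is in-memory for illustration only.

```csharp
// Added example, not the project's code: an ISessionManager implementation whose
// sign-out revokes the session on the server, not only in the browser.
// Assumptions not taken from the page: ISessionManager has the single method the
// page mentions; CookieSessionManager reaches the request through
// IHttpContextAccessor; the cookie scheme is the default cookie scheme.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

public interface ISessionManager
{
    Task SignOutAsync();
}

// With CookieAuthenticationOptions.SessionStore set, the cookie carries only a random
// key and the ticket itself lives here. SignOutAsync then calls RemoveAsync, so a copy
// of the cookie taken before logout stops authenticating at once. In-memory for the
// example only; a multi-instance deployment needs a shared store (cache or database).
public sealed class InMemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // The key becomes the cookie value, i.e. a bearer credential for this entry,
        // so it must be unguessable.
        var key = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket; // sliding expiration rewrites the ticket in place
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        _tickets.TryGetValue(key, out var ticket);
        return Task.FromResult<AuthenticationTicket?>(ticket); // null: handler rejects the cookie
    }

    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }
}

public sealed class CookieSessionManager : ISessionManager
{
    private readonly IHttpContextAccessor _httpContextAccessor;

    public CookieSessionManager(IHttpContextAccessor httpContextAccessor)
        => _httpContextAccessor = httpContextAccessor;

    public async Task SignOutAsync()
    {
        var httpContext = _httpContextAccessor.HttpContext
            ?? throw new InvalidOperationException("SignOutAsync called outside of a request.");

        // Emits the expiring Set-Cookie shown in the response example and, because a
        // SessionStore is configured, removes the server-side ticket as well.
        await httpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}

// Hypothetical Program.cs wiring for the classes above (placed before the
// app.UseAuthentication()/app.UseAuthorization() calls shown on this page):
//
// builder.Services.AddHttpContextAccessor();
// builder.Services.AddScoped<ISessionManager, CookieSessionManager>();
// builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
//     .AddCookie(options =>
//     {
//         options.LoginPath = "/login";
//         options.SessionStore = new InMemoryTicketStore();
//         options.Cookie.HttpOnly = true;
//         options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
//         options.Cookie.SameSite = SameSiteMode.Lax;
//     });
```

With this wiring the response documented above is unchanged (302 to /login plus the expiring Set-Cookie), but a cookie captured before logout now fails validation on the next request, because RetrieveAsync no longer finds a ticket for its key.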
