Description
The logout function in packages/api/src/EmbeddedChatApi.ts fails to disconnect the WebSocket client (this.rcClient). It only calls this.auth.logout(), which removes the authentication token but leaves the socket connection active. Consequently, the application continues to receive live messages and events for the previous session even after the user has visibly "logged out," leading to privacy leaks and inconsistent state if a new user logs in without a full page refresh.
Steps to reproduce:
- Login to EmbeddedChat and enter a room.
- Open the browser's Developer Tools and navigate to the Network tab.
- Filter by "WebSocket" to see the active connection.
- Call api.logout() or click the Logout button in the UI.
- Observe that the WebSocket connection remains active (status 101 Switching Protocols) and frames continue to be received.
Expected behavior:
Logout should fully terminate the session. The function must call this.rcClient.disconnect() and this.rcClient.unsubscribeAll() to clean up resources and stop receiving data.
Actual behavior:
The WebSocket connection remains active, and the client continues to receive real-time updates for the logged-out user's session.
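
The difference between the reported and the expected logout, as an added example that is not part of the original report and not EmbeddedChat's own code. Only `auth.logout()`, `rcClient.disconnect()` and `rcClient.unsubscribeAll()` come from the issue text; the classes, the synchronous stubs and the sample frame are constructed assumptions.

```typescript
// Constructed model of the issue. Only auth.logout(), disconnect() and
// unsubscribeAll() are named in the report; every other name is hypothetical.
class FakeRealtimeClient {
  connected = true;
  subscriptions: string[] = ["room-messages", "user-presence"];
  delivered: string[] = [];

  // Simulates the server pushing a frame over the still-open socket.
  push(frame: string): void {
    if (this.connected && this.subscriptions.length > 0) this.delivered.push(frame);
  }
  unsubscribeAll(): void { this.subscriptions = []; }
  disconnect(): void { this.connected = false; }
}

class FakeAuth {
  token: string | null = "constructed-token";
  logout(): void { this.token = null; }
}

class ChatApiModel {
  rcClient = new FakeRealtimeClient();
  auth = new FakeAuth();

  // Behaviour described in the issue: token cleared, socket left open.
  logoutTokenOnly(): void {
    this.auth.logout();
  }

  // Expected behaviour: tear down the socket even if token removal throws.
  logoutWithTeardown(): void {
    try {
      this.auth.logout();
    } finally {
      this.rcClient.unsubscribeAll();
      this.rcClient.disconnect();
    }
  }
}

// Returns how many frames reach the client after the given logout variant runs.
function framesAfterLogout(variant: "tokenOnly" | "withTeardown"): number {
  const api = new ChatApiModel();
  if (variant === "tokenOnly") api.logoutTokenOnly();
  else api.logoutWithTeardown();
  api.rcClient.push("message for previous user");
  return api.rcClient.delivered.length;
}
```

A regression test for the real fix can assert the same property: after logout, no frame addressed to the previous session is delivered.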