feat: implement combined demo-check and sign-out endpoint for fresh sign-up flow

JoachimLK · JoachimLK · commit a5632bd86561 · 2026-03-19T14:37:40.000+01:00
diff --git a/app/pages/auth/fresh-signup.vue b/app/pages/auth/fresh-signup.vue
@@ -7,23 +7,16 @@ const localePath = useLocalePath()
 
 onMounted(async () => {
   try {
-    // Server-side demo check — avoids client-side auth library quirks
-    const { hasSession, isDemo } = await $fetch('/api/auth/demo-check')
+    // Single server-side call: checks demo status AND signs out if needed.
+    // The server deletes the session from the DB and clears auth cookies
+    // via Set-Cookie headers — no client-side sign-out quirks.
+    const { action } = await $fetch('/api/auth/demo-fresh-signup', { method: 'POST' })
 
-    if (!hasSession) {
-      window.location.href = localePath('/auth/sign-up')
-      return
-    }
-
-    if (isDemo) {
-      // Sign out the demo session via the auth API directly
-      await $fetch('/api/auth/sign-out', { method: 'POST', body: {} })
-      // Hard navigate to clear all client-side state (Better Auth atoms, Nuxt caches)
-      window.location.href = localePath('/auth/sign-up')
+    if (action === 'dashboard') {
+      window.location.href = localePath('/dashboard')
     }
     else {
-      // Real user — go to dashboard
-      window.location.href = localePath('/dashboard')
+      window.location.href = localePath('/auth/sign-up')
     }
   }
   catch {
diff --git a/server/api/auth/demo-fresh-signup.post.ts b/server/api/auth/demo-fresh-signup.post.ts
@@ -0,0 +1,52 @@
+import { eq } from 'drizzle-orm'
+import * as schema from '../../database/schema'
+
+/**
+ * Combined demo-check + sign-out endpoint for the fresh-signup flow.
+ *
+ * Called when a marketing-site visitor clicks "Use Cloud". Determines
+ * whether the existing session belongs to the demo org, and if so,
+ * deletes the session server-side and clears the auth cookies so the
+ * browser arrives at sign-up with a clean slate.
+ *
+ * Returns { action: 'signup' | 'dashboard' }.
+ */
+export default defineEventHandler(async (event) => {
+  const session = await auth.api.getSession({ headers: event.headers })
+
+  if (!session) {
+    return { action: 'signup' }
+  }
+
+  const demoSlug = useRuntimeConfig().public.demoOrgSlug as string
+  const activeOrgId = (session.session as { activeOrganizationId?: string }).activeOrganizationId
+
+  if (!demoSlug || !activeOrgId) {
+    return { action: 'dashboard' }
+  }
+
+  const [org] = await db
+    .select({ slug: schema.organization.slug })
+    .from(schema.organization)
+    .where(eq(schema.organization.id, activeOrgId))
+    .limit(1)
+
+  if (org?.slug !== demoSlug) {
+    return { action: 'dashboard' }
+  }
+
+  // ── Demo session — destroy it server-side ──────────────────────
+  // 1. Remove the session row from the database
+  await db.delete(schema.session).where(eq(schema.session.id, session.session.id))
+
+  // 2. Expire the auth cookies so the browser doesn't keep sending them.
+  //    Better Auth prefixes cookie names with __Secure- over HTTPS.
+  const isSecure = getRequestURL(event).protocol === 'https:'
+  const prefix = isSecure ? '__Secure-better-auth' : 'better-auth'
+  const cookieOpts = { path: '/', ...(isSecure && { secure: true }) }
+
+  deleteCookie(event, `${prefix}.session_token`, cookieOpts)
+  deleteCookie(event, `${prefix}.session_data`, cookieOpts)
+
+  return { action: 'signup' }
+})
