fix: add logout endpoint and session cleanup

internal/auth/service.go

@@ -47,6 +47,10 @@ func NewService(db *sql.DB, encryptionKey string) *Service {
 }
 
 func (s *Service) Login(ctx context.Context, username, password string) (Session, error) {
+	if err := s.cleanupExpiredSessions(ctx); err != nil {
+		return Session{}, fmt.Errorf("cleanup expired sessions: %w", err)
+	}
+
 	user, passwordHash, _, err := s.findUserByUsername(ctx, username)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
@@ -107,6 +111,8 @@ func (s *Service) CurrentUserByToken(ctx context.Context, token string) (User, e
 		return User{}, ErrUnauthorized
 	}
 
+	_ = s.cleanupExpiredSessions(ctx)
+
 	user, err := s.findUserByToken(ctx, token)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
@@ -118,6 +124,16 @@ func (s *Service) CurrentUserByToken(ctx context.Context, token string) (User, e
 	return user, nil
 }
 
+func (s *Service) Logout(ctx context.Context, token string) error {
+	if strings.TrimSpace(token) == "" {
+		return nil
+	}
+	if _, err := s.db.ExecContext(ctx, `DELETE FROM sessions WHERE token = ?`, strings.TrimSpace(token)); err != nil {
+		return fmt.Errorf("delete session: %w", err)
+	}
+	return nil
+}
+
 func (s *Service) CurrentUserBySubsonicAuth(ctx context.Context, username, password, token, salt string) (User, error) {
 	if username == "" {
 		return User{}, ErrUnauthorized
@@ -262,6 +278,11 @@ func (s *Service) storeSubsonicSecret(ctx context.Context, userID, password stri
 	return err
 }
 
+func (s *Service) cleanupExpiredSessions(ctx context.Context) error {
+	_, err := s.db.ExecContext(ctx, `DELETE FROM sessions WHERE expires_at <= ?`, time.Now().UTC().Format(time.RFC3339))
+	return err
+}
+
 func EncryptSubsonicSecret(value, key string) (string, error) {
 	return encryptSecret(value, key)
 }