From 88446748250ba0e14a032d03760d5a4eaf528e6f Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Tue, 2 Dec 2025 16:33:44 +0000
Subject: [PATCH] chore(security): purge session store on logout

---
 CHANGELOG.md | 1 +
 src/web/logout.test.ts | 3 +++
 src/web/session.ts | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 081c4c00b..2ace486db 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 ### Security
 - Hardened the relay IPC socket: now lives under `~/.warelay/ipc`, enforces 0700 dir / 0600 socket perms, rejects symlink or foreign-owned paths, and includes unit tests to lock in the behavior.
+- `warelay logout` now also prunes the shared session store (`~/.warelay/sessions.json`) alongside WhatsApp Web credentials, reducing leftover state after unlinking.
 ## 1.3.0 — 2025-12-02
diff --git a/src/web/logout.test.ts b/src/web/logout.test.ts
index 478f2864c..a1d822cae 100644
--- a/src/web/logout.test.ts
+++ b/src/web/logout.test.ts
@@ -35,6 +35,8 @@ describe("web logout", () => {
 const credsDir = path.join(tmpDir, ".warelay", "credentials");
 fs.mkdirSync(credsDir, { recursive: true });
 fs.writeFileSync(path.join(credsDir, "creds.json"), "{}");
+ const sessionsPath = path.join(tmpDir, ".warelay", "sessions.json");
+ fs.writeFileSync(sessionsPath, "{}");
 const { logoutWeb, WA_WEB_AUTH_DIR } = await import("./session.js");
 expect(WA_WEB_AUTH_DIR.startsWith(tmpDir)).toBe(true);
@@ -42,6 +44,7 @@ describe("web logout", () => {
 expect(result).toBe(true);
 expect(fs.existsSync(credsDir)).toBe(false);
+ expect(fs.existsSync(sessionsPath)).toBe(false);
 });
 it("no-ops when nothing to delete", async () => {
diff --git a/src/web/session.ts b/src/web/session.ts
index 545291ebf..974f40cf1 100644
--- a/src/web/session.ts
+++ b/src/web/session.ts
@@ -12,6 +12,7 @@ import {
 } from "@whiskeysockets/baileys";
 import qrcode from "qrcode-terminal";
+import { SESSION_STORE_DEFAULT } from "../config/sessions.js";
 import { danger, info, success } from "../globals.js";
 import { getChildLogger } from "../logging.js";
 import { defaultRuntime, type RuntimeEnv } from "../runtime.js";
@@ -160,6 +161,8 @@ export async function logoutWeb(runtime: RuntimeEnv = defaultRuntime) {
 return false;
 }
 await fs.rm(WA_WEB_AUTH_DIR, { recursive: true, force: true });
+ // Also drop session store to clear lingering per-sender state after logout.
+ await fs.rm(SESSION_STORE_DEFAULT, { force: true });
 runtime.log(
 success(
 "Cleared WhatsApp Web credentials. Run `warelay login --provider web` to relink.",
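Review bot: In the second hunk the new `await fs.rm(SESSION_STORE_DEFAULT, { force: true })` sits after the `return false` exit, so whenever that guard fires (its condition is above the hunk, but the "no-ops when nothing to delete" test suggests it covers a missing WA_WEB_AUTH_DIR) a leftover `sessions.json` is never pruned — e.g. after a partial earlier logout or a manual removal of the credentials directory. Consider removing the session store before that exit, or making the early return depend on both paths being absent, so the purge does not hinge on the credentials directory still existing. `force: true` only tolerates a missing file; an EACCES or EISDIR failure here throws after the credentials were already deleted and the success message is skipped, so `await fs.rm(SESSION_STORE_DEFAULT, { force: true }).catch((err: unknown) => runtime.log(danger("Failed to remove session store: " + String(err))));` would keep the outcome of logout legible to the user. The constant's name suggests the store path may be configurable; if so, a non-default store would survive logout — worth confirming against ../config/sessions.js. logoutWeb starts before this hunk and continues past it.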