From ec8ef13c93756f392fbde6b95e176ce390ba7d85 Mon Sep 17 00:00:00 2001
From: Salvatore Martire <4652631+salmart-dev@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:49:18 +0100
Subject: [PATCH] fix: add X-User-Id header to logout response before clearing
 the user session

Signed-off-by: Salvatore Martire <4652631+salmart-dev@users.noreply.github.com>
---
 core/Controller/LoginController.php           | 9 +++++++--
 tests/Core/Controller/LoginControllerTest.php | 1 +
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index d7c1528b71de9..e6e48134ed861 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -77,8 +77,9 @@ public function __construct(
 	#[FrontpageRoute(verb: 'GET', url: '/logout')]
 	public function logout() {
 		$loginToken = $this->request->getCookie('nc_token');
-		if (!is_null($loginToken)) {
-			$this->config->deleteUserValue($this->userSession->getUser()->getUID(), 'login_token', $loginToken);
+		$uid = $this->userSession->getUser()?->getUID();
+		if ($loginToken !== null && $uid !== null) {
+			$this->config->deleteUserValue($uid, 'login_token', $loginToken);
 		}
 		$this->userSession->logout();
 
@@ -97,6 +98,10 @@ public function logout() {
 			$response->addHeader('Clear-Site-Data', '"cache", "storage"');
 		}
 
+		if ($uid !== null) {
+			$response->addHeader('X-User-Id', $uid);
+		}
+
 		return $response;
 	}
 
diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php
index 95c020d05a682..28b613cb4ba0c 100644
--- a/tests/Core/Controller/LoginControllerTest.php
+++ b/tests/Core/Controller/LoginControllerTest.php
@@ -217,6 +217,7 @@ public function testLogoutWithToken(): void {
 
 		$expected = new RedirectResponse('/login');
 		$expected->addHeader('Clear-Site-Data', '"cache", "storage"');
+		$expected->addHeader('X-User-Id', 'JohnDoe');
 		$this->assertEquals($expected, $this->loginController->logout());
 	}