Bug Report: Invalid Authentication Token Errors After Logout

[Sanady]

Describe the bug
When logging out from a Chainlit application, the UI repeatedly displays errors stating "Invalid authentication token". In the browser’s DevTools console, these appear as recurring 401 Unauthorized network errors.
The logout itself is successful — the user session ends correctly — but the application continues trying to call authenticated endpoints every ~15 seconds, causing a flood of errors.

To Reproduce
Steps to reproduce the behavior:

1. Open the Chainlit application.
2. Log in with a valid user.
3. Click Logout.
4. Observe UI error toasts stating "Invalid authentication token".
5. Open DevTools → Network tab → see recurring 401 Unauthorized requests continuing even after logout.

Expected behavior
After logging out:
The UI should stop making authenticated API calls.
No error toasts or console errors should appear.
Any background polling, websocket, or refresh loops should be terminated on logout.

Screenshots
imgur screenshots

Desktop (please complete the following information):

• OS: Windows
• Browser: Microsoft Edge
• Version: 146.0.3856.84 (Official build) (64‑bit)
• Device: Notebook

Additional context
The issue occurs consistently.
Requests continue to fire approximately every ~15 seconds in debug mode, suggesting that a background polling loop or web-socket reconnect attempts are not being cleaned up upon logout.
The logout endpoint works correctly — the user session ends — but the UI continues behaving as if still logged in and attempting protected API calls with an expired/invalid token.

[dosubot]

This is a confirmed gap in the logout flow. The core issue is that the frontend logout() function never disconnects the WebSocket, and Socket.io is configured with unlimited reconnection attempts — so after cookies are cleared, every reconnect attempt hits the auth middleware and produces a 401 "Invalid authentication token" error.

Root cause breakdown:

1. WebSocket not disconnected on logout — The logout() function in sessionManagement.ts calls apiClient.logout() and clears user state, but never calls the existing disconnect() function that would close the socket [1]. The disconnect() method exists in useChatSession.ts and does socket.removeAllListeners(); socket.close();, but it's simply never invoked during logout [2].

2. Unlimited Socket.io reconnection — The socket is created without a reconnectionAttempts limit [3], so Socket.io defaults to retrying indefinitely with exponential backoff (~every 15s matches what you're seeing). Each retry hits the authenticated handshake and triggers the 401 from authenticate_user() [4].

3. window.location.reload() race condition — When logout is called with reload = true (which is the default from the nav menu), the page reload should kill the socket. But there's a window where socket reconnect fires before the reload completes, or in embedded/Copilot mode where reload is false, the socket lives on indefinitely.

Related open issue: #2800 documents a related problem where @cl.on_logout returning a RedirectResponse causes the frontend to fail silently (it tries to parse the response as JSON), leaving the UI alive with cleared cookies — which amplifies the same 401 flooding.

Workaround until this is fixed: If you're using a custom @cl.on_logout, make sure it returns a JSON response (not a redirect), and ensure reload=true is used so the page fully reloads and kills the socket connection.

The fix would involve calling disconnect() on the WebSocket as part of the logout sequence in sessionManagement.ts, and potentially setting a reconnectionAttempts limit on the socket.io client configuration.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}