The logout function in packages/api/src/EmbeddedChatApi.ts fails to disconnect the WebSocket client (this.rcClient). It only calls this.auth.logout(), which removes the authentication token but leaves the socket connection active. Consequently, the application continues to receive live messages and events for the previous session even after the user has visibly "logged out," leading to privacy leaks and inconsistent state if a new user logs in without a full page refresh.
Steps to reproduce:
- Login to EmbeddedChat and enter a room.
- Open the browser's Developer Tools and navigate to the Network tab.
- Filter by "WebSocket" to see the active connection.
- Call api.logout() or click the Logout button in the UI.
- Observe that the WebSocket connection remains active (status 101 Switching Protocols) and frames continue to be received.
Expected behavior:
Logout should fully terminate the session. The function must call this.rcClient.disconnect() and this.rcClient.unsubscribeAll() to clean up resources and stop receiving data.
Actual behavior:
The WebSocket connection remains active, and the client continues to receive real-time updates for the logged-out user's session.
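A minimal model of the reported behaviour and the expected teardown, as an added example that is not part of the original report or the EmbeddedChat code base. `FakeRealtimeClient`, `FakeAuth` and both logout functions are hypothetical stand-ins; only the method names `disconnect()`, `unsubscribeAll()` and `auth.logout()` come from the report.

```typescript
// Constructed stand-ins: the real rcClient and auth objects are not shown in the report.
type Handler = (msg: string) => void;

class FakeRealtimeClient {
  connected = true;
  private subs: Record<string, Handler[]> = {};

  subscribe(topic: string, cb: Handler): void {
    (this.subs[topic] = this.subs[topic] || []).push(cb);
  }
  unsubscribeAll(): void {
    this.subs = {};
  }
  disconnect(): void {
    this.connected = false;
  }
  // Simulates a frame arriving from the server for a room.
  serverPush(topic: string, msg: string): void {
    if (!this.connected) return;
    for (const cb of this.subs[topic] || []) cb(msg);
  }
}

class FakeAuth {
  token: string | null = "constructed-token";
  logout(): void {
    this.token = null;
  }
}

// Behaviour described in the report: only the token is removed.
function logoutTokenOnly(auth: FakeAuth, _rc: FakeRealtimeClient): void {
  auth.logout();
}

// Expected behaviour: drop subscriptions and close the socket (call order is
// an assumption), and still clear the token if the teardown throws.
function logoutWithTeardown(auth: FakeAuth, rc: FakeRealtimeClient): void {
  try {
    rc.unsubscribeAll();
    rc.disconnect();
  } finally {
    auth.logout();
  }
}

// Returns how many frames still reach the UI after logout has been called.
function framesAfterLogout(logout: (a: FakeAuth, r: FakeRealtimeClient) => void): number {
  const auth = new FakeAuth();
  const rc = new FakeRealtimeClient();
  const received: string[] = [];
  rc.subscribe("room-1", (m) => { received.push(m); });
  logout(auth, rc);
  rc.serverPush("room-1", "constructed message sent after logout");
  return received.length;
}
```

A regression test for the fix can take the same shape: subscribe, log out, deliver a frame, and assert that nothing reaches the handler.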