@F-004 @auth @logout
Feature: User Logout

  Background:
    Given the user "alice@example.com" exists with password "SecurePass123!"
    And I am authenticated as "alice@example.com"

  @positive
  Scenario: Successful logout invalidates current session
    Given my current access token is valid
    When I logout
    Then I should receive confirmation
    And my session should be marked as revoked
    And my access token should no longer be valid

  @positive
  Scenario: Logout with refresh token also invalidates access
    Given I have a valid refresh token
    When I logout
    Then both access and refresh tokens should be invalid
    And I should not be able to get new access token with refresh

  @positive
  Scenario: Logout all sessions for user
    Given I am logged in from device "desktop"
    And I am logged in from device "mobile"
    When I logout from all devices
    Then all my sessions should be invalidated
    And I should not be able to use any previous token

  @negative
  Scenario: Using token after logout returns unauthorized
    Given I previously logged in successfully
    And I have logged out
    When I try to use my old access token
    Then I should receive 401 Unauthorized
    And I should not have access to protected resources

  @negative
  Scenario: Logout with invalid token does nothing
    Given I have an invalid/expired token
    When I attempt to logout
    Then logout should not fail
    But no session should be affected

  @security
  Scenario: Concurrent logout requests are handled correctly
    Given my session is valid
    When I send multiple logout requests simultaneously
    Then only one logout operation should occur
    And token should be invalidated only once

  @smoke
  Scenario: Logout endpoint returns 200 on success
    Given I am authenticated as "alice@example.com"
    When I send POST request to "/api/v1/auth/logout"
    Then response should be 200 OK
    And response should indicate success