Remove remaining req/res params from BaseController + Auth.logout

[kainovaii]

Pull Request: Remove remaining req/res params from BaseController + Auth.logout via SessionContext

Summary

Completes the req, res cleanup started in v2.6.1. Auth.logout() now uses SessionContext instead of accepting a Session parameter. BaseController wrappers (logout, isLogged, getLoggedUser, hasRole, requireLogin) are now fully no-arg. WebServer updated accordingly.

---

Changes

1. Auth.logout() — uses SessionContext

Modified: security/auth/Auth.java

• logout(Session session) → logout() (no-arg)
• Uses SessionContext.get().invalidate() with null guard
• Added import SessionContext

2. BaseController — all wrappers now no-arg

Modified: http/controller/BaseController.java

• logout(Session) → logout() — delegates to Auth.logout()
• isLogged(Request) → isLogged()
• getLoggedUser(Request) → getLoggedUser()
• hasRole(Request, String) → hasRole(String)
• requireLogin(Request, Response) → requireLogin()

3. WebServer — updated calls

Modified: core/WebServer.java

• isLogged(req) → isLogged()
• getLoggedUser(req) → getLoggedUser()

4. AuthTest — wired SessionContext

Modified: AuthTest.java

• Added import SessionContext
• tearDown() now clears SessionContext alongside RequestContext
• logout_invalidatesSession — sets SessionContext.set(session) before calling Auth.logout()
• Removed logout_nullSession_doesNotThrow (no longer applicable — null guard is internal)

---

Breaking Changes

• Auth.logout(Session) → Auth.logout() (no-arg)
• BaseController.logout(Session) → BaseController.logout() (no-arg)
• BaseController.isLogged(Request) → BaseController.isLogged()
• BaseController.getLoggedUser(Request) → BaseController.getLoggedUser()
• BaseController.hasRole(Request, String) → BaseController.hasRole(String)
• BaseController.requireLogin(Request, Response) → BaseController.requireLogin()