Persist user login/logout audit in ncue_user

Add first_login_at and last_logout_at, ensure table exists at runtime, upsert user on /api/auth/sync, and record logout via /api/auth/logout from the client.

Co-authored-by: Cursor <cursoragent@cursor.com>

script.js

@@ -666,6 +666,36 @@
     }
   }
 
+  function sendLogoutToServer(idToken) {
+    if (!idToken) return;
+    const cfg = getAuthConfig();
+    const payload = JSON.stringify({ t: Date.now() });
+    // Prefer sendBeacon to survive navigation
+    try {
+      const blob = new Blob([payload], { type: "application/json" });
+      const ok = navigator.sendBeacon("/api/auth/logout", blob);
+      if (ok) return;
+    } catch {
+      // ignore
+    }
+    // Fallback fetch keepalive (best-effort)
+    try {
+      fetch("/api/auth/logout", {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${idToken}`,
+          "X-Auth0-Issuer": `https://${cfg.auth0.domain}/`,
+          "X-Auth0-ClientId": cfg.auth0.clientId,
+          "Content-Type": "application/json",
+        },
+        body: payload,
+        keepalive: true,
+      }).catch(() => {});
+    } catch {
+      // ignore
+    }
+  }
+
   function isAllowedEmail(email) {
     const { allowedEmails } = getAuthConfig();
     if (!allowedEmails.length) return true; // 설정이 비어있으면 로그인만으로 허용
@@ -871,6 +901,13 @@
     if (auth.mode !== "enabled") return;
     // SDK가 있으면 SDK로, 없으면 수동 로그아웃
     if (auth.client) {
+      try {
+        const claims = await auth.client.getIdTokenClaims();
+        const raw = claims && claims.__raw ? String(claims.__raw) : "";
+        if (raw) sendLogoutToServer(raw);
+      } catch {
+        // ignore
+      }
       auth.user = null;
       auth.authorized = false;
       updateAuthUi();
@@ -882,6 +919,9 @@
       });
       return;
     }
+    // manual token logout
+    const t = loadTokens();
+    if (t && t.id_token) sendLogoutToServer(t.id_token);
     clearTokens();
     auth.user = null;
     auth.authorized = false;