Metaculus · hlbmtc · Feb 19, 2026 · Feb 16, 2026 · Feb 16, 2026 · Feb 19, 2026
diff --git a/authentication/urls.py b/authentication/urls.py
@@ -7,8 +7,6 @@
     path("auth/logout/", common.logout_api_view),
     path("auth/refresh/", common.token_refresh_api_view, name="token_refresh"),
     path("auth/verify_token/", common.verify_token_api_view),
-    # DEPRECATED: Legacy token migration endpoint (remove after 30 days)
-    path("auth/exchange-legacy-token/", common.exchange_legacy_token_api_view),
     path("auth/signup/", common.signup_api_view, name="auth-signup"),
     path(
         "auth/signup/simplified/",

diff --git a/authentication/views/common.py b/authentication/views/common.py
@@ -289,31 +289,6 @@ def api_key_rotate_api_view(request):
     return Response({"key": api_key.key}, status=status.HTTP_201_CREATED)
 
 
-@api_view(["POST"])
-@permission_classes([AllowAny])
-def exchange_legacy_token_api_view(request):
-    """
-    Exchange a legacy DRF auth token for new JWT tokens.
-
-    DEPRECATED: This endpoint exists only for backward compatibility during
-    the migration period. It should be removed after the grace period (30 days).
-    """
-    token = serializers.CharField().run_validation(request.data.get("token"))
-
-    try:
-        token_obj = ApiKey.objects.get(key=token)
-    except ApiKey.DoesNotExist:
-        raise ValidationError({"token": ["Invalid token"]})
-
-    user = token_obj.user
-    if not user.is_active:
-        raise ValidationError({"token": ["User account is inactive"]})
-
-    tokens = get_tokens_for_user(user)
-
-    return Response({"tokens": tokens})
-
-
 @api_view(["POST"])
 @permission_classes([AllowAny])
 def token_refresh_api_view(request):

diff --git a/front_end/src/app/(main)/accounts/actions.ts b/front_end/src/app/(main)/accounts/actions.ts
@@ -1,7 +1,7 @@
 "use server";
 
 import { revalidatePath } from "next/cache";
-import { cookies, headers } from "next/headers";
+import { headers } from "next/headers";
 import { redirect } from "next/navigation";
 import { getLocale } from "next-intl/server";
 
@@ -156,8 +156,6 @@ export async function LogOut() {
   authManager.clearAuthTokens();
   authManager.clearImpersonatorRefreshToken();
 
-  // DEPRECATED: Remove after 30-day migration period
-  (await cookies()).delete("auth_token");
   return redirect("/");
 }
 

diff --git a/front_end/src/middleware.ts b/front_end/src/middleware.ts
@@ -2,9 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 
 import ServerAuthApi from "@/services/api/auth/auth.server";
 import { AuthCookieManager, AuthCookieReader } from "@/services/auth_tokens";
-import { handleLegacyTokenMigration } from "@/services/auth_tokens_migration";
 import { CsrfManager } from "@/services/csrf";
-// DEPRECATED: Remove after 30-day migration period
 import {
   LanguageService,
   LOCALE_COOKIE_NAME,
@@ -93,24 +91,12 @@ export async function middleware(request: NextRequest) {
     // 3. Clear invalid JWT tokens (only on definitive 4xx, not transient errors)
     if (!hasSession && (accessToken || refreshToken)) {
       responseAuth.clearAuthTokens();
-      // Clear legacy auth token
-      response.cookies.delete("auth_token");
     }
   } catch (error) {
     // Transient error (5xx, network) - don't clear tokens
     console.error("Auth service error, preserving tokens:", error);
   }
 
-  // 4. No JWT tokens - try legacy migration
-  // DEPRECATED: Remove after 30-day migration period
-  if (!hasSession && !accessToken && !refreshToken) {
-    hasSession = await handleLegacyTokenMigration(
-      request,
-      response,
-      responseAuth
-    );
-  }
-
   const { PUBLIC_AUTHENTICATION_REQUIRED } = getPublicSettings();
 
   // If authentication is required, redirect unauthenticated users

diff --git a/front_end/src/services/auth_tokens_migration.ts b/front_end/src/services/auth_tokens_migration.ts