Check out the lifecycle hooks available to bokeh server, which are described in the User’s Guide here.
The on_session_destroyed() function will be invoked when a particular user session ends. Note that the session does not end immediately on websocket connection closure.
There are bokeh parameters
check-unused-sessions which are configurable at server instantiation. See the Session Expiration Options section of the bokeh Reference document here.
These parameters work together to govern how long after a session expires cleanup actions occur.
The lifecycle mechanism might be workable for you if you want the cleanup to happen automatically assuming you are okay with some delay between websocket closure or other session expiration event and the actual cleanup.
Alternatively – to your second option – the example you link in the issue description does have a logout route tied to a button based on a perusal of the code. Is that not working to your expectations or is something more needed? (Caveat: I use different authentication methods in my hosted apps so don’t have direct experience with the ones in the example.)
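
The lifecycle-hook approach from the reply above, as an added example that is not part of the original post or the Bokeh project's own code. It is an `app_hooks.py` for a directory-format app; the per-session scratch directory, the cached token, the `store_token` and `session_scratch` helpers, and the flag values in the comment are assumptions for illustration.

```python
# app_hooks.py, placed inside a directory-format Bokeh app (e.g. myapp/app_hooks.py).
# Launch with explicit expiration timings (milliseconds, illustrative values):
#   bokeh serve myapp --check-unused-sessions 5000 --unused-session-lifetime 15000
import shutil
import tempfile
import threading
from pathlib import Path

# Hypothetical per-session state: a scratch directory and a cached credential.
SESSIONS = {}
LOCK = threading.Lock()


def on_session_created(session_context):
    """Hook run by the Bokeh server when a new session is created."""
    scratch = Path(tempfile.mkdtemp(prefix="bokeh-session-"))
    with LOCK:
        SESSIONS[session_context.id] = {"scratch": scratch, "token": None}


def store_token(session_id, token):
    """Hypothetical helper the app calls after the user authenticates."""
    with LOCK:
        SESSIONS[session_id]["token"] = token


def session_scratch(session_id):
    """Return the scratch directory for a live session, or None."""
    with LOCK:
        state = SESSIONS.get(session_id)
    return state["scratch"] if state else None


def on_session_destroyed(session_context):
    """Hook run when the server expires the session.

    This fires some time after the websocket closes, governed by the
    expiration flags above, so state lingers for that window.
    """
    with LOCK:
        state = SESSIONS.pop(session_context.id, None)
    if state is None:
        return False  # never registered, or already cleaned up
    state["token"] = None  # drop the cached credential reference
    shutil.rmtree(state["scratch"], ignore_errors=True)
    return True
```

The return values are for the caller's own checks; Bokeh ignores them. An explicit logout route should call the same cleanup directly instead of waiting for expiration.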