From 80c4400ae29d34623c51d87307e6bf9f7f2c4f5c Mon Sep 17 00:00:00 2001
From: giles
Date: Mon, 23 Feb 2026 12:18:04 +0000
Subject: [PATCH] Remove sso_hint, add sso-clear logout chain through all apps
Co-Authored-By: Claude Opus 4.6
---
 bp/auth/routes.py | 34 ++++++++++++++++++----------------
 shared | 2 +-
 2 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/bp/auth/routes.py b/bp/auth/routes.py
index 6ec78c8..6bcbfb7 100644
--- a/bp/auth/routes.py
+++ b/bp/auth/routes.py
@@ -196,20 +196,13 @@ def register(url_prefix="/auth"):
 qsession[SESSION_USER_KEY] = user_id
 redirect_url = pop_login_redirect_target()
- resp = redirect(redirect_url, 303)
- resp.set_cookie(
- "sso_hint", "1",
- domain=".rose-ash.com", max_age=30 * 24 * 3600,
- secure=True, samesite="Lax", httponly=True,
- )
- return resp
+ return redirect(redirect_url, 303)
 @auth_bp.post("/logout/")
 async def logout():
 qsession.pop(SESSION_USER_KEY, None)
- resp = redirect(account_url("/"))
- resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
- return resp
+ # Chain through all client apps to clear their sessions too
+ return redirect(url_for("auth.sso_logout"))
 @auth_bp.get("/clear/")
 async def clear():
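Review bot: The state-changing logout is now reachable with a plain GET, because `/logout/` (POST) only redirects to `auth.sso_logout`, which is registered with `@auth_bp.get` and pops the session itself, so any third-party page that embeds an image or link to `/sso-logout/` can force the user out of every app in the chain. Consider building the chain in the POST handler (or a shared helper both routes call) and keeping the GET route only if other apps genuinely need to link to it, in which case document it as an externally triggerable logout. With the session already popped in `logout()`, the second `qsession.pop` in `sso_logout` is redundant on this path. The login callback that opens the hunk begins outside it.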
@@ -217,16 +210,25 @@ def register(url_prefix="/auth"):
 qsession.clear()
 resp = redirect(account_url("/"))
 resp.delete_cookie("blog_session", domain=".rose-ash.com", path="/")
- resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
 return resp
 @auth_bp.get("/sso-logout/")
 async def sso_logout():
- """SSO logout: clear account session + sso_hint, redirect to blog."""
+ """SSO logout: clear account session, then chain through all client
+ apps so each clears its own first-party session cookie."""
 qsession.pop(SESSION_USER_KEY, None)
- from shared.infrastructure.urls import blog_url
- resp = redirect(blog_url("/"))
- resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
- return resp
+
+ from shared.infrastructure.urls import blog_url, market_url, cart_url, events_url, federation_url
+ from urllib.parse import quote
+
+ # Build redirect chain: blog → market → cart → events → federation → blog home
+ final = blog_url("/")
+ chain = federation_url(f"/auth/sso-clear?next={quote(final, safe='')}")
+ chain = events_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
+ chain = cart_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
+ chain = market_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
+ chain = blog_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
+
+ return redirect(chain)
 return auth_bp
diff --git a/shared b/shared
index 223491f..a93a456 160000
--- a/shared
+++ b/shared
@@ -1 +1 @@
-Subproject commit 223491fad5887afbb0e608e23189c02d0707f1d3
+Subproject commit a93a456ac56e862f8a66d39660a331d1eb326d87
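Review bot: Every hop in the chain is a cross-site redirect keyed on a caller-writable `next` query parameter, so unless each app's `/auth/sso-clear` handler restricts `next` to the known `.rose-ash.com` app hosts those endpoints become open redirectors; the handlers are not in this diff (the `shared` bump may carry them — confirm), so the contract should be stated in the `sso_logout` docstring, e.g. `Each hop's /auth/sso-clear handler must validate next against the allowed app hosts before redirecting.` The five `chain = ...` assignments repeat one template and read more clearly as a loop over the hop list, which also lets `quote` and the URL helpers move to module-level imports with the rest of the file's imports. The enclosing `register()` starts outside the hunk.
```python
    # Build redirect chain: blog → market → cart → events → federation → blog home
    hops = (blog_url, market_url, cart_url, events_url, federation_url)
    chain = blog_url("/")
    for app_url in reversed(hops):
        chain = app_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
    return redirect(chain)
```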