Remove sso_hint, add sso-clear logout chain through all apps

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

bp/auth/routes.py

@@ -196,20 +196,13 @@ def register(url_prefix="/auth"):
         qsession[SESSION_USER_KEY] = user_id
 
         redirect_url = pop_login_redirect_target()
-        resp = redirect(redirect_url, 303)
-        resp.set_cookie(
-            "sso_hint", "1",
-            domain=".rose-ash.com", max_age=30 * 24 * 3600,
-            secure=True, samesite="Lax", httponly=True,
-        )
-        return resp
+        return redirect(redirect_url, 303)
 
     @auth_bp.post("/logout/")
     async def logout():
         qsession.pop(SESSION_USER_KEY, None)
-        resp = redirect(account_url("/"))
-        resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
-        return resp
+        # Chain through all client apps to clear their sessions too
+        return redirect(url_for("auth.sso_logout"))
 
     @auth_bp.get("/clear/")
     async def clear():
@@ -217,16 +210,25 @@ def register(url_prefix="/auth"):
         qsession.clear()
         resp = redirect(account_url("/"))
         resp.delete_cookie("blog_session", domain=".rose-ash.com", path="/")
-        resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
         return resp
 
     @auth_bp.get("/sso-logout/")
     async def sso_logout():
-        """SSO logout: clear account session + sso_hint, redirect to blog."""
+        """SSO logout: clear account session, then chain through all client
+        apps so each clears its own first-party session cookie."""
         qsession.pop(SESSION_USER_KEY, None)
-        from shared.infrastructure.urls import blog_url
-        resp = redirect(blog_url("/"))
-        resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
-        return resp
+
+        from shared.infrastructure.urls import blog_url, market_url, cart_url, events_url, federation_url
+        from urllib.parse import quote
+
+        # Build redirect chain: blog → market → cart → events → federation → blog home
+        final = blog_url("/")
+        chain = federation_url(f"/auth/sso-clear?next={quote(final, safe='')}")
+        chain = events_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
+        chain = cart_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
+        chain = market_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
+        chain = blog_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
+
+        return redirect(chain)
 
     return auth_bp