SSO revocation: clear local session when sso_hint cookie is gone

When account logs out and deletes sso_hint, client apps now detect the missing cookie and clear their local session on next request. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:15:35 +00:00
parent dfc41ada7d
commit 223491fad5
1 changed files with 19 additions and 3 deletions
--- a/infrastructure/factory.py
+++ b/infrastructure/factory.py
@@ -132,12 +132,28 @@ def create_base_app(
            from quart import session as qs
            if request.path.startswith("/auth/"):
                return
-            if qs.get("uid"):
+
+            uid = qs.get("uid")
+            has_hint = request.cookies.get("sso_hint")
+
+            # SSO revoked (account logged out) → clear local session
+            if uid and not has_hint:
+                qs.pop("uid", None)
+                qs.pop("cart_sid", None)
+                qs.pop("sso_checked", None)
                return
+
+            # Already logged in locally
+            if uid:
+                return
+
+            # No hint → nothing to do
+            if not has_hint:
+                return
+
+            # Has hint but no local session → trigger silent OAuth once
            if qs.get("sso_checked"):
                return
-            if not request.cookies.get("sso_hint"):
-                return
            qs["sso_checked"] = True
            return redirect(f"/auth/login/?next={_quote(request.url, safe='')}")