From 223491fad5887afbb0e608e23189c02d0707f1d3 Mon Sep 17 00:00:00 2001
From: giles
Date: Mon, 23 Feb 2026 12:15:35 +0000
Subject: [PATCH] SSO revocation: clear local session when sso_hint cookie is gone

When account logs out and deletes sso_hint, client apps now detect the missing cookie and clear their local session on next request.

Co-Authored-By: Claude Opus 4.6
---
 infrastructure/factory.py | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/infrastructure/factory.py b/infrastructure/factory.py
index e9b235a..7ba8718 100644
--- a/infrastructure/factory.py
+++ b/infrastructure/factory.py
@@ -132,12 +132,28 @@ def create_base_app(
 from quart import session as qs
 if request.path.startswith("/auth/"):
 return
- if qs.get("uid"):
+
+ uid = qs.get("uid")
+ has_hint = request.cookies.get("sso_hint")
+
+ # SSO revoked (account logged out) → clear local session
+ if uid and not has_hint:
+ qs.pop("uid", None)
+ qs.pop("cart_sid", None)
+ qs.pop("sso_checked", None)
 return
+
+ # Already logged in locally
+ if uid:
+ return
+
+ # No hint → nothing to do
+ if not has_hint:
+ return
+
+ # Has hint but no local session → trigger silent OAuth once
 if qs.get("sso_checked"):
 return
- if not request.cookies.get("sso_hint"):
- return
 qs["sso_checked"] = True
 return redirect(f"/auth/login/?next={_quote(request.url, safe='')}")
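Review bot: The revocation branch (`if uid and not has_hint:`) treats any request that does not carry `sso_hint` as a logout, so a cookie that has expired, was blocked by the browser, or is scoped to a different Domain/Path than the session cookie will silently drop the local session on an unrelated request; the comment should state that assumption, e.g. `# Relies on sso_hint being a long-lived cookie scoped to the same domain as the session cookie; any request without it is treated as revocation`. The branch also removes only `uid`, `cart_sid` and `sso_checked`, so if the session holds other per-user keys they survive the forced logout — if that is the case, `qs.clear()` (or a documented list of user-bound keys) would be safer than three targeted pops, though clearing everything may also discard non-user state the app keeps in the session. A forced logout triggered by a missing cookie is worth a log line for incident triage, since from the user's side it is indistinguishable from a session bug. The enclosing hook starts before this hunk, so the method filter and hook registration are not visible here.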