SSO revocation: clear local session when sso_hint cookie is gone

When account logs out and deletes sso_hint, client apps now detect
the missing cookie and clear their local session on next request.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

infrastructure/factory.py

@@ -132,12 +132,28 @@ def create_base_app(
             from quart import session as qs
             if request.path.startswith("/auth/"):
                 return
-            if qs.get("uid"):
+
+            uid = qs.get("uid")
+            has_hint = request.cookies.get("sso_hint")
+
+            # SSO revoked (account logged out) → clear local session
+            if uid and not has_hint:
+                qs.pop("uid", None)
+                qs.pop("cart_sid", None)
+                qs.pop("sso_checked", None)
                 return
+
+            # Already logged in locally
+            if uid:
+                return
+
+            # No hint → nothing to do
+            if not has_hint:
+                return
+
+            # Has hint but no local session → trigger silent OAuth once
             if qs.get("sso_checked"):
                 return
-            if not request.cookies.get("sso_hint"):
-                return
             qs["sso_checked"] = True
             return redirect(f"/auth/login/?next={_quote(request.url, safe='')}")