Remove sso_hint cookie, add sso-clear logout chain

sso_hint on .rose-ash.com was blocked by Safari ITP — the exact problem we're solving. Replaced with redirect chain: account logout chains through each client app's /auth/sso-clear to clear all first-party sessions without any cross-domain cookies. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:17:22 +00:00
parent 223491fad5
commit a93a456ac5
2 changed files with 10 additions and 37 deletions
--- a/infrastructure/factory.py
+++ b/infrastructure/factory.py
@@ -123,40 +123,6 @@ def create_base_app(
        for fn in before_request_fns:
            app.before_request(fn)

-    # Silent SSO: if account set sso_hint cookie, trigger OAuth once
-    if name != "account":
-        from urllib.parse import quote as _quote
-
-        @app.before_request
-        async def _sso_check():
-            from quart import session as qs
-            if request.path.startswith("/auth/"):
-                return
-
-            uid = qs.get("uid")
-            has_hint = request.cookies.get("sso_hint")
-
-            # SSO revoked (account logged out) → clear local session
-            if uid and not has_hint:
-                qs.pop("uid", None)
-                qs.pop("cart_sid", None)
-                qs.pop("sso_checked", None)
-                return
-
-            # Already logged in locally
-            if uid:
-                return
-
-            # No hint → nothing to do
-            if not has_hint:
-                return
-
-            # Has hint but no local session → trigger silent OAuth once
-            if qs.get("sso_checked"):
-                return
-            qs["sso_checked"] = True
-            return redirect(f"/auth/login/?next={_quote(request.url, safe='')}")
-
    @app.before_request
    async def _csrf_protect():
        await protect()