fix(auth): RP-initiated Keycloak logout + PKCE verifier race

Clicking logout previously only called supabase.auth.signOut(): Keycloak's
SSO cookie was untouched, so the (app) layout's $effect immediately
re-fired login() and Keycloak silently re-authenticated — logout looked
broken. That same chain also surfaced "PKCE code verifier not found in
storage" on prod, since signOut()'s async storage clear could race
signInWithOAuth()'s verifier write, or the $effect could double-fire and
overwrite verifiers mid-flight.

- logout(): signOut() then redirect to Keycloak's end_session endpoint
  (client_id + post_logout_redirect_uri=/logged-out). Keycloak shows a
  one-click "Do you want to log out?" confirmation because GoTrue's proxy
  flow does not expose the id_token, so we can't pass id_token_hint.
- isLoggingOut flag + guard in (app) layout $effect: prevents auto-relogin
  during the logout navigation.
- New public /logged-out route, outside the (app) group.
- A-05 rewritten, new A-07 (fresh login must prompt for credentials after
  RP-initiated logout).
- pgTAP 008 extended with 4 assertions for migration 014's UPDATE trigger.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-21 09:35:17 +02:00
parent 9067ab8f0c
commit ca12516005
7 changed files with 165 additions and 17 deletions

View File

@@ -32,7 +32,25 @@ test.describe('Auth — login and route protection', () => {
).toBeVisible({ timeout: 15_000 });
});
test('A-05: Ana can sign out', async ({ page }) => {
// Helper: click through Keycloak's "Do you want to log out?" confirmation.
// Keycloak shows this whenever the end-session request is made without
// `id_token_hint` — which is our case, because GoTrue's proxy flow does
// not expose the Keycloak id_token to the client. In prod users see it
// as a one-click confirmation, which is acceptable.
async function confirmKeycloakLogout(page: import('@playwright/test').Page) {
await page.waitForURL(/realms\/colectivo\/protocol\/openid-connect\/logout/, {
timeout: 15_000
});
await page.getByRole('button', { name: /^logout$/i }).click();
}
test('A-05: Ana can sign out (ends Keycloak SSO, lands on /logged-out)', async ({ page }) => {
const pkceErrors: string[] = [];
page.on('console', (msg) => {
const t = msg.text();
if (/PKCE code verifier not found/i.test(t)) pkceErrors.push(t);
});
await loginAs(page, USERS.ana);
await page.goto('/settings');
@@ -40,10 +58,39 @@ test.describe('Auth — login and route protection', () => {
await expect(signOutButton).toBeVisible({ timeout: 10_000 });
await signOutButton.click();
// After sign out, the session is cleared. The (app) layout's auth effect
// will redirect back to Keycloak for re-auth (SSO still active there), so
// we end up somewhere other than /settings. We just verify we left.
await expect(page).not.toHaveURL(/\/settings/, { timeout: 15_000 });
await confirmKeycloakLogout(page);
// After the Keycloak confirmation, browser lands on /logged-out.
await page.waitForURL(/\/logged-out(\?|$|#)/, { timeout: 20_000 });
// No Supabase session should remain.
const hasSession = await page.evaluate(() =>
Object.keys(localStorage).some(
(k) => k.startsWith('sb-') && k.endsWith('-auth-token') && !!localStorage.getItem(k)
)
);
expect(hasSession).toBe(false);
// And no PKCE error was emitted during the flow.
expect(pkceErrors).toEqual([]);
});
test('A-07: after sign out, next login prompts for Keycloak credentials', async ({ page }) => {
await loginAs(page, USERS.ana);
await page.goto('/settings');
await page.getByRole('button', { name: /sign out|cerrar sesión/i }).click();
await confirmKeycloakLogout(page);
await page.waitForURL(/\/logged-out/, { timeout: 20_000 });
// Navigate anywhere in the (app) group — the auth effect should push us
// to Keycloak, and because the SSO cookie was cleared by RP-initiated
// logout, Keycloak must render the login form (not silently redirect).
await page.goto('/lists');
await page.waitForURL(
new RegExp(`realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth`),
{ timeout: 15_000 }
);
await expect(page.locator('#username')).toBeVisible({ timeout: 10_000 });
});
test('A-06: David (guest) can log in and see the collective', async ({ page }) => {