Clicking logout previously only called supabase.auth.signOut(): Keycloak's SSO cookie was untouched, so the (app) layout's $effect immediately re-fired login() and Keycloak silently re-authenticated — logout looked broken. That same chain also surfaced "PKCE code verifier not found in storage" on prod, since signOut()'s async storage clear could race signInWithOAuth()'s verifier write, or the $effect could double-fire and overwrite verifiers mid-flight. - logout(): signOut() then redirect to Keycloak's end_session endpoint (client_id + post_logout_redirect_uri=/logged-out). Keycloak shows a one-click "Do you want to log out?" confirmation because GoTrue's proxy flow does not expose the id_token, so we can't pass id_token_hint. - isLoggingOut flag + guard in (app) layout $effect: prevents auto-relogin during the logout navigation. - New public /logged-out route, outside the (app) group. - A-05 rewritten, new A-07 (fresh login must prompt for credentials after RP-initiated logout). - pgTAP 008 extended with 4 assertions for migration 014's UPDATE trigger. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7.5 KiB
7.5 KiB