Skip to content

fix: logout redirect races with RequireAuth login redirect#76

Merged
eugenioenko merged 3 commits into
mainfrom
fix/logout-redirect-race
May 9, 2026
Merged

fix: logout redirect races with RequireAuth login redirect#76
eugenioenko merged 3 commits into
mainfrom
fix/logout-redirect-race

Conversation

@eugenioenko
Copy link
Copy Markdown
Owner

@eugenioenko eugenioenko commented May 9, 2026

Summary

  • Reorder logout() to redirect to end_session_endpoint before clearing auth state, preventing RequireAuth from triggering a competing login() redirect
  • Only clear state locally when no end_session_endpoint is available
  • Remove the Kasper adapter's unsubscribe-before-logout workaround since the race is now fixed in the client

Test plan

  • Updated client unit test: verifies state is preserved when redirecting to end_session_endpoint
  • New client unit test: verifies state is cleared when no end_session_endpoint exists
  • Removed obsolete Kasper test for unsubscribe-before-logout workaround
  • All 31 client tests pass
  • All 28 Kasper tests pass

Closes #71

🤖 Generated with Claude Code

eugenioenko and others added 3 commits May 8, 2026 17:10
@eugenioenko @claude
fix: redirect before clearing state in logout to prevent race
397aa7b 
Previously, logout() cleared auth state (isAuthenticated: false) before
redirecting to the end_session_endpoint. This triggered RequireAuth to
call login(), which raced with and won over the logout redirect.

Now logout redirects first and returns immediately — state is only
cleared locally when no end_session_endpoint is available. Also removes
the Kasper adapter's unsubscribe-before-logout workaround since the
race is fixed in the client itself.

Closes #71

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@eugenioenko @claude
docs: add decision 028 for logout redirect ordering
8bc69cf 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@eugenioenko @claude
fix: update React and Preact logout tests to match redirect-first beh…
515204e 
…avior

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@eugenioenko eugenioenko merged commit f31adeb into main May 9, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix: logout redirect races with RequireAuth login redirect

1 participant

@eugenioenko