fix(auth): drop auth-signal writes from UserMenu logout closure #79

Merged
YousifShkara merged 1 commit from fix/logout-no-signal-writes-pre-navigation into main 2026-06-06 02:56:52 +02:00
Owner

PR #78 switched the UserMenu logout to navigate at the bunyip-api `OptionalUser`-backed `GET /v1/auth/logout?url=...` endpoint, which correctly clears the .a8n.systems-scoped session cookies. The user reports the symptom did not actually change: clicking Logout still lands them back on the mokosh dashboard, still authenticated.

The bug is the closure ordering, not the URL. `hooks::auth::use_logout` carries an explicit warning, copied here for the record: "the call to `location.replace` MUST run before any write to the auth signal. Otherwise `auth.write(user = None)` schedules a Dioxus re-render; on that re-render the route guard sees an unauthenticated user on `/dashboard` and calls `navigator.push(Route::Login {})`, which puts `/login` on TOP of `/dashboard` in history; the subsequent `location.replace` races the router push and the user ends up navigated away from the hub logout URL and back onto the dashboard view." The UserMenu closure introduced in PR #78 ignored that warning: it wrote `auth.write().user = None` (and `set_access_token(None)`, which is the same signal-write pattern) and then called `location.replace`. The race plays out exactly as the warning describes; nothing about the URL change altered the outcome.

This change drops both signal writes. The closure now does the minimum: close the dropdown menu, clear sessionStorage (so a refresh after the navigation cannot rehydrate), then `location.replace(hub_logout)`. The full page reload that follows resets every in-memory signal anyway, so the explicit writes were always redundant on top of being racy.

No other changes. The hub_logout URL, the Profile -> /settings link, and the local memberships synthesis from PR #78 all stay as they were.

fix(auth): drop auth-signal writes from UserMenu logout closure
All checks were successful
Create release / Create release from merged PR (pull_request) Has been skipped
Check / clippy + fmt + tests (pull_request) Successful in 39s
8272512caf
YousifShkara deleted branch fix/logout-no-signal-writes-pre-navigation 2026-06-06 02:56:52 +02:00
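The ordering rule from the PR description (no auth-signal write, and a sessionStorage clear, before `location.replace`) can be pinned down as a check over a recorded effect trace. This is an added example, not code from the mokosh repository: `Effect`, `racy_logout`, `fixed_logout` and `check_logout_order` are hypothetical names, the two traces are constructed from the description, and the URL is a placeholder.

```rust
// Added example: hypothetical names, traces constructed from the PR description.
#[derive(Debug, Clone, PartialEq)]
enum Effect {
    CloseMenu,
    ClearSessionStorage,
    AuthSignalWrite(&'static str),
    LocationReplace(String),
}

// The PR #78 closure as described: two signal writes, then navigation.
fn racy_logout(hub_logout: &str) -> Vec<Effect> {
    vec![
        Effect::AuthSignalWrite("auth.write().user = None"),
        Effect::AuthSignalWrite("set_access_token(None)"),
        Effect::LocationReplace(hub_logout.to_string()),
    ]
}

// The closure after this change: close menu, clear sessionStorage, navigate.
fn fixed_logout(hub_logout: &str) -> Vec<Effect> {
    vec![
        Effect::CloseMenu,
        Effect::ClearSessionStorage,
        Effect::LocationReplace(hub_logout.to_string()),
    ]
}

/// Ok if sessionStorage is cleared and no auth-signal write happens before
/// the first location.replace; Err names the first problem found.
fn check_logout_order(trace: &[Effect]) -> Result<(), String> {
    let nav = trace.iter().position(|e| matches!(e, Effect::LocationReplace(_)));
    let before = &trace[..nav.ok_or("no location.replace in trace")?];
    if let Some(Effect::AuthSignalWrite(w)) =
        before.iter().find(|e| matches!(e, Effect::AuthSignalWrite(_)))
    {
        return Err(format!("signal write before navigation: {w}"));
    }
    if !before.contains(&Effect::ClearSessionStorage) {
        return Err("sessionStorage not cleared before navigation".to_string());
    }
    Ok(())
}

fn main() {
    let url = "https://hub.example.invalid/v1/auth/logout?url=placeholder"; // placeholder URL
    println!("racy:  {:?}", check_logout_order(&racy_logout(url)));
    println!("fixed: {:?}", check_logout_order(&fixed_logout(url)));
}
```

In a real test the trace would come from a recording stand-in for the menu, storage, signal and `location` calls that the closure is handed, rather than from literals.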
Reference
psa-systems/mokosh-apps!79