fix(auth): clear MJ client-side caches on Auth0 logout #2185
bc-izygmunt merged 3 commits into next from
Claude finished @bc-izygmunt's task
SQL Migration Review Complete
Summary: I've completed the review of this PR for SQL migration files. No SQL files were found in the Since there are no SQL migration files with INSERT statements or spCreate calls to review, there's nothing to flag regarding the hard-coded UUID requirements.
SQL Migration Review Results
I've reviewed this PR for SQL migration files as requested.
No SQL migration files were found in this PR. The changes only include:
- packages/Angular/Explorer/auth-services/src/lib/providers/mjexplorer-auth0-provider.service.ts - TypeScript service file
- packages/GraphQLDataProvider/src/graphQLDataProvider.ts - TypeScript provider file
Since there are no SQL files in the migrations/ directory to review for hard-coded UUIDs in INSERT statements or spCreate calls, there's nothing to flag regarding the migration requirements.
✅ Dependency Check Results
All dependencies are properly declared! No missing dependencies detected in this PR.
ec25925 to 55b7709
AN-BC left a comment
LGTM - however, @bc-izygmunt, I'd like @rkihm-BC to review this quickly, as he just did something with MSAL, so I want to ensure this isn't overlapping in some way with his work. We should also make sure we fix this for all auth providers, not just Auth0 or MSAL; we support many.
rkihm-align left a comment
I think clearing the client-side cache on logout makes sense for all Authentication providers so it should be moved down to the base class with the ability to override to provide provider-specific behavior when necessary.
| } | ||
|
|
||
| /** | ||
| * Clears MJ client-side caches (IndexedDB + localStorage) before logout so that |
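Review bot: the doc comment opening at `* Clears MJ client-side caches (IndexedDB + localStorage) before logout so that` names what is cleared but, in the lines visible here, not what happens when the clear fails. Suggest the comment state whether logout still proceeds if the IndexedDB delete errors or is blocked by another open tab, and which localStorage keys, if any, are deliberately kept, so callers know the contract.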
The clearing of the client-side cache on logout should be something that's done regardless of the Auth provider, i.e. Auth0, MSAL, Okta, etc. @bc-izygmunt, is this something that can be added to MJAuthBase and, if there are additional caches that need to be cleared specific to the Authentication provider, the method can be overridden in the provider?
@rkihm-align agreed. @bc-izygmunt, can you make this change please and test with both MSAL and Auth0, and if that all works update PR and merge?
55b7709 to f5bba58
When a user logs out and a different user logs in, the second user could see stale metadata and cached data from the first user's session.

Root cause: Auth0's logout() only clears its own localStorage keys. MJ's IndexedDB cache (MJ_Metadata) and sessionId localStorage key survived logout, causing the next user to load the previous user's data.

Secondary bug: MJAuth0Provider.logout() was not subscribing to Auth0 Angular SDK v2's logout() Observable, so authState.refresh() never fired.

Changes:
- MJAuth0Provider.logout() now clears all user-specific localStorage and deletes the MJ_Metadata IndexedDB before redirecting to Auth0 logout
- Auth0 logout() Observable is now subscribed via firstValueFrom() so authState.refresh() fires correctly
- GraphQLDataProvider.clearClientCache() static method added for apps that want to call cache clearing directly

Documented in Izzy: docs/mj-core-logout-cache-fix.md. Once this ships, IzzyAuth0Provider can be deleted and app.module.ts reverted to MJAuth0Provider.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…iders

Cache clearing on logout now happens in the base class so MSAL, Okta, and any future providers get the same stale-data protection automatically. Providers implement logoutInternal() for provider-specific logout only. Adds unit tests covering cache clearing, key preservation, and call order.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add afterEach to vitest imports and update vi.fn generic syntax from vi.fn<[], T>() to vi.fn<() => T>() for newer vitest versions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
336413f to 425862d
When a user logs out and a different user logs in, the second user could see stale metadata and cached data from the first user's session.
Root cause: Auth0's logout() only clears its own localStorage keys. MJ's IndexedDB cache (MJ_Metadata) and sessionId localStorage key survived logout, causing the next user to load the previous user's data.
Secondary bug: MJAuth0Provider.logout() was not subscribing to Auth0 Angular SDK v2's logout() Observable, so authState.refresh() never fired.
Changes:
Documented in Izzy: docs/mj-core-logout-cache-fix.md. Once this ships, IzzyAuth0Provider can be deleted and app.module.ts reverted to MJAuth0Provider.
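
The base-class shape described in the second commit message and in the description above, as an added TypeScript sketch that is not the PR's code. `AuthBaseSketch`, `MemoryStore`, `FakeProvider`, `PRESERVED_KEYS` and the injected `deleteDb` are hypothetical names; only `logoutInternal()`, `MJ_Metadata` and `sessionId` come from the page, and continuing to the provider logout after a failed IndexedDB delete is an assumption of this sketch.

```typescript
// Added sketch, not MemberJunction source. Storage and the IndexedDB delete are
// injected so it runs outside a browser; PRESERVED_KEYS is a hypothetical allow-list.
interface KeyValueStore {
  readonly length: number;
  key(index: number): string | null;
  removeItem(key: string): void;
}
type DeleteDb = (name: string) => Promise<void>;
const PRESERVED_KEYS: ReadonlySet<string> = new Set(["theme"]);
// Remove every key not on the allow-list and return the removed names, sorted.
function clearUserKeys(store: KeyValueStore, keep: ReadonlySet<string> = PRESERVED_KEYS): string[] {
  const doomed: string[] = [];
  for (let i = 0; i < store.length; i++) { // snapshot first: removal shifts indexes
    const k = store.key(i);
    if (k !== null && !keep.has(k)) doomed.push(k);
  }
  doomed.forEach((k) => store.removeItem(k));
  return doomed.sort();
}

abstract class AuthBaseSketch {
  readonly steps: string[] = []; // call order, recorded for inspection
  private readonly store: KeyValueStore;
  private readonly deleteDb: DeleteDb;
  constructor(store: KeyValueStore, deleteDb: DeleteDb) { this.store = store; this.deleteDb = deleteDb; }
  // Shared path: caches are cleared before any provider-specific logout runs.
  async logout(): Promise<void> {
    this.steps.push("cleared:" + clearUserKeys(this.store).join(","));
    try {
      await this.deleteDb("MJ_Metadata");
      this.steps.push("idb-deleted");
    } catch {
      this.steps.push("idb-delete-failed"); // recorded; provider logout still runs
    }
    await this.logoutInternal();
  }
  protected abstract logoutInternal(): Promise<void>;
}
// Constructed stand-ins: an in-memory localStorage and a provider that only records the call.
class MemoryStore implements KeyValueStore {
  private readonly data: Map<string, string>;
  constructor(seed: [string, string][]) { this.data = new Map(seed); }
  get length(): number { return this.data.size; }
  key(i: number): string | null { return Array.from(this.data.keys())[i] ?? null; }
  removeItem(k: string): void { this.data.delete(k); }
}
class FakeProvider extends AuthBaseSketch {
  protected async logoutInternal(): Promise<void> { this.steps.push("provider-logout"); }
}
```

In a browser the real `localStorage` satisfies `KeyValueStore` structurally, and `deleteDb` would wrap `indexedDB.deleteDatabase`, rejecting on its `error` or `blocked` events.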