Delete Pending requests on switch account / logout

[pory-gone]

Description

fix #2366

Fixed race condition:

• Added Apollo Client context link that strips authentication headers from requests when window.logoutInProgress flag is true
• Set logout flag immediately before logout/account switch operations to invalidate auth context for pending requests
• Created reusable clearAuthCookies() helper function in auth.js using existing cookie constants
• Added immediate client-side cookie invalidation during logout process using centralized cookie management

Screenshots

NaN

Additional Context

Uses Apollo Client's setContext link for clean request interception, clearAuthCookies() function can be reused for other logout scenarios

Checklist

Are your changes backward compatible? Please answer below:
Yes

On a scale of 1-10 how well and how have you QA'd this change and any features it might affect? Please answer below:
8/10

For frontend changes: Tested on mobile, light and dark mode? Please answer below:
NaN

Did you introduce any new environment variables? If so, call them out explicitly here:
NaN

Did you use AI for this? If so, how much did it assist you?
I used AI to locate interested files and to test the implementations

[ekzyis]

How did you test this?

It does not work, see video:

2025-09-21.16-32-03.mp4

I will add this video to the issue because this is the same test I did to demonstrate that #2406 (review) does not work.

I also added a new possible hint how to fix this in the issue.

[ekzyis]

I don't think JS can clear httpOnly cookies in production

[ekzyis]

headers is always undefined here

[ekzyis]

we might not hit this line during logout because we get switched to another account, see code above

the code above is also prone to the race condition

[ekzyis]

is the assumption that this variable is reset when the page is reloaded?

[pory-gone]

i tested using something like this:
setInterval(() => { fetch('/api/graphql', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ query: '{ me { id name } }' }) }).then(r => r.json()).then(data => { console.log('req complete:', data.data?.me ? 'auth' : 'anon'); }); }, 5000);
and it didn't seem to have any errors, but following the procedure in the video, the problem persists for me too, I'll try to investigate a bit better

[ekzyis]

i tested using something like this: setInterval(() => { fetch('/api/graphql', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ query: '{ me { id name } }' }) }).then(r => r.json()).then(data => { console.log('req complete:', data.data?.me ? 'auth' : 'anon'); }); }, 5000); and it didn't seem to have any errors, but following the procedure in the video, the problem persists for me too, I'll try to investigate a bit better

This is fetching every 5 seconds, but the bug is about requests that take 5 seconds to finish

[pory-gone]

After spending some time in the documentations you suggested, I implemented a custom Apollo Link that injects AbortSignal into all GraphQL operations and physically cancels them during logout/account switching. I did some investigations on Apollo's Advanced HTTP networking docs and created an abort link that sits before HttpLink in the chain and adds signal: abortController.signal to fetchOptions via operation.setContext(), then when logout happens we call abortPendingRequests() which triggers controller.abort() to actually cancel pending requests. The abort link handles both logout and account switching scenarios, and I followed the standard AbortController/Fetch API integration patterns from MDN docs combined with Apollo Link request handler patterns. This should completely eliminate the race condition since requests get cancelled mid-flight rather than completing successfully, so no fresh cookies = no automatic re-authentication. Hope i did everything right ahaha

2025-09-21-19-56-11.mp4