fix(webview-accounts): retry data-dir purge so CEF handle race doesn't leak cookies (#1076)

[oxoxDev]

Summary

• webview_account_purge now retries remove_dir_all on the per-account data directory with exponential backoff so the CEF / WKWebView handle-release race no longer leaves cookies on disk.
• Two new tokio::test cases cover the no-op-when-missing path and the happy-path deletion.

Problem

After clicking "Remove account" in OpenHuman (Slack / Gmail / Gmeet), re-adding the same provider lands the user already signed in (#1076). Repro is consistent on macOS.

Root cause: webview_account_purge (app/src-tauri/src/webview_accounts/mod.rs) calls wv.close() then immediately std::fs::remove_dir_all on the per-account data directory. On macOS, CEF subprocess holds file handles for ~200-500 ms after close returns. The deletion races those handles and fails; the existing code logs a warning and moves on, so cookies survive on disk and the next add lands the previous session.

Surfaced as a shared symptom in three independent parity audits (#1016 / #1020 / #1022), so the fix lands at the cross-provider purge primitive instead of per-provider.

Solution

Extract the deletion into purge_data_dir_with_retry:

• 5 attempts with exponential backoff: 100ms → 200ms → 400ms → 800ms → 1600ms (~3.1s total budget).
• Debug log per failed attempt with attempt {n}/{N} and the OS error so a stuck handle is diagnosable from the audit log.
• Warn log only after all attempts exhausted, with a pointer to schedule_cef_profile_purge as the cross-launch fallback.
• No-op when the path doesn't exist (e.g. account never opened a webview).

The retry budget covers the typical macOS handle-release window with margin. If the worst case exceeds 3 s, the warn log surfaces the leak instead of silently swallowing it.

Submission Checklist

• Tests added or updated (happy path + at least one failure / edge case) per docs/TESTING-STRATEGY.md
• N/A: Coverage matrix updated — no matrix row for purge primitive; behaviour-only change.
• N/A: All affected feature IDs from the matrix are listed in the PR description under ## Related — no matrix rows touched.
• No new external network dependencies introduced (mock backend used per docs/TESTING-STRATEGY.md)
• N/A: Manual smoke checklist updated — purge UX is not on docs/RELEASE-MANUAL-SMOKE.md.
• Linked issue closed via Closes #NNN in the ## Related section

Impact

• Runtime: macOS desktop primarily. Linux / Windows file-handle release is typically immediate, so this PR is a no-op on those platforms (first attempt succeeds).
• Performance: success path is unchanged (single remove_dir_all call). Failure path adds up to ~3.1 s of waiting before giving up — negligible for a user-initiated logout.
• Security: closes a real cookie-leak gap. After explicit logout, cookies no longer survive on disk for the next add to silently inherit.

Related

• Closes [Bug] cross-provider: in-app logout removes sidebar tile but leaves CEF profile cookies — re-add lands signed-in #1076
• Related: Webview: Slack full end-to-end parity with the native app #1016 (Slack parity), Webview: Gmail full end-to-end parity with the native app #1020 (Gmail parity, PR feat(gmail): native OS notifications via Atom-feed poll (#1020) #1046 in review), [Feature] webview: Google Meet — full end-to-end parity with native app #1022 (Gmeet parity, closed via PR feat(webview/gmeet): native cam/mic/screenshare + keep Meet routing in-app (#1022) #1054)
• Existing primitive cross-referenced in the warn log: schedule_cef_profile_purge (app/src-tauri/src/lib.rs:286) — per-user, queued for next launch; complementary fallback if the retry loop ever times out.

Summary by CodeRabbit

• Bug Fixes
  • Account data purge is now more reliable with automatic retry logic to handle temporary file system issues when removing accounts.

[coderabbitai]

Warning

Rate limit exceeded

@senamakel has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 47 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7a5ff336-13cd-4737-a9a2-80d590bad99f

📥 Commits

Reviewing files that changed from the base of the PR and between a17968a and 28c442e.

📒 Files selected for processing (1)

• app/src-tauri/src/webview_accounts/mod.rs

📝 Walkthrough

Walkthrough

Enhanced the account data directory purge operation in webview_account_purge by replacing direct removal with a robust async helper that retries up to five times using exponential backoff (starting at 100ms). Added existence checks, staged logging (info/debug/warn), and two tokio tests to verify the retry behavior.

Changes

Cohort / File(s)	Summary
Account Purge Robustness app/src-tauri/src/webview_accounts/mod.rs	Replaced one-shot remove_dir_all with new purge_data_dir_with_retry async helper featuring existence checks, up to 5 retry attempts with exponential backoff, and tiered logging (info on success, debug on intermediate failures, warn on final failure). Added two tokio tests validating no-op behavior for absent directories and deletion of nested structures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A bunny hops through retry loops,
Exponential grace, no droops—
Five chances dance with backoff beat,
Each purge attempt, a promise to delete!
Logs whisper soft, then warn of woe,
CEF cookies? Watch them go. 🗑️

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding retry logic to data directory purge to prevent CEF handle race conditions from leaking cookies.
Linked Issues check	✅ Passed	The PR successfully implements robust retry logic with exponential backoff for CEF profile deletion, directly addressing issue #1076's requirement to purge cookies after logout and prevent re-add from landing signed-in.
Out of Scope Changes check	✅ Passed	All changes are scoped to the webview_account_purge logic and a new private retry helper; no unrelated modifications are present outside the stated objectives.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 0/5 reviews remaining, refill in 6 minutes and 47 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

app/src-tauri/src/webview_accounts/mod.rs (1)

2083-2090: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Propagate terminal purge failure instead of always reporting success

Line 2085 logs a successful purge and the command returns Ok(()) even when Lines 2132-2137 logged that deletion failed after all retries. That makes explicit “Remove account” look successful while cookies may still persist.

Suggested fix

-async fn purge_data_dir_with_retry(data_dir: &std::path::Path) {
+async fn purge_data_dir_with_retry(data_dir: &std::path::Path) -> Result<(), std::io::Error> {
     if !data_dir.exists() {
-        return;
+        return Ok(());
     }
@@
-                return;
+                return Ok(());
             }
@@
             Err(err) => {
                 log::warn!(
                     "[webview-accounts] purge remove_dir_all {} failed after {} attempts: {} — cookies may persist; cross-launch fallback handled by schedule_cef_profile_purge",
                     data_dir.display(),
                     MAX_ATTEMPTS,
                     err
                 );
+                return Err(err);
             }
         }
     }
+    Ok(())
 }

-    purge_data_dir_with_retry(&data_dir).await;
-
-    log::info!(
-        "[webview-accounts] purged account={} label={:?}",
-        args.account_id,
-        label_opt
-    );
-    Ok(())
+    purge_data_dir_with_retry(&data_dir)
+        .await
+        .map_err(|e| format!("purge data dir {}: {e}", data_dir.display()))?;
+
+    log::info!(
+        "[webview-accounts] purged account={} label={:?}",
+        args.account_id,
+        label_opt
+    );
+    Ok(())
 }

Also applies to: 2101-2141

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/src-tauri/src/webview_accounts/mod.rs` around lines 2083 - 2090, The code
always logs success and returns Ok(()) after calling
purge_data_dir_with_retry(&data_dir).await even when that helper logged a
terminal failure; change purge_data_dir_with_retry to return a Result (e.g.,
Result<(), anyhow::Error> or your crate's error type) and propagate its error:
await purge_data_dir_with_retry(&data_dir).await? (or match and return Err) so
that the surrounding function does not log success or return Ok(()) when purge
failed; update all call sites (the blocks around
purge_data_dir_with_retry(&data_dir).await and the duplicate range at 2101-2141)
to handle the Result and only log success when purge returns Ok.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/src-tauri/src/webview_accounts/mod.rs`:
- Around line 2119-2137: In the purge loop handling remove_dir_all (referencing
remove_dir_all, data_dir, MAX_ATTEMPTS, backoff, schedule_cef_profile_purge),
treat std::io::ErrorKind::NotFound as a success: when Err(err) is returned
during retries, check err.kind() == std::io::ErrorKind::NotFound and if so log a
debug/info message that the directory was already removed and break/return
success instead of counting it as a retry or emitting the final warning;
otherwise continue the existing retry/backoff logic and keep the final warn path
unchanged.

---

Outside diff comments:
In `@app/src-tauri/src/webview_accounts/mod.rs`:
- Around line 2083-2090: The code always logs success and returns Ok(()) after
calling purge_data_dir_with_retry(&data_dir).await even when that helper logged
a terminal failure; change purge_data_dir_with_retry to return a Result (e.g.,
Result<(), anyhow::Error> or your crate's error type) and propagate its error:
await purge_data_dir_with_retry(&data_dir).await? (or match and return Err) so
that the surrounding function does not log success or return Ok(()) when purge
failed; update all call sites (the blocks around
purge_data_dir_with_retry(&data_dir).await and the duplicate range at 2101-2141)
to handle the Result and only log success when purge returns Ok.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3f2fde77-a10d-4199-b7c6-282b19a60900

📥 Commits

Reviewing files that changed from the base of the PR and between 7bd83dd and a17968a.

📒 Files selected for processing (1)

• app/src-tauri/src/webview_accounts/mod.rs