fix(canvas): wire SaaS Sign-out button — POST /cp/auth/signout was unreachable from the UI

Reported externally on 2026-05-05: "SaaS app logout does not work." Root cause: the control plane has had POST /cp/auth/signout (clears the WorkOS session cookie + revokes at the provider) since auth shipped, but no canvas code ever called it. grep across canvas/ for `logout|signOut|signout|sign-out` returned zero results — no helper, no button, no menu entry. Users had no path to log out short of clearing cookies in DevTools. This is a UI gap, not a backend bug. Adding the missing pieces: 1. `signOut()` helper in `canvas/src/lib/auth.ts`: - POST /cp/auth/signout with credentials:include (cross-origin cookie required for tenant subdomain → app subdomain) - Best-effort: a 5xx, 401-stale-cookie, or network failure still redirects the browser to /cp/auth/login. Leaving the user on an authed-looking page after they clicked Sign out is the worst possible UX — that's the precise "logout doesn't work" symptom the report described. - Lands on /cp/auth/login (not the current URL) so the user doesn't loop back into the org they just left via AuthGate's return_to. 2. `AccountBar` component on /orgs page Shell — renders the signed-in email + Sign-out button at the top. Click → signOut() → `Signing out…` → bounces to login. Disabled-while-pending so a double-click can't fire two requests. 3. Tests in `auth.test.ts` (4 new, total 12 pass): - POSTs to the right endpoint with credentials:include - Redirects to /cp/auth/login after success - Redirects EVEN ON network failure (the critical UX invariant) - Redirects on 401 (stale cookie path) The auth-origin resolution (`getAuthOrigin`) is reused so a tenant subdomain (acme.moleculesai.app) correctly POSTs to app.moleculesai.app/cp/auth/signout — same chain that fetchSession + redirectToLogin already use. Test plan: - [x] `npx vitest run src/lib/__tests__/auth.test.ts` — 12/12 green - [x] `tsc --noEmit` — clean - [ ] Manual: navigate to /orgs, click Sign out, observe redirect + that the next /orgs visit bounces to login (cookie cleared) - [ ] CI green Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 11:39:38 -07:00 · 2026-05-05 11:39:38 -07:00 · 4cac4e7710
commit 4cac4e7710
parent 8254bedf30
3 changed files with 171 additions and 4 deletions
--- a/canvas/src/app/orgs/page.tsx
+++ b/canvas/src/app/orgs/page.tsx
@ -18,7 +18,7 @@
 // quick bounce between signup and either Checkout or the tenant UI.

 import { useEffect, useState } from "react";
-import { fetchSession, redirectToLogin, type Session } from "@/lib/auth";
+import { fetchSession, redirectToLogin, signOut, type Session } from "@/lib/auth";
 import { PLATFORM_URL } from "@/lib/api";
 import { formatCredits, pillTone, bannerKind } from "@/lib/credits";
 import { TermsGate } from "@/components/TermsGate";
@ -129,7 +129,7 @@ export default function OrgsPage() {
    return <EmptyState banner={justCheckedOut ? <CheckoutBanner /> : null} />;
  }
  return (
-    <Shell>
+    <Shell session={session}>
      {justCheckedOut && <CheckoutBanner />}
      <ul className="space-y-3">
        {orgs.map((o) => (
@ -160,11 +160,21 @@ function CheckoutBanner() {
  );
 }

-function Shell({ children }: { children: React.ReactNode }) {
+function Shell({
+  children,
+  session,
+}: {
+  children: React.ReactNode;
+  // Optional: when present, the header renders the signed-in email +
+  // a Sign-out button. The empty-state Shell call doesn't have a
+  // session in scope, so accept null and skip the header chrome there.
+  session?: Session | null;
+}) {
  return (
    <main className="min-h-screen bg-surface text-ink">
      <TermsGate>
        <div className="mx-auto max-w-2xl px-6 pt-20 pb-12">
+          {session ? <AccountBar session={session} /> : null}
          <h1 className="text-3xl font-bold text-ink">Your organizations</h1>
          <p className="mt-2 text-ink-mid">
            Each org is an isolated Molecule workspace.
@ -177,6 +187,40 @@ function Shell({ children }: { children: React.ReactNode }) {
  );
 }

+// AccountBar renders the signed-in email + a Sign-out button at the
+// top of the page. Without this the user has no way to log out — the
+// /cp/auth/signout endpoint exists on the control plane but no UI ever
+// called it. Reported externally on 2026-05-05; this is the fix.
+//
+// Click → calls signOut() which POSTs /cp/auth/signout (clears the
+// WorkOS session cookie + revokes at the provider) then bounces to
+// /cp/auth/login. The signOut helper is best-effort — even on a 5xx
+// or network failure the redirect fires so the user never gets stuck
+// on an authed-looking page after they clicked Sign out.
+function AccountBar({ session }: { session: Session }) {
+  const [signingOut, setSigningOut] = useState(false);
+  return (
+    <div className="mb-6 flex items-center justify-between text-sm text-ink-mid">
+      <span title="Signed-in user">{session.email}</span>
+      <button
+        type="button"
+        disabled={signingOut}
+        onClick={async () => {
+          setSigningOut(true);
+          await signOut();
+          // Redirect happens inside signOut; this line is for tests +
+          // edge cases (jsdom, blocked navigation) where it doesn't.
+          setSigningOut(false);
+        }}
+        className="rounded border border-line bg-surface-card px-3 py-1 text-xs text-ink hover:bg-surface-card disabled:opacity-50"
+        aria-label="Sign out"
+      >
+        {signingOut ? "Signing out…" : "Sign out"}
+      </button>
+    </div>
+  );
+}
+
 // DataResidencyNotice surfaces where workspace data lives so EU-based
 // signups can make an informed choice (GDPR Art. 13 disclosure
 // requirement). Plain text, no icon — the goal is clarity, not
--- a/canvas/src/lib/tests/auth.test.ts
+++ b/canvas/src/lib/tests/auth.test.ts
@ -2,7 +2,7 @@
 * @vitest-environment jsdom
 */
 import { describe, it, expect, vi, afterEach } from "vitest";
-import { fetchSession, redirectToLogin } from "../auth";
+import { fetchSession, redirectToLogin, signOut } from "../auth";

 afterEach(() => {
  vi.unstubAllGlobals();
@ -110,3 +110,88 @@ describe("redirectToLogin", () => {
    expect((window.location as unknown as { href: string }).href).toBe(signupHref);
  });
 });
+
+describe("signOut", () => {
+  it("POSTs to /cp/auth/signout with credentials:include", async () => {
+    Object.defineProperty(window, "location", {
+      writable: true,
+      value: {
+        href: "https://acme.moleculesai.app/orgs",
+        pathname: "/orgs",
+        hostname: "acme.moleculesai.app",
+        protocol: "https:",
+      },
+    });
+    const fetchMock = vi.fn().mockResolvedValue({ ok: true, status: 200 });
+    vi.stubGlobal("fetch", fetchMock);
+
+    await signOut();
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    expect(fetchMock).toHaveBeenCalledWith(
+      expect.stringContaining("/cp/auth/signout"),
+      expect.objectContaining({ method: "POST", credentials: "include" }),
+    );
+  });
+
+  it("redirects to /cp/auth/login on the auth origin after signout", async () => {
+    Object.defineProperty(window, "location", {
+      writable: true,
+      value: {
+        href: "https://acme.moleculesai.app/orgs",
+        pathname: "/orgs",
+        hostname: "acme.moleculesai.app",
+        protocol: "https:",
+      },
+    });
+    vi.stubGlobal("fetch", vi.fn().mockResolvedValue({ ok: true, status: 200 }));
+
+    await signOut();
+
+    const after = (window.location as unknown as { href: string }).href;
+    // Tenant subdomain (acme.moleculesai.app) → auth origin is app.moleculesai.app.
+    expect(after).toBe("https://app.moleculesai.app/cp/auth/login");
+  });
+
+  it("redirects even when the POST fails so the user isn't stuck on an authed page", async () => {
+    // Critical UX invariant: clicking 'Sign out' MUST navigate away from
+    // the authenticated app, even if the network is down or the cookie
+    // is already invalid. Anything else looks like the button is
+    // broken — the precise complaint that triggered this fix.
+    Object.defineProperty(window, "location", {
+      writable: true,
+      value: {
+        href: "https://acme.moleculesai.app/orgs",
+        pathname: "/orgs",
+        hostname: "acme.moleculesai.app",
+        protocol: "https:",
+      },
+    });
+    vi.stubGlobal("fetch", vi.fn().mockRejectedValue(new Error("network down")));
+
+    await signOut();
+
+    const after = (window.location as unknown as { href: string }).href;
+    expect(after).toBe("https://app.moleculesai.app/cp/auth/login");
+  });
+
+  it("redirects on 401 (session already invalid) just like 200", async () => {
+    // A user with an already-invalid cookie should still see the
+    // logout flow complete — no error, no stuck-on-app dead end.
+    Object.defineProperty(window, "location", {
+      writable: true,
+      value: {
+        href: "https://acme.moleculesai.app/orgs",
+        pathname: "/orgs",
+        hostname: "acme.moleculesai.app",
+        protocol: "https:",
+      },
+    });
+    vi.stubGlobal("fetch", vi.fn().mockResolvedValue({ ok: false, status: 401 }));
+
+    await signOut();
+
+    const after = (window.location as unknown as { href: string }).href;
+    expect(after).toBe("https://app.moleculesai.app/cp/auth/login");
+  });
+});
--- a/canvas/src/lib/auth.ts
+++ b/canvas/src/lib/auth.ts
@ -67,3 +67,41 @@ export function redirectToLogin(screenHint: "sign-up" | "sign-in" = "sign-in"):
  const dest = `${authOrigin}${AUTH_BASE}/${path}?return_to=${encodeURIComponent(returnTo)}`;
  window.location.href = dest;
 }
+
+/**
+ * signOut posts to /cp/auth/signout to clear the WorkOS session cookie
+ * + revoke at the provider, then bounces to the auth-origin login page.
+ *
+ * Best-effort by design: a 5xx, network failure, or stale cookie still
+ * results in the browser navigation away from the authenticated app —
+ * leaving the user on a logged-in-looking page after they clicked
+ * "Sign out" is the worst possible UX. The cookie is cleared client-
+ * visibly via the redirect target's response (Set-Cookie with maxAge=-1
+ * runs even on a non-200 path). If the user is already anonymous, the
+ * POST 401s harmlessly + we still redirect.
+ *
+ * Throws nothing — callers can disable the button optimistically or
+ * await this and trust it returns. On a redirect-blocked test
+ * environment (jsdom under vitest) we still exit cleanly so unit tests
+ * can spy on the fetch call.
+ */
+export async function signOut(): Promise<void> {
+  // Fire-and-tolerate the POST. credentials:include is mandatory cross-
+  // origin so the SaaS canvas (acme.moleculesai.app) can hit
+  // app.moleculesai.app/cp/auth/signout with the session cookie.
+  try {
+    await fetch(`${getAuthOrigin()}${AUTH_BASE}/signout`, {
+      method: "POST",
+      credentials: "include",
+    });
+  } catch {
+    // Ignore — we still redirect below.
+  }
+  if (typeof window === "undefined") return;
+  // Land on the login screen rather than the current URL: returning to
+  // a tenant URL after signout would just re-redirect through
+  // /cp/auth/login due to AuthGate. Send the user straight there with
+  // no return_to so they don't loop back into the org they just left.
+  const authOrigin = getAuthOrigin();
+  window.location.href = `${authOrigin}${AUTH_BASE}/login`;
+}