Skip to content

fix(auth): harden macOS Google sign-in and sign-out#41

Open
mihaimetal wants to merge 1 commit into
NUber-dev:mainfrom
mihaimetal:fix/macos-auth
Open

fix(auth): harden macOS Google sign-in and sign-out#41
mihaimetal wants to merge 1 commit into
NUber-dev:mainfrom
mihaimetal:fix/macos-auth

Conversation

@mihaimetal

Copy link
Copy Markdown

Summary

  • Use per-account WebKit data store identifiers so Google sessions no longer leak across accounts on macOS.
  • Wipe residual WebKit auth data on sign-out (WKWebView does not honor data_directory for cookie isolation).
  • Hand off auth via www.youtube.com on macOS; avoid interrupting 2FA challenges.
  • Make last-account sign-out a full wipe from the UI.

Context

On macOS, signed-out accounts could still appear authenticated to Google / YouTube Music web (e.g. GET CHROME after SSO) because sessions survived in the shared HTTP cookie store. This is a WebKit-specific isolation problem and should not change Windows DPAPI cookie behavior.

Test plan

  • Sign in with Google on macOS, use the app, sign out — session should not remain for the next account
  • Multi-account switch / last-account full wipe
  • Smoke-test sign-in / sign-out on Windows if possible

WKWebView does not honor data_directory for cookie isolation, so Google
sessions survived sign-out in the shared HTTPStorages store and Music
web showed GET CHROME after SSO. Use per-account data store identifiers,
wipe residual WebKit auth data on sign-out, hand off via www.youtube.com
on macOS, avoid interrupting 2FA challenges, and make last-account
sign-out a full wipe from the UI.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant