fix(atlas): signing out actually disconnects — clear synced credentials, env, and queued usage#81
Merged
Conversation
…ls, env, and queued usage clearSession() only unlinked the session file, so signing out left every managed credential live: synced-env.json kept replaying thk_ keys into process.env on every boot, the seeded atlas-cli profile stayed authenticated, injected env vars survived in the running process, and queued usage rows could be flushed against whichever account logged in next. - clearSession now removes synced-env.json, openscience-synced.json, every env var the sync path injected (only when the live value still matches, so shell exports survive), the api_key it seeded into the atlas-cli default profile, and the pending usage queue. Applies to explicit logout and the 401-triggered clear alike; all best-effort. - syncServices rebuilds the synced env from the current response only, unsetting previously-synced vars absent from it (provider disconnected or key rotated on the dashboard), mirroring the ownedKeys cleanup in settings/credentials.ts. The persisted snapshot is written from the fresh set instead of the ever-growing accumulated map. - Both logout paths (server route and `connect logout`) best-effort revoke this device's key server-side before clearing, identified by a unique key_prefix match against the devices list. - Queued usage is dropped on sign-out with a log line so it can never bill a different account. Fixes #56
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #56
Problem
clearSession()only unlinked the session file. Everything else the sync path created stayed live after sign-out:synced-env.jsonkept replaying the still-validthk_key intoprocess.envon every boot (preload-env.ts), so the billing gate kept classifying calls as managed and routing them through the Atlas proxy — the signed-out account's wallet kept getting debited.openscience-synced.json(model lockdown config) stayed in place.api_keyseeded into the bundled atlas-cli's default profile stayed authenticated.syncedSecretValues) were never unset — and the map only ever grew, so a provider disconnected or a key rotated on the dashboard stayed live in the CLI indefinitely and was re-persisted on every sync.usage-queue.jsonl) survived logout;flushPendingUsagewould bill them to whichever account logged in next.Fix
clearSession()(covers explicit logout and the 401-triggered clear; all steps best-effort, never throw):synced-env.jsonandopenscience-synced.jsonconnect logoutprocess only has the latter, replayed by preload) — but only when the live value still matches what sync injected, so an explicit shell export survivesapi_keyfrom the atlas-cli default profile (ATLAS_CLI_CONFIG_PATHrespected); only when it matches the session key, or with no readable session, when the profile points at our backend — a hand-configured profile is left alonesyncServices()now rebuilds the synced snapshot from the current response only: previously-synced vars absent from the new response are unset (same live-value-match rule), mirroring theownedKeyscleanup inserver/routes/settings/credentials.ts, andsynced-env.jsonis written from the fresh set instead of the accumulated map.Server-side revocation on logout: both the
/account/logoutroute andopenscience connect logoutnow best-effort revoke this device's key before clearing. Note: the session stores only the rawapi_key, never itskey_id, so there is no direct way to name the current device's key. The device is identified by a uniquekey_prefixmatch againstlistDevices()(prefix longer thanthk_, exactly one match required); when zero or several devices match, revocation is skipped rather than guessed, and the CLI prints a pointer to the dashboard Devices tab. Local cleanup runs regardless.Tests
New
test/openscience-logout.test.ts(isolated XDG dirs via the test preload, real files, no mocks):clearSession(): session file,synced-env.json,openscience-synced.json, and the usage queue are gone; a previously-injected env var is out ofprocess.env; a shell export with a different value survives; the seeded atlas profile loses itsapi_keywhile other profiles/fields are untouchedcd backend/cli && bun test— 833 pass.bun run typecheckclean (all workspaces, via pre-push hook).