Implement Logout#18

Open
Ayurshi-Singh wants to merge 1 commit into main from feature/Implement-logout

Conversation

@Ayurshi-Singh Ayurshi-Singh commented Feb 19, 2026

Closes: #14

Summary by CodeRabbit

  • New Features
    • Added secure sign-out and visible "Logged Out" messaging/title so users see a clear logged-out state.
  • Bug Fixes
    • Fixed popover markup so user info displays correctly.
  • Refactor
    • Restructured authentication and security token handling and unified forbidden-state handling so error titles/messages and login/retry visibility behave consistently.


coderabbitai bot commented Mar 24, 2026

Walkthrough

This change adds a tenant-scoped secure logout flow and related UI hook, moves CSRF token handling to per-call tenant lookup, and replaces callback-based 401 handling with direct forbidden-state updates. It introduces a LOGGED_OUT error code and i18n strings, extends the forbidden-state model with an error title and logged-out handling, and adds an App controller sign-out handler that invokes Auth.secureLogout. Miscellaneous adjustments include a small XML comment fix, repositioning of Api.init, and non-functional formatting edits.

Pre-merge checks: 1 passed

Title check: Passed. The title 'Implement Logout' accurately and directly summarizes the main change—adding logout functionality across multiple files including a new secureLogout method, sign-out handler, and logout UI state management.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Inline comments:
In `@webapp/services/Auth.service.ts`:
- Around line 54-87: secureLogout currently only clears storage and never
informs the caller or redirects; update secureLogout to (1) properly check
response.ok using response.status (or response.ok) and include that in the
thrown Error if not ok, (2) call the existing postLogoutClearance() after a
successful logout, and (3) change secureLogout to return a boolean (or resolved
value) indicating success/failure so callers (e.g., the controller that
fire-and-forgets this promise) can clear UI state and navigate; also call
postLogoutClearance() in the catch path before returning false (or rethrow if
you prefer) and optionally perform a client redirect (e.g., window.location.href
= '/login') only after clearance when desired.


📥 Commits

Reviewing files that changed from the base of the PR and between c946583 and 17d8924.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • webapp/controller/App.controller.ts
  • webapp/resources/fragments/UserInfoPopover.fragment.xml
  • webapp/services/Api.service.ts
  • webapp/services/Auth.service.ts

@Ayurshi-Singh Ayurshi-Singh removed the wip label Apr 2, 2026
@Ayurshi-Singh Ayurshi-Singh force-pushed the feature/Implement-logout branch from 17d8924 to 8edb124 on April 2, 2026 12:17
@Ayurshi-Singh Ayurshi-Singh (Contributor, Author) commented:

@coderabbitai review

@coderabbitai

coderabbitai bot commented Apr 2, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@Ayurshi-Singh Ayurshi-Singh force-pushed the feature/Implement-logout branch from 8edb124 to c5cbb8d on April 2, 2026 14:47
@Ayurshi-Singh Ayurshi-Singh (Contributor, Author) commented:

@coderabbitai review

@coderabbitai

coderabbitai bot commented Apr 2, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3



📥 Commits

Reviewing files that changed from the base of the PR and between 17d8924 and c5cbb8d.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (10)
  • webapp/common/Constants.ts
  • webapp/common/Helpers.ts
  • webapp/controller/App.controller.ts
  • webapp/controller/Forbidden.controller.ts
  • webapp/i18n/i18n_en.properties
  • webapp/resources/fragments/UserInfoPopover.fragment.xml
  • webapp/services/Api.service.ts
  • webapp/services/Auth.service.ts
  • webapp/utils/ForbiddenState.ts
  • webapp/view/Forbidden.view.xml
✅ Files skipped from review due to trivial changes (4)
  • webapp/common/Constants.ts
  • webapp/view/Forbidden.view.xml
  • webapp/common/Helpers.ts
  • webapp/i18n/i18n_en.properties
🚧 Files skipped from review as they are similar to previous changes (1)
  • webapp/resources/fragments/UserInfoPopover.fragment.xml

Comment on lines +319 to +320
public onSignOutPress(): void {
void Auth.secureLogout(this.tenantId);
⚠️ Potential issue | 🟠 Major

Use the active tenant ID for logout instead of this.tenantId.

On Line 320, this.tenantId can still be '' here, which makes Auth.secureLogout look up CSRF- instead of CSRF-{tenant}. That can force logout into fallback behavior instead of a valid tenant-scoped logout.

💡 Proposed fix
 public onSignOutPress(): void {
-    void Auth.secureLogout(this.tenantId);
+    const tenantId =
+        (this.twoWayModel.getProperty('/selectedTenant') as string) ||
+        this.tenantId ||
+        /#\/([^/]+)/.exec(window.location.hash)?.[1] ||
+        '';
+    void Auth.secureLogout(tenantId);
 }
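Review bot: the fallback chain still ends in `''`, so when neither `/selectedTenant`, `this.tenantId` nor the URL hash yields a tenant the call becomes `Auth.secureLogout('')` and the `CSRF-` lookup this comment warns about happens anyway; return early (or surface an error) when the resolved `tenantId` is empty instead of passing it on. The regex `/#\/([^/]+)/.exec(window.location.hash)` also re-encodes the router's knowledge of the URL layout inside a controller method, so a single tenant resolver shared with the route handling would be less likely to drift, and `void`-ing the promise still discards the success/failure result the first review asks `secureLogout` to return.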

Comment on lines +80 to +83
static postLogoutClearance(): void {
localStorage.clear();
sessionStorage.clear();
}
⚠️ Potential issue | 🟠 Major

Avoid clearing all Web Storage during logout.

localStorage.clear() and sessionStorage.clear() remove all keys for the origin, including data not owned by this app/module.

💡 Proposed fix
 static postLogoutClearance(): void {
-    localStorage.clear();
-    sessionStorage.clear();
+    sessionStorage.removeItem(Auth.loginSessionStorageKey);
+
+    const appPrefixes = ['myapp_', 'kms_'];
+    for (let i = localStorage.length - 1; i >= 0; i--) {
+        const key = localStorage.key(i);
+        if (key && appPrefixes.some((prefix) => key.startsWith(prefix))) {
+            localStorage.removeItem(key);
+        }
+    }
 }
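Review bot: the prefix list `['myapp_', 'kms_']` is hard-coded inside the clearance routine, so any storage writer that uses a different prefix (or none) leaves its key behind after logout; keep the prefixes in one exported constant next to `Auth.loginSessionStorageKey` and have the writers use the same constant. The backward loop `for (let i = localStorage.length - 1; i >= 0; i--)` is correct only because `removeItem` shifts the indices of later keys; a one-line comment saying so would stop the next reader from "simplifying" it into a forward loop. If the `CSRF-{tenant}` value lives in Web Storage, neither branch removes it unless it happens to carry one of these prefixes.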
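The two review points above (a secureLogout that reports success to its caller, and a clearance step that removes only app-owned keys) combined into one added example; this is not the PR's code, and the storage key names, prefixes, CSRF token location and logout URL are assumptions. Storage and fetch are injected so the logic runs without a browser; in the app they would be window.localStorage, window.sessionStorage and window.fetch.

```typescript
// Added example, not the PR's code. Key names, prefixes and the logout URL are assumptions.
interface StorageLike {
  readonly length: number;
  key(index: number): string | null;
  getItem(key: string): string | null;
  removeItem(key: string): void;
}
interface ResponseLike { ok: boolean; status: number; }
type FetchLike = (url: string,
  init: { method: string; headers: Record<string, string> }) => Promise<ResponseLike>;

const APP_PREFIXES = ['myapp_', 'kms_'];        // hypothetical app-owned key prefixes
const LOGIN_SESSION_KEY = 'myapp_loginSession'; // hypothetical login session key

// Drop the login session and every app-prefixed localStorage key; keys owned by other
// code on the same origin survive. Returns what was removed so callers can audit it.
function clearAppStorage(local: StorageLike, session: StorageLike): string[] {
  const removed: string[] = [LOGIN_SESSION_KEY];
  session.removeItem(LOGIN_SESSION_KEY);
  for (let i = local.length - 1; i >= 0; i--) { // backwards: removal shifts later indices
    const key = local.key(i) ?? '';
    if (key !== '' && APP_PREFIXES.some((p) => key.startsWith(p))) {
      local.removeItem(key);
      removed.push(key);
    }
  }
  return removed;
}

// Resolves true only when the server confirmed the logout. Local credentials are cleared
// on every path, so a failed server call still leaves no session in the browser.
async function secureLogout(tenantId: string, fetchFn: FetchLike,
                            local: StorageLike, session: StorageLike): Promise<boolean> {
  if (tenantId === '') {   // '' would build the key 'CSRF-' instead of 'CSRF-<tenant>'
    clearAppStorage(local, session);
    return false;
  }
  try {
    const token = session.getItem(`CSRF-${tenantId}`) ?? ''; // assumed token location
    const res = await fetchFn(`/api/${tenantId}/logout`,
      { method: 'POST', headers: { 'X-CSRF-Token': token } });
    // Caught below and turned into `false`; rethrow instead if callers need the status.
    if (!res.ok) throw new Error(`logout failed with HTTP ${res.status}`);
    return true;
  } catch {
    return false;
  } finally {
    clearAppStorage(local, session);
  }
}
```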


private constructor() {
this.model = new JSONModel({
errorTitle: '',
⚠️ Potential issue | 🟡 Minor

Reset /errorTitle when clearing forbidden state.

Since /errorTitle is now part of the model (Line 17), clearForbiddenState() should clear it too to avoid stale titles on future transitions.

💡 Proposed fix
 public clearForbiddenState(): void {
+    this.model.setProperty('/errorTitle', '');
     this.model.setProperty('/errorCode', '');
     this.model.setProperty('/errorMessage', '');
     this.model.setProperty('/loginButtonVisible', false);
     this.model.setProperty('/isForbidden', false);
 }
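Review bot: adding the `/errorTitle` reset fixes the stale title, but `clearForbiddenState()` is now a second, hand-maintained copy of the defaults the constructor sets, which is exactly how `/errorTitle` got missed; resetting through one shared defaults object (for example `this.model.setData({ ...FORBIDDEN_DEFAULTS })`, where `FORBIDDEN_DEFAULTS` is the same object the constructor passes to `new JSONModel`) would keep the two in sync so the next new field cannot be forgotten the same way. `FORBIDDEN_DEFAULTS` is a suggested name, not something in the diff.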
