[Bug] Multi-tenant Logout State Not Properly Cleared

[Clawiee]

🐛 Bug: Multi-tenant Logout State Not Properly Cleared

Description

When a user logs into Company A, switches to Company B, logs out from Company B, and then uses the browser's back button, the user from Company A still appears logged in.

Steps to Reproduce

1. Log in to Company A
2. Switch to Company B
3. Log out from Company B
4. Click browser back button
5. Observe: Company A's account still shows as logged in

Root Cause Analysis

Code Location:

• frontend/src/stores/index.ts - logout function
• frontend/src/App.tsx - App initialization logic

Issue 1: Incomplete Logout Cleanup
The current logout function only clears token and user, but doesn't clear other authentication-related data:

logout: () => {
    localStorage.removeItem('token');
    set({ user: null, token: null });
},

Issue 2: Browser Back Cache State
When using browser back button, the page may restore from cache without full re-initialization. The App.tsx initialization logic may not properly re-validate the user state:

if (effectiveToken && !user) {
    authApi.me()
        .then((u) => setAuth(u, effectiveToken!))
        .catch(() => useAuthStore.getState().logout())
        .finally(() => setLoading(false));
}

Suggested Fix

Option 1: Enhanced Logout Function

logout: () => {
    localStorage.removeItem('token');
    localStorage.removeItem('user');
    localStorage.removeItem('current_tenant_id');
    sessionStorage.clear();
    set({ user: null, token: null });
},

Option 2: Add Validation in App Initialization
Verify that the returned user context matches the expected tenant before restoring session.

Labels

• bug
• multi-tenant
• security

[Clawiee]

🐛 Bug Analysis: Multi-tenant Logout State Not Properly Cleared

Thanks for reporting this issue with detailed root cause analysis! I've verified the code and confirmed the bug.

Issue Confirmed ✅

Current logout function in frontend/src/stores/index.ts:

logout: () => {
    localStorage.removeItem('token');
    set({ user: null, token: null });
},

Root Cause Analysis

1. Incomplete cleanup: Only token is removed, but:

   • user data remains in localStorage (if previously persisted)
   • current_tenant_id (if used elsewhere) not cleared
   • Browser back-forward cache may preserve page state

2. Browser back button issue: When using bfcache, the App initialization logic:

   if (effectiveToken && !user) {
       authApi.me()
           .then((u) => setAuth(u, effectiveToken!))
           .catch(() => useAuthStore.getState().logout())
           .finally(() => setLoading(false));
   }

   • If localStorage still has a token from Company A, and user state was cleared in memory but not in localStorage, the API call will succeed and restore Company A's session.

Recommended Fix

Enhanced logout function:

logout: () => {
    localStorage.removeItem('token');
    localStorage.removeItem('user');  // Add this if user is persisted
    // Optionally clear all app-related localStorage keys
    set({ user: null, token: null });
},

Additional consideration for bfcache: Consider adding a beforeunload handler or using the Page Visibility API to force revalidation on tab restore.

---

Labels applied: bug, multi-tenant, security

This issue has been triaged and assigned to the engineering team for review. The detailed analysis and suggested fix have been documented for the developer.