Regression after fix for #98: signOut redirects correctly, but signIn() immediately results in a logged-in state

[paulfalgout]

Hi 👋 following up on #98, which was resolved (thank you!). After upgrading to the latest version of @workos/authkit-js, we’re seeing unexpected behavior in our logout/login flow.

---

Summary

After calling signOut(), the user is redirected back to our app as expected. On page load, the user is not authenticated. However, when our app calls signIn(), the user is immediately logged in, without seeing a login prompt or taking any explicit action.

Reverting to the previous version of authkkit-js restores the expected behavior, with no code changes on our end.

---

Expected behavior

1. client.signOut({ returnTo }) redirects back to the app
2. client.getUser() indicates the user is not authenticated
3. Calling client.signIn() shows the login UI
4. User must authenticate before being logged in

---

Actual behavior (latest version)

1. signOut() redirects back to the app
2. client.getUser() indicates the user is not authenticated
3. App calls client.signIn()
4. User is immediately logged in, without seeing a login prompt

---

Relevant code

Auth gate on load:

const isAuthenticated = await client.getUser();

if (!isAuthenticated) {
  client.signIn({ state: path }); // this happens after a logout
} else {
  runApp();
}

xref: https://github.com/RoundingWell/care-ops-frontend/blob/develop/packages/care-ops-auth/providers/workos.js

No changes were made to this logic between versions.

Notes / Observations

This behavior did not occur before the fix for #98
Redirect works, but authentication state appears to persist

Happy to test a patch or provide a minimal repro if helpful.

Thanks!

[paulfalgout]

@nicknisi any thoughts?

[jesushernandez]

@paulfalgout have you double checked that the user you are trying this with has no active session in workos? After the initial sign-out, I mean

[paulfalgout]

@jesushernandez tried this in an incognito window so I would assume there should be no active session after logout?

To be clear, logging out and staying logged out works if all I do is switch to the previous version of the authkit-js.

So to be clear:
v0.19.0

client .signOut({ returnTo: window.origin });
client .signIn() // immediate access no login screen

v0.18.0

client .signOut({ returnTo: window.origin });
client .signIn() // login screen

It's repeatable by multiple users.

[paulfalgout]

Alright

So we have a /logout route
If you hit the route without an access token in local memory (like a hard-refresh, or you open in a new tab), signOut won't know the session id and won't hit the sign out endpoint on workos.

An awkward solution that works is essentially

  const PATH_LOGOUT = '/logout';
 
    this.client = await createClient(clientId, {
      redirectUri,
      onRedirectCallback({ state }) {
        if (state = PATH_LOGOUT) {
          this.signOut({ returnTo: location.origin });
        }
    });

    if (location.pathName === PATH_LOGOUT) {
      this.client.signIn({ state: PATH_LOGOUT });
      return;
    }

Not sure if there's a better way around this @jesushernandez