@hexclave/next 1.0.5 → 1.0.6

package/src/components-page/hexclave-handler-client.test.tsx

@@ -0,0 +1,64 @@
+
+//===========================================
+// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY UNLESS YOU ALSO EDIT THE CORRESPONDING FILE IN packages/template
+//===========================================
+import { KnownErrors } from "@hexclave/shared";
+import { describe, expect, it, vi } from "vitest";
+import { hexclaveAppInternalsSymbol } from "../lib/hexclave-app";
+import type { StackClientApp } from "../lib/hexclave-app/apps/interfaces/client-app";
+import { getRedirectToPageResult } from "./hexclave-handler-client";
+
+vi.mock("next/navigation", () => ({
+  RedirectType: {
+    replace: "replace",
+  },
+  notFound: () => {
+    throw new Error("notFound");
+  },
+  redirect: (url: string) => {
+    throw new Error(`redirect:${url}`);
+  },
+  usePathname: () => window.location.pathname,
+  useSearchParams: () => new URLSearchParams(window.location.search),
+}));
+
+function createAppTestDouble(options: {
+  redirectToHandler: (name: string, options: { replace: true }) => Promise<void>,
+}) {
+  const projectId = "00000000-0000-4000-8000-000000000000";
+  const app = {
+    projectId,
+    urls: {
+      handler: "http://localhost/handler",
+      signIn: `https://${projectId}.example-stack-hosted.test/handler/sign-in`,
+      home: "http://localhost",
+    },
+    redirectToHome: vi.fn(async () => {}),
+    [hexclaveAppInternalsSymbol]: {
+      getConstructorOptions: () => ({ urls: {} }),
+      redirectToHandler: options.redirectToHandler,
+    },
+  };
+
+  // This test double intentionally implements only the StackClientApp surface
+  // that HexclaveHandlerClient touches in this redirect path.
+  return app as unknown as StackClientApp<true>;
+}
+
+describe("HexclaveHandlerClient", () => {
+  it("returns known cross-domain redirect errors instead of treating them as unhandled async failures", async () => {
+    const redirectToHandler = vi.fn(async () => {
+      throw new KnownErrors.RedirectUrlNotWhitelisted();
+    });
+    const app = createAppTestDouble({ redirectToHandler });
+
+    const result = await getRedirectToPageResult(app, "signIn");
+
+    expect(redirectToHandler).toHaveBeenCalledWith("signIn", { replace: true });
+    expect(result.status).toBe("known-error");
+    if (result.status === "known-error") {
+      expect(result.error.errorCode).toBe("REDIRECT_URL_NOT_WHITELISTED");
+      expect(result.error.message).toContain("Redirect URL not whitelisted");
+    }
+  });
+});

package/src/components-page/hexclave-handler-client.tsx

@@ -5,12 +5,13 @@
 // THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY UNLESS YOU ALSO EDIT THE CORRESPONDING FILE IN packages/template
 //===========================================
 
-import { HexclaveAssertionError } from "@hexclave/shared/dist/utils/errors";
+import { KnownError } from "@hexclave/shared";
+import { captureError, HexclaveAssertionError } from "@hexclave/shared/dist/utils/errors";
 import { FilterUndefined, filterUndefined } from "@hexclave/shared/dist/utils/objects";
-import { runAsynchronouslyWithAlert } from "@hexclave/shared/dist/utils/promises";
+import { use } from "@hexclave/shared/dist/utils/react";
 import { getRelativePart } from "@hexclave/shared/dist/utils/urls";
 import { notFound, redirect, RedirectType, usePathname, useSearchParams } from 'next/navigation'; // THIS_LINE_PLATFORM next
-import { useEffect, useMemo, useSyncExternalStore } from 'react';
+import { Suspense, useMemo, useSyncExternalStore } from 'react';
 import { SignIn, SignUp, StackServerApp } from "..";
 import { useStackApp } from "../lib/hooks";
 import { HandlerUrls, StackClientApp, hexclaveAppInternalsSymbol } from "../lib/hexclave-app";
@@ -28,7 +29,9 @@ import { PasswordReset } from "./password-reset";
 import { SignOut } from "./sign-out";
 import { TeamInvitation } from "./team-invitation";
 
+import { KnownErrorMessageCard } from "../components/message-cards/known-error-message-card";
 import { MessageCard } from "../components/message-cards/message-card";
+import { PredefinedMessageCard } from "../components/message-cards/predefined-message-card";
 
 type Components = {
   SignIn: typeof SignIn,
@@ -52,6 +55,11 @@ type RouteProps = {
   searchParams: Promise<Record<string, string>> | Record<string, string>,
 };
 
+type RedirectToPageResult =
+  | { status: "success" }
+  | { status: "known-error", error: KnownError }
+  | { status: "unknown-error" };
+
 const availablePaths = {
   signIn: 'sign-in',
   signUp: 'sign-up',
@@ -225,6 +233,42 @@ function renderComponent(props: {
   }
 }
 
+export async function getRedirectToPageResult(
+  app: StackClientApp,
+  redirectToPage: keyof HandlerUrls,
+): Promise<RedirectToPageResult> {
+  try {
+    await app[hexclaveAppInternalsSymbol].redirectToHandler(redirectToPage, { replace: true });
+    return { status: "success" };
+  } catch (e) {
+    if (KnownError.isKnownError(e)) {
+      return { status: "known-error", error: e };
+    }
+    captureError("<HexclaveHandlerClient redirectToPage />", e);
+    return { status: "unknown-error" };
+  }
+}
+
+function RedirectToPage(props: {
+  app: StackClientApp,
+  fullPage?: boolean,
+  redirectToPage: keyof HandlerUrls,
+}) {
+  const redirectResultPromise = useMemo(
+    () => getRedirectToPageResult(props.app, props.redirectToPage),
+    [props.app, props.redirectToPage],
+  );
+
+  const redirectResult = use(redirectResultPromise);
+  if (redirectResult.status === "known-error") {
+    return <KnownErrorMessageCard error={redirectResult.error} fullPage={props.fullPage} />;
+  }
+  if (redirectResult.status === "unknown-error") {
+    return <PredefinedMessageCard type="unknownError" fullPage={props.fullPage} />;
+  }
+  return <MessageCard title="Redirecting..." fullPage={props.fullPage} />;
+}
+
 export function HexclaveHandlerClient(props: BaseHandlerProps & Partial<RouteProps> & { location?: string }) {
   // Use hooks to get app
   const hexclaveApp = useStackApp();
@@ -284,16 +328,11 @@ export function HexclaveHandlerClient(props: BaseHandlerProps & Partial<RoutePro
 
   const redirectToPage = (result != null && typeof result === 'object' && 'redirectToPage' in result) ? result.redirectToPage : undefined;
 
-  useEffect(() => {
-    if (redirectToPage == null) return;
-    runAsynchronouslyWithAlert(
-      hexclaveApp[hexclaveAppInternalsSymbol].redirectToHandler(redirectToPage, { replace: true })
-    );
-  }, [redirectToPage, hexclaveApp]);
-
   if (redirectToPage != null) {
     return (
-      <MessageCard title="Redirecting..." fullPage={props.fullPage} />
+      <Suspense fallback={<MessageCard title="Redirecting..." fullPage={props.fullPage} />}>
+        <RedirectToPage app={hexclaveApp} redirectToPage={redirectToPage} fullPage={props.fullPage} />
+      </Suspense>
     );
   }
 

package/src/dev-tool/dev-tool-core.ts

@@ -7,7 +7,7 @@ import type { RequestLogEntry } from "@hexclave/shared/dist/interface/client-int
 import { runAsynchronously } from "@hexclave/shared/dist/utils/promises";
 import { isLocalhost } from "@hexclave/shared/dist/utils/urls";
 import type { StackClientApp } from "../lib/hexclave-app";
-import { envVars } from "../lib/env";
+import { envVars } from "../generated/env";
 import { getBaseUrl } from "../lib/hexclave-app/apps/implementations/common";
 import type { HandlerUrlOptions, HandlerUrls, HandlerUrlTarget } from "../lib/hexclave-app/common";
 import { hexclaveAppInternalsSymbol } from "../lib/hexclave-app/common";
@@ -211,7 +211,7 @@ function resolveApiBaseUrl(app: StackClientApp<true>): string {
 }
 
 function shouldShowDashboardTab(app: StackClientApp<true>): boolean {
-  return envVars.NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR === "true" && isLocalhost(resolveApiBaseUrl(app));
+  return envVars.HEXCLAVE_IS_LOCAL_EMULATOR === "true" && isLocalhost(resolveApiBaseUrl(app));
 }
 
 function getTabsForApp(app: StackClientApp<true>): { id: TabId; label: string; icon: string }[] {

package/src/generated/.gitignore

@@ -1,3 +1,3 @@
 /*
 !.gitignore
-!quetzal-translations.ts
+!/quetzal-translations.ts

package/src/global.d.ts

@@ -2,4 +2,11 @@
 //===========================================
 // THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY UNLESS YOU ALSO EDIT THE CORRESPONDING FILE IN packages/template
 //===========================================
-import type {} from "react/canary";
+import type { } from "react/canary";
+
+declare global {
+// eslint-disable-next-line @typescript-eslint/consistent-type-definitions
+  interface ImportMeta {
+    readonly env?: Record<string, string | undefined>,
+  }
+}

package/src/lib/hexclave-app/apps/implementations/client-app-impl.cross-domain.test.ts

@@ -3,8 +3,39 @@
 // THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY UNLESS YOU ALSO EDIT THE CORRESPONDING FILE IN packages/template
 //===========================================
 import { describe, expect, it, vi } from "vitest";
+import { AccessToken } from "@hexclave/shared/dist/sessions";
+import { Store } from "@hexclave/shared/dist/utils/stores";
 import { StackClientApp } from "../interfaces/client-app";
 
+function createAccessTokenString(refreshTokenId: string): string {
+  const encode = (value: unknown) => Buffer.from(JSON.stringify(value)).toString("base64url");
+  const nowSeconds = Math.floor(Date.now() / 1000);
+  return [
+    encode({ alg: "none", typ: "JWT" }),
+    encode({
+      sub: "user-id",
+      exp: nowSeconds + 60,
+      iat: nowSeconds,
+      iss: "https://api.example.test",
+      aud: "project-id",
+      project_id: "project-id",
+      branch_id: "main",
+      refresh_token_id: refreshTokenId,
+      role: "authenticated",
+      name: null,
+      email: null,
+      email_verified: false,
+      selected_team_id: null,
+      signed_up_at: nowSeconds,
+      is_anonymous: false,
+      is_restricted: false,
+      restricted_reason: null,
+      requires_totp_mfa: false,
+    }),
+    "",
+  ].join(".");
+}
+
 function createMockDocument(): Document {
   const cookieJar = new Map<string, string>();
   return {
@@ -23,12 +54,13 @@ function createMockDocument(): Document {
 
 describe("StackClientApp cross-domain auth", () => {
   it("uses the fresh post-auth refresh token when minting a cross-domain handoff", async () => {
+    const freshAccessToken = createAccessTokenString("fresh-refresh-token-id");
     const clientApp = new StackClientApp({
       baseUrl: "http://localhost:12345",
       projectId: "00000000-0000-4000-8000-000000000000",
       publishableClientKey: "stack-pk-test",
       tokenStore: {
-        accessToken: "stale-access-token",
+        accessToken: createAccessTokenString("stale-refresh-token-id"),
         refreshToken: "stale-refresh-token",
       },
       redirectMethod: "none",
@@ -37,24 +69,43 @@ describe("StackClientApp cross-domain auth", () => {
 
     const clientInterface = Reflect.get(clientApp, "_interface");
     const originalSendClientRequest = Reflect.get(clientInterface, "sendClientRequest");
+    const originalFetchNewAccessToken = Reflect.get(clientInterface, "fetchNewAccessToken");
     const capturedRefreshTokens: string[] = [];
+    const capturedAccessTokenRefreshTokenIds: string[] = [];
+    const refreshedRawRefreshTokens: string[] = [];
 
     Reflect.set(clientInterface, "sendClientRequest", async (_path: unknown, _requestOptions: unknown, session: unknown) => {
       const getRefreshToken = Reflect.get(session ?? {}, "getRefreshToken");
+      const getOrFetchLikelyValidTokens = Reflect.get(session ?? {}, "getOrFetchLikelyValidTokens");
       if (typeof getRefreshToken !== "function") {
         throw new Error("Expected cross-domain auth to pass a session to the client interface.");
       }
+      if (typeof getOrFetchLikelyValidTokens !== "function") {
+        throw new Error("Expected cross-domain auth to pass a session with token accessors.");
+      }
       const refreshToken = getRefreshToken.call(session);
       const refreshTokenString = Reflect.get(refreshToken ?? {}, "token");
       if (typeof refreshTokenString !== "string") {
         throw new Error("Expected cross-domain auth to pass a refresh-token-backed session.");
       }
       capturedRefreshTokens.push(refreshTokenString);
+      const tokens = await getOrFetchLikelyValidTokens.call(session, 0, null);
+      capturedAccessTokenRefreshTokenIds.push(tokens.accessToken.payload.refresh_token_id);
       return {
         ok: true,
         json: async () => ({ redirect_url: "https://example.com/handler/oauth-callback?code=handoff-code&state=handoff-state" }),
       };
     });
+    Reflect.set(clientInterface, "fetchNewAccessToken", async (refreshToken: unknown) => {
+      const refreshTokenString = Reflect.get(refreshToken ?? {}, "token");
+      if (typeof refreshTokenString !== "string") {
+        throw new Error("Expected refresh token while fetching a new access token.");
+      }
+      refreshedRawRefreshTokens.push(refreshTokenString);
+      return AccessToken.createIfValid(freshAccessToken) ?? (() => {
+        throw new Error("Expected test access token to be valid");
+      })();
+    });
 
     try {
       const createCrossDomainAuthRedirectUrl = Reflect.get(clientApp, "_createCrossDomainAuthRedirectUrl");
@@ -68,15 +119,18 @@ describe("StackClientApp cross-domain auth", () => {
         codeChallenge: "abcdefghijklmnopqrstuvwxyzABCDEFG_0123456789-._~",
         afterCallbackRedirectUrl: "https://example.com/account-settings",
         overrideTokenStoreInit: {
-          accessToken: "fresh-access-token",
+          accessToken: createAccessTokenString("fresh-stale-refresh-token-id"),
           refreshToken: "fresh-refresh-token",
         },
       })).resolves.toBe("https://example.com/handler/oauth-callback?code=handoff-code&state=handoff-state");
     } finally {
       Reflect.set(clientInterface, "sendClientRequest", originalSendClientRequest);
+      Reflect.set(clientInterface, "fetchNewAccessToken", originalFetchNewAccessToken);
     }
 
+    expect(refreshedRawRefreshTokens).toEqual(["fresh-refresh-token"]);
     expect(capturedRefreshTokens).toEqual(["fresh-refresh-token"]);
+    expect(capturedAccessTokenRefreshTokenIds).toEqual(["fresh-refresh-token-id"]);
   });
 
   it("uses a fresh nested OAuth state while preserving the outer cross-domain return state", async () => {
@@ -105,7 +159,7 @@ describe("StackClientApp cross-domain auth", () => {
     const previousWindow = globalThis.window;
     const previousDocument = globalThis.document;
     let redirectedUrl = "";
-    vi.spyOn(clientApp as any, "_getCurrentRefreshTokenIdIfSignedIn").mockResolvedValue(null);
+    vi.spyOn(clientApp as any, "_fetchCurrentRefreshTokenIdIfSignedIn").mockResolvedValue(null);
     vi.spyOn(clientApp as any, "_getCrossDomainHandoffParamsForRedirect").mockResolvedValue({
       state: "fresh-nested-state",
       codeChallenge: "fresh-nested-code-challenge",
@@ -138,4 +192,263 @@ describe("StackClientApp cross-domain auth", () => {
     expect(redirectUri.searchParams.get("hexclave_cross_domain_code_challenge")).toBe(outerCodeChallenge);
     expect(redirectUri.searchParams.get("hexclave_cross_domain_after_callback_redirect_url")).toBe("https://demo.stack-auth.com/");
   });
+
+  it("clears a stale target-domain session before deferring to the source-domain session", async () => {
+    const projectId = "00000000-0000-4000-8000-000000000006";
+    const hostedAccessToken = createAccessTokenString("hosted-old-refresh-token-id");
+    const clientApp = new StackClientApp({
+      baseUrl: "http://localhost:12345",
+      projectId,
+      publishableClientKey: "stack-pk-test",
+      tokenStore: "memory",
+      redirectMethod: "window",
+      urls: {
+        default: { type: "hosted" },
+      },
+      noAutomaticPrefetch: true,
+    });
+    const tokenStore = Reflect.get(clientApp, "_memoryTokenStore");
+    if (!(tokenStore instanceof Store)) {
+      throw new Error("Expected StackClientApp to use a memory token store in this test.");
+    }
+    tokenStore.set({
+      refreshToken: "hosted-old-refresh-token",
+      accessToken: hostedAccessToken,
+    });
+
+    const currentUrl = new URL(`https://${projectId}.example-stack-hosted.test/handler/sign-in`);
+    currentUrl.searchParams.set("stack_nested_cross_domain_auth_refresh_token_id", "source-anonymous-refresh-token-id");
+    currentUrl.searchParams.set("stack_nested_cross_domain_auth_callback_url", "https://demo.stack-auth.com/handler/oauth-callback");
+    currentUrl.searchParams.set("hexclave_cross_domain_state", "outer-state");
+    currentUrl.searchParams.set("hexclave_cross_domain_code_challenge", "outer-code-challenge");
+    currentUrl.searchParams.set("hexclave_cross_domain_after_callback_redirect_url", "https://demo.stack-auth.com/app");
+
+    const previousWindow = globalThis.window;
+    const previousDocument = globalThis.document;
+    let redirectedUrl = "";
+    const clientInterface = Reflect.get(clientApp, "_interface");
+    const originalFetchNewAccessToken = Reflect.get(clientInterface, "fetchNewAccessToken");
+    Reflect.set(clientInterface, "fetchNewAccessToken", async () => {
+      return AccessToken.createIfValid(hostedAccessToken) ?? (() => {
+        throw new Error("Expected test access token to be valid");
+      })();
+    });
+    vi.spyOn(clientApp as any, "_isTrusted").mockResolvedValue(true);
+
+    globalThis.document = createMockDocument();
+    globalThis.window = {
+      location: {
+        href: currentUrl.toString(),
+        replace: (url: string) => {
+          redirectedUrl = url;
+          throw new Error("INTENTIONAL_TEST_ABORT");
+        },
+      },
+    } as any;
+
+    try {
+      await expect((clientApp as any)._maybeHandleNestedCrossDomainAuth()).rejects.toThrowError("INTENTIONAL_TEST_ABORT");
+    } finally {
+      Reflect.set(clientInterface, "fetchNewAccessToken", originalFetchNewAccessToken);
+      globalThis.window = previousWindow;
+      globalThis.document = previousDocument;
+    }
+
+    expect(tokenStore.get()).toEqual({
+      refreshToken: null,
+      accessToken: null,
+    });
+    expect(new URL(redirectedUrl).origin).toBe("https://demo.stack-auth.com");
+  });
+
+  it("uses the latest browser refresh cookie before computing nested cross-domain session IDs", async () => {
+    const projectId = "00000000-0000-4000-8000-000000000007";
+    const previousWindow = globalThis.window;
+    const previousDocument = globalThis.document;
+
+    globalThis.document = createMockDocument();
+    globalThis.window = {
+      location: {
+        href: "https://demo.stack-auth.com/",
+        protocol: "https:",
+        hostname: "demo.stack-auth.com",
+      },
+    } as any;
+
+    const clientApp = new StackClientApp({
+      baseUrl: "http://localhost:12345",
+      projectId,
+      publishableClientKey: "stack-pk-test",
+      tokenStore: "cookie",
+      redirectMethod: "none",
+      noAutomaticPrefetch: true,
+    });
+    const clientInterface = Reflect.get(clientApp, "_interface");
+    const originalFetchNewAccessToken = Reflect.get(clientInterface, "fetchNewAccessToken");
+    const refreshedRawRefreshTokens: string[] = [];
+
+    try {
+      const getBrowserCookieTokenStore = Reflect.get(clientApp, "_getBrowserCookieTokenStore");
+      if (typeof getBrowserCookieTokenStore !== "function") {
+        throw new Error("Expected StackClientApp to expose _getBrowserCookieTokenStore in tests.");
+      }
+      const tokenStore = getBrowserCookieTokenStore.call(clientApp);
+      tokenStore.set({
+        refreshToken: "old-refresh-token",
+        accessToken: createAccessTokenString("old-refresh-token-id"),
+      });
+
+      document.cookie = `__Host-hexclave-refresh-${projectId}--default=${JSON.stringify({
+        refresh_token: "new-refresh-token",
+        updated_at_millis: 1,
+      })}`;
+      Reflect.set(clientInterface, "fetchNewAccessToken", async (refreshToken: unknown) => {
+        const refreshTokenString = Reflect.get(refreshToken ?? {}, "token");
+        if (typeof refreshTokenString !== "string") {
+          throw new Error("Expected refresh token while fetching a new access token.");
+        }
+        refreshedRawRefreshTokens.push(refreshTokenString);
+        return AccessToken.createIfValid(createAccessTokenString("new-refresh-token-id")) ?? (() => {
+          throw new Error("Expected test access token to be valid");
+        })();
+      });
+
+      const fetchCurrentRefreshTokenIdIfSignedIn = Reflect.get(clientApp, "_fetchCurrentRefreshTokenIdIfSignedIn");
+      if (typeof fetchCurrentRefreshTokenIdIfSignedIn !== "function") {
+        throw new Error("Expected StackClientApp to expose _fetchCurrentRefreshTokenIdIfSignedIn in tests.");
+      }
+      await expect(fetchCurrentRefreshTokenIdIfSignedIn.call(clientApp, {
+        awaitPendingAuthResolutions: false,
+      })).resolves.toBe("new-refresh-token-id");
+    } finally {
+      Reflect.set(clientInterface, "fetchNewAccessToken", originalFetchNewAccessToken);
+      globalThis.window = previousWindow;
+      globalThis.document = previousDocument;
+    }
+
+    expect(refreshedRawRefreshTokens).toEqual(["new-refresh-token"]);
+  });
+
+  it("uses direct sign-out instead of hosted sign-out redirects when code execution is available", async () => {
+    const clientApp = new StackClientApp({
+      baseUrl: "http://localhost:12345",
+      projectId: "00000000-0000-4000-8000-000000000003",
+      publishableClientKey: "stack-pk-test",
+      tokenStore: "memory",
+      redirectMethod: "window",
+      urls: {
+        handler: "/handler",
+        signOut: { type: "hosted" },
+      },
+      noAutomaticPrefetch: true,
+    });
+    const signOutSpy = vi.spyOn(clientApp, "signOut").mockRejectedValue(new Error("INTENTIONAL_TEST_ABORT"));
+
+    try {
+      await expect(clientApp.redirectToSignOut()).rejects.toThrowError("INTENTIONAL_TEST_ABORT");
+      expect(signOutSpy).toHaveBeenCalledWith();
+    } finally {
+      signOutSpy.mockRestore();
+    }
+  });
+
+  it("keeps default hosted signOut() on the source domain when afterSignOut is not configured", async () => {
+    const clientApp = new StackClientApp({
+      baseUrl: "http://localhost:12345",
+      projectId: "00000000-0000-4000-8000-000000000004",
+      publishableClientKey: "stack-pk-test",
+      tokenStore: "memory",
+      redirectMethod: "window",
+      urls: {
+        default: { type: "hosted" },
+      },
+      noAutomaticPrefetch: true,
+    });
+    const currentHref = "https://demo.stack-auth.com/settings?tab=profile";
+
+    const clientInterface = Reflect.get(clientApp, "_interface");
+    const originalSignOut = Reflect.get(clientInterface, "signOut");
+    Reflect.set(clientInterface, "signOut", async () => {});
+    const previousWindow = globalThis.window;
+    const previousDocument = globalThis.document;
+    let redirectedUrl = "";
+
+    globalThis.document = createMockDocument();
+    globalThis.window = {
+      location: {
+        href: currentHref,
+        replace: (url: string) => {
+          redirectedUrl = url;
+          throw new Error("INTENTIONAL_TEST_ABORT");
+        },
+      },
+    } as any;
+
+    try {
+      const signOut = Reflect.get(clientApp, "_signOut");
+      if (typeof signOut !== "function") {
+        throw new Error("Expected StackClientApp to expose _signOut in tests.");
+      }
+      await expect(signOut.call(clientApp, Reflect.get(clientInterface, "createSession").call(clientInterface, {
+        refreshToken: null,
+      }))).rejects.toThrowError("INTENTIONAL_TEST_ABORT");
+    } finally {
+      Reflect.set(clientInterface, "signOut", originalSignOut);
+      globalThis.window = previousWindow;
+      globalThis.document = previousDocument;
+    }
+
+    expect(redirectedUrl).toBe("/settings?tab=profile");
+  });
+
+  it("ignores stale session callbacks after a newer refresh token owns the token store", async () => {
+    const clientApp = new StackClientApp({
+      baseUrl: "http://localhost:12345",
+      projectId: "00000000-0000-4000-8000-000000000005",
+      publishableClientKey: "stack-pk-test",
+      tokenStore: "memory",
+      redirectMethod: "none",
+      noAutomaticPrefetch: true,
+    });
+    const oldAccessToken = createAccessTokenString("old-refresh-token-id");
+    const refreshedOldAccessToken = createAccessTokenString("refreshed-old-refresh-token-id");
+    const newAccessToken = createAccessTokenString("new-refresh-token-id");
+    const tokenStore = new Store({
+      refreshToken: "old-refresh-token",
+      accessToken: oldAccessToken,
+    });
+    const clientInterface = Reflect.get(clientApp, "_interface");
+    const originalFetchNewAccessToken = Reflect.get(clientInterface, "fetchNewAccessToken");
+    Reflect.set(clientInterface, "fetchNewAccessToken", async () => {
+      return AccessToken.createIfValid(refreshedOldAccessToken) ?? (() => {
+        throw new Error("Expected test access token to be valid");
+      })();
+    });
+
+    try {
+      const getSessionFromTokenStore = Reflect.get(clientApp, "_getSessionFromTokenStore");
+      if (typeof getSessionFromTokenStore !== "function") {
+        throw new Error("Expected StackClientApp to expose _getSessionFromTokenStore in tests.");
+      }
+      const oldSession = getSessionFromTokenStore.call(clientApp, tokenStore);
+      tokenStore.set({
+        refreshToken: "new-refresh-token",
+        accessToken: newAccessToken,
+      });
+
+      await oldSession.fetchNewTokens();
+      expect(tokenStore.get()).toEqual({
+        refreshToken: "new-refresh-token",
+        accessToken: newAccessToken,
+      });
+
+      oldSession.markInvalid();
+      expect(tokenStore.get()).toEqual({
+        refreshToken: "new-refresh-token",
+        accessToken: newAccessToken,
+      });
+    } finally {
+      Reflect.set(clientInterface, "fetchNewAccessToken", originalFetchNewAccessToken);
+    }
+  });
 });