refactor(auth): clean up login and logout logic

frontend/src/app/feature/login-success/login-success.component.ts

@@ -17,13 +17,7 @@ export default class LoginSuccessComponent implements OnInit {
   private router: Router = inject(Router);
 
   async ngOnInit() {
-
     try {
-      // Handle code flow without throwing errors
-      const success = await this.oauthService.loadDiscoveryDocumentAndTryLogin();
-
-      // If we have a valid access token, the user should be loaded in AuthService
-      const user = this.authService.getUser();
 
       // Check if we're authenticated
       if (this.oauthService.hasValidAccessToken()) {

frontend/src/app/service/auth.service.ts

@@ -4,7 +4,7 @@ import { UserService } from './user.service';
 import { User } from '../model/User';
 import { Router } from '@angular/router';
 import { environment } from '../../environments/environment';
-import { catchError, from, of, tap } from 'rxjs';
+import { catchError, from, of } from 'rxjs';
 
 @Injectable({
   providedIn: 'root',
@@ -17,6 +17,10 @@ export class AuthService {
     scope: `openid email profile ${environment.OAUTH_CLIENT_ID}`,
     responseType: 'code',
     redirectUri: window.location.origin + '/auth/callback',
+    // Important - use empty post logout redirect URI to prevent auto-redirect
+    postLogoutRedirectUri: '',
+    // Don't use redirect URI as fallback for post logout
+    redirectUriAsPostLogoutRedirectUriFallback: false,
     oidc: true,
     requestAccessToken: true,
     // Explicitly set token endpoint since discovery is failing
@@ -60,7 +64,7 @@ export class AuthService {
     // Try to exchange the authorization code for tokens
     this.oauthService
       .tryLogin({
-        onTokenReceived: (context) => {
+        onTokenReceived: () => {
           // Manually create a token_received event
           this.handleSuccessfulLogin();
         },
@@ -75,7 +79,6 @@ export class AuthService {
     this.oauthService
       .loadDiscoveryDocumentAndTryLogin()
       .then((isLoggedIn) => {
-
         if (isLoggedIn && !this.user) {
           this.handleSuccessfulLogin();
         }
@@ -87,16 +90,13 @@ export class AuthService {
 
   private setupEventHandling() {
     this.oauthService.events.subscribe((event: OAuthEvent) => {
-
       if (event.type === 'token_received') {
         this.handleSuccessfulLogin();
-      } else if (event.type === 'token_refresh_error' || event.type === 'token_expires') {
       }
     });
   }
 
   private handleSuccessfulLogin() {
-
     // Extract claims from id token if available
     const claims = this.oauthService.getIdentityClaims();
 
@@ -110,7 +110,6 @@ export class AuthService {
     try {
       from(this.oauthService.loadUserProfile())
         .pipe(
-          tap((profile) => {}),
           catchError((error) => {
             console.error('Error loading user profile:', error);
             // If we can't load the profile but have a token, create a minimal profile
@@ -192,8 +191,15 @@ export class AuthService {
       // Prevent redirect to Authentik by doing a local logout only
       // Instead of using oauthService.logOut() which redirects to the provider
 
-      // Clear tokens from storage
-      this.oauthService.logOut(false); // logOut(false) prevents redirect
+      // Clear tokens from storage without redirecting
+      // The parameter noRedirectToLogoutUrl=true prevents redirect to the identity provider
+      this.oauthService.logOut(true); // true means: don't redirect to Authentik logout page
+
+      // Override any post-logout redirect URI that might be configured
+      if (window.location.href.includes('id_token') || window.location.href.includes('logout')) {
+        // If we somehow ended up at a logout URL, redirect back to the app
+        window.location.href = window.location.origin;
+      }
 
       // Clear any lingering tokens manually
       localStorage.removeItem('access_token');