fix(auth): isolate user data across logout and cold-start transitions

Eliminates cross-user data leaks in the mobile/web/extension app by
plugging gaps in the logout cleanup and persisted-cache rehydration flow.

- AuthContext.logout() now clears the in-memory QueryClient (A1) so the
  next login does not flash the previous user's userProfile, eventTypes,
  bookings, or schedules under staleTime: Infinity + refetchOnMount: false.
- AuthContext.logout() now calls clearWidgetBookings() (A3) so the iOS /
  Android home-screen widget does not keep showing the signed-out user's
  meetings.
- AuthContext.logout()'s clearAuth() step is wrapped in its own try/catch
  (A5) so a SecureStore failure no longer skips region/cache/widget
  cleanup and leaves a zombie session with isAuthenticated still true.
- useWidgetSync no longer fires syncBookingsToWidget on mount when
  isAuthenticated is false (A6), preventing an unauthenticated /bookings
  fallback during cold start before tokens are loaded.
- queryPersister.restoreClient checks for cal_oauth_tokens before
  rehydrating (A2 pt 1); if no tokens exist the orphaned cache is wiped
  so a previously-logged-in user's data is never restored into a logged-
  out cold start.
- setupAfterLogin compares the rehydrated userProfile.id to the just-
  fetched profile and wipes both in-memory and persisted caches on a
  mismatch (A2 pt 2).

Author: devin-ai-integration[bot]

apps/mobile/contexts/AuthContext.tsx

@@ -1,3 +1,4 @@
+import { useQueryClient } from "@tanstack/react-query";
 import {
   createContext,
   type ReactNode,
@@ -7,6 +8,7 @@ import {
   useRef,
   useState,
 } from "react";
+import { queryKeys } from "@/config/cache.config";
 import { USER_PREFERENCES_KEY } from "@/hooks/useUserPreferences";
 import { CalComAPIService } from "@/services/calcom";
 import {
@@ -19,6 +21,7 @@ import { WebAuthService } from "@/services/webAuth";
 import { clearQueryCache } from "@/utils/queryPersister";
 import { clearRegion, getRegion, preloadRegion, subscribeRegion } from "@/utils/region";
 import { generalStorage, secureStorage } from "@/utils/storage";
+import { clearWidgetBookings } from "@/utils/widgetStorage";
 
 /**
  * Simplified user info stored in auth context
@@ -71,6 +74,10 @@ export function AuthProvider({ children }: AuthProviderProps) {
   const [userInfo, setUserInfo] = useState<AuthUserInfo | null>(null);
   const [isWebSession, setIsWebSession] = useState(false);
   const [loading, setLoading] = useState(true);
+  // AuthProvider is mounted inside QueryProvider (see app/_layout.tsx), so
+  // useQueryClient() resolves the live client we need to wipe on logout and
+  // on cross-user cache rehydration.
+  const queryClient = useQueryClient();
   // Construct synchronously on first render so downstream hooks can rely on a
   // non-null service immediately and mount-time configuration failures are
   // logged right away. The effect below rebuilds only if `preloadRegion()`
@@ -98,25 +105,52 @@ export function AuthProvider({ children }: AuthProviderProps) {
   }, []);
 
   // Common post-login setup: configure API service and fetch user profile
-  const setupAfterLogin = useCallback(async (token: string, refreshToken?: string) => {
-    CalComAPIService.setAccessToken(token, refreshToken);
+  const setupAfterLogin = useCallback(
+    async (token: string, refreshToken?: string) => {
+      CalComAPIService.setAccessToken(token, refreshToken);
 
-    try {
-      const profile = await CalComAPIService.getUserProfile();
-      // Store user info for use in the app (e.g., to display "You" in bookings)
-      if (profile) {
-        setUserInfo({
-          email: profile.email,
-          name: profile.name,
-          id: profile.id,
-          username: profile.username,
-        });
+      try {
+        const profile = await CalComAPIService.getUserProfile();
+        // Store user info for use in the app (e.g., to display "You" in bookings)
+        if (profile) {
+          // If the persisted cache was rehydrated for a different user (cold
+          // start before logout fully ran, or a foreign cache that survived
+          // restore), wipe everything before the next fetch lands so no PII
+          // from the previous identity flashes onto screen.
+          const cachedProfile = queryClient.getQueryData<UserProfile>(
+            queryKeys.userProfile.current()
+          );
+          if (cachedProfile && cachedProfile.id !== profile.id) {
+            if (__DEV__) {
+              console.debug(
+                "[AuthContext] Rehydrated cache belonged to a different user; clearing"
+              );
+            }
+            try {
+              queryClient.clear();
+            } catch (clearError) {
+              console.warn("Failed to clear stale in-memory cache:", clearError);
+            }
+            try {
+              await clearQueryCache();
+            } catch (cacheError) {
+              console.warn("Failed to clear stale persisted cache:", cacheError);
+            }
+          }
+          setUserInfo({
+            email: profile.email,
+            name: profile.name,
+            id: profile.id,
+            username: profile.username,
+          });
+        }
+      } catch (profileError) {
+        console.error("Failed to fetch user profile:", profileError);
+        // Don't fail login if profile fetch fails
       }
-    } catch (profileError) {
-      console.error("Failed to fetch user profile:", profileError);
-      // Don't fail login if profile fetch fails
-    }
-  }, []);
+    },
+    [queryClient]
+  );
 
   // Plain async fn (no useCallback): identity doesn't need to be stable for
   // memoization, and taking `service` explicitly lets cold-start callers pass
@@ -161,38 +195,59 @@ export function AuthProvider({ children }: AuthProviderProps) {
   }, []);
 
   const logout = useCallback(async () => {
+    // Each cleanup step has its own try/catch so a failure in one does not
+    // skip the others. resetAuthState() always runs last to put the UI in a
+    // known logged-out state even if disk writes failed.
     try {
       await clearAuth();
-      // Clear user preferences to ensure fresh state for next user
-      try {
-        await generalStorage.removeItem(USER_PREFERENCES_KEY);
-      } catch (prefsError) {
-        console.warn("Failed to clear user preferences during logout:", prefsError);
-      }
-      // Reset the persisted data region so the next user is prompted via the
-      // login-screen picker rather than silently inheriting this session's
-      // region (the extension background worker clears `cal_region` on logout
-      // too — keep the two surfaces in sync).
-      try {
-        await clearRegion();
-      } catch (regionError) {
-        console.warn("Failed to clear data region during logout:", regionError);
-      }
-      // Clear all cached queries to ensure fresh data on re-login
-      try {
-        await clearQueryCache();
-      } catch (cacheError) {
-        console.warn("Failed to clear query cache during logout:", cacheError);
-      }
-      resetAuthState();
-    } catch (error) {
-      const message = getErrorMessage(error);
-      console.error("Failed to logout", message);
+    } catch (clearAuthError) {
+      const message = getErrorMessage(clearAuthError);
+      console.warn("Failed to clear auth tokens during logout:", message);
       if (__DEV__) {
-        console.debug("[AuthContext] logout failed", { message, stack: getErrorStack(error) });
+        console.debug("[AuthContext] clearAuth failed", {
+          message,
+          stack: getErrorStack(clearAuthError),
+        });
       }
     }
-  }, [clearAuth, resetAuthState]);
+    // Clear user preferences to ensure fresh state for next user
+    try {
+      await generalStorage.removeItem(USER_PREFERENCES_KEY);
+    } catch (prefsError) {
+      console.warn("Failed to clear user preferences during logout:", prefsError);
+    }
+    // Reset the persisted data region so the next user is prompted via the
+    // login-screen picker rather than silently inheriting this session's
+    // region (the extension background worker clears `cal_region` on logout
+    // too — keep the two surfaces in sync).
+    try {
+      await clearRegion();
+    } catch (regionError) {
+      console.warn("Failed to clear data region during logout:", regionError);
+    }
+    // Memory first, then disk. PersistQueryClient throttles persists
+    // (cache.config.ts: throttleTime = 1000ms); clearing the in-memory cache
+    // before the disk wipe prevents an in-flight persist from re-writing the
+    // previous user's data right after we erased it.
+    try {
+      queryClient.clear();
+    } catch (clearError) {
+      console.warn("Failed to clear in-memory query cache during logout:", clearError);
+    }
+    try {
+      await clearQueryCache();
+    } catch (cacheError) {
+      console.warn("Failed to clear persisted query cache during logout:", cacheError);
+    }
+    // Wipe the home-screen widget so the previous user's meetings don't
+    // linger after sign-out (no-op on web).
+    try {
+      await clearWidgetBookings();
+    } catch (widgetError) {
+      console.warn("Failed to clear widget bookings during logout:", widgetError);
+    }
+    resetAuthState();
+  }, [clearAuth, resetAuthState, queryClient]);
 
   // Handle OAuth authentication. `service` is passed explicitly so the boot
   // effect can hand in a freshly-rebuilt service on cold-start region

apps/mobile/hooks/useWidgetSync.ts

@@ -2,6 +2,7 @@ import { useQueryClient } from "@tanstack/react-query";
 import { useCallback, useEffect } from "react";
 import { Platform } from "react-native";
 import { queryKeys } from "@/config/cache.config";
+import { useAuth } from "@/contexts/AuthContext";
 import { type Booking, CalComAPIService } from "@/services/calcom";
 import {
   clearWidgetBookings,
@@ -11,6 +12,7 @@ import {
 
 export function useWidgetSync() {
   const queryClient = useQueryClient();
+  const { isAuthenticated } = useAuth();
 
   const syncBookingsToWidget = useCallback(async () => {
     if (__DEV__) {
@@ -140,13 +142,19 @@ export function useWidgetSync() {
     if (Platform.OS === "web") {
       return;
     }
+    // Skip the initial sync (and the API fallback inside syncBookingsToWidget)
+    // until auth is verified — otherwise the hook fires on every cold start
+    // before tokens are loaded and triggers an unauthenticated /bookings request.
+    if (!isAuthenticated) {
+      return;
+    }
 
     syncBookingsToWidget();
 
     const cleanup = setupWidgetRefreshOnAppStateChange(syncBookingsToWidget);
 
     return cleanup;
-  }, [syncBookingsToWidget]);
+  }, [syncBookingsToWidget, isAuthenticated]);
 
   return {
     syncBookingsToWidget,

apps/mobile/utils/queryPersister.ts

@@ -7,11 +7,16 @@
 import type { PersistedClient, Persister } from "@tanstack/react-query-persist-client";
 import { CACHE_CONFIG } from "@/config/cache.config";
 import { safeLogWarn } from "./safeLogger";
-import { generalStorage } from "./storage";
+import { generalStorage, secureStorage } from "./storage";
 
 // Use the shared general storage adapter for cache persistence
 const storage = generalStorage;
 
+// Duplicated from AuthContext to avoid a circular import; keep these in sync.
+// If a persisted cache is found but no tokens exist, the user is logged out —
+// don't rehydrate a previous user's data into an unauthenticated session.
+const OAUTH_TOKENS_KEY = "cal_oauth_tokens";
+
 /**
  * Create a React Query persister that works across all platforms
  *
@@ -44,6 +49,25 @@ export const createQueryPersister = (): Persister => {
      */
     restoreClient: async (): Promise<PersistedClient | undefined> => {
       try {
+        // Bail early if the user is logged out — never restore another user's
+        // cache into an unauthenticated session. Wipe the orphaned cache too
+        // so a stale logout (e.g. one where queryClient.clear() succeeded but
+        // the throttled disk persist ran later) doesn't survive a cold start.
+        let hasTokens = false;
+        try {
+          const tokens = await secureStorage.get(OAUTH_TOKENS_KEY);
+          hasTokens = Boolean(tokens);
+        } catch (tokenError) {
+          safeLogWarn(
+            "[QueryPersister] Failed to read auth tokens, treating as logged out:",
+            tokenError
+          );
+        }
+        if (!hasTokens) {
+          await storage.removeItem(storageKey);
+          return undefined;
+        }
+
         const serialized = await storage.getItem(storageKey);
         if (!serialized) {
           return undefined;