feat(medcat-trainer): Clear app storage on start-up to prevent auth state conflicts #316

Open
jocelyneholdbrook wants to merge 2 commits into main from CU-869c0uhre_Invalid-session-tokens-doesnt-gracefully-fail

Conversation

@jocelyneholdbrook (Contributor)

It has been observed on a few occasions that when a user switches from an instance of medcat-trainer where OIDC authentication is enabled to another instance where it is not, data fails to load in the UI (with 502 errors). The fix has been to delete any application-related session storage, local storage and cookies. Therefore, as a protective measure, before application mount, relevant cookies and session data are removed.
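The start-up cleanup described above (expire the app's auth cookies and clear app-related local/session storage before mount), written as an added example that is not the project's own `performStartupCleanup`. The `jar`/store interfaces, the hostname, the `medcat-trainer.` key prefix and the in-memory jar (which mirrors the spec's mock as the alerts describe it: raw string stored, a 1970 expiry treated as deletion) are this example's assumptions.

```javascript
// Added example, not medcat-trainer's storage-cleanup module. `jar` and the
// stores are assumed interfaces; in the browser, back them with document.cookie
// and window.localStorage / window.sessionStorage.

// Auth-state cookie names taken from the PR's test fixture (app, Django,
// oauth2-proxy, Keycloak); prefix matching also catches _oauth2_proxy_1.
const AUTH_COOKIE_PREFIXES = ['api-token', 'username', 'admin', '_oauth2_proxy',
  'sessionid', 'AUTH_SESSION_ID', 'KC_RESTART', 'KEYCLOAK_IDENTITY', 'KEYCLOAK_SESSION'];

const EXPIRED = 'expires=Thu, 01 Jan 1970 00:00:00 GMT';

// Names of the cookies script can see. Server-set HttpOnly cookies are never
// in document.cookie, so they cannot be cleared from the frontend at all.
function cookieNames(header) {
  return header.split(';').map(c => c.trim()).filter(c => c.length > 0)
    .map(c => (c.indexOf('=') >= 0 ? c.slice(0, c.indexOf('=')) : c));
}

function isAuthCookie(name) {
  return AUTH_COOKIE_PREFIXES.some(p => name === p || name.startsWith(p + '_'));
}

// jar = { read(): string, write(str): void }, like the document.cookie accessors.
function clearAuthCookies(jar, hostname) {
  const cleared = [];
  for (const name of cookieNames(jar.read())) {
    if (!isAuthCookie(name)) continue;
    // A deletion only takes effect when Path and Domain match the original
    // Set-Cookie, which script cannot read back, so expire the usual variants.
    for (const domain of ['', hostname, '.' + hostname]) {
      jar.write(`${name}=; ${EXPIRED}; path=/` + (domain ? `; domain=${domain}` : ''));
    }
    cleared.push(name);
  }
  return cleared;
}

// store = { keys(): string[], removeItem(key): void }, a subset of Storage.
function clearAppStorage(store, prefix) {
  const removed = store.keys().filter(k => k.startsWith(prefix));
  removed.forEach(k => store.removeItem(k));
  return removed;
}

// Run before the app mounts; returns what was removed so the caller can log it.
function performStartupCleanup(jar, local, session, hostname, keyPrefix) {
  return {
    cookies: clearAuthCookies(jar, hostname),
    local: clearAppStorage(local, keyPrefix),
    session: clearAppStorage(session, keyPrefix),
  };
}

// Constructed in-memory jar mirroring the spec's mock: it stores the raw
// string and treats a 1970 expiry as deletion, ignoring other attributes
// (which is why appending "; Secure" to the fixtures changes nothing).
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  read() {
    return Array.from(this.cookies, ([k, v]) => `${k}=${v}`).join('; ');
  }
  write(s) {
    const [pair, ...attrs] = s.split(';').map(p => p.trim());
    const eq = pair.indexOf('=');
    const name = eq >= 0 ? pair.slice(0, eq) : pair;
    if (attrs.some(a => a.toLowerCase().startsWith('expires=thu, 01 jan 1970'))) {
      this.cookies.delete(name);
    } else {
      this.cookies.set(name, eq >= 0 ? pair.slice(eq + 1) : '');
    }
  }
}
```

In the browser the jar is `{ read: () => document.cookie, write: s => { document.cookie = s; } }` and each store wraps `localStorage`/`sessionStorage` with a `keys()` built from `Object.keys(storage)`.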

@tomolopolis (Member)


it('should clear application cookies', () => {
// Set some cookies
document.cookie = 'api-token=test123'

Check warning: Code scanning / CodeQL: Clear text transmission of sensitive cookie (Medium, test)
Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix (AI, about 10 hours ago):

In general, the way to fix clear-text transmission of sensitive cookies is to ensure that any cookie containing authentication/session data is set with the Secure attribute (and usually HttpOnly and SameSite), so it is only sent over HTTPS and less exposed to JavaScript.

In this specific file, the issue is only in how test cookies are created. The document.cookie setter is mocked to store the full cookie string verbatim, so adding attributes like Secure; HttpOnly to the cookie strings will not alter the test’s semantics: the cleanup code under test still “sees” the same cookie names/values, and the test only checks that cleanup runs (via consoleLogSpy) rather than inspecting cookie contents. The best fix is therefore to update each document.cookie = '...' line in the it('should clear application cookies', ...) test to include ; Secure; HttpOnly (and optionally SameSite=Lax) in the cookie string.

Concretely:

  • In medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts, around lines 89–101, update all document.cookie = 'name=value' to document.cookie = 'name=value; Secure; HttpOnly'.
  • No new imports or helper methods are required; this is a straightforward change to the literal cookie strings.
Suggested changeset 1: medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
--- a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
+++ b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
@@ -88,16 +88,16 @@
 
     it('should clear application cookies', () => {
       // Set some cookies
-      document.cookie = 'api-token=test123'
-      document.cookie = 'username=testuser'
-      document.cookie = 'admin=true'
-      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
-      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
-      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
-      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
-      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
-      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
-      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
+      document.cookie = 'api-token=test123; Secure; HttpOnly'
+      document.cookie = 'username=testuser; Secure; HttpOnly'
+      document.cookie = 'admin=true; Secure; HttpOnly'
+      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure; HttpOnly'
+      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure; HttpOnly'
+      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure; HttpOnly'
+      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure; HttpOnly'
+      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure; HttpOnly'
+      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure; HttpOnly'
+      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure; HttpOnly'
 
       performStartupCleanup()
 
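Review bot: the `+` lines set HttpOnly from script, which a real browser never honours: the cookie-storage algorithm in RFC 6265 section 5.3 ignores a cookie received from a non-HTTP API when it carries HttpOnly, so in a real DOM none of these ten fixtures would exist and the test would exercise nothing. The hunk only passes because the mock stores the string verbatim. Suggest dropping `; HttpOnly` (at most keep `; Secure`) and dismissing the alert as test code, since the production risk lives in the server's Set-Cookie headers for these names, not in this fixture.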
EOF
it('should clear application cookies', () => {
// Set some cookies
document.cookie = 'api-token=test123'
document.cookie = 'username=testuser'

Check warning: Code scanning / CodeQL: Clear text transmission of sensitive cookie (Medium, test)
Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix (AI, about 10 hours ago): Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

document.cookie = 'api-token=test123'
document.cookie = 'username=testuser'
document.cookie = 'admin=true'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'

Check warning: Code scanning / CodeQL: Clear text transmission of sensitive cookie (Medium, test)
Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix (AI, about 10 hours ago): Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

document.cookie = 'username=testuser'
document.cookie = 'admin=true'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'

Check warning: Code scanning / CodeQL: Clear text transmission of sensitive cookie (Medium, test)
Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix (AI, about 11 hours ago):

In general, sensitive cookies must be created with the Secure attribute (and usually HttpOnly) so that browsers only send them over HTTPS. In browser JavaScript, this means appending ; Secure; HttpOnly (case‑insensitive) when assigning document.cookie. For tests that simulate such cookies, we should mirror this secure form.

In this specific file, the only problematic code is in the test "should clear application cookies" where several sensitive cookies are set with plain name=value. The test’s cookie mock simply stores the raw string and looks for an expires=Thu, 01 Jan 1970 substring to detect deletions; it ignores other attributes. Therefore, we can safely modify each document.cookie = ... assignment to include secure attributes such as ; Secure; HttpOnly without changing the test semantics. The test assertions only check that performStartupCleanup runs and logs, not the exact cookie format, so behavior remains unchanged.

You only need to edit medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts in the block where cookies are set (lines 90–100). No new imports or helpers are required: we just update the literal strings.

Suggested changeset 1: medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
--- a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
+++ b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
@@ -88,16 +88,16 @@
 
     it('should clear application cookies', () => {
       // Set some cookies
-      document.cookie = 'api-token=test123'
-      document.cookie = 'username=testuser'
-      document.cookie = 'admin=true'
-      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
-      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
-      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
-      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
-      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
-      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
-      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
+      document.cookie = 'api-token=test123; Secure; HttpOnly'
+      document.cookie = 'username=testuser; Secure; HttpOnly'
+      document.cookie = 'admin=true; Secure; HttpOnly'
+      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure; HttpOnly'
+      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure; HttpOnly'
+      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure; HttpOnly'
+      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure; HttpOnly'
+      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure; HttpOnly'
+      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure; HttpOnly'
+      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure; HttpOnly'
 
       performStartupCleanup()
 
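Review bot: this hunk is byte-identical to the earlier suggested changeset for the same `@@ -88,16 +88,16 @@` region, and the two `; Secure`-only suggestions below touch the same lines, so at most one of the four autofix patches can be applied with `git apply`; the rest will be rejected once the lines have changed. Rather than hand-editing ten literals, build the fixture from one array, e.g. `for (const c of AUTH_COOKIES) document.cookie = \`${c}; Secure\``, so the attribute policy is stated once and the cleanup can be exercised with and without attributes.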
EOF
document.cookie = 'admin=true'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'

Check warning: Code scanning / CodeQL: Clear text transmission of sensitive cookie (Medium, test)
Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix (AI, about 11 hours ago):

In general, sensitive cookies should always be set with the Secure attribute (and usually HttpOnly and SameSite as appropriate) so they are only sent over HTTPS. In browser JavaScript, this means ensuring the cookie string assigned to document.cookie includes Secure (e.g. document.cookie = 'name=value; Secure; HttpOnly'). Even though this is test code using a mock document.cookie, adding these attributes to the cookie strings being set avoids the insecure pattern and more accurately represents production best practice.

The best way to fix this without changing functionality is to update each cookie assignment in the test to append ; Secure (and optionally ; HttpOnly if you want to be stricter) to the cookie string values. The test only cares that these cookies exist so that performStartupCleanup() will attempt to clear them; adding attributes after the value does not affect the test’s logic, because the mock cookie store stores the entire string as-is and the deletion logic only uses the name before the first =. Specifically, in medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts, in the it('should clear application cookies', () => { ... }) block, lines 91–100 (the series of document.cookie = '...') should be updated to include ; Secure after each cookie value. No new imports or helper methods are required; this is just a change to the literal strings used in the test.

Suggested changeset 1: medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
--- a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
+++ b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
@@ -88,16 +88,16 @@
 
     it('should clear application cookies', () => {
       // Set some cookies
-      document.cookie = 'api-token=test123'
-      document.cookie = 'username=testuser'
-      document.cookie = 'admin=true'
-      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
-      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
-      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
-      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
-      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
-      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
-      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
+      document.cookie = 'api-token=test123; Secure'
+      document.cookie = 'username=testuser; Secure'
+      document.cookie = 'admin=true; Secure'
+      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure'
+      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure'
+      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure'
+      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure'
+      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure'
+      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure'
+      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure'
 
       performStartupCleanup()
 
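Review bot: `; Secure` on a script-set cookie is only accepted from a secure context (https:// or localhost); on a plain http:// dev server the browser rejects the write, so again these fixtures would exist only in the mock. The gap worth closing is the missing assertion: as the autofix explanation notes, the test only checks `consoleLogSpy`, not cookie contents, so after `performStartupCleanup()` add a check that `document.cookie` no longer contains any of these names. That is what actually validates the cleanup this PR introduces.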
EOF
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'

Check warning: Code scanning / CodeQL: Clear text transmission of sensitive cookie (Medium, test)
Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix (AI, about 10 hours ago):

In general, to avoid clear-text transmission of sensitive cookies, you must ensure all security-sensitive cookies are set with the Secure attribute (and typically HttpOnly and SameSite as appropriate). In a browser context, that means including ; Secure in the cookie string assigned to document.cookie or via Set-Cookie headers, so that the browser will only send that cookie over HTTPS.

For this specific test file, we should update the cookie strings used in the should clear application cookies test so that each cookie that represents a session/authentication token is set with at least the Secure flag. Since the mocked document.cookie implementation simply stores whatever string is assigned and does not parse attributes, adding ; Secure (and optionally ; HttpOnly) to the cookie values will not change the behavior of the test: performStartupCleanup will still see the same cookie names and will still clear them. Therefore, the best fix is to append a ; Secure attribute to each sensitive cookie string in lines 91–101 (or at minimum all clearly session/auth cookies), leaving the rest of the test logic unchanged. No new imports or helpers are necessary; we only adjust the literal strings being assigned.

Suggested changeset 1: medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
--- a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
+++ b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
@@ -88,16 +88,16 @@
 
     it('should clear application cookies', () => {
       // Set some cookies
-      document.cookie = 'api-token=test123'
-      document.cookie = 'username=testuser'
-      document.cookie = 'admin=true'
-      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
-      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
-      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
-      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
-      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
-      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
-      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
+      document.cookie = 'api-token=test123; Secure'
+      document.cookie = 'username=testuser; Secure'
+      document.cookie = 'admin=true; Secure'
+      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure'
+      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure'
+      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure'
+      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure'
+      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure'
+      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure'
+      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure'
 
       performStartupCleanup()
 
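Review bot: the caveat this fixture hides is that `sessionid`, `_oauth2_proxy*` and `KEYCLOAK_IDENTITY` are set by the server (Django, oauth2-proxy, Keycloak) with HttpOnly by default, so in production they never appear in `document.cookie` and no frontend cleanup can expire them; only the first three `+` lines (`api-token`, `username`, `admin`) model cookies the app itself can see. The stale-session 502s the PR describes therefore also need a server-side logout or clear-cookie step for those names, and the test should not suggest that script alone clears them. Document that limitation in the test or drop the HttpOnly-by-default names from the fixture.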
EOF