refactor(client): drop Accounts._unstoreLoginToken monkey-patch

[ggazzo]

Summary

The remaining client-side Accounts._unstoreLoginToken calls fell into two roles: a monkey-patch that piggybacked on Meteor's token-clear hook to run side effects on logout, and direct calls used to manually wipe the stored credentials. Both are replaceable now that #40442 landed sdk.account.onLogout and #40479 landed the SDK storage helper.

• Delete apps/meteor/client/meteor/overrides/unstoreLoginToken.ts (and its barrel entry). CachedStoresManager.ts now registers clearAllCachesOnLogout via getDdpSdk().account.onLogout at module init, which fires on the same uid → undefined transition Meteor's monkey-patch was capturing.
• AuthenticationProvider's unstoreLoginToken context method collapses from a monkey-patch + restore pair into (callback) => getDdpSdk().account.onLogout(callback). Same return shape (callback → unsubscribe), so useUnstoreLoginToken consumers stay intact.
• AuthenticationProvider.wipeLocalAuth and the auth-error branch in ddpSdk.ts now call removeStoredItem for USER_ID / LOGIN_TOKEN / LOGIN_TOKEN_EXPIRES — the three keys Meteor's _unstoreLoginToken clears. Adds LOGIN_TOKEN_EXPIRES to STORAGE_KEYS so storage.ts owns the full set.

No behaviour change: same localStorage keys cleared, same logout cleanup ordering. The Accounts import stays in AuthenticationProvider.tsx and ddpSdk.ts because callLoginMethod / loggingIn / getLoginToken / the onEmailVerificationLink + onPageLoadLogin bridges still use it (out of scope here).

Test plan

• yarn eslint on the 5 changed files + the deleted file: 0 errors.
• tsc --noEmit on apps/meteor is clean (no new errors in changed files).
• Manual: log in, then log out via the avatar menu. Confirm in DevTools › Application › Local Storage that Meteor.userId / Meteor.loginToken / Meteor.loginTokenExpires are removed.
• Manual: log out and confirm the cached stores (rooms / subscriptions / public-settings / permissions) reload on next login — i.e. clearAllCachesOnLogout fired.
• Manual: trigger a force-logout via admin → verify the auth-error branch in ddpSdk.ts clears the credentials and the router falls back to /login.
• Manual: iframe-login flow — the useIframeLoginListener re-trigger after logout still works (it depends on useUnstoreLoginToken, which now bridges through sdk.account.onLogout).

Summary by CodeRabbit

• Refactor

  • Logout now triggers clearing of client caches to prevent stale data after sign-out.
  • Authentication provider wiring updated to centralize logout handling.

• Bug Fixes

  • Stored login credentials are now reliably removed when token-based authentication fails.

Task: ARCH-2136

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 47df1e1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a168b632-f169-49f6-a1e9-47a51d9f1d2e

📥 Commits

Reviewing files that changed from the base of the PR and between 1512465 and 47df1e1.

📒 Files selected for processing (6)

• apps/meteor/client/lib/cachedStores/CachedStoresManager.ts
• apps/meteor/client/lib/sdk/ddpSdk.ts
• apps/meteor/client/lib/sdk/storage.ts
• apps/meteor/client/meteor/overrides/index.ts
• apps/meteor/client/meteor/overrides/unstoreLoginToken.ts
• apps/meteor/client/providers/AuthenticationProvider/AuthenticationProvider.tsx

💤 Files with no reviewable changes (2)

• apps/meteor/client/meteor/overrides/index.ts
• apps/meteor/client/meteor/overrides/unstoreLoginToken.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• apps/meteor/client/lib/sdk/ddpSdk.ts
• apps/meteor/client/lib/cachedStores/CachedStoresManager.ts
• apps/meteor/client/providers/AuthenticationProvider/AuthenticationProvider.tsx
• apps/meteor/client/lib/sdk/storage.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

---

Walkthrough

The PR moves logout and token cleanup from a Meteor Accounts monkey-patch to DDP SDK callbacks, adds a LOGIN_TOKEN_EXPIRES storage key, updates auth-failure cleanup to remove stored auth keys directly, wires CachedStoresManager to SDK onLogout, and removes the deprecated unstoreLoginToken override.

Changes

Logout Flow Migration

Layer / File(s)	Summary
Storage Key Definition apps/meteor/client/lib/sdk/storage.ts	STORAGE_KEYS constant extended with LOGIN_TOKEN_EXPIRES: 'Meteor.loginTokenExpires'.
DDP SDK Import apps/meteor/client/lib/sdk/ddpSdk.ts	Import removeStoredItem alongside storage helpers to support explicit stored-auth removal.
Auth Failure Cleanup apps/meteor/client/lib/sdk/ddpSdk.ts	On auth-shaped loginWithToken failure with a still-matching stored token, remove USER_ID, LOGIN_TOKEN, and LOGIN_TOKEN_EXPIRES via removeStoredItem and clear Meteor connection user id.
Logout Callback Registration apps/meteor/client/lib/cachedStores/CachedStoresManager.ts	Import getDdpSdk and register logout listener via getDdpSdk().account.onLogout() to trigger clearAllCachesOnLogout().
AuthenticationProvider Refactoring apps/meteor/client/providers/AuthenticationProvider/AuthenticationProvider.tsx	Import DDP SDK and storage helpers; refactor wipeLocalAuth() to call removeStoredItem() for auth keys and delegate logout handling to getDdpSdk().account.onLogout() instead of patching Accounts._unstoreLoginToken.
Deprecated Override Removal apps/meteor/client/meteor/overrides/index.ts, apps/meteor/client/meteor/overrides/unstoreLoginToken.ts	Remove ./unstoreLoginToken import from overrides index and delete the deprecated monkey-patch override file.

---

🎯 3 (Moderate) | ⏱️ ~20 minutes

---

Possibly related PRs:

• RocketChat/Rocket.Chat#40479: Touches client SDK storage and ddpSdk auth/token cleanup codepaths and appears related to storage/key handling changes.

Suggested reviewers:

• tassoevan

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: removing the Accounts._unstoreLoginToken monkey-patch and refactoring logout handling to use SDK hooks instead.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• ARCH-2136: Request failed with status code 401

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 40.00000% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.64%. Comparing base (a8d5dc3) to head (47df1e1).

Additional details and impacted files

@@                          Coverage Diff                           @@
##           refactor/sdk-tracker-easy-autoruns   #40483      +/-   ##
======================================================================
+ Coverage                               69.62%   69.64%   +0.01%     
======================================================================
  Files                                    3319     3318       -1     
  Lines                                  122006   122002       -4     
  Branches                                21823    21783      -40     
======================================================================
+ Hits                                    84952    84973      +21     
+ Misses                                  33726    33701      -25     
  Partials                                 3328     3328              

Flag	Coverage Δ
e2e	59.12% <25.00%> (-0.01%)	⬇️
e2e-api	46.25% <ø> (ø)
unit	70.40% <40.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ggazzo]

/jira ARCH-2116