v1.9.4 (#470)

* fix: session cleanup, delete account storage, stale exam cache, and UI polish (v1.9.4)

fix(auth): remove direct storage.objects DML from delete_user_account RPC

Supabase blocks DELETE FROM storage.objects directly; extract avatar
cleanup to the client using the Storage JS API before calling the RPC.
Adds migration 20260223000001_fix_delete_user_account_storage.sql.

fix(session): clear sb-* Supabase auth cookie on all logout paths

- /api/logout: now expires sb-{projectRef}-auth-token and .0/.1 chunks
- proxy Scenario A: unauthenticated redirect now deletes the sb-* cookie
- proxy terms loop: was redirecting to /logout (404); now redirects to /
  with full cookie clearing (ezygo_access_token, terms_version, csrf_token,
  terms_redirect_count, sb-*)
- login-form: clears localStorage and prefetchedSettings from sessionStorage
  on mount when no active session is detected (csrf_token_memory preserved)

fix(scores): invalidate exam query keys on semester/year change

useSetSemester and useSetAcademicYear mutations now invalidate ["exams"],
["exam-answers"], and ["exam-questions"] in their onSuccess handlers,
preventing stale data on the /scores page after settings changes.

feat(loading): add optional message prop to Loading component

Renders a muted caption below the spinner when minimal={true}, used on
the scores page: "Waiting on Ezygo to stop ghosting us 👻"

fix(notifications): fix empty state vertical spacing

Replace py-24 / flex-1 (too tall) with min-h-[50vh] on the empty state
container for balanced proportional spacing.

* fix: PR review feedback — loading JSDoc, delete-account storage timeout, proxy cookie helper, logout secure flag (#471)

* Initial plan

* fix: apply PR review feedback (loading JSDoc, delete-account timeout, proxy helper, logout secure flag)

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* fix: paginate avatar cleanup, use logger, guard storage clear on lock timeout (#472)

* Initial plan

* fix: paginate avatar list in delete-account, use logger, guard storage clear on lock timeout

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* fix(delete-account): wrap avatar storage cleanup in try/catch; add login-form storage cleanup tests (#473)

* Initial plan

* fix(delete-account): wrap avatar storage cleanup in own try/catch; add login-form storage cleanup tests

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* fix(logout): clear terms_redirect_count on logout; fix proxy comment (#474)

* Initial plan

* fix(logout): clear terms_redirect_count on logout and fix proxy comment

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>

Author: devakesu

.example.env

@@ -41,7 +41,7 @@ NEXT_PUBLIC_APP_NAME=GhostClass
 # (calculate-version job). A GitHub Secret here would always be stale after
 # an auto-version bump. Keep in sync with package.json for local dev only.
 # 🔨 Build-time (auto-derived from git tag by pipeline — not a GitHub Secret)
-NEXT_PUBLIC_APP_VERSION=1.9.3
+NEXT_PUBLIC_APP_VERSION=1.9.4
 
 # ⚠️ Your production domain WITHOUT https://
 # All URL-based variables are derived from this.

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "ghostclass",
-  "version": "1.9.3",
+  "version": "1.9.4",
   "private": true,
   "engines": {
     "node": "^20.19.0 || >=22.12.0",

package.json

@@ -5,7 +5,7 @@ openapi: 3.1.0
 
 info:
   title: GhostClass API
-  version: 1.9.3
+  version: 1.9.4
   description: |
     **GhostClass API** provides endpoints for managing attendance synchronization with EzyGo.
     

public/api-docs/openapi.yaml

@@ -249,7 +249,7 @@ export default function NotificationsPage() {
   const isEmpty = virtualItems.length === 0;
 
   return (
-    <div ref={parentRef} className="bg-background relative overflow-auto">
+    <div ref={parentRef} className="bg-background relative overflow-auto flex flex-col">
       <header className="sticky top-0 z-20 w-full backdrop-blur-xl bg-background/80 border-b border-border/40">
         <div className="container mx-auto max-w-2xl px-4 pt-6 pb-4 flex items-center justify-between">
           <div className="flex items-center gap-3">
@@ -265,9 +265,9 @@ export default function NotificationsPage() {
         </div>
       </header>
 
-      <main className="container mx-auto max-w-2xl">
+      <main className="container mx-auto max-w-2xl flex-1 flex flex-col">
         {isEmpty ? (
-          <div className="flex flex-col items-center justify-center py-24 text-center">
+          <div className="flex flex-col items-center justify-center min-h-[50vh] text-center">
             <div className="h-20 w-20 rounded-full bg-muted/30 flex items-center justify-center mb-4">
               <BellOff className="h-9 w-9 text-muted-foreground/50" aria-hidden="true"/>
             </div>

src/app/(protected)/notifications/NotificationsClient.tsx

@@ -525,7 +525,7 @@ function ExamDetailDrawer({
           {/* Loading */}
           {isLoading && (
             <div className="flex items-center justify-center py-12">
-              <Loading minimal />
+              <Loading minimal message="Waiting on Ezygo to stop ghosting us 👻" />
             </div>
           )}
 
@@ -764,7 +764,7 @@ export default function ScoresClient() {
   if (isLoading || (!exams && !isError)) {
     return (
       <div className="flex-1 flex items-center justify-center p-8">
-        <Loading minimal />
+        <Loading minimal message="Waiting on Ezygo to stop ghosting us 👻" />
       </div>
     );
   }

src/app/(protected)/scores/ScoresClient.tsx

@@ -105,4 +105,22 @@ export async function clearTermsVersionCookie() {
     secure: process.env.HTTPS === 'true' || process.env.NODE_ENV === 'production',
     httpOnly: true,
   });
+}
+
+/**
+ * Server action to clear the terms_redirect_count cookie.
+ * Should be called during logout to reset the redirect loop protection
+ * counter so a subsequent user on the same browser starts from zero.
+ */
+export async function clearTermsRedirectCountCookie() {
+  const cookieStore = await cookies();
+  cookieStore.set({
+    name: "terms_redirect_count",
+    value: "",
+    path: "/",
+    maxAge: 0,
+    sameSite: "strict",
+    secure: process.env.HTTPS === 'true' || process.env.NODE_ENV === 'production',
+    httpOnly: true,
+  });
 }

src/app/actions/user.ts

@@ -1,7 +1,8 @@
 import { NextRequest, NextResponse } from "next/server";
+import { cookies } from "next/headers";
 import { clearAuthCookie } from "@/lib/security/auth-cookie";
 import { removeCsrfToken, validateCsrfToken } from "@/lib/security/csrf";
-import { clearTermsVersionCookie } from "@/app/actions/user";
+import { clearTermsVersionCookie, clearTermsRedirectCountCookie } from "@/app/actions/user";
 
 export async function POST(req: NextRequest) {
   // CSRF protection: Prevent unauthorized logout attacks
@@ -20,5 +21,43 @@ export async function POST(req: NextRequest) {
   await clearAuthCookie();
   await removeCsrfToken();
   await clearTermsVersionCookie();
+  await clearTermsRedirectCountCookie();
+
+  // Clear the Supabase SSR session cookie (@supabase/ssr sets this as
+  // sb-{project-ref}-auth-token). On account deletion supabase.auth.signOut()
+  // fails client-side because the auth user is already gone, so this cookie
+  // would otherwise remain. We derive the name from NEXT_PUBLIC_SUPABASE_URL
+  // which is always available in the server runtime.
+  try {
+    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL ?? "";
+    // URL pattern: https://{project-ref}.supabase.co
+    const projectRef = new URL(supabaseUrl).hostname.split(".")[0];
+    if (projectRef) {
+      const cookieStore = await cookies();
+      const cookieName = `sb-${projectRef}-auth-token`;
+      cookieStore.set(cookieName, "", {
+        path: "/",
+        expires: new Date(0),
+        sameSite: "lax",
+        secure: process.env.HTTPS === "true" || process.env.NODE_ENV === "production",
+      });
+      // @supabase/ssr may also write a chunked variant: sb-{ref}-auth-token.0, .1 …
+      // Clear any chunks present in the current request cookies.
+      const allCookies = cookieStore.getAll();
+      for (const c of allCookies) {
+        if (c.name.startsWith(`${cookieName}.`)) {
+          cookieStore.set(c.name, "", {
+            path: "/",
+            expires: new Date(0),
+            sameSite: "lax",
+            secure: process.env.HTTPS === "true" || process.env.NODE_ENV === "production",
+          });
+        }
+      }
+    }
+  } catch {
+    // Non-critical: if URL parsing fails the cookie just expires naturally
+  }
+
   return NextResponse.json({ ok: true });
 }

src/app/api/logout/route.ts

@@ -21,14 +21,17 @@ import { handleLogout } from "@/lib/security/auth";
  * @param minimal - When true, hides the timeout warning and action buttons.
  *                  Use this when Loading is embedded inside a component (e.g. a chart)
  *                  rather than as a full-page loader.
+ * @param message - Optional caption rendered below the spinner when `minimal={true}`.
+ *                  Has no effect when `minimal` is false or omitted.
  *
  * @example
  * ```tsx
- * <Loading />           // full-page with logout/refresh buttons after 15s
- * <Loading minimal />   // spinner + message only, no buttons
+ * <Loading />                                  // full-page with logout/refresh buttons after 15s
+ * <Loading minimal />                          // spinner only, no caption, no buttons
+ * <Loading minimal message="Loading data…" />  // spinner + caption, no buttons
  * ```
  */
-export function Loading({ minimal = false }: { minimal?: boolean }) {
+export function Loading({ minimal = false, message }: { minimal?: boolean; message?: string }) {
   const [showWarning, setShowWarning] = useState(false);
 
   useEffect(() => {
@@ -58,6 +61,10 @@ export function Loading({ minimal = false }: { minimal?: boolean }) {
       <div className="flex flex-col items-center gap-6 text-center max-w-md">
         <Ring2 size="45" stroke="4" speed="1" color="#3b82f6" aria-hidden="true" />
 
+        {minimal && message && (
+          <p className="text-sm text-muted-foreground">{message}</p>
+        )}
+
         {!minimal && (
           <div className="space-y-2">
             <p className="text-lg font-medium text-muted-foreground italic leading-relaxed">

src/components/loading.tsx

@@ -4,7 +4,7 @@ import React from "react";
 
 // vi.mock factories are hoisted to the top of the file, so variables used inside
 // them must also be hoisted via vi.hoisted().
-const { mockNProgressStart, mockNProgressDone, mockAxiosPost, mockRouter } = vi.hoisted(() => {
+const { mockNProgressStart, mockNProgressDone, mockAxiosPost, mockRouter, mockGetSession } = vi.hoisted(() => {
   const push = vi.fn();
   return {
     mockNProgressStart: vi.fn(),
@@ -13,6 +13,8 @@ const { mockNProgressStart, mockNProgressDone, mockAxiosPost, mockRouter } = vi.
     // A single stable router object prevents useEffect([router, supabase]) from
     // re-running on every render (which would cause an infinite loop in tests).
     mockRouter: { push, replace: vi.fn(), prefetch: vi.fn(), back: vi.fn(), forward: vi.fn(), refresh: vi.fn() },
+    // Hoisted so it can be used inside the vi.mock factory for @/lib/supabase/client.
+    mockGetSession: vi.fn().mockResolvedValue({ data: { session: null }, error: null }),
   };
 });
 
@@ -27,6 +29,26 @@ vi.mock("next/navigation", () => ({
   useParams: () => ({}),
 }));
 
+// --- Supabase client mock (overrides vitest.setup.ts global) ---
+// Uses the hoisted mockGetSession so individual tests can control getSession behavior.
+vi.mock("@/lib/supabase/client", () => ({
+  createClient: vi.fn(() => ({
+    auth: {
+      getSession: mockGetSession,
+      getUser: vi.fn().mockResolvedValue({ data: { user: null }, error: null }),
+      signOut: vi.fn().mockResolvedValue({ error: null }),
+    },
+    from: vi.fn(() => ({
+      select: vi.fn().mockReturnThis(),
+      insert: vi.fn().mockReturnThis(),
+      update: vi.fn().mockReturnThis(),
+      delete: vi.fn().mockReturnThis(),
+      eq: vi.fn().mockReturnThis(),
+      single: vi.fn(() => Promise.resolve({ data: null, error: null })),
+    })),
+  })),
+}));
+
 // --- NProgress mock ---
 vi.mock("nprogress", () => ({
   default: { start: mockNProgressStart, done: mockNProgressDone },
@@ -78,6 +100,7 @@ vi.mock("@/lib/logger", () => ({
 // --- auth helper ---
 vi.mock("@/lib/security/auth", () => ({
   isAuthSessionMissingError: vi.fn().mockReturnValue(false),
+  isSupabaseLockTimeoutError: vi.fn().mockReturnValue(false),
 }));
 
 // --- Password-reset form ---
@@ -96,6 +119,7 @@ vi.mock("@/lib/security/csrf-constants", () => ({
 }));
 
 import { LoginForm } from "../login-form";
+import { isAuthSessionMissingError, isSupabaseLockTimeoutError } from "@/lib/security/auth";
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -124,6 +148,11 @@ function fillValidForm(passwordInput: HTMLElement) {
 describe("LoginForm – NProgress integration", () => {
   beforeEach(() => {
     vi.clearAllMocks();
+    // Reset mockGetSession to default (no session, no error) before each test.
+    mockGetSession.mockResolvedValue({ data: { session: null }, error: null });
+    // Reset auth helpers to default (both return false).
+    vi.mocked(isAuthSessionMissingError).mockReturnValue(false);
+    vi.mocked(isSupabaseLockTimeoutError).mockReturnValue(false);
   });
 
   it("calls NProgress.start() when the form is submitted", async () => {
@@ -154,3 +183,59 @@ describe("LoginForm – NProgress integration", () => {
     await waitFor(() => expect(mockNProgressDone).toHaveBeenCalled());
   });
 });
+
+describe("LoginForm – mount-time storage cleanup", () => {
+  // Replace the global Storage objects with mocks so we can reliably track calls.
+  // vi.spyOn on the Storage prototype can fail silently in jsdom.
+  let mockLocalStorage: { clear: ReturnType<typeof vi.fn>; removeItem: ReturnType<typeof vi.fn>; getItem: ReturnType<typeof vi.fn>; setItem: ReturnType<typeof vi.fn>; key: ReturnType<typeof vi.fn>; length: number };
+  let mockSessionStorage: { clear: ReturnType<typeof vi.fn>; removeItem: ReturnType<typeof vi.fn>; getItem: ReturnType<typeof vi.fn>; setItem: ReturnType<typeof vi.fn>; key: ReturnType<typeof vi.fn>; length: number };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Reset auth helpers and session mock to clean defaults.
+    vi.mocked(isAuthSessionMissingError).mockReturnValue(false);
+    vi.mocked(isSupabaseLockTimeoutError).mockReturnValue(false);
+    mockGetSession.mockResolvedValue({ data: { session: null }, error: null });
+
+    mockLocalStorage = { clear: vi.fn(), removeItem: vi.fn(), getItem: vi.fn(), setItem: vi.fn(), key: vi.fn(), length: 0 };
+    mockSessionStorage = { clear: vi.fn(), removeItem: vi.fn(), getItem: vi.fn(), setItem: vi.fn(), key: vi.fn(), length: 0 };
+    Object.defineProperty(global, "localStorage", { writable: true, configurable: true, value: mockLocalStorage });
+    Object.defineProperty(global, "sessionStorage", { writable: true, configurable: true, value: mockSessionStorage });
+  });
+
+  it("clears localStorage and sessionStorage when there is no session and no error", async () => {
+    // Default: getSession returns { session: null, error: null }.
+    // isAuthSessionMissingError and isSupabaseLockTimeoutError both return false.
+    render(<LoginForm />);
+    // Use waitFor because checkUser() is async: render() resolves immediately on the
+    // initial (pre-loading) frame, before the useEffect async session check completes.
+    await waitFor(() => expect(mockLocalStorage.clear).toHaveBeenCalled());
+    expect(mockSessionStorage.removeItem).toHaveBeenCalledWith("prefetchedSettings");
+  });
+
+  it("clears localStorage and sessionStorage when there is no session and the error is a session-missing error", async () => {
+    const sessionError = new Error("Auth session missing");
+    mockGetSession.mockResolvedValue({ data: { session: null }, error: sessionError });
+    vi.mocked(isAuthSessionMissingError).mockReturnValue(true);
+
+    render(<LoginForm />);
+    await waitFor(() => expect(mockLocalStorage.clear).toHaveBeenCalled());
+    expect(mockSessionStorage.removeItem).toHaveBeenCalledWith("prefetchedSettings");
+  });
+
+  it("does not clear storage when getSession returns a lock-timeout error", async () => {
+    const lockError = new Error(
+      "Exclusive Navigator LockManager lock timed out on auth-token",
+    );
+    mockGetSession.mockResolvedValue({ data: { session: null }, error: lockError });
+    vi.mocked(isSupabaseLockTimeoutError).mockReturnValue(true);
+
+    render(<LoginForm />);
+    // Wait for the session check to have run (mockGetSession called), then flush
+    // remaining async work so the effect has fully completed before asserting.
+    await waitFor(() => expect(mockGetSession).toHaveBeenCalled());
+    await act(async () => {});
+    expect(mockLocalStorage.clear).not.toHaveBeenCalled();
+    expect(mockSessionStorage.removeItem).not.toHaveBeenCalledWith("prefetchedSettings");
+  });
+});