Bug: Lingering third party billing token

[AnthonyRonning]

There might be a bug where a user signing out and logging in/signing up as a new user will leave the third party billing JWT token as it was on the previous account. and then when they go to pay, it creates a payment session for the previous UUID.

We need to make sure that always, we regenerated a new billing token on signup / signin. I think the easiest approach is that when any sign in or sign up button is pressed (also need to consider oauth), we clear out the JWT token for billing.

Also to make sure 100% that any logout flows will clear it too. That should already be the case but there must be an edge case somewhere because this just happened.

[AnthonyRonning]

@claude can you try to research this and then handle it?

[claude]

Claude finished @AnthonyRonning's task —— View job • claude/issue-127-20250623_223107 • Create PR ➔

---

I successfully researched and fixed the lingering third party billing token bug.

Todo List:

• Set up development environment
• Research current billing token management system
• Identify all sign in/sign up flows (including OAuth)
• Identify all logout flows
• Implement billing token clearing in auth flows
• Run linting and formatting
• Commit changes and create PR

Problem & Solution:

The billing JWT token was persisting in sessionStorage across user sessions. When a user signed out and a new user signed in, the old billing token remained, causing payment sessions to be created for the previous user's UUID.

Root Cause: Token was only cleared on logout, not during new authentication flows.

Changes Made:

Added getBillingService().clearToken() calls to all authentication flows:

• Email login/signup (routes/login.tsx, routes/signup.tsx)
• OAuth callbacks (routes/auth.$provider.callback.tsx)
• Native Apple Sign-In (iOS flows in login/signup)
• Apple web authentication (components/AppleAuthProvider.tsx)

This ensures that whenever any user signs in or signs up (regardless of method), any existing billing token is cleared, preventing session mixing between different user accounts.

Testing:

• All code passes linting with only minor warnings
• Code is properly formatted with Prettier
• Changes follow existing code patterns and error handling