
fix(android-sdk): discard in-flight token responses after sign-out#264

Merged: xiaoyijun merged 3 commits into v2.x from xiaoyijun-fix-sign-out-refresh-race-v2 on Jun 12, 2026

Conversation

@xiaoyijun (Collaborator)

Summary

Backports #263 to the v2.x maintenance line (cherry-pick -x of 6a84601, fixes #253 for v2): an in-flight token refresh (or sign-in code exchange) landing after signOut() no longer resurrects the cleared credentials. See #263 for the full design discussion (CredentialGuard optimistic lock, credential snapshots for in-flight reads, stale flows complete with NOT_AUTHENTICATED).

Conflict resolution beyond the clean hunks, due to the v2/v3 divergence (v3 replaced WebView with Custom Tabs and split sign-out into clearCredentials + browser signOut in #249/#251):

  • v2's single signOut(completion) keeps its WebView cookie clearing and now drops credentials through the same atomic dropCredentials(); v3's browser-based signOut(context, ...) overload and clearCredentials do not exist on v2 and were not introduced.
  • The seven race tests were ported to v2's API shape: no-arg signOut(), mocked CookieManager, and the sign-in race driven through the WebView-era LogtoAuthManager/LogtoWebViewAuthActivity flow instead of the Custom Tabs one.

No public API changes; NOT_AUTHENTICATED is reused (no new exception type), so the patch stays source- and binary-compatible for v2 consumers.

Testing

unit tests — the seven race tests from #263 ported to the v2 flow; red-check verified against the unfixed v2 implementation (exactly those 7 fail, the existing 26 pass; all 33 pass with the fix).

Checklist

  • .changeset (N/A — this repo uses release-please)
  • unit tests
  • integration tests (N/A)
  • necessary KDoc comments

🤖 Generated with Claude Code
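The guard pattern the description refers to (a generation-based optimistic lock, in-flight reads on a snapshot, stale flows completing with NOT_AUTHENTICATED), as an added Kotlin sketch that is not the SDK's own code: the class, method and exception names and the token response are assumptions constructed for illustration.

```kotlin
// Hypothetical stand-ins for the SDK's types (not Logto's own classes).
data class Credentials(val accessToken: String, val refreshToken: String)
class NotAuthenticatedException : Exception("NOT_AUTHENTICATED")

/**
 * Optimistic lock: every sign-out bumps the generation, and a token response
 * is persisted only if the generation it was read under is still current.
 * Check and write happen under one lock, so a signOut() cannot slip in between.
 */
class CredentialGuard {
    private val lock = Any()
    private var generation = 0L
    var credentials: Credentials? = null
        private set

    /** Snapshot for an in-flight flow: the credentials plus the generation they belong to. */
    fun snapshot(): Pair<Long, Credentials?> = synchronized(lock) { generation to credentials }

    /** Atomically clear credentials and invalidate every in-flight flow. */
    fun dropCredentials() {
        synchronized(lock) {
            credentials = null
            generation++
        }
    }

    /** Persist [fresh] only if no sign-out happened since [seenGeneration]. */
    fun commitIfCurrent(seenGeneration: Long, fresh: Credentials): Boolean = synchronized(lock) {
        if (generation == seenGeneration) { credentials = fresh; true } else false
    }
}

/** A refresh (or code exchange) that starts before signOut() and completes after it. */
fun refreshRacingSignOut(guard: CredentialGuard): Result<Credentials> {
    val (seen, snap) = guard.snapshot()            // read on a snapshot, not live state
    val refreshToken = snap?.refreshToken
        ?: return Result.failure(NotAuthenticatedException())
    guard.dropCredentials()                        // signOut() lands while the request is in flight
    val fresh = Credentials("access-from-$refreshToken", "rotated-refresh") // constructed token response
    return if (guard.commitIfCurrent(seen, fresh)) Result.success(fresh)
    else Result.failure(NotAuthenticatedException()) // stale flow: discard, do not resurrect
}

fun main() {
    val guard = CredentialGuard()
    guard.commitIfCurrent(guard.snapshot().first, Credentials("initial-access", "initial-refresh"))
    val result = refreshRacingSignOut(guard)
    // Cleared credentials stay cleared and the stale flow fails with NOT_AUTHENTICATED.
    check(result.isFailure && guard.credentials == null)
    println("stale refresh discarded: ${result.exceptionOrNull()?.message}")
}
```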


* fix(android-sdk): discard in-flight token responses after sign-out

* fix(android-sdk): run in-flight token flows on credential snapshots

* fix(android-sdk): complete stale token flows with NOT_AUTHENTICATED consistently

* refactor(android-sdk): rename SessionGuard to CredentialGuard

(cherry picked from commit 6a84601)

Copilot AI left a comment


Pull request overview

Backport to the v2 Android SDK to prevent in-flight token refresh / authorization-code exchanges from persisting tokens after signOut(), which could otherwise resurrect cleared credentials.

Changes:

  • Add an in-memory optimistic “generation” guard (CredentialGuard) to invalidate/commit credential writes and discard stale token flows after sign-out.
  • Update signIn() and getAccessToken() refresh flow to snapshot credentials and commit token responses only if still current.
  • Add deterministic unit tests covering refresh/sign-in races around signOut() (including JWKS/OIDC-config in-flight cases).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • android-sdk/android/src/main/kotlin/io/logto/sdk/android/LogtoClient.kt: Introduces CredentialGuard, atomic credential dropping, and guarded persistence of token responses to prevent post-sign-out credential resurrection.
  • android-sdk/android/src/test/kotlin/io/logto/sdk/android/LogtoClientTest.kt: Adds race-condition unit tests and supporting helpers to validate that stale refresh/sign-in results are discarded after sign-out.


@github-actions github-actions Bot added size/xl and removed size/l labels Jun 12, 2026
@xiaoyijun xiaoyijun merged commit 03330e4 into v2.x Jun 12, 2026
3 checks passed
@xiaoyijun xiaoyijun deleted the xiaoyijun-fix-sign-out-refresh-race-v2 branch June 12, 2026 01:21
@silverhand-bot silverhand-bot mentioned this pull request Jun 11, 2026