auth/callback persists localStorage identity before confirming the live session; fire-and-forget /me #191

@Jose-Gael-Cruz-Lopez

Severity: Low
Labels: bug, frontend, P3
Location: frontend/src/app/auth/callback/page.tsx:51-99; frontend/src/context/UserContext.tsx:83-94

Description

UserContext treats the presence of localStorage.sapling_user as isAuthenticated. The callback awaits POST /api/auth/session (good) but then calls setActiveUser (writing localStorage) regardless of whether the subsequent GET /api/auth/me succeeded (its failure is swallowed and defaults onboardingCompleted=true). So a user whose cookie was set but whose profile fetch failed is persisted as "authenticated" with empty name/admin/roles; and because isAuthenticated is never reconciled against a live session check, a stale or cleared cookie with a lingering localStorage entry yields a client that believes it is authenticated until a middleware-guarded navigation bounces it.

Suggested fix

Gate the setActiveUser/localStorage write on a successful me response, or add a lightweight client-side session-validity check on mount that clears localStorage when the cookie is gone.

Acceptance criteria

  • localStorage identity is written only after a confirmed me; a missing cookie clears stale client auth state.
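The two behaviours below, as an added example that is not the project's own code: a model of the callback as the issue describes it (identity persisted even when /me fails) next to a version that gates the localStorage write on a confirmed /me, plus a mount-time reconciliation that clears the cached entry when the session is gone. The endpoints and the `sapling_user` key come from the issue; the function names (`callbackBefore`, `callbackAfter`, `reconcileOnMount`), the injected fetch and storage interfaces, and the fake backend are assumptions made so the flow runs offline in Node.

```typescript
// Added example (not the project's code): models the auth callback the issue describes,
// with fetch and storage injected so it runs offline in Node with no DOM.

type Json = Record<string, unknown>;
type HttpResponse = { ok: boolean; json: () => Promise<Json> };
type FetchLike = (path: string, init?: { method?: string }) => Promise<HttpResponse>;
interface StorageLike {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

export const USER_KEY = "sapling_user"; // localStorage key named in the issue

export interface ActiveUser {
  name: string;
  admin: boolean;
  roles: string[];
  onboardingCompleted: boolean;
}

function toActiveUser(me: Json): ActiveUser {
  return {
    name: typeof me.name === "string" ? me.name : "",
    admin: me.admin === true,
    roles: Array.isArray(me.roles) ? (me.roles as string[]) : [],
    onboardingCompleted: typeof me.onboardingCompleted === "boolean" ? me.onboardingCompleted : true,
  };
}

// Before: the session POST is awaited, but a failed /me is swallowed and an empty
// identity is still written, so the client believes it is authenticated.
export async function callbackBefore(fetchFn: FetchLike, storage: StorageLike): Promise<boolean> {
  const session = await fetchFn("/api/auth/session", { method: "POST" });
  if (!session.ok) return false;
  let me: Json = {};
  try {
    const res = await fetchFn("/api/auth/me");
    if (res.ok) me = await res.json();
  } catch {
    // swallowed: falls through with me = {} and onboardingCompleted defaulting to true
  }
  storage.setItem(USER_KEY, JSON.stringify(toActiveUser(me)));
  return true;
}

// After: the localStorage write is gated on a confirmed /me response.
export async function callbackAfter(fetchFn: FetchLike, storage: StorageLike): Promise<boolean> {
  const session = await fetchFn("/api/auth/session", { method: "POST" });
  if (!session.ok) return false;
  let me: Json;
  try {
    const res = await fetchFn("/api/auth/me");
    if (!res.ok) return false;
    me = await res.json();
  } catch {
    return false;
  }
  if (typeof me.name !== "string") return false; // no confirmed profile, no persisted identity
  storage.setItem(USER_KEY, JSON.stringify(toActiveUser(me)));
  return true;
}

// Mount-time reconciliation: a cached identity is trusted only while /me still answers;
// when the cookie is gone the stale entry is removed instead of lingering.
export async function reconcileOnMount(fetchFn: FetchLike, storage: StorageLike): Promise<boolean> {
  if (storage.getItem(USER_KEY) === null) return false;
  try {
    const res = await fetchFn("/api/auth/me");
    if (res.ok) return true;
  } catch {
    // a transport failure is treated like a missing session
  }
  storage.removeItem(USER_KEY);
  return false;
}

// Constructed fake backend for the scenario in the issue; not a real server.
export function makeFakeFetch(opts: { sessionOk: boolean; meOk: boolean }): FetchLike {
  const profile: Json = { name: "alice", admin: false, roles: ["member"], onboardingCompleted: false };
  return async (path, init) => {
    if (path === "/api/auth/session" && init?.method === "POST") {
      return { ok: opts.sessionOk, json: async () => ({}) };
    }
    if (path === "/api/auth/me") {
      return { ok: opts.meOk, json: async () => profile };
    }
    return { ok: false, json: async () => ({}) };
  };
}

// In-memory stand-in for window.localStorage.
export function makeMemoryStorage(): StorageLike {
  const data = new Map<string, string>();
  return {
    getItem: (k) => (data.has(k) ? (data.get(k) as string) : null),
    setItem: (k, v) => { data.set(k, v); },
    removeItem: (k) => { data.delete(k); },
  };
}
```

With `sessionOk: true, meOk: false`, `callbackBefore` stores `{ name: "", admin: false, roles: [], onboardingCompleted: true }` and reports success, which is exactly the stale "authenticated" state the issue describes; `callbackAfter` stores nothing and returns false, and `reconcileOnMount` drops a cached entry once /me stops answering.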
