[PM-35118] fix: Prevent vault timeout from re-firing for already-soft-logged-out accounts #2571

Draft
morganzellers-bw wants to merge 4 commits into main from pm-35118-vault-timeout-issue-claude

@morganzellers-bw morganzellers-bw commented Apr 24, 2026

🎟️ Tracking

PM-35118

📔 Objective

After setting Vault Timeout to Immediate + Log Out, the account is soft-logged-out on foreground (PM-11472 design, access token removed but account kept in state for email pre-fill). However, checkSessionTimeouts was re-firing the timeout on every subsequent foreground event because hasPassedSessionTimeout always returns true for .immediately (0 seconds elapsed ≥ 0). This caused the app to navigate the user back to the landing screen even while they were mid-way through re-authenticating on the login screen.

Fix: Add && !account.isLoggedOut to the shouldTimeout guard in checkSessionTimeouts. account.isLoggedOut is !isAuthenticated, which (after PM-35285) correctly returns true for soft-logged-out accounts. This prevents the timeout from re-firing for accounts that are already logged out.

Test corrections included:

  • Two existing tests (lockAccount, logoutAccount) needed stateService.isAuthenticated[userId] = true. MockStateService defaults isAuthenticated to false, so without it the accounts appeared already-logged-out and the timeout was skipped.
  • One existing test (timedOut_activeAccount_handleActiveUser) was vacuously passing because the closure assertion was never reached; hardened with an explicit handleActiveUserCalled flag.
  • One router test (didTimeout_sessionExpired_logout) was asserting .landing but production actually returns .landingSoftLoggedOut — the old assertion only passed because authRepository.activeAccount was unset, forcing getAccount() through the catch path.

Screenshots

Before & After Videos
pm-35118-after-720.mov
pm-35118-before-720.mov
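
The re-firing behaviour described in the PR body above, as an added Swift sketch that is not part of the pull request or Bitwarden's code base. It is a simplified single-account model: SessionModel, TimeoutValue, guardLoggedOut and timeoutsFired are hypothetical names, and only checkSessionTimeouts, hasPassedSessionTimeout, isAuthenticated and isLoggedOut come from the description.

```swift
import Foundation

// Simplified model, not Bitwarden's code. Only checkSessionTimeouts,
// hasPassedSessionTimeout, isAuthenticated and isLoggedOut are names from the PR.
enum TimeoutValue { case immediately, seconds(TimeInterval) }

struct Account {
    var timeout: TimeoutValue
    var isAuthenticated: Bool          // false once the access token is removed
    var lastActive: Date
    var isLoggedOut: Bool { !isAuthenticated }
}

final class SessionModel {
    var account: Account
    private(set) var timeoutsFired = 0 // each one navigates back to the landing screen
    let guardLoggedOut: Bool           // false = before the fix, true = after

    init(account: Account, guardLoggedOut: Bool) {
        self.account = account
        self.guardLoggedOut = guardLoggedOut
    }

    func hasPassedSessionTimeout(now: Date) -> Bool {
        let limit: TimeInterval
        switch account.timeout {
        case .immediately: limit = 0
        case .seconds(let s): limit = s
        }
        return now.timeIntervalSince(account.lastActive) >= limit // always true for .immediately
    }

    // Runs on every foreground event.
    func checkSessionTimeouts(now: Date) {
        var shouldTimeout = hasPassedSessionTimeout(now: now)
        if guardLoggedOut { shouldTimeout = shouldTimeout && !account.isLoggedOut }
        guard shouldTimeout else { return }
        timeoutsFired += 1
        account.isAuthenticated = false // soft logout: token removed, account kept in state
    }
}

// Constructed scenario: three foreground events, the user never finishes logging in.
for guarded in [false, true] {
    let start = Date()
    let model = SessionModel(
        account: Account(timeout: .immediately, isAuthenticated: true, lastActive: start),
        guardLoggedOut: guarded)
    for i in 0..<3 { model.checkSessionTimeouts(now: start.addingTimeInterval(Double(i))) }
    print("guard=\(guarded) timeouts fired: \(model.timeoutsFired)")
}
```

Without the guard the timeout fires on all three foreground events; with it, the timeout fires once and is suppressed while the account stays logged out.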

@morganzellers-bw morganzellers-bw added the ai-review Request a Claude code review label Apr 24, 2026
@github-actions github-actions Bot added app:password-manager Bitwarden Password Manager app context t:bug Change Type - Bug labels Apr 24, 2026

codecov Bot commented Apr 24, 2026

Codecov Report

❌ Patch coverage is 91.66667% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.21%. Comparing base (3ecf4ce) to head (6db8a42).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
...d/Core/Auth/Repositories/AuthRepositoryTests.swift 90.47% 2 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff            @@
##             main    #2571    +/-   ##
========================================
  Coverage   87.20%   87.21%            
========================================
  Files        1894     1895     +1     
  Lines      167519   167756   +237     
========================================
+ Hits       146087   146302   +215     
- Misses      21432    21454    +22     

github-actions Bot commented Apr 30, 2026

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the one-line fix in AuthRepository.checkSessionTimeouts that prevents handleActiveUser/logout from re-firing for accounts already in the soft-logged-out state, plus the accompanying test changes. Verified account.isLoggedOut is derived from !isAuthenticated via profileItem(from:), so the guard correctly suppresses the redundant timeout for .immediately after PM-35285. Confirmed the router test correction (.landing → .landingSoftLoggedOut) matches production behavior in AuthRouter+Redirects.swift:312, and the test hardening (explicit handleActiveUserCalled flag, setting stateService.isAuthenticated = true where MockStateService defaults to false) addresses real test-quality issues described in the PR body.

Code Review Details

No findings.
