From b47afd0f55d5a8e59c07c35dae1111c1db6dd5cf Mon Sep 17 00:00:00 2001
From: Henrik Jess Nielsen
Date: Sat, 23 May 2026 01:59:44 +0200
Subject: [PATCH] feat: Step 1 always resets session state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Navigating to Step 1 (via stepper, direct link, or browser back) now clears the token store and session — identical to clicking Reset. This prevents stale user/token state from a previous flow run.
---
 src/routes/demo.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/routes/demo.py b/src/routes/demo.py
index afae7cf..c4b3b15 100644
--- a/src/routes/demo.py
+++ b/src/routes/demo.py
@@ -141,7 +141,14 @@ async def step1(request: Request):
 Fetches an app-level token with scope 'user:create,authorization:grant'.
 Docs: https://docs.tink.com/api#connectivity/oauth/create-an-oauth-token
 """
- sess = _session(request)
+ # Step 1 always starts a clean session — equivalent to reset
+ old_sid = request.session.get("demo", {}).get("sid", "")
+ if old_sid:
+ _token_store.pop(old_sid, None)
+ _callback_locks.pop(old_sid, None)
+ request.session.pop("demo", None)
+
+ sess = _session(request) # creates a fresh demo dict with a new sid
 client = _client(log_cb=_logger(sess))
 s = get_settings()
 error = None
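Review bot: The new cleanup at the top of step1 drops `_token_store[old_sid]` and `_callback_locks[old_sid]` without checking whether a callback for that sid is still running; if the callback handler holds that lock while it exchanges the code (inferred from the name, the handler is outside this hunk), it can finish after the pop and write tokens back under a sid no session references any more, leaving orphaned token material in memory. Taking the lock before the pops would close that window, provided it is an asyncio lock: `lock = _callback_locks.get(old_sid)` and then the two pops inside `async with lock:`. The description says plain navigation (direct link, browser back) triggers the reset, so it presumably runs on a GET and a prefetcher or cross-site link can wipe an in-progress flow; a comment such as `# NOTE: state-changing on GET by design; demo only` would make that trade-off explicit. If the Reset handler carries the same lines, a shared helper would keep the two from drifting. step1's body continues outside the hunk.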