feat: logout should navigate by default so middleware can enforce auth on the next render (#956)

[frano-m]

Summary

• Adds optional logoutCallbackUrl?: string prop on NextAuthAuthenticationProvider, threaded into useNextAuthService(logoutCallbackUrl).
• When set, requestLogout() defaults to signOut({ redirect: true, callbackUrl }) so the browser actually navigates and Next middleware re-runs on the next render. Without it, behavior is identical to today (signOut({ redirect: false })).
• Resolution lives in a pure helper resolveLogoutOptions(options, logoutCallbackUrl) under src/nextauth/hooks/utils.ts. Caller-supplied options always win (e.g. requestLogout({ callbackUrl: "/account-disabled", redirect: true }) still routes the disabled user correctly; the inactivity-timer's explicit { callbackUrl, redirect: true } still wins).

Closes #956

Back-compat

• Consumers that don't set logoutCallbackUrl: requestLogout() falls through to signOut({ callbackUrl: undefined, redirect: false }) — bit-for-bit identical to current behavior.
• Explicit callers (e.g. AuthorizationProvider for disabled users, useSessionIdleTimer for inactivity logout): their full options pass through unchanged.
• AuthenticationConfig shape unchanged — we opted for a provider prop over a config field so the trigger is explicit at the integration site and doesn't require new config plumbing.

Test plan

• tests/resolveLogoutOptions.test.ts — 6 cases covering the pure helper (no-args defaults, provider-only, caller callbackUrl wins, caller redirect:false wins, full pass-through, caller callbackUrl-only implies redirect:true).
• tests/useNextAuthService.test.ts — extended with 5 hook-level cases that exercise the new logout matrix.
• npm run lint, npm run check-format, npx tsc, full npm test all clean (469 tests).
• Verified end-to-end in hca-atlas-tracker via tarball install: clicking "Logout" on a protected page now triggers a navigation, middleware redirects to the configured logoutCallbackUrl, and stale UI no longer lingers.

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Adds an opt-in, navigation-driven default for NextAuth logout so Next.js middleware re-runs after a user signs out, while preserving existing behavior when not configured.

Changes:

• Added logoutCallbackUrl?: string to NextAuthAuthenticationProvider and threaded it into useNextAuthService(logoutCallbackUrl).
• Introduced resolveLogoutOptions(options, logoutCallbackUrl) to consistently apply precedence rules and default redirect behavior.
• Added unit tests for the pure helper and extended hook tests to cover the new logout option matrix.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/nextauth/types.ts	Adds logoutCallbackUrl?: string to provider props and documents the behavior.
src/nextauth/provider.tsx	Wires the new prop into useNextAuthService(logoutCallbackUrl).
src/nextauth/hooks/useNextAuthService.ts	Uses resolveLogoutOptions so requestLogout() can default to redirect when configured.
src/nextauth/hooks/utils.ts	New helper that resolves logout options with clear precedence rules.
tests/resolveLogoutOptions.test.ts	New unit tests covering helper behavior and precedence.
tests/useNextAuthService.test.ts	Extends hook tests to validate logout defaults and overrides.