fix: reset abandoned code flow flag on non-callback checkAuth (#2221)#2224

Open

FabianGosebrink wants to merge 1 commit into main from fix/reset-code-flow-in-progress-on-non-callback


Conversation

@FabianGosebrink

Collaborator

Summary

Fixes #2221 — the storageCodeFlowInProgress flag was never reset when a code flow is abandoned and the session is later established via silent renew, permanently disabling periodic token renewal.

Root cause

resetCodeFlowInProgress is only called in CodeFlowCallbackService.authenticatedCallbackWithCode, which is reached only when the current URL contains an authorization code (isCallback === true).

When a user calls authorize() (which sets storageCodeFlowInProgress = true), authenticates at the IdP, but returns to the app without the callback URL, the flag is never reset. If the session is then established via checkAuthIncludingServer → forceRefreshSession (iframe silent renew), shouldStartPeriodicallyCheckForConfig keeps reading isCodeFlowInProgress === true and always returns false — so tokens are silently never renewed.

Unlike isSilentRenewRunning, isCodeFlowInProgress has no self-healing timeout.

Fix

Reset the flag in checkAuthWithConfig whenever the current URL is not a callback. If the app loads without a callback URL, there is no in-flight code flow to protect, so the flag should be cleared. This is the minimal, defensive fix suggested in the issue, and it does not interfere with iframe silent renew (gated by the separate isSilentRenewRunning flag) or the existing reset on the callback path.

Tests

Added two tests to check-auth.service.spec.ts (written test-first):

  • resets a previously abandoned code flow when the current URL is not a callback
  • does not reset the code flow when the current URL is a callback (the existing callback-path reset remains the single source of truth during real flows)

Verification

  • ✅ 995/995 lib tests pass (npm run test-lib-ci)
  • ✅ npm run lint-lib clean
  • ✅ Prettier clean

🤖 Generated with Claude Code

When a code flow is started via authorize() but abandoned (the user
returns to the app without the authorization callback URL),
storageCodeFlowInProgress was left true permanently, because
resetCodeFlowInProgress is only called from the code-flow callback path.

If the session is then established via checkAuthIncludingServer ->
forceRefreshSession (iframe silent renew), shouldStartPeriodicallyCheckForConfig
keeps returning false, so tokens are never silently renewed.

Reset the flag in checkAuthWithConfig whenever the current URL is not a
callback: there is no in-flight code flow to protect in that case.

Fixes #2221

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
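The flag lifecycle described in the PR description and commit message, as an added stand-alone model. This is not angular-auth-oidc-client code: the state fields, function names and the URL-based callback check are simplified stand-ins for the library's storage keys and services, and `withFix` toggles between the pre-fix and post-fix behaviour of checkAuth so the two can be compared on the same input.

```typescript
// Added illustration of the codeFlowInProgress lifecycle. Simplified model,
// not the library's code: field and function names are stand-ins only.

interface AuthState {
  codeFlowInProgress: boolean; // stands in for storageCodeFlowInProgress
  silentRenewRunning: boolean; // stands in for the separate isSilentRenewRunning flag
  authenticated: boolean;
}

function newState(): AuthState {
  return { codeFlowInProgress: false, silentRenewRunning: false, authenticated: false };
}

// authorize() marks a code flow as started before redirecting to the IdP.
function authorize(state: AuthState): void {
  state.codeFlowInProgress = true;
}

// Simplified callback detection (assumption): the redirect back from the IdP
// carries both ?code= and &state= in the query string.
function isCallback(url: string): boolean {
  const query = new URL(url).searchParams;
  return query.has('code') && query.has('state');
}

// Callback path: exchanging the code was the only place the flag got reset.
function authenticatedCallbackWithCode(state: AuthState): void {
  state.authenticated = true;
  state.codeFlowInProgress = false; // the existing resetCodeFlowInProgress
}

// Iframe silent renew, gated by its own flag (which does get cleared again).
function forceRefreshSession(state: AuthState): void {
  state.silentRenewRunning = true;
  state.authenticated = true; // IdP session still valid, so tokens are obtained
  state.silentRenewRunning = false;
}

// Periodic renewal is suppressed while either flag reports a flow in flight.
function shouldStartPeriodicallyCheck(state: AuthState): boolean {
  return state.authenticated && !state.codeFlowInProgress && !state.silentRenewRunning;
}

// checkAuth modelled before (withFix = false) and after (withFix = true) the PR.
// Returns whether periodic token renewal would be started afterwards.
function checkAuth(state: AuthState, currentUrl: string, withFix: boolean): boolean {
  if (isCallback(currentUrl)) {
    authenticatedCallbackWithCode(state);
  } else {
    if (withFix) {
      // The fix: no callback URL means there is no in-flight code flow to protect.
      state.codeFlowInProgress = false;
    }
    if (!state.authenticated) {
      forceRefreshSession(state); // checkAuthIncludingServer -> forceRefreshSession
    }
  }
  return shouldStartPeriodicallyCheck(state);
}

// Scenario from the issue: authorize() was called, the user authenticated at the
// IdP, but the app is loaded again at its root instead of the redirect URI.
function abandonedFlowScenario(withFix: boolean): boolean {
  const state = newState();
  authorize(state);
  return checkAuth(state, 'https://app.example/', withFix);
}

// Control: a genuine callback URL is reset on the callback path with or without the fix.
function callbackScenario(withFix: boolean): boolean {
  const state = newState();
  authorize(state);
  return checkAuth(state, 'https://app.example/callback?code=abc&state=xyz', withFix);
}

console.log('abandoned flow, before fix:', abandonedFlowScenario(false)); // false
console.log('abandoned flow, after fix:', abandonedFlowScenario(true)); // true
console.log('real callback, either way:', callbackScenario(false), callbackScenario(true)); // true true
```

The reset sits only in the non-callback branch, so a genuine callback still relies on the existing reset inside the callback path, which is the second behaviour the PR's tests pin down. The model also shows why silentRenewRunning does not mask the problem: it is cleared by the same code that sets it, whereas codeFlowInProgress has no such return path once the callback URL is lost.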
@damienbod

Owner

I would need to verify that this has no side effects

Development

Successfully merging this pull request may close these issues.

[Bug]: storageCodeFlowInProgress flag never reset when checkAuthIncludingServer establishes session via SSO silent renew after an abandoned code flow