User can end up logged into regular Hypothesis account on a page configured to use a third party account

[robertknight]

Steps to reproduce

1. Run a local build of the client against a local h service
2. Login to the client using a regular account on the local h service
3. Run the publisher account test site https://github.com/hypothesis/publisher-account-test-site and do not login to the test site

Expected result

Client shows publisher group. User is not logged in.

Actual result

Client shows normal Hypothesis groups. User is logged in to their normal Hypothesis account.

Notes

The issue is that in this context, the host page (the publisher account test site) includes a services config for the client but the grantToken is null. If the grant token is null we fall back to trying to load access tokens from local storage.

Since the apiUrl config param is the same for this "third party service" as it is for the regular Hypothesis service, the storageKey() function returns the same key that was used to store OAuth tokens for the regular Hypothesis service.

Consequently the client ends up using the saved access token and the user ends up logged in to their regular Hypothesis account.

[seanh]

At least on the publisher account site the log out button also doesn't work, when I'm logged in to a first-party account on the publisher site

[seanh]

Confirmed that I can reproduce this