fix(sdk): defer loginWithToken auth-error cleanup to avoid racing fresh logins

The previous wrap cleared local credentials synchronously when DDPSDK's
auto-relogin on `connected` came back with an auth error. That fixed
the e2ee-key-reset flow (server force-logs out, SDK reconnects with
dead token, wrap clears creds, user falls back to Login) but raced
with concurrent fresh logins on:

  - e2ee-passphrase-management :76/:87 (loginByUserState +
    _pollStoredLoginToken inject a fresh token while the auto-retry
    with the dead one is still in flight)
  - saml :307 SLO (post-logout redirect chain rotates state under us)

Defer the cleanup by 500ms and re-verify the guards at the deadline.
If a concurrent fresh login completed in the meantime it will have
rotated either the stored token or sdk.account.uid; the deferred
check then bails out instead of nuking the just-stored credentials.
For genuine force-logout flows nothing else touches the state, so
the cleanup runs as before — just half a second later, well within
test timeouts.

Author: ggazzo

apps/meteor/client/lib/sdk/ddpSdk.ts

@@ -236,9 +236,20 @@ if (typeof window !== 'undefined') {
 		try {
 			return await originalLogin(token);
 		} catch (error) {
-			const stillSameStored = readStoredLoginToken() === token;
-			const accountStillReflectsThisToken = sdk.account.uid === triedWithUid;
-			if (isAuthError(error) && stillSameStored && accountStillReflectsThisToken) {
+			if (!isAuthError(error)) throw error;
+			// Defer the cleanup so a concurrent fresh login (e.g. SAML's
+			// post-redirect resume, e2ee-passphrase-management's
+			// loginByUserState/_pollStoredLoginToken, password login from
+			// the form) has a chance to rotate the stored token and SDK
+			// account state. After the delay, only clear creds if the
+			// state is still stuck on the same token+uid we tried with —
+			// meaning no concurrent flow rescued it. For real
+			// force-logout (no concurrent login), nothing else will
+			// touch localStorage and we end up clearing on schedule.
+			setTimeout(() => {
+				const stillSameStored = readStoredLoginToken() === token;
+				const accountStillReflectsThisToken = sdk.account.uid === triedWithUid;
+				if (!stillSameStored || !accountStillReflectsThisToken) return;
 				try {
 					Accounts._unstoreLoginToken();
 				} catch {
@@ -251,7 +262,7 @@ if (typeof window !== 'undefined') {
 				}
 				sdk.account.uid = undefined;
 				sdk.account.user = undefined;
-			}
+			}, 500);
 			throw error;
 		}
 	};