Mirror cookie mismatch: re-mint cookies for child users

Don't show a primary account re-authentication dialog for child users,
so they wouldn't get in signed-out state. Forcibly logout all accounts
to re-mint the cookies.

Bug: 1052099
Change-Id: I1d643856b3500e1ce366ef3e9282c334fbb40dbb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2059412Reviewed-by: Kush Sinha <sinhak@chromium.org>
Reviewed-by: David Roger <droger@chromium.org>
Commit-Queue: Anastasiia Nikolaienko <anastasiian@chromium.org>
Cr-Commit-Position: refs/heads/master@{#743926}

chrome/browser/signin/chrome_signin_helper.cc

@@ -11,6 +11,7 @@
 #include "base/bind_helpers.h"
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
+#include "base/metrics/histogram_macros.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/supports_user_data.h"
@@ -19,6 +20,7 @@
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "chrome/browser/prefs/incognito_mode_prefs.h"
+#include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/profiles/profile_io_data.h"
 #include "chrome/browser/signin/account_consistency_mode_manager.h"
 #include "chrome/browser/signin/account_reconcilor_factory.h"
@@ -38,6 +40,7 @@
 #include "components/signin/core/browser/cookie_reminter.h"
 #include "components/signin/public/base/account_consistency_method.h"
 #include "components/signin/public/base/signin_buildflags.h"
+#include "components/signin/public/identity_manager/accounts_cookie_mutator.h"
 #include "content/public/browser/browser_task_traits.h"
 #include "content/public/browser/browser_thread.h"
 #include "google_apis/gaia/gaia_auth_util.h"
@@ -220,6 +223,23 @@ void ProcessMirrorHeader(
       return;
     }
 
+    // Child users shouldn't get the re-authentication dialog for primary
+    // account. Log out all accounts to re-mint the cookies.
+    // (See the reason below.)
+    signin::IdentityManager* const identity_manager =
+        IdentityManagerFactory::GetForProfile(profile);
+    CoreAccountInfo primary_account = identity_manager->GetPrimaryAccountInfo(
+        signin::ConsentLevel::kNotRequired);
+    if (profile->IsChild() &&
+        gaia::AreEmailsSame(primary_account.email,
+                            manage_accounts_params.email)) {
+      identity_manager->GetAccountsCookieMutator()->LogOutAllAccounts(
+          gaia::GaiaSource::kChromeOS);
+      UMA_HISTOGRAM_BOOLEAN("AccountManager.MirrorReauthenticationRequest",
+                            true);
+      return;
+    }
+
     // The account's cookie is invalid but the cookie has not been removed by
     // |AccountReconcilor|. Ideally, this should not happen. At this point,
     // |AccountReconcilor| cannot detect this state because its source of truth
@@ -228,8 +248,6 @@ void ProcessMirrorHeader(
     // invalid, so that if/when this account is re-authenticated, we can force a
     // reconciliation for this account instead of treating it as a no-op.
     // See https://crbug.com/1012649 for details.
-    signin::IdentityManager* const identity_manager =
-        IdentityManagerFactory::GetForProfile(profile);
     base::Optional<AccountInfo> maybe_account_info =
         identity_manager
             ->FindExtendedAccountInfoForAccountWithRefreshTokenByEmailAddress(