feat: Enhance authentication by refining user role validation during session handling and ensuring immediate ID token refresh after sign-in to prevent unauthenticated Data Connect SDK requests.

apps/mobile/packages/data_connect/lib/src/services/mixins/session_handler_mixin.dart

@@ -205,13 +205,23 @@ mixin SessionHandlerMixin {
     try {
       _emitSessionState(SessionState.loading());
 
-      // Validate role if allowed roles are specified
+      // Validate role only when allowed roles are specified.
       if (_allowedRoles.isNotEmpty) {
-        final bool isAuthorized = await validateUserRole(
-          user.uid,
-          _allowedRoles,
-        );
-        if (!isAuthorized) {
+        final String? userRole = await fetchUserRole(user.uid);
+
+        if (userRole == null) {
+          // User has no record in the database yet. This is expected during
+          // the sign-up flow: Firebase Auth fires authStateChanges before the
+          // repository has created the PostgreSQL user record. Do NOT sign out —
+          // just emit unauthenticated and let the registration flow complete.
+          _emitSessionState(SessionState.unauthenticated());
+          return;
+        }
+
+        if (!_allowedRoles.contains(userRole)) {
+          // User IS in the database but has a role that is not permitted in
+          // this app (e.g., a STAFF-only user trying to use the Client app).
+          // Sign them out to force them to use the correct app.
           await auth.signOut();
           _emitSessionState(SessionState.unauthenticated());
           return;