chore: Fixing email verification on signup (#39838)

## Description
If email verification is turned on, the user is not logged out on sign-up when they still need to verify their email. This fixes that issue.


## Automation

/test sanity

### 🔍 Cypress test results
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/13973800139>
> Commit: 81eac95f38bf52516423a120018b525261b1eb3e
> [Cypress dashboard](https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=13973800139&attempt=1).
> Tags: `@tag.Sanity`
> Spec:
> <hr>Thu, 20 Mar 2025 16:37:15 UTC


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [ ] No


## Summary by CodeRabbit

- **Bug Fixes**
  - Enhanced the authentication flow by fully terminating obsolete sessions after verification, ensuring that any residual session data is completely cleared for improved security.
Trisha Anand 2025-03-20 22:39:51 +05:30 committed by GitHub
parent 9de62e0d0f
commit 55624bc499
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -171,16 +171,20 @@ public class AuthenticationSuccessHandlerCE implements ServerAuthenticationSucce
private Mono<Void> postVerificationRequiredHandler(
WebFilterExchange webFilterExchange, User user, Application defaultApplication) {
return webFilterExchange.getExchange().getSession().flatMap(webSession -> {
// First remove the security context from the session attributes
webSession.getAttributes().remove(DEFAULT_SPRING_SECURITY_CONTEXT_ATTR_NAME);
return redirectHelper
.getAuthSuccessRedirectUrl(webFilterExchange, defaultApplication, true)
.flatMap(redirectUrl -> extractRedirectUrlAndSendVerificationMail(
webFilterExchange, user, redirectUrl)
.map(url -> String.format(
"/user/verificationPending?email=%s",
URLEncoder.encode(user.getEmail(), StandardCharsets.UTF_8)))
.flatMap(redirectUri -> redirectStrategy.sendRedirect(
webFilterExchange.getExchange(), URI.create(redirectUri))));
// Then invalidate the entire session to remove it from Redis
return webSession
.invalidate()
.then(redirectHelper
.getAuthSuccessRedirectUrl(webFilterExchange, defaultApplication, true)
.flatMap(redirectUrl -> extractRedirectUrlAndSendVerificationMail(
webFilterExchange, user, redirectUrl)
.map(url -> String.format(
"/user/verificationPending?email=%s",
URLEncoder.encode(user.getEmail(), StandardCharsets.UTF_8)))
.flatMap(redirectUri -> redirectStrategy.sendRedirect(
webFilterExchange.getExchange(), URI.create(redirectUri)))));
});
}
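Review bot: the new branch sequences the verification mail and the redirect after `webSession.invalidate()`, so if invalidation fails the user ends up with neither a session nor a verification mail; if that fail-closed ordering is intended, say so in the comment, and while you are there drop the "Then" from `// Then invalidate the entire session to remove it from Redis`, since the "First remove the security context" step it referred to no longer exists. The previous code only removed the `DEFAULT_SPRING_SECURITY_CONTEXT_ATTR_NAME` attribute and left the session itself in place, which is the bug the description reports, so a test that signs up with verification required and asserts the `/user/verificationPending` redirect no longer carries a live session would pin the fix down. Minor: `.map(url -> String.format(...))` discards the value returned by `extractRedirectUrlAndSendVerificationMail`; `.then(Mono.fromCallable(...))` would make it explicit that only the side effect is wanted.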