Agreed. There is no secret key known. I was mistaken about how the handshake in WPA2 works.
However, that doesn't mean that a future protocol (say WPA3) couldn't use public keys securely.
Essentially, imagine an SSL-like implementation to authenticate and securely exchange keys, but for an AP instead.
Client requests session from AP.
AP returns public key cert (could be self-signed but also could be CA-signed for an organization like Starbucks).
For self-signed certs you would still have the issue of MitM. For CA-signed certs the client verifies the AP cert if valid and signed by a trusted CA. Thus the client has at least some assurance it is talking to the "real" Starbucks AP.
Client creates a random session key and also a public/private keypair.
Client encrypts everything w/ AP public key and transmits to AP.
Now all traffic is encrypted w/ securely shared session key.
However, that would require something beyond what the article indicates. I was mistaken on the keyshare in WPA2. With Eve knowing the passphrase it would be very simple to force a session disconnect and then capture the handshake.
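
The exchange sketched in the comment above, as an added example that is not part of the original post: a client accepts a CA-signed AP certificate, rejects a self-signed one for the same SSID, and shows what happens when the CA check is skipped. It assumes textbook RSA over small constructed primes in place of real certificates (not secure, no padding), omits the client's own keypair, and all function and variable names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key below

def keygen(p, q):
    """Textbook RSA key from two known primes (toy size, no padding: NOT secure)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(ssid, ap_n, mod):
    """Hash of the (SSID, AP public modulus) binding, reduced into the signer's group."""
    h = hashlib.sha256(f"{ssid}|{ap_n}".encode()).digest()
    return int.from_bytes(h, "big") % mod

def issue_cert(ssid, ap_key, signer_key):
    """Signer binds the SSID to the AP's public modulus."""
    sig = pow(digest(ssid, ap_key["n"], signer_key["n"]), signer_key["d"], signer_key["n"])
    return {"ssid": ssid, "n": ap_key["n"], "sig": sig}

def cert_valid(cert, trusted_ca_n):
    """Client-side check: was this binding signed by the CA the client trusts?"""
    return pow(cert["sig"], E, trusted_ca_n) == digest(cert["ssid"], cert["n"], trusted_ca_n)

def client_connect(cert, trusted_ca_n, require_ca=True):
    """Return (session_key, ciphertext for the AP), or None if the cert is rejected."""
    if require_ca and not cert_valid(cert, trusted_ca_n):
        return None
    key = secrets.randbits(128)          # random session key
    return key, pow(key, E, cert["n"])   # encrypted to whoever owns the cert's key

def ap_decrypt(ciphertext, ap_key):
    return pow(ciphertext, ap_key["d"], ap_key["n"])

# Constructed sample keys built from Mersenne primes (illustration only).
CA = keygen(2**107 - 1, 2**127 - 1)
REAL_AP = keygen(2**61 - 1, 2**89 - 1)
ROGUE_AP = keygen(2**61 - 1, 2**107 - 1)

real_cert = issue_cert("Starbucks", REAL_AP, CA)          # CA-signed
rogue_cert = issue_cert("Starbucks", ROGUE_AP, ROGUE_AP)  # self-signed, same SSID

if __name__ == "__main__":
    print("CA-signed cert accepted:", client_connect(real_cert, CA["n"]) is not None)
    print("self-signed cert accepted:", client_connect(rogue_cert, CA["n"]) is not None)
    key, ct = client_connect(rogue_cert, CA["n"], require_ca=False)
    print("without CA check, rogue AP learns key:", ap_decrypt(ct, ROGUE_AP) == key)
```
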