fix: stabilize local dev auth startup #3252
Macroscope approvability verdict: Needs human review. This PR modifies authentication-related code paths including credential submission handling, request proxy routing for auth endpoints, and Clerk bridge initialization. Changes to auth flows and security-sensitive code require human review.
Gate Clerk-dependent renderer and desktop bridge setup when local config is absent, register the desktop schemes independently, proxy custom-scheme requests through the app protocol, and load the diff worker via the portable package worker entry. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Route configured loopback HTTP requests through the Vite origin so browser-session cookies are scoped to the page origin, while preserving direct WebSocket targets. Dedupe same-token pairing submits and tolerate stale one-time-token retries when a session is already authenticated. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Stream desktop protocol proxy responses instead of buffering complete bodies, and wait for browser sessions to become observable after manual pairing exchanges. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
```ts
const effect = Effect.gen(function* () {
  // Forward the custom-scheme request to the loopback target through the injected HttpClient.
  const clientRequest = HttpClientRequest.fromWeb(new Request(targetUrl, init));
  const clientResponse = yield* httpClient.execute(clientRequest);
  return withContentSecurityPolicy(
    new Response(
      // Stream the upstream body instead of buffering it; HEAD responses carry no body.
      request.method === "HEAD" ? null : Stream.toReadableStream(clientResponse.stream),
      {
        status: clientResponse.status,
        headers: clientResponse.headers,
      },
    ),
    contentSecurityPolicy,
  );
});
```
Why was this made? I ran into Clerk bot protection when the fetch was made using undici earlier.
What Changed
Why
Local development could fail when Clerk config was missing or when running the web dev flow through `vp run dev`. Clerk was being loaded too eagerly, desktop scheme registration depended on Clerk bridge setup, diff worker imports could fail under Vite, and pairing-token exchange could consume a one-time token before the browser session was observable on the correct origin.

This keeps local startup resilient without Clerk config, avoids CORS/cookie-origin issues by using the web/Vite origin for browser HTTP requests, and preserves direct loopback WebSockets where required.
Note: Medium Risk

Changes touch auth bootstrap, desktop protocol proxying, and HTTP base URL resolution across dev/desktop paths; mistakes could break cookies, pairing, or local API routing, though coverage is added in tests.
Overview
This PR makes local dev and desktop auth startup work when Clerk config is missing or when the app runs through Vite, by avoiding eager Clerk/bridge work and fixing how HTTP targets and pairing tokens are resolved.
Desktop: Clerk bridge setup is optional via `makeDesktopClerkLayer(enabled)` and `desktopClerkBridgeEnabled`; when disabled, the app still registers the custom scheme (`registerDesktopSchemePrivileges`) before Clerk would have run. Protocol proxying moves from `Electron.net.fetch` to an injected Undici `HttpClient`, with hop-by-hop header stripping, `cache: no-store`, and streamed response bodies. `ElectronProtocol.layer` is wired with `NodeHttpClient.layerUndici` in `main.ts`.

Web primary environment: `resolveHttpRequestBaseUrl` now sends loopback API traffic through the Vite dev origin or `t3code-dev://app` when appropriate (including configured `VITE_HTTP_*` targets), with safer handling of `null` origins. Pairing `submitServerAuthCredential` dedupes in-flight submits, waits for session after exchange, and treats already-authenticated sessions as success on stale/duplicate token errors.

Bundling / dev UX: Clerk UI and cloud auth roots are lazy-loaded; diff workers use the portable worker URL; Vite defines `VITE_DEV_SERVER_URL` and sets HMR `clientPort`.

Reviewed by Cursor Bugbot for commit ef3e801.
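An added example, not code from this PR or the project, of the hop-by-hop header filtering the protocol proxy change above describes: a proxy that re-streams bodies over its own connection must drop connection-level headers (and any header named in `Connection`) in both directions, while still forwarding end-to-end headers such as `Cookie` and `Set-Cookie`. Headers are modelled as a plain map and all sample values are constructed.

```typescript
// Added example (not the PR's code): strip hop-by-hop headers before a desktop
// protocol proxy forwards a request to the loopback API or relays its response.
// Headers are a plain name -> value map so the example runs without a web
// Headers implementation; the same logic applies to a Headers object.

// Hop-by-hop headers per RFC 7230 section 6.1. They describe a single
// connection, not the message, so forwarding them through a proxy is wrong
// (e.g. a relayed "Transfer-Encoding: chunked" no longer matches the re-streamed body).
const HOP_BY_HOP = new Set([
  "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
  "te", "trailer", "transfer-encoding", "upgrade",
]);

export type HeaderMap = Record<string, string>;

// Header names listed in the Connection header are hop-by-hop for this message too.
export function connectionTokens(headers: HeaderMap): string[] {
  const raw = Object.entries(headers).find(([k]) => k.toLowerCase() === "connection")?.[1];
  if (!raw) return [];
  return raw.split(",").map((t) => t.trim().toLowerCase()).filter((t) => t.length > 0);
}

// Returns a new map with lower-cased names and every hop-by-hop header removed.
export function stripHopByHopHeaders(headers: HeaderMap): HeaderMap {
  const drop = new Set<string>([...HOP_BY_HOP, ...connectionTokens(headers)]);
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!drop.has(name.toLowerCase())) out[name.toLowerCase()] = value;
  }
  return out;
}

// Constructed sample: a renderer request arriving over the custom scheme.
export const sampleRequestHeaders: HeaderMap = {
  Connection: "keep-alive, X-Internal-Trace",
  "X-Internal-Trace": "abc",            // dropped: named in Connection
  Cookie: "session=constructed-value",  // kept: end-to-end
  "Transfer-Encoding": "chunked",       // dropped: hop-by-hop
  Accept: "application/json",           // kept
};

// Constructed sample: an upstream response whose body will be re-streamed.
export const sampleResponseHeaders: HeaderMap = {
  "Content-Type": "application/json",
  "Transfer-Encoding": "chunked",
  "Keep-Alive": "timeout=5",
  "Set-Cookie": "session=constructed-value; HttpOnly",
};
```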
Note: Fix local dev auth startup by stabilizing Clerk bridge initialization and HTTP request routing

- Gates `DesktopClerk.makeDesktopClerkLayer` behind an `enabled` flag, skipping bridge setup entirely when no frontend API hostname is configured.
- Updates `target.ts` to route loopback requests through the Vite dev server origin or the desktop dev custom scheme (`t3code-dev://`) as appropriate.
- Replaces `Electron.net.fetch` in `ElectronProtocol.ts` with an injected `HttpClient` (Undici at runtime), adding hop-by-hop header filtering and streaming response bodies without buffering.
- Updates `auth.ts`, treating an already-authenticated session as success instead of surfacing an error on race or retry.

Macroscope summarized ef3e801.