@agent-native/core 0.7.82 → 0.8.0

package/dist/server/auth.d.ts

@@ -144,10 +144,11 @@ export declare function runAuthGuard(event: H3Event): Promise<Response | object
  * Resolution chain:
  * 1. ACCESS_TOKEN → check legacy cookie-based token sessions
  * 2. BYOA custom getSession → delegate to template callback
- * 3. Better Auth → check session via Better Auth API (cookie or Bearer)
- * 4. Legacy cookie → check an_session cookie in legacy sessions table
- * 5. Desktop SSO broker (Electron loopback only)
- * 6. Mobile _session query param → promote to cookie
+ * 3. Bearer legacy session → check Authorization: Bearer against sessions
+ * 4. Better Auth → check session via Better Auth API (cookie or Bearer)
+ * 5. Legacy cookie → check an_session cookie in legacy sessions table
+ * 6. Desktop SSO broker (Electron loopback only)
+ * 7. Mobile _session query param → promote to cookie
  *
  * Returns `null` for unauthenticated requests. There is no dev-mode bypass:
  * local development uses the same Better Auth signup flow as production. The

package/dist/server/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAsChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AA0BlE;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;IACF;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAqBD,eAAO,MAAM,WAAW,QAER,CAAC;AAgBjB;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAoKD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AA6CD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAeD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAiQD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAoE5E;AAshCD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAiJlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAsChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AA0BlE;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;IACF;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAqBD,eAAO,MAAM,WAAW,QAER,CAAC;AAgBjB;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAyMD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AA6CD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAqQD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CA6E5E;AAmhCD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAmJlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}

package/dist/server/auth.js

@@ -1,5 +1,5 @@
 import crypto from "node:crypto";
-import { defineEventHandler, getMethod, getQuery, getRequestIP, sendRedirect, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, } from "h3";
+import { defineEventHandler, getMethod, getQuery, getRequestIP, sendRedirect, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, getHeader, } from "h3";
 // In h3 v2, `event.req` IS the web Request — but in Nitro's dev server (srvx
 // runtime), event.url and event.req share the same underlying URL object.
 // When registerMiddleware strips the mount prefix from event.url.pathname, it
@@ -216,6 +216,36 @@ function safeTokenMatch(input, tokens) {
     }
     return false;
 }
+function getBearerSessionToken(event) {
+    const auth = getHeader(event, "authorization");
+    if (!auth)
+        return undefined;
+    const match = /^Bearer\s+(.+)$/i.exec(auth.trim());
+    return match?.[1]?.trim() || undefined;
+}
+async function getBearerLegacySession(event) {
+    const bearerToken = getBearerSessionToken(event);
+    if (!bearerToken)
+        return null;
+    const email = await getSessionEmail(bearerToken);
+    return email ? { email, token: bearerToken } : null;
+}
+function shouldExposeSessionTokenInBody(event) {
+    const origin = getHeader(event, "origin");
+    if (origin && DESKTOP_AUTH_TOKEN_BODY_ORIGINS.has(origin))
+        return true;
+    // Some native WebViews do not consistently emit an Origin header for
+    // programmatic fetches. The desktop app marks same-server requests with
+    // X-Request-Source; browsers can only use that cross-origin after our CORS
+    // allowlist has approved the origin, and same-origin pages already receive
+    // an equivalent httpOnly session cookie on successful login.
+    return !origin && getHeader(event, "x-request-source") === "clips-desktop";
+}
+function authLoginResponse(event, token, email) {
+    if (!shouldExposeSessionTokenInBody(event))
+        return { ok: true };
+    return email ? { ok: true, token, email } : { ok: true, token };
+}
 // ---------------------------------------------------------------------------
 // Legacy session store — kept for backward compat (addSession/getSessionEmail)
 // Used by google-oauth.ts for mobile deep linking session creation.
@@ -331,6 +361,10 @@ function areGenericGoogleOAuthRoutesEnabled(app) {
 }
 const _desktopExchanges = new Map();
 const DESKTOP_EXCHANGE_ERROR_PREFIX = "__error__::";
+const DESKTOP_AUTH_TOKEN_BODY_ORIGINS = new Set([
+    "tauri://localhost",
+    "http://localhost:1420",
+]);
 // 5-minute TTL for exchange entries (short — single-use tokens).
 const DESKTOP_EXCHANGE_TTL_MS = 5 * 60 * 1000;
 export function setDesktopExchange(flowId, token, email) {
@@ -465,9 +499,7 @@ function applyCorsHeaders(event) {
     // response would be missing the Allow-Origin header and the browser
     // blocks the response body (making it look like a network error
     // rather than "unauthenticated").
-    const reqHeaders = (event.node?.req?.headers ?? {});
-    const originRaw = reqHeaders["origin"];
-    const origin = Array.isArray(originRaw) ? originRaw[0] : originRaw;
+    const origin = getHeader(event, "origin");
     if (!origin)
         return { hasOrigin: false, allowed: true };
     const allowedOrigin = getAllowedCorsOrigin(origin, {
@@ -633,6 +665,15 @@ function createAuthGuardFn() {
             p.endsWith(".woff")) {
             return;
         }
+        // React Router 7's lazy route discovery fetches `/__manifest?p=...` to
+        // resolve manifest patches for `<Link>`s the user might click. The
+        // auth fallback returning loginHtml here makes RR fail to parse the
+        // body as RSC, surfacing as a console error and (when the visitor
+        // already errored elsewhere) blocking the app from rendering. Let it
+        // through — it returns a tiny RSC-encoded manifest of the public
+        // route tree, no per-user data.
+        if (p === "/__manifest")
+            return;
         if (isPublicPath(normalizedUrl, publicPaths))
             return;
         const session = await getSession(event);
@@ -666,10 +707,11 @@ function mapBetterAuthSession(baSession) {
  * Resolution chain:
  * 1. ACCESS_TOKEN → check legacy cookie-based token sessions
  * 2. BYOA custom getSession → delegate to template callback
- * 3. Better Auth → check session via Better Auth API (cookie or Bearer)
- * 4. Legacy cookie → check an_session cookie in legacy sessions table
- * 5. Desktop SSO broker (Electron loopback only)
- * 6. Mobile _session query param → promote to cookie
+ * 3. Bearer legacy session → check Authorization: Bearer against sessions
+ * 4. Better Auth → check session via Better Auth API (cookie or Bearer)
+ * 5. Legacy cookie → check an_session cookie in legacy sessions table
+ * 6. Desktop SSO broker (Electron loopback only)
+ * 7. Mobile _session query param → promote to cookie
  *
  * Returns `null` for unauthenticated requests. There is no dev-mode bypass:
  * local development uses the same Better Auth signup flow as production. The
@@ -692,6 +734,9 @@ export async function getSession(event) {
         const session = await customGetSession(event);
         if (session)
             return session;
+        const bearerSession = await getBearerLegacySession(event);
+        if (bearerSession)
+            return bearerSession;
         // Desktop SSO broker: even with BYOA auth, fall back to the broker
         // for Electron requests so cross-template SSO works for custom-auth
         // templates too. Gated on `readDesktopSsoSafely` so a non-loopback
@@ -703,7 +748,12 @@ export async function getSession(event) {
         // Fall through to mobile _session check
     }
     else {
-        // 3. Better Auth session (cookie or Bearer token)
+        // 3. Bearer legacy session. Desktop/native clients can persist a session
+        // token outside the WebView cookie jar and attach it to all app requests.
+        const bearerSession = await getBearerLegacySession(event);
+        if (bearerSession)
+            return bearerSession;
+        // 4. Better Auth session (cookie or Bearer token)
         try {
             const ba = getBetterAuthSync();
             if (ba) {
@@ -718,7 +768,7 @@ export async function getSession(event) {
         catch (e) {
             console.error("[auth] ba.api.getSession error:", e);
         }
-        // 4. Legacy cookie fallback (for sessions created before migration)
+        // 5. Legacy cookie fallback (for sessions created before migration)
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie) {
             const email = await getSessionEmail(cookie);
@@ -726,7 +776,7 @@ export async function getSession(event) {
                 return { email, token: cookie };
             }
         }
-        // 5. Desktop SSO broker fallback.
+        // 6. Desktop SSO broker fallback.
         // Each template in the Electron desktop app has its own database, so
         // a session token created by one template doesn't resolve in another.
         // When an Electron request has no resolvable session, trust the
@@ -740,7 +790,7 @@ export async function getSession(event) {
             return { email: sso.email, token: sso.token };
         }
     }
-    // 6. Mobile WebView bridge — _session query param
+    // 7. Mobile WebView bridge — _session query param
     const querySession = await promoteQuerySession(event);
     if (querySession)
         return querySession;
@@ -782,21 +832,11 @@ function setFrameworkSessionCookie(event, token) {
 }
 function isHttpsRequest(event) {
     try {
-        const req = event.req ?? event.node?.req;
-        const headers = req?.headers;
-        const get = (k) => {
-            if (!headers)
-                return undefined;
-            if (typeof headers.get === "function") {
-                return headers.get(k) ?? undefined;
-            }
-            const v = headers[k];
-            return Array.isArray(v) ? v[0] : v;
-        };
-        const xfProto = get("x-forwarded-proto");
+        const xfProto = getHeader(event, "x-forwarded-proto");
         if (xfProto && String(xfProto).split(",")[0].trim() === "https") {
             return true;
         }
+        const req = event.req ?? event.node?.req;
         const url = req?.url;
         if (typeof url === "string" && url.startsWith("https://"))
             return true;
@@ -1311,7 +1351,7 @@ async function mountBetterAuthRoutes(app, options) {
                 path: "/",
                 maxAge: sessionMaxAge,
             });
-            return { ok: true };
+            return authLoginResponse(event, sessionToken, "user");
         }
         // Email/password login via Better Auth
         const email = body?.email?.trim?.()?.toLowerCase?.();
@@ -1339,7 +1379,7 @@ async function mountBetterAuthRoutes(app, options) {
                         expiresAt: Date.now() + sessionMaxAge * 1000,
                     });
                 }
-                return { ok: true };
+                return authLoginResponse(event, result.token, email);
             }
             // signInEmail succeeded but returned no token — typically means the
             // email isn't verified yet. Don't return { ok: true } without a
@@ -1390,6 +1430,9 @@ async function mountBetterAuthRoutes(app, options) {
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie)
             await removeSession(cookie);
+        const bearerToken = getBearerSessionToken(event);
+        if (bearerToken)
+            await removeSession(bearerToken);
         deleteCookie(event, COOKIE_NAME, { path: "/" });
         try {
             await auth.api.signOut({ headers: event.headers });
@@ -1526,12 +1569,15 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
             path: "/",
             maxAge: sessionMaxAge,
         });
-        return { ok: true };
+        return authLoginResponse(event, sessionToken, "user");
     }));
     app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie)
             await removeSession(cookie);
+        const bearerToken = getBearerSessionToken(event);
+        if (bearerToken)
+            await removeSession(bearerToken);
         deleteCookie(event, COOKIE_NAME, { path: "/" });
         if (isElectronRequest(event))
             await clearDesktopSso();
@@ -1586,7 +1632,7 @@ function mountAuthFallbackRoutes(app) {
                         expiresAt: Date.now() + sessionMaxAge * 1000,
                     });
                 }
-                return { ok: true };
+                return authLoginResponse(event, result.token, email);
             }
             setResponseStatus(event, 403);
             return {
@@ -1630,6 +1676,9 @@ function mountAuthFallbackRoutes(app) {
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie)
             await removeSession(cookie);
+        const bearerToken = getBearerSessionToken(event);
+        if (bearerToken)
+            await removeSession(bearerToken);
         deleteCookie(event, COOKIE_NAME, { path: "/" });
         try {
             const auth = await getBetterAuth();
@@ -1743,6 +1792,9 @@ export async function autoMountAuth(app, options = {}) {
             const cookie = getCookie(event, COOKIE_NAME);
             if (cookie)
                 await removeSession(cookie);
+            const bearerToken = getBearerSessionToken(event);
+            if (bearerToken)
+                await removeSession(bearerToken);
             deleteCookie(event, COOKIE_NAME, { path: "/" });
             if (isElectronRequest(event))
                 await clearDesktopSso();