feat: enhance authentication flow and session management, add RLS fixes release:patch

ralyodio · ralyodio · commit 167fdc1954d7 · 2026-01-26T06:48:26.000-08:00
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
@@ -199,7 +199,10 @@
       "Bash(gh api:*)",
       "Bash(set -a)",
       "Bash(source .env)",
-      "Bash(set +a)"
+      "Bash(set +a)",
+      "Bash(gh workflow run:*)",
+      "Bash(gh workflow:*)",
+      "Bash(pnpm -F @pairux/web typecheck:*)"
     ],
     "deny": [
       "Bash(npm *)",
diff --git a/apps/desktop/electron.vite.config.ts b/apps/desktop/electron.vite.config.ts
@@ -27,6 +27,7 @@ export default defineConfig({
   },
   renderer: {
     root: 'src/renderer',
+    publicDir: resolve(__dirname, 'public'),
     build: {
       outDir: 'dist/renderer',
       rollupOptions: {
diff --git a/apps/desktop/src/main/ipc/auth.ts b/apps/desktop/src/main/ipc/auth.ts
@@ -58,23 +58,26 @@ export function registerAuthHandlers(): void {
       args: { email: string; password: string }
     ): Promise<{ success: true; user: AuthUser } | { success: false; error: string }> => {
       try {
-        const result = await apiRequest<{ user: AuthUser }>('/api/auth/login', {
+        const result = await apiRequest<{
+          user: AuthUser;
+          session: { accessToken: string; refreshToken: string; expiresAt: number };
+        }>('/api/auth/login', {
           method: 'POST',
           body: JSON.stringify({ email: args.email, password: args.password }),
         });
 
-        if (!result.success || !result.data?.user) {
+        if (!result.success || !result.data) {
           console.log('[Auth] Login failed:', result.error);
           return { success: false, error: result.error ?? 'Invalid credentials' };
         }
 
-        const user = result.data.user;
+        const { user, session } = result.data;
 
-        // Store user info (no tokens needed since we use API)
+        // Store real access token for API authentication
         storeAuth({
-          accessToken: 'api-session', // Placeholder - auth is cookie-based on API
-          refreshToken: '',
-          expiresAt: Date.now() + 7 * 24 * 60 * 60 * 1000, // 7 days
+          accessToken: session.accessToken,
+          refreshToken: session.refreshToken,
+          expiresAt: session.expiresAt * 1000, // Convert to milliseconds
           user: { id: user.id, email: user.email },
         });
 
diff --git a/apps/desktop/src/main/window.ts b/apps/desktop/src/main/window.ts
@@ -1,16 +1,34 @@
-import { BrowserWindow, shell, session, desktopCapturer } from 'electron';
+import { BrowserWindow, shell, session, desktopCapturer, nativeImage } from 'electron';
 import { join } from 'path';
 
 const isDev = process.env.NODE_ENV === 'development';
 
+// Get the icon path based on environment
+function getIconPath(): string {
+  if (isDev) {
+    // Development: use resources folder relative to dist/main
+    return join(__dirname, '../../resources/icon.png');
+  }
+  // Production: icon is in resources folder of the packaged app
+  return join(__dirname, '../../resources/icon.png');
+}
+
 export async function createMainWindow(): Promise<BrowserWindow> {
+  // Load the window icon
+  const iconPath = getIconPath();
+  const icon = nativeImage.createFromPath(iconPath);
+
   const mainWindow = new BrowserWindow({
     width: 1200,
     height: 800,
     minWidth: 800,
     minHeight: 600,
     show: false,
-    titleBarStyle: process.platform === 'darwin' ? 'hiddenInset' : 'hidden',
+    icon: icon.isEmpty() ? undefined : icon,
+    // macOS: hidden inset for native look with traffic lights
+    // Windows: custom title bar overlay
+    // Linux: default titlebar to show window controls and menu
+    titleBarStyle: process.platform === 'darwin' ? 'hiddenInset' : 'default',
     titleBarOverlay:
       process.platform === 'win32'
         ? {
diff --git a/apps/desktop/src/renderer/components/capture/CapturePreview.tsx b/apps/desktop/src/renderer/components/capture/CapturePreview.tsx
@@ -250,8 +250,11 @@ export function CapturePreview({
       quality: recordingQuality,
       format: 'webm',
       includeAudio: false,
+      // Pass the existing stream so we don't need to create a new one
+      // This is especially important for Wayland where the source ID isn't a valid chromeMediaSourceId
+      existingStream: stream,
     });
-  }, [source, recordingQuality, startRecording]);
+  }, [source, recordingQuality, startRecording, stream]);
 
   const handleStopRecording = useCallback(async () => {
     await stopRecording();
diff --git a/apps/desktop/src/renderer/hooks/useRecording.ts b/apps/desktop/src/renderer/hooks/useRecording.ts
@@ -13,6 +13,8 @@ interface RecordingOptions {
   format?: RecordingFormat;
   includeAudio?: boolean;
   customPath?: string;
+  /** Existing stream to record from (for Wayland/getDisplayMedia captures) */
+  existingStream?: MediaStream;
 }
 
 interface RecordingState {
@@ -116,35 +118,46 @@ export function useRecording(options: UseRecordingOptions = {}) {
         format = 'webm',
         includeAudio = false,
         customPath,
+        existingStream,
       } = recordingOptions;
 
       try {
         // Get video constraints based on quality
         const preset = QUALITY_PRESETS[quality];
 
-        // Get media stream from the source
-        // Electron's desktopCapturer requires non-standard mandatory constraints
-        const constraints = {
-          audio: includeAudio
-            ? {
-                mandatory: {
-                  chromeMediaSource: 'desktop',
-                },
-              }
-            : false,
-          video: {
-            mandatory: {
-              chromeMediaSource: 'desktop',
-              chromeMediaSourceId: sourceId,
-              maxWidth: preset.width,
-              maxHeight: preset.height,
-              maxFrameRate: 30,
+        let stream: MediaStream;
+        let ownsStream = false;
+
+        if (existingStream) {
+          // Use existing stream (e.g., from Wayland getDisplayMedia)
+          stream = existingStream;
+          ownsStream = false;
+        } else {
+          // Get media stream from the source
+          // Electron's desktopCapturer requires non-standard mandatory constraints
+          const constraints = {
+            audio: includeAudio
+              ? {
+                  mandatory: {
+                    chromeMediaSource: 'desktop',
+                  },
+                }
+              : false,
+            video: {
+              mandatory: {
+                chromeMediaSource: 'desktop',
+                chromeMediaSourceId: sourceId,
+                maxWidth: preset.width,
+                maxHeight: preset.height,
+                maxFrameRate: 30,
+              },
             },
-          },
-        } as MediaStreamConstraints;
+          } as MediaStreamConstraints;
 
-        const stream = await navigator.mediaDevices.getUserMedia(constraints);
-        streamRef.current = stream;
+          stream = await navigator.mediaDevices.getUserMedia(constraints);
+          ownsStream = true;
+        }
+        streamRef.current = ownsStream ? stream : null; // Only track if we own it
 
         // Start recording on main process (creates file)
         const startResult = (await electronAPI.invoke('recording:start', {
@@ -153,9 +166,12 @@ export function useRecording(options: UseRecordingOptions = {}) {
         })) as { success: boolean; path?: string; error?: string };
 
         if (!startResult.success) {
-          stream.getTracks().forEach((track) => {
-            track.stop();
-          });
+          // Only stop tracks if we created the stream
+          if (ownsStream) {
+            stream.getTracks().forEach((track) => {
+              track.stop();
+            });
+          }
           return { success: false, error: startResult.error };
         }
 
diff --git a/apps/web/src/app/api/auth/login/route.ts b/apps/web/src/app/api/auth/login/route.ts
@@ -19,15 +19,21 @@ export async function POST(request: Request) {
       return errorResponse(error.message, 401);
     }
 
-    if (!data.user) {
+    if (!data.user || !data.session) {
       return errorResponse('Invalid credentials', 401);
     }
 
+    // Return tokens for desktop app authentication
     return successResponse({
       user: {
         id: data.user.id,
         email: data.user.email,
       },
+      session: {
+        accessToken: data.session.access_token,
+        refreshToken: data.session.refresh_token,
+        expiresAt: data.session.expires_at,
+      },
     });
   } catch (error) {
     return handleApiError(error);
diff --git a/apps/web/src/lib/supabase/server.ts b/apps/web/src/lib/supabase/server.ts
@@ -1,8 +1,13 @@
 /* eslint-disable @typescript-eslint/no-deprecated */
 import { createServerClient, type CookieOptions } from '@supabase/ssr';
-import { cookies } from 'next/headers';
+import { createClient as createSupabaseClient } from '@supabase/supabase-js';
+import { cookies, headers } from 'next/headers';
 import type { Database } from '@pairux/shared-types';
 
+/**
+ * Create a Supabase client for server-side use.
+ * Supports both cookie-based auth (web browser) and Bearer token auth (desktop app).
+ */
 export async function createClient() {
   const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
   const key = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
@@ -11,6 +16,27 @@ export async function createClient() {
     throw new Error('Missing Supabase environment variables');
   }
 
+  // Check for Bearer token in Authorization header (desktop app)
+  const headerStore = await headers();
+  const authHeader = headerStore.get('authorization');
+
+  if (authHeader?.startsWith('Bearer ')) {
+    const token = authHeader.slice(7);
+    // Desktop app: use token-based auth
+    return createSupabaseClient<Database>(url, key, {
+      global: {
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+      },
+      auth: {
+        persistSession: false,
+        autoRefreshToken: false,
+      },
+    });
+  }
+
+  // Web browser: use cookie-based auth
   const cookieStore = await cookies();
 
   return createServerClient<Database>(url, key, {
diff --git a/supabase/migrations/20250126000001_fix_all_rls_recursion.sql b/supabase/migrations/20250126000001_fix_all_rls_recursion.sql
@@ -0,0 +1,103 @@
+-- Fix remaining infinite recursion in RLS policies
+-- The recursion happens when:
+-- 1. Query sessions → "Participants can view their sessions" → EXISTS on session_participants
+-- 2. session_participants RLS → "Host can view session participants" → EXISTS on sessions
+-- This creates a circular dependency.
+
+-- The is_session_participant and is_session_host functions already exist from
+-- migration 20250123000002, but they haven't been applied to all problematic policies.
+
+-- =============================================================================
+-- STEP 1: Fix sessions table policies that query session_participants
+-- =============================================================================
+
+-- Drop the problematic policy on sessions table
+DROP POLICY IF EXISTS "Participants can view their sessions" ON public.sessions;
+
+-- Recreate using SECURITY DEFINER helper function
+CREATE POLICY "Participants can view their sessions"
+  ON public.sessions FOR SELECT
+  USING (
+    public.is_session_participant(id, auth.uid())
+  );
+
+-- =============================================================================
+-- STEP 2: Fix session_participants policies that query sessions
+-- =============================================================================
+
+-- Drop and recreate "Host can view session participants"
+DROP POLICY IF EXISTS "Host can view session participants" ON public.session_participants;
+
+CREATE POLICY "Host can view session participants"
+  ON public.session_participants FOR SELECT
+  USING (
+    public.is_session_host(session_id, auth.uid())
+  );
+
+-- Drop and recreate "Host can update participants"
+DROP POLICY IF EXISTS "Host can update participants" ON public.session_participants;
+
+CREATE POLICY "Host can update participants"
+  ON public.session_participants FOR UPDATE
+  USING (
+    public.is_session_host(session_id, auth.uid())
+  );
+
+-- Drop and recreate "Host can delete participants"
+DROP POLICY IF EXISTS "Host can delete participants" ON public.session_participants;
+
+CREATE POLICY "Host can delete participants"
+  ON public.session_participants FOR DELETE
+  USING (
+    public.is_session_host(session_id, auth.uid())
+  );
+
+-- =============================================================================
+-- STEP 3: Fix media_sessions policies that query session_participants or sessions
+-- =============================================================================
+
+-- Drop and recreate "Room participants can view media sessions"
+DROP POLICY IF EXISTS "Room participants can view media sessions" ON public.media_sessions;
+
+CREATE POLICY "Room participants can view media sessions"
+  ON public.media_sessions
+  FOR SELECT
+  TO authenticated
+  USING (
+    public.is_session_participant(room_id, auth.uid())
+    OR public.is_session_host(room_id, auth.uid())
+  );
+
+-- =============================================================================
+-- STEP 4: Add a helper function to check creator status
+-- =============================================================================
+
+CREATE OR REPLACE FUNCTION public.is_session_creator(p_session_id UUID, p_user_id UUID)
+RETURNS BOOLEAN
+LANGUAGE sql
+SECURITY DEFINER
+SET search_path = public
+STABLE
+AS $$
+  SELECT EXISTS (
+    SELECT 1 FROM public.sessions
+    WHERE id = p_session_id
+      AND creator_id = p_user_id
+  );
+$$;
+
+GRANT EXECUTE ON FUNCTION public.is_session_creator TO anon, authenticated;
+
+-- Update "Room creators can manage room media sessions" to use helper
+DROP POLICY IF EXISTS "Room creators can manage room media sessions" ON public.media_sessions;
+
+CREATE POLICY "Room creators can manage room media sessions"
+  ON public.media_sessions
+  FOR ALL
+  TO authenticated
+  USING (
+    public.is_session_creator(room_id, auth.uid())
+  )
+  WITH CHECK (
+    public.is_session_creator(room_id, auth.uid())
+  );
