Files
multica/packages/core/platform/auth-initializer.tsx
Bohan Jiang 6c17771cce fix: re-sign inline attachment media for token-mode clients (#4085)
The two prior MUL-3254 fixes preserved draft/description state across a
modal close, but Desktop still could not RENDER the reopened image: in
CloudFront signed-URL mode every URL the renderer holds after reopen is
unloadable. The persisted record strips the expired signed download_url,
the raw CDN url is unsigned (403 on a signed distribution), and the
durable /api/attachments/<id>/download endpoint needs credentials that a
cross-site file:// <img> fetch cannot carry (web works via the same-site
session cookie, which is why the bug was desktop-only).

Two changes close the last mile:

- /api/config now reports cdn_signed when CloudFront signing is enabled,
  and pickInlineMediaURL stops picking the raw (unsigned) CDN url in
  that mode — it is a guaranteed 403.
- The Attachment renderer upgrades an auth-gated media URL to a freshly
  signed one via authenticated GET /api/attachments/<id> (the same
  re-sign the click-time download path already does), but only on
  clients without a same-origin /api proxy (api.getBaseUrl() non-empty:
  Desktop, mobile webview). Cached via TanStack Query with a 20-minute
  staleTime, inside the server's 30-minute signed-URL TTL.

Old servers omit cdn_signed; the schema defaults it to false so behavior
is unchanged there. Non-CloudFront deployments return the API path again
from the metadata fetch and the renderer keeps the original URL.

Co-authored-by: J <j@multica.ai>
Co-authored-by: multica-agent <github@multica.ai>
2026-06-15 13:54:36 +08:00

144 lines
4.5 KiB
TypeScript

"use client";
import { useEffect, type ReactNode } from "react";
import { useQueryClient } from "@tanstack/react-query";
import { getApi } from "../api";
import { useAuthStore } from "../auth";
import {
captureSignupSource,
identify as identifyAnalytics,
initAnalytics,
resetAnalytics,
} from "../analytics";
import { configStore } from "../config";
import { workspaceKeys } from "../workspace/queries";
import { createLogger } from "../logger";
import { defaultStorage } from "./storage";
import { setCurrentWorkspace } from "./workspace-storage";
import type { ClientIdentity } from "./types";
import type { StorageAdapter } from "../types/storage";
import type { User } from "../types";
const logger = createLogger("auth");
export function AuthInitializer({
children,
onLogin,
onLogout,
storage = defaultStorage,
cookieAuth,
identity,
}: {
children: ReactNode;
onLogin?: () => void;
onLogout?: () => void;
storage?: StorageAdapter;
cookieAuth?: boolean;
identity?: ClientIdentity;
}) {
const qc = useQueryClient();
useEffect(() => {
const api = getApi();
// Stamp attribution before anything else — the signup event (server-side)
// reads this cookie, so it has to be present before the user hits submit.
captureSignupSource();
// Fetch app config (CDN domain, PostHog key, …) in the background — non-blocking.
api
.getConfig()
.then((cfg) => {
if (cfg.cdn_domain) {
configStore.getState().setCdnConfig({
cdnDomain: cfg.cdn_domain,
// Old servers omit this — false keeps the previous behavior.
cdnSigned: cfg.cdn_signed === true,
});
}
configStore.getState().setAuthConfig({
allowSignup: cfg.allow_signup,
googleClientId: cfg.google_client_id,
// Old servers omit this field — treat that as "creation allowed"
// (the managed-cloud default) rather than blocking the UI.
workspaceCreationDisabled: cfg.workspace_creation_disabled === true,
});
configStore.getState().setDaemonConfig({
daemonServerUrl: cfg.daemon_server_url,
daemonAppUrl: cfg.daemon_app_url,
});
if (cfg.posthog_key) {
initAnalytics({
key: cfg.posthog_key,
host: cfg.posthog_host || "",
appVersion: identity?.version,
environment: cfg.analytics_environment,
});
}
})
.catch(() => {
/* config is optional — legacy file card matching degrades gracefully */
});
const onAuthSuccess = (user: User) => {
onLogin?.();
useAuthStore.setState({ user, isLoading: false });
identifyAnalytics(user.id, { email: user.email, name: user.name });
};
const onAuthFailure = () => {
onLogout?.();
resetAnalytics();
useAuthStore.setState({ user: null, isLoading: false });
};
if (cookieAuth) {
// Cookie mode: the HttpOnly cookie is sent automatically by the browser.
// Call the API to check if the session is still valid.
//
// Seed the workspace list into React Query so the URL-driven layout can
// resolve the slug without a second fetch. The active workspace itself
// is derived from the URL by [workspaceSlug]/layout.tsx — no imperative
// selection here.
Promise.all([api.getMe(), api.listWorkspaces()])
.then(([user, wsList]) => {
onAuthSuccess(user);
qc.setQueryData(workspaceKeys.list(), wsList);
})
.catch((err) => {
logger.error("cookie auth init failed", err);
onAuthFailure();
});
return;
}
// Token mode: read from localStorage (Electron / legacy).
const token = storage.getItem("multica_token");
if (!token) {
onLogout?.();
useAuthStore.setState({ isLoading: false });
return;
}
api.setToken(token);
Promise.all([api.getMe(), api.listWorkspaces()])
.then(([user, wsList]) => {
onAuthSuccess(user);
// Seed React Query cache so the URL-driven layout can resolve the
// slug without a second fetch.
qc.setQueryData(workspaceKeys.list(), wsList);
})
.catch((err) => {
logger.error("auth init failed", err);
api.setToken(null);
setCurrentWorkspace(null, null);
storage.removeItem("multica_token");
onAuthFailure();
});
// eslint-disable-next-line react-hooks/exhaustive-deps
}, []);
return <>{children}</>;
}