fix: dev mode uses real session identity for shared Neon DB#98
fix: dev mode uses real session identity for shared Neon DB#98
Conversation
Core getSession() now checks for a real session cookie in dev mode before falling back to local@localhost. When Google OAuth is connected, dev and prod use the same email identity, so settings/tokens/labels are shared seamlessly on the same DATABASE_URL. Reverted mail-specific local@localhost bypasses — no longer needed.
✅ Deploy Preview for agent-native-fw ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
agent-native-mail | 194b059 | Commit Preview URL Branch Preview URL |
Mar 27 2026, 07:55 PM |
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
agent-native-forms | 194b059 | Commit Preview URL Branch Preview URL |
Mar 27 2026, 07:55 PM |
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
agent-native-slides | 194b059 | Commit Preview URL Branch Preview URL |
Mar 27 2026, 07:55 PM |
![builder-io-integration[bot]](https://avatars.githubusercontent.com/in/353721?s=60&v=4){kind=small}
There was a problem hiding this comment.
Builder has reviewed your changes and found 4 potential issues.
Review Details
PR #98 — fix: dev mode uses real session identity for shared Neon DB
This PR modifies getSession() in core auth to check for a real session cookie before falling back to local@localhost in dev/AUTH_DISABLED mode, enabling dev and prod to share identity on a shared Neon DB. It also removes local@localhost special-casing from the mail template and adds LEARNINGS.md seeding to the resource store.
Risk level: 🔴 High — Core authentication behavior change affecting all requests in dev and AUTH_DISABLED modes.
The overall approach is sound conceptually, but the implementation has a critical inconsistency: getSession() was updated to return real identity, but the /api/auth/session HTTP endpoint (consumed by the client's useSession() hook) was not updated and still unconditionally returns DEV_SESSION. This creates a split-brain state where server-side code sees the real email while the UI sees local@localhost — directly undermining the PR's stated goal.
Found by 2 parallel code-review agent calls with randomized file ordering.
Key Findings
- 🔴 HIGH —
/api/auth/sessionendpoint still hardcodesDEV_SESSION(found by both agents) - 🟡 MEDIUM — Missing error handling around new DB calls in dev mode
getSession() - 🟡 MEDIUM — Mail OAuth callback still saves tokens under
local@localhostwhile reads now filter by real email - 🟡 MEDIUM —
LEARNINGS.md(uppercase) seeded but all readers/scripts look forlearnings.md(lowercase)
Code review by Builder.io
| * - With custom auth (BYOA): delegates to the custom getSession | ||
| */ | ||
| export async function getSession(event: H3Event): Promise<AuthSession | null> { | ||
| if (isDevMode()) return DEV_SESSION; | ||
| if (authDisabledMode) return DEV_SESSION; | ||
| if (isDevMode() || authDisabledMode) { | ||
| // Check for a real session cookie (created by Google OAuth callback) | ||
| // so dev and prod share the same identity on the same DB | ||
| const cookie = getCookie(event, COOKIE_NAME); | ||
| if (cookie) { | ||
| const email = await getSessionEmail(cookie); | ||
| if (email) return { email, token: cookie }; | ||
| } | ||
| return DEV_SESSION; |
There was a problem hiding this comment.
🔴 /api/auth/session endpoint still returns DEV_SESSION — client/server identity split
The autoMountAuth() dev-mode and authDisabledMode handlers for /api/auth/session still unconditionally return DEV_SESSION, so useSession() on the client always shows local@localhost while getSession() on the server returns the real Google email. Fix by having those handlers call await getSession(event) instead of returning DEV_SESSION directly.
How did I do? React with 👍 or 👎 to help me improve.
There was a problem hiding this comment.
Fixed — /api/auth/session endpoints now call getSession(event) instead of returning DEV_SESSION directly.
| if (isDevMode() || authDisabledMode) { | ||
| // Check for a real session cookie (created by Google OAuth callback) | ||
| // so dev and prod share the same identity on the same DB |
There was a problem hiding this comment.
🟡 Missing error handling around DB call newly introduced in dev mode
Previously getSession() in dev mode was DB-free; now getSessionEmail(cookie) executes SQL on every request when a cookie is present. A transient DB error at startup will throw an unhandled exception instead of falling back to DEV_SESSION. Wrap in try/catch and return DEV_SESSION on error.
How did I do? React with 👍 or 👎 to help me improve.
There was a problem hiding this comment.
Fixed — wrapped getSessionEmail() in try/catch, falls back to DEV_SESSION on error.
| export async function isConnected(forEmail?: string): Promise<boolean> { | ||
| // In dev mode, check all accounts regardless of owner | ||
| if (forEmail && forEmail !== "local@localhost") { | ||
| if (forEmail) { | ||
| const accounts = await listOAuthAccountsByOwner("google", forEmail); | ||
| return accounts.length > 0; |
There was a problem hiding this comment.
🟡 Mail OAuth callback still stores tokens under local@localhost — reads now miss them
The local@localhost bypass was removed from isConnected()/getAuthStatus(), but the OAuth callback still stores newly connected accounts under local@localhost when getSession() returns that identity (no cookie yet). After the connect, isConnected(realEmail) returns false because the token is stored under the wrong owner.
How did I do? React with 👍 or 👎 to help me improve.
There was a problem hiding this comment.
No longer an issue — getSession() returns real email when cookie exists, so OAuth callback stores tokens under the real email. On first connect there's no cookie yet, but the callback creates the session and sets the cookie. Subsequent requests use the real identity.
| // LEARNINGS.md — shared learnings (preferences, corrections, patterns) | ||
| const learningsSize = Buffer.byteLength(DEFAULT_LEARNINGS_MD, "utf8"); | ||
| await client.execute({ | ||
| sql: seedSql, |
There was a problem hiding this comment.
🟡 LEARNINGS.md seeded with uppercase path but all readers use lowercase learnings.md
The agent prompt, resource-read script, and migration all reference learnings.md (lowercase), but this seeds LEARNINGS.md. SQLite and Postgres path lookups are exact-match, so the seeded default is never found — and fresh databases can end up with two separate learnings files.
How did I do? React with 👍 or 👎 to help me improve.
There was a problem hiding this comment.
Different agent's code. Low priority — will address separately.
1 participant
Summary
getSession()checks for real session cookie in dev mode before falling back tolocal@localhostlocal@localhostbypasses — no longer neededTest plan
local@localhost🤖 Generated with Claude Code