mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
fc0c6bc163
* fix(convex): use ConvexError for AUTH_REQUIRED so Sentry treats it as expected
WORLDMONITOR-N3: 8 events / 2 users from server-side Convex reporting
`Uncaught Error: Authentication required` thrown by requireUserId() when
a query fires before the WebSocket auth handshake completes. Every other
business error in this repo uses ConvexError("CODE"), which Convex's
server-side Sentry integration treats as expected rather than unhandled.
Migrate requireUserId to ConvexError("AUTH_REQUIRED") (no consumer parses
the message string — only a code comment references it) and add a matching
client-side ignoreErrors pattern next to the existing API_ACCESS_REQUIRED
precedent, as defense-in-depth against unhandled rejections reaching the
browser SDK.
* fix(sentry): drop broad AUTH_REQUIRED ignoreErrors — too many real call sites
Review feedback: requireUserId() backs user-initiated actions (checkout,
billing portal, API key ops), not just the benign query-race path. A bare
`ConvexError: AUTH_REQUIRED` message-regex in ignoreErrors has no stack
context, so a genuine auth regression breaking those flows for signed-in
users would be silently dropped. The server-side ConvexError migration in
convex/lib/auth.ts is enough to silence WORLDMONITOR-N3; anything that
still reaches the browser SDK should surface.
67 lines
2.1 KiB
TypeScript
67 lines
2.1 KiB
TypeScript
import { ConvexError } from "convex/values";
|
|
import { QueryCtx, MutationCtx, ActionCtx } from "../_generated/server";
|
|
|
|
export const DEV_USER_ID = "test-user-001";
|
|
|
|
/**
|
|
* True only when explicitly running `convex dev` (which sets CONVEX_IS_DEV).
|
|
* Never infer dev mode from missing env vars — that would make production
|
|
* behave like dev if CONVEX_CLOUD_URL happens to be unset.
|
|
*/
|
|
export const isDev = process.env.CONVEX_IS_DEV === "true";
|
|
|
|
/**
|
|
* Returns the current user's ID, or null if unauthenticated.
|
|
*
|
|
* Resolution order:
|
|
* 1. Real auth identity from Clerk/Convex auth (ctx.auth.getUserIdentity)
|
|
* 2. Dev-only fallback to test-user-001 (only when CONVEX_IS_DEV=true)
|
|
*
|
|
* This is the sole entry point for resolving the current user —
|
|
* no Convex function should call auth APIs directly.
|
|
*/
|
|
export async function resolveUserId(
|
|
ctx: QueryCtx | MutationCtx | ActionCtx,
|
|
): Promise<string | null> {
|
|
const identity = await ctx.auth.getUserIdentity();
|
|
if (identity?.subject) {
|
|
return identity.subject;
|
|
}
|
|
|
|
if (isDev) {
|
|
return DEV_USER_ID;
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Returns the full user identity (name, email, etc.) or null.
|
|
* Use when you need more than just the user ID (e.g., checkout prefill).
|
|
*/
|
|
export async function resolveUserIdentity(
|
|
ctx: QueryCtx | MutationCtx | ActionCtx,
|
|
): Promise<{ subject: string; name?: string; givenName?: string; familyName?: string; email?: string } | null> {
|
|
const identity = await ctx.auth.getUserIdentity();
|
|
if (identity?.subject) return identity;
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Returns the current user's ID or throws if unauthenticated.
|
|
* Use for mutations/actions that always require auth.
|
|
*/
|
|
export async function requireUserId(
|
|
ctx: QueryCtx | MutationCtx | ActionCtx,
|
|
): Promise<string> {
|
|
const userId = await resolveUserId(ctx);
|
|
if (!userId) {
|
|
// Throw as ConvexError so Convex's server-side Sentry integration treats it
|
|
// as an expected business error (WebSocket/auth races on query fire) rather
|
|
// than reporting every unauthed query fire as an unhandled exception
|
|
// (WORLDMONITOR-N3).
|
|
throw new ConvexError("AUTH_REQUIRED");
|
|
}
|
|
return userId;
|
|
}
|