refactor(desktop): Manage auth token in renderer instead of main thread for cleaner code / better interop with better auth

apps/desktop/package.json

@@ -70,6 +70,7 @@
 		"@xterm/addon-webgl": "^0.18.0",
 		"@xterm/headless": "^5.5.0",
 		"@xterm/xterm": "^5.5.0",
+		"better-auth": "^1.4.9",
 		"better-sqlite3": "12.5.0",
 		"bindings": "^1.5.0",
 		"clsx": "^2.1.1",

apps/desktop/src/lib/trpc/routers/auth/index.ts

@@ -1,62 +1,113 @@
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
 import { AUTH_PROVIDERS } from "@superset/shared/constants";
 import { observable } from "@trpc/server/observable";
-import { type AuthSession, authService } from "main/lib/auth";
+import { shell } from "electron";
+import { env } from "main/env.main";
 import { z } from "zod";
 import { publicProcedure, router } from "../..";
-
-/** Auth state emitted by onAuthState subscription */
-export type AuthState = (AuthSession & { token: string | null }) | null;
+import {
+	authEvents,
+	loadToken,
+	saveToken,
+	stateStore,
+	TOKEN_FILE,
+} from "./utils/auth-functions";
 
 export const createAuthRouter = () => {
 	return router({
-		onAuthState: publicProcedure.subscription(() => {
-			return observable<AuthState>((emit) => {
-				const emitCurrent = () => {
-					const sessionData = authService.getSession();
-					const token = authService.getAccessToken();
+		/**
+		 * Get initial token from encrypted disk storage.
+		 * Called once on app startup for hydration.
+		 */
+		getStoredToken: publicProcedure.query(async () => {
+			return await loadToken();
+		}),
 
-					if (!sessionData) {
-						emit.next(null);
-						return;
+		/**
+		 * Persist token to encrypted disk storage.
+		 * Called when renderer saves token to localStorage.
+		 */
+		persistToken: publicProcedure
+			.input(
+				z.object({
+					token: z.string(),
+					expiresAt: z.string(),
+				}),
+			)
+			.mutation(async ({ input }) => {
+				await saveToken(input);
+				return { success: true };
+			}),
+
+		/**
+		 * Subscribe to token changes from deep link callbacks.
+		 * CRITICAL: Notifies renderer when OAuth callback saves new token.
+		 * Without this, renderer wouldn't know to update localStorage after OAuth.
+		 */
+		onTokenChanged: publicProcedure.subscription(() => {
+			return observable<{ token: string; expiresAt: string } | null>((emit) => {
+				// Emit initial token on subscription
+				loadToken().then((initial) => {
+					if (initial.token && initial.expiresAt) {
+						emit.next({ token: initial.token, expiresAt: initial.expiresAt });
 					}
+				});
 
-					emit.next({ ...sessionData, token });
+				const handler = (data: { token: string; expiresAt: string }) => {
+					emit.next(data);
 				};
 
-				emitCurrent();
-
-				const sessionHandler = () => {
-					emitCurrent();
-				};
-				const stateHandler = () => {
-					emitCurrent();
-				};
-
-				authService.on("session-changed", sessionHandler);
-				authService.on("state-changed", stateHandler);
+				authEvents.on("token-saved", handler);
 
 				return () => {
-					authService.off("session-changed", sessionHandler);
-					authService.off("state-changed", stateHandler);
+					authEvents.off("token-saved", handler);
 				};
 			});
 		}),
 
-		setActiveOrganization: publicProcedure
-			.input(z.object({ organizationId: z.string() }))
-			.mutation(async ({ input }) => {
-				await authService.setActiveOrganization(input.organizationId);
-				return { success: true };
-			}),
-
+		/**
+		 * Start OAuth sign-in flow.
+		 * Opens browser for OAuth, token delivered via deep link callback.
+		 */
 		signIn: publicProcedure
 			.input(z.object({ provider: z.enum(AUTH_PROVIDERS) }))
 			.mutation(async ({ input }) => {
-				return authService.signIn(input.provider);
+				try {
+					const state = crypto.randomBytes(32).toString("base64url");
+					stateStore.set(state, Date.now());
+
+					// Clean up old states (older than 10 minutes)
+					const tenMinutesAgo = Date.now() - 10 * 60 * 1000;
+					for (const [s, ts] of stateStore) {
+						if (ts < tenMinutesAgo) stateStore.delete(s);
+					}
+
+					const connectUrl = new URL(
+						`${env.NEXT_PUBLIC_API_URL}/api/auth/desktop/connect`,
+					);
+					connectUrl.searchParams.set("provider", input.provider);
+					connectUrl.searchParams.set("state", state);
+					await shell.openExternal(connectUrl.toString());
+					return { success: true };
+				} catch (err) {
+					return {
+						success: false,
+						error:
+							err instanceof Error ? err.message : "Failed to open browser",
+					};
+				}
 			}),
 
+		/**
+		 * Sign out - clears token from disk.
+		 * Renderer should also clear localStorage and call authClient.signOut().
+		 */
 		signOut: publicProcedure.mutation(async () => {
-			await authService.signOut();
+			console.log("[auth] Clearing token");
+			try {
+				await fs.unlink(TOKEN_FILE);
+			} catch {}
 			return { success: true };
 		}),
 	});

apps/desktop/src/lib/trpc/routers/auth/utils/auth-functions.ts

@@ -0,0 +1,99 @@
+import { EventEmitter } from "node:events";
+import fs from "node:fs/promises";
+import { join } from "node:path";
+import { PROTOCOL_SCHEMES } from "@superset/shared/constants";
+import { SUPERSET_HOME_DIR } from "main/lib/app-environment";
+import { decrypt, encrypt } from "./crypto-storage";
+
+interface StoredAuth {
+	token: string;
+	expiresAt: string;
+}
+
+export const TOKEN_FILE = join(SUPERSET_HOME_DIR, "auth-token.enc");
+export const stateStore = new Map<string, number>();
+
+/**
+ * Event emitter for auth-related events.
+ * Used by tRPC subscription to notify renderer of token changes.
+ */
+export const authEvents = new EventEmitter();
+
+/**
+ * Load token from encrypted disk storage.
+ */
+export async function loadToken(): Promise<{
+	token: string | null;
+	expiresAt: string | null;
+}> {
+	try {
+		const data = decrypt(await fs.readFile(TOKEN_FILE));
+		const parsed: StoredAuth = JSON.parse(data);
+		console.log("[auth] Token loaded from disk");
+		return { token: parsed.token, expiresAt: parsed.expiresAt };
+	} catch {
+		return { token: null, expiresAt: null };
+	}
+}
+
+/**
+ * Persist token to encrypted disk storage and notify subscribers.
+ */
+export async function saveToken({
+	token,
+	expiresAt,
+}: {
+	token: string;
+	expiresAt: string;
+}): Promise<void> {
+	const storedAuth: StoredAuth = { token, expiresAt };
+	await fs.writeFile(TOKEN_FILE, encrypt(JSON.stringify(storedAuth)));
+	console.log("[auth] Token saved to disk");
+
+	// Emit event for onTokenChanged subscription
+	authEvents.emit("token-saved", { token, expiresAt });
+}
+
+/**
+ * Handle OAuth callback from deep link.
+ * Validates CSRF state and saves token.
+ */
+export async function handleAuthCallback(params: {
+	token: string;
+	expiresAt: string;
+	state: string;
+}): Promise<{ success: boolean; error?: string }> {
+	if (!stateStore.has(params.state)) {
+		return { success: false, error: "Invalid or expired auth session" };
+	}
+	stateStore.delete(params.state);
+
+	await saveToken({ token: params.token, expiresAt: params.expiresAt });
+
+	return { success: true };
+}
+
+/**
+ * Parse and validate auth deep link URL.
+ */
+export function parseAuthDeepLink(
+	url: string,
+): { token: string; expiresAt: string; state: string } | null {
+	try {
+		const parsed = new URL(url);
+		const validProtocols = [
+			`${PROTOCOL_SCHEMES.PROD}:`,
+			`${PROTOCOL_SCHEMES.DEV}:`,
+		];
+		if (!validProtocols.includes(parsed.protocol)) return null;
+		if (parsed.host !== "auth" || parsed.pathname !== "/callback") return null;
+
+		const token = parsed.searchParams.get("token");
+		const expiresAt = parsed.searchParams.get("expiresAt");
+		const state = parsed.searchParams.get("state");
+		if (!token || !expiresAt || !state) return null;
+		return { token, expiresAt, state };
+	} catch {
+		return null;
+	}
+}

apps/desktop/src/lib/trpc/routers/index.ts

@@ -13,10 +13,8 @@ import { createPortsRouter } from "./ports";
 import { createProjectsRouter } from "./projects";
 import { createRingtoneRouter } from "./ringtone";
 import { createSettingsRouter } from "./settings";
-import { createTasksRouter } from "./tasks";
 import { createTerminalRouter } from "./terminal";
 import { createUiStateRouter } from "./ui-state";
-import { createUserRouter } from "./user";
 import { createWindowRouter } from "./window";
 import { createWorkspacesRouter } from "./workspaces";
 
@@ -25,7 +23,6 @@ export const createAppRouter = (getWindow: () => BrowserWindow | null) => {
 		analytics: createAnalyticsRouter(),
 		auth: createAuthRouter(),
 		autoUpdate: createAutoUpdateRouter(),
-		user: createUserRouter(),
 		window: createWindowRouter(getWindow),
 		projects: createProjectsRouter(getWindow),
 		workspaces: createWorkspacesRouter(),
@@ -40,7 +37,6 @@ export const createAppRouter = (getWindow: () => BrowserWindow | null) => {
 		config: createConfigRouter(),
 		uiState: createUiStateRouter(),
 		ringtone: createRingtoneRouter(),
-		tasks: createTasksRouter(),
 	});
 };
 

apps/desktop/src/main/index.ts

@@ -6,11 +6,14 @@ import path from "node:path";
 import { settings } from "@superset/local-db";
 import { app, BrowserWindow, dialog } from "electron";
 import { makeAppSetup } from "lib/electron-app/factories/app/setup";
+import {
+	handleAuthCallback,
+	parseAuthDeepLink,
+} from "lib/trpc/routers/auth/utils/auth-functions";
 import { DEFAULT_CONFIRM_ON_QUIT, PROTOCOL_SCHEME } from "shared/constants";
 import { setupAgentHooks } from "./lib/agent-setup";
 import { posthog } from "./lib/analytics";
 import { initAppState } from "./lib/app-state";
-import { authService, parseAuthDeepLink } from "./lib/auth";
 import { setupAutoUpdater } from "./lib/auto-updater";
 import { localDb } from "./lib/local-db";
 import { ensureShellEnvVars } from "./lib/shell-env";
@@ -41,7 +44,7 @@ async function processDeepLink(url: string): Promise<void> {
 	const authParams = parseAuthDeepLink(url);
 	if (!authParams) return;
 
-	const result = await authService.handleAuthCallback(authParams);
+	const result = await handleAuthCallback(authParams);
 	if (result.success) {
 		focusMainWindow();
 	} else {
@@ -206,7 +209,6 @@ if (!gotTheLock) {
 		await app.whenReady();
 
 		await initAppState();
-		await authService.initialize();
 
 		// Resolve shell environment before setting up agent hooks
 		// This ensures ZDOTDIR and PATH are available for terminal initialization