Skip to content

[Fix] Token Store Overrides are now Respected #1156

Merged
nams1570 merged 1 commit intodevfrom
spike-bun-header-issue
Feb 4, 2026
Merged

[Fix] Token Store Overrides are now Respected #1156
nams1570 merged 1 commit intodevfrom
spike-bun-header-issue

Conversation

@nams1570
Copy link
Collaborator

@nams1570 nams1570 commented Feb 4, 2026
edited by coderabbitai bot
Loading

Context

Recently, a user raised this issue, which indicated that tokenOverrides were not being respected/used in the getUser() function. If we trace the flow through this function, we see this._getSession -> this._getOrCreateTokenStore -> _createCookieHelper -> createCookieHelper -> createNextCookieHelper -> await rscHeaders(). What this means is that even when a requestLike tokenOverride was passed, we would not end up using it because the createCookieHelper call occurs before the extant override checking logic in getOrCreateTokenStore, and the createCookieHelper didn't check the override but only the default tokenStoreInit. This caused the error to propagate up.

Summary of Changes

We check the tokenStoreOverride in the createCookieHelper function now, preventing this issue from happening. We also add extra test coverage to verify that overrides are respected, and don't overwrite the default token store.

Out of Scope Discussion

The original issue was raised with a bun runtime running next.js code. There seems to be some incompatibility between bun 1.3.8 and nextjs 15+, not just with our backend but with fetching and working with responses from any nextjs server.

Summary by CodeRabbit

  • Tests

    • Added comprehensive authentication flow tests validating token retrieval via cookies and custom headers, covering server/client resolution and ensuring token-store overrides don’t leak into the app’s default store.

  • Refactor

    • Improved token store initialization to support per-call overrides, allowing more flexible authentication handling for cookie-based flows.

Copilot AI review requested due to automatic review settings February 4, 2026 01:34
@vercel
Copy link

vercel bot commented Feb 4, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
stack-backend Ready Ready Preview, Comment Feb 4, 2026 2:27am
stack-dashboard Ready Ready Preview, Comment Feb 4, 2026 2:27am
stack-demo Ready Ready Preview, Comment Feb 4, 2026 2:27am
stack-docs Ready Ready Preview, Comment Feb 4, 2026 2:27am

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 4, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Adds request-like tokenStore authentication tests and a per-call overrideTokenStoreInit passthrough to cookie helper logic, plus a tiny formatting cleanup.

Changes

Cohort / File(s) Summary
Authentication Testing
apps/e2e/tests/js/auth-like.test.ts		 Adds extensive tests (request-like tokenStore scenarios) exercising auth via cookie headers, x-stack-auth header, absence of cookies, and isolation of tokenStore overrides.
Token Store Override
packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts		 Adds optional overrideTokenStoreInit parameter to _createCookieHelper and threads it through _getSession, enabling per-call tokenStore initialization selection with fallback to instance default.
Code Cleanup
packages/stack-shared/src/interface/client-interface.ts		 Minor formatting removal of a blank line in sendClientRequest; no logic change.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ClientApp as ClientApp/_getSession
    participant CookieHelper as _createCookieHelper
    participant TokenStore
    participant Server as serverApp.getUser

    Client->>ClientApp: request session (maybe with request-like tokenStore)
    ClientApp->>CookieHelper: create cookie helper (pass overrideTokenStoreInit?)
    CookieHelper->>TokenStore: initialize using override or instance default
    ClientApp->>Server: serverApp.getUser (uses request-like tokenStore / cookies)
    Server->>TokenStore: read tokens from provided tokenStore/cookies
    Server-->>ClientApp: user payload
    ClientApp-->>Client: session/user response
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Poem

🐰
I nibbled through cookies, found a new path fine,
Request-like stores and headers all in line.
Overrides snug, tests hopped through the door,
Tokens twirl, user found—then one hop more! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly identifies the main fix: token store overrides are now respected. It accurately summarizes the primary change in the changeset.
Description check ✅ Passed The description includes context explaining the issue, a clear summary of changes made, and notes on out-of-scope items. It comprehensively documents the problem, solution, and testing additions.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch spike-bun-header-issue

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Feb 4, 2026

Greptile Overview

Greptile Summary

This PR fixes a subtle override ordering bug in the Stack client app implementation: _getSession() now threads overrideTokenStoreInit into _createCookieHelper(), ensuring request-like tokenStore overrides are respected when the cookie helper is created (instead of always using the default token store init).

It also adds e2e coverage for getUser({ tokenStore: requestLike }) via Cookie headers and x-stack-auth, plus a regression assertion that using an override does not mutate the app’s default token store.

Main concern is around the new cookie-based test: it appears to construct stack-access and cookie values in a format that may not match real cookie writer/reader expectations, which could make the test flaky or not actually exercise the intended path reliably.

Confidence Score: 4/5

  • This PR is likely safe to merge; the functional change is small and targeted, with added coverage.
  • The core change (passing overrideTokenStoreInit through to cookie helper creation) is low-surface-area and aligns with the described bug. Added tests improve confidence, but the cookie override test may be brittle if cookie formats/encoding don’t match production, reducing certainty slightly.
  • apps/e2e/tests/js/auth-like.test.ts (cookie construction/encoding in new request-like override tests)

Important Files Changed

Filename Overview
apps/e2e/tests/js/auth-like.test.ts Adds request-like tokenStore override coverage for getUser via cookies and x-stack-auth headers; test cookie construction likely doesn’t match real cookie formats and may be flaky.
packages/stack-shared/src/interface/client-interface.ts Removes an extra blank line; no functional changes.
packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts Threads overrideTokenStoreInit into _createCookieHelper so cookie helpers respect token store overrides when creating sessions.

Sequence Diagram

sequenceDiagram
  autonumber
  participant Caller as App caller
  participant App as _StackClientAppImplIncomplete
  participant CookieHelper as CookieHelper factory
  participant TokenStore as _getOrCreateTokenStore
  participant Session as InternalSession

  Caller->>App: getUser({ tokenStore: override })
  Note over App: overrideTokenStoreInit derived from override
  App->>CookieHelper: _createCookieHelper(overrideTokenStoreInit)
  CookieHelper-->>App: CookieHelper (real vs placeholder)
  App->>TokenStore: _getOrCreateTokenStore(cookieHelper, overrideTokenStoreInit)
  TokenStore-->>App: Store<TokenObject>
  App->>Session: _getSessionFromTokenStore(store)
  Session-->>App: InternalSession
  App-->>Caller: user (resolved via override token store)

  Note over App,CookieHelper: PR change: overrideTokenStoreInit now influences _createCookieHelper
Loading

greptile-apps[bot]
greptile-apps bot reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 files reviewed, 2 comments

Edit Code Review Agent Settings | Greptile

Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes getUser() so tokenStore overrides (especially request-like objects) are respected during session initialization, avoiding premature Next.js RSC headers()/cookies() access (e.g., Bun middleware context).

Changes:

  • Thread overrideTokenStoreInit through _getSession()_createCookieHelper() so cookie helpers aren’t created when the override doesn’t require cookies.
  • Add E2E coverage for request-like tokenStore overrides (cookie header + x-stack-auth) and verify overrides don’t mutate the default store.
  • Minor formatting cleanup in the shared client interface.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts Uses the override tokenStore init to decide whether to create a real cookie helper, preventing RSC header access when an override is provided.
packages/stack-shared/src/interface/client-interface.ts Removes an extra blank line (no functional impact).
apps/e2e/tests/js/auth-like.test.ts Adds E2E tests validating request-like tokenStore overrides are honored and don’t overwrite default token store state.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@nams1570 nams1570 requested a review from N2D4 February 4, 2026 01:54
N2D4
N2D4 approved these changes Feb 4, 2026
View reviewed changes
@nams1570 nams1570 force-pushed the spike-bun-header-issue branch from 51e60c1 to 165f3f5 Compare February 4, 2026 02:18
@nams1570 nams1570 force-pushed the spike-bun-header-issue branch from 165f3f5 to 0d80aac Compare February 4, 2026 02:19
@nams1570 nams1570 merged commit bb69ee4 into dev Feb 4, 2026
27 checks passed
@nams1570 nams1570 deleted the spike-bun-header-issue branch February 4, 2026 02:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@N2D4 N2D4 N2D4 approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@nams1570 nams1570

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nams1570 @N2D4