🥅 server: fix bad session issue, fingerprint validator errors by code #732

Merged
cruzdanilo merged 4 commits into main from catch
Feb 6, 2026

Conversation

@cruzdanilo (Member) commented Feb 6, 2026

sentry error: https://exactly.sentry.io/issues/7195875235/events/6d2aa6b11f3546328e90412bd89dacea/

Summary by CodeRabbit

  • Bug Fixes
    • Session delivery now supports both header and cookie mechanisms for improved reliability
    • Authentication cookies configured with explicit path settings
    • Error fingerprinting enhanced for better diagnostic tracking

changeset-bot bot commented Feb 6, 2026

🦋 Changeset detected

Latest commit: 36db52b

The changes in this PR will be included in the next version bump.

@gemini-code-assist bot commented

Summary of Changes

Hello @cruzdanilo, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces significant improvements to how user sessions are managed and how validation errors are reported. By implementing a flexible session ID retrieval strategy that supports both cookies and a custom header, it aims to resolve "bad session" issues and enhance compatibility across different client environments. Concurrently, the integration of code-based fingerprinting for validation errors will streamline debugging and monitoring in Sentry.

Highlights

  • Session Management Enhancement: Implemented a robust session ID retrieval mechanism, prioritizing the X-Session-Id header for improved client compatibility (especially mobile) and explicitly setting cookie paths to / for authentication endpoints. This directly addresses the "bad session" issue.
  • Advanced Error Fingerprinting: Enhanced Sentry error reporting by configuring validation errors to be fingerprinted based on their specific error codes, which will lead to more precise grouping and analysis of issues.
Changelog
  • .changeset/full-doves-bark.md
    • Added a fallback mechanism for session delivery via response header.
  • .changeset/odd-cats-play.md
    • Ensured explicit cookie path setting for authentication endpoints.
  • .changeset/thin-cats-draw.md
    • Implemented mirroring of the session cookie as a header in the authentication flow for mobile clients.
  • .changeset/warm-foxes-leap.md
    • Configured Sentry to fingerprint validator errors by their specific error codes.
  • server/api/auth/authentication.ts
    • Made the session_id optional in the cookie validation schema.
    • Explicitly set the path attribute for session cookies to /.
    • Added X-Session-Id to response headers for session ID delivery.
    • Modified session ID retrieval to first check X-Session-Id header, then fall back to cookie, and return a bad session error if neither is found.
  • server/api/auth/registration.ts
    • Made the session_id optional in the cookie validation schema.
    • Explicitly set the path attribute for session cookies to /.
    • Added X-Session-Id to response headers for session ID delivery.
    • Modified session ID retrieval to first check X-Session-Id header, then fall back to cookie, and return a bad session error if neither is found.
  • server/test/utils/validatorHook.test.ts
    • Updated validation error tests to include Sentry fingerprinting assertions.
  • server/utils/validatorHook.ts
    • Implemented Sentry fingerprinting for captured validation exceptions using the error code.
  • src/utils/server.ts
    • Added logic to extract X-Session-Id from response headers after authentication/registration GET requests.
    • Modified authentication and registration POST requests to send the X-Session-Id header if available.
    • Updated stringOrLegacy utility to correctly parse API responses containing a code property.
Activity
  • No specific activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

coderabbitai bot commented Feb 6, 2026

Walkthrough

The PR introduces session management via response headers across authentication endpoints, making session_id optional in cookie schemas and adding X-Session-Id header propagation for cross-origin requests. Client-side utilities now extract and reuse session IDs from response headers. Error fingerprinting by code is added to the validator hook for improved Sentry error tracking.

Changes

Changes by cohort (files), with summary:

Changesets (.changeset/full-doves-bark.md, .changeset/odd-cats-play.md, .changeset/thin-cats-draw.md, .changeset/warm-foxes-leap.md): Documentation for patch releases specifying session cookie path management, header mirroring, and validator error fingerprinting.

Session header & cookie management (server/api/auth/authentication.ts, server/api/auth/registration.ts): Made session_id cookie field optional; updated GET/POST flows to set explicit cookie path, expose X-Session-Id response header, and read sessionId from header with fallback to cookie; added validation guards.

CORS configuration (server/api/index.ts): Added X-Session-Id to CORS exposeHeaders to allow client access to the header in cross-origin requests.

Error fingerprinting (server/utils/validatorHook.ts, server/test/utils/validatorHook.test.ts): Enhanced captureException with fingerprint field combining default template and error code; updated test assertions to verify fingerprint inclusion.

Client-side session handling (src/utils/server.ts): Extracts x-session-id from GET auth/registration responses and propagates it as header in subsequent POST requests; extended stringOrLegacy to handle code field alongside legacy property.

Sequence Diagram

sequenceDiagram
    participant Client
    participant AuthServer as Auth Server
    participant Client2 as Client<br/>(with session)

    Client->>AuthServer: GET /authentication
    AuthServer->>AuthServer: Create session
    AuthServer-->>Client: 200 + Cookie (path=/) +<br/>X-Session-Id Header
    
    Client->>Client: Extract X-Session-Id<br/>from response header
    Client2->>AuthServer: POST /authentication<br/>+ X-Session-Id Header
    AuthServer->>AuthServer: Read sessionId<br/>from header (or fallback<br/>to cookie)
    AuthServer-->>Client2: 200 + Response

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested reviewers

  • nfmelendez
  • dieguezguille
  • franm91
🚥 Pre-merge checks: 2 passed
Description Check: Passed (check skipped; CodeRabbit's high-level summary is enabled)
Title check: Passed. The title comprehensively captures both main changes: fixing the bad session issue through header-based session delivery and fingerprinting validator errors by code, aligning well with the commit messages and changeset entries.


@devin-ai-integration devin-ai-integration bot left a comment

Devin Review found 1 potential issue.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively addresses a session handling issue, likely affecting mobile clients, by introducing a session ID header as a fallback to cookies. The changes are consistent across both client and server implementations. Setting the cookie path to / is a good fix for broader cookie availability. Additionally, the introduction of Sentry error fingerprinting for validation errors is a valuable improvement for monitoring. I've identified a potential runtime error in the stringOrLegacy utility function and provided a suggestion to make it more robust.

sentry bot commented Feb 6, 2026

Codecov Report

❌ Patch coverage is 31.57895% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.21%. Comparing base (816d52c) to head (36db52b).
⚠️ Report is 4 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines (patch %, lines):
src/utils/server.ts: 23.07%, 10 missing ⚠️
server/api/auth/registration.ts: 33.33%, 1 missing and 1 partial ⚠️
server/api/auth/authentication.ts: 66.66%, 0 missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #732      +/-   ##
==========================================
- Coverage   67.68%   67.21%   -0.48%     
==========================================
  Files         206      206              
  Lines        7056     6902     -154     
  Branches     2217     2143      -74     
==========================================
- Hits         4776     4639     -137     
+ Misses       2093     2081      -12     
+ Partials      187      182       -5     
Flag e2e: coverage 67.21% <31.57%> (-0.48%) ⬇️


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.changeset/full-doves-bark.md:
- Line 5: The changeset summary is a noun phrase and must be an imperative lowercase sentence; update the summary line in .changeset/full-doves-bark.md (the line currently "🥅 fallback session delivery via response header") to include a present-tense verb and be lowercase, e.g. change it to something like "add fallback session delivery via response header" or "provide fallback session delivery via response header".

In `@server/api/auth/registration.ts`:
- Around line 308-309: The error responses in registration.ts (e.g., where sessionId is read and later error returns) are inconsistent with authentication.ts: some return { code: "bad session" } while others include the deprecated legacy field; update all error response shapes in registration.ts (and mirror in authentication.ts) to follow a consistent transitional pattern—either include the legacy payload on every error return or remove it everywhere—so that stringOrLegacy and LegacyAuthentication behavior remains predictable; search for returns that emit { code: "..."} (notably around the sessionId check and the error returns near the comments referencing legacy) and make them emit the chosen canonical shape (include the legacy key with the same structure used elsewhere if you choose to include it, or remove legacy from all error responses) and ensure tests/consumers still accept the change.

@cruzdanilo cruzdanilo merged commit 36db52b into main Feb 6, 2026
13 of 15 checks passed
@cruzdanilo cruzdanilo deleted the catch branch February 6, 2026 19:24