hub / github.com/BuilderIO/agent-native / getSession

Function getSession

packages/core/src/server/auth.ts:990–1067  ·  view source on GitHub ↗
(event: H3Event)

Source from the content-addressed store, hash-verified

988 * page load.
989 */
990export async function getSession(event: H3Event): Promise<AuthSession | null> {
991 // 1. ACCESS_TOKEN check (programmatic/agent access)
992 const accessTokens = getAccessTokens();
993 if (accessTokens.length > 0) {
994 const cookie = getCookie(event, COOKIE_NAME);
995 if (cookie) {
996 const email = await getSessionEmail(cookie);
997 if (email) return { email, token: cookie };
998 }
999 }
1000
1001 // 2. BYOA custom getSession
1002 if (customGetSession) {
1003 const session = await customGetSession(event);
1004 if (session) return session;
1005
1006 const bearerSession = await getBearerLegacySession(event);
1007 if (bearerSession) return bearerSession;
1008
1009 // Desktop SSO broker: even with BYOA auth, fall back to the broker
1010 // for Electron requests so cross-template SSO works for custom-auth
1011 // templates too. Gated on `readDesktopSsoSafely` so a non-loopback
1012 // request that spoofs `User-Agent: ... Electron/...` cannot read the
1013 // home-dir broker file (and so production builds never consult it).
1014 const sso = await readDesktopSsoSafely(event);
1015 if (sso?.email) return { email: sso.email, token: sso.token };
1016 // Fall through to mobile _session check
1017 } else {
1018 // 3. Bearer legacy session. Desktop/native clients can persist a session
1019 // token outside the WebView cookie jar and attach it to all app requests.
1020 const bearerSession = await getBearerLegacySession(event);
1021 if (bearerSession) return bearerSession;
1022
1023 // 4. Better Auth session (cookie or Bearer token)
1024 try {
1025 const ba = getBetterAuthSync();
1026 if (ba) {
1027 const baSession = await ba.api.getSession({
1028 headers: event.headers,
1029 });
1030 if (baSession?.user?.email) {
1031 return mapBetterAuthSession(baSession);
1032 }
1033 }
1034 } catch (e) {
1035 console.error("[auth] ba.api.getSession error:", e);
1036 }
1037
1038 // 5. Legacy cookie fallback (for sessions created before migration)
1039 const cookie = getCookie(event, COOKIE_NAME);
1040 if (cookie) {
1041 const email = await getSessionEmail(cookie);
1042 if (email) {
1043 return { email, token: cookie };
1044 }
1045 }
1046
1047 // 6. Desktop SSO broker fallback.

Callers 15

[...page].get.ts · File · 0.90
callback.get.ts · File · 0.90
callback.get.ts · File · 0.90
status.get.ts · File · 0.90
disconnect.post.ts · File · 0.90
auth-url.get.ts · File · 0.90
photos.get.ts · File · 0.90
uEmail · Function · 0.90
requireRequestContext · Function · 0.90
uEmail · Function · 0.90
uEmail · Function · 0.90
uEmail · Function · 0.90

Calls 7

getSessionEmail · Function · 0.85
getBearerLegacySession · Function · 0.85
readDesktopSsoSafely · Function · 0.85
getBetterAuthSync · Function · 0.85
mapBetterAuthSession · Function · 0.85
promoteQuerySession · Function · 0.85
getAccessTokens · Function · 0.70

Tested by

no test coverage detected