(event: H3Event)
| 988 | * page load. |
| 989 |  * Resolution order, matching the numbered steps below: a legacy cookie session when ACCESS_TOKENs are configured; then, if a BYOA `customGetSession` is registered, that hook, the Bearer-legacy session and the loopback-gated desktop SSO broker; otherwise the Bearer-legacy session, Better Auth, the legacy cookie and finally the desktop SSO broker. */ |
| 990 | export async function getSession(event: H3Event): Promise<AuthSession | null> { |
| 991 | // 1. ACCESS_TOKEN check (programmatic/agent access) |
| 992 | const accessTokens = getAccessTokens(); |
| 993 | if (accessTokens.length > 0) { |
| 994 | const cookie = getCookie(event, COOKIE_NAME); |
| 995 | if (cookie) { |
| 996 | const email = await getSessionEmail(cookie); |
| 997 | if (email) return { email, token: cookie }; |
| 998 | } |
| 999 | } |
| 1000 | |
| 1001 | // 2. BYOA custom getSession |
| 1002 | if (customGetSession) { |
| 1003 | const session = await customGetSession(event); |
| 1004 | if (session) return session; |
| 1005 | |
| 1006 | const bearerSession = await getBearerLegacySession(event); |
| 1007 | if (bearerSession) return bearerSession; |
| 1008 | |
| 1009 | // Desktop SSO broker: even with BYOA auth, fall back to the broker |
| 1010 | // for Electron requests so cross-template SSO works for custom-auth |
| 1011 | // templates too. Gated on `readDesktopSsoSafely` so a non-loopback |
| 1012 | // request that spoofs `User-Agent: ... Electron/...` cannot read the |
| 1013 | // home-dir broker file (and so production builds never consult it). |
| 1014 | const sso = await readDesktopSsoSafely(event); |
| 1015 | if (sso?.email) return { email: sso.email, token: sso.token }; |
| 1016 | // Fall through to mobile _session check |
| 1017 | } else { |
| 1018 | // 3. Bearer legacy session. Desktop/native clients can persist a session |
| 1019 | // token outside the WebView cookie jar and attach it to all app requests. |
| 1020 | const bearerSession = await getBearerLegacySession(event); |
| 1021 | if (bearerSession) return bearerSession; |
| 1022 | |
| 1023 | // 4. Better Auth session (cookie or Bearer token) |
| 1024 | try { |
| 1025 | const ba = getBetterAuthSync(); |
| 1026 | if (ba) { |
| 1027 | const baSession = await ba.api.getSession({ |
| 1028 | headers: event.headers, |
| 1029 | }); |
| 1030 | if (baSession?.user?.email) { |
| 1031 | return mapBetterAuthSession(baSession); |
| 1032 | } |
| 1033 | } |
| 1034 | } catch (e) { |
| 1035 | console.error("[auth] ba.api.getSession error:", e); |
| 1036 | } |
| 1037 | |
| 1038 | // 5. Legacy cookie fallback (for sessions created before migration) |
| 1039 | const cookie = getCookie(event, COOKIE_NAME); |
| 1040 | if (cookie) { |
| 1041 | const email = await getSessionEmail(cookie); |
| 1042 | if (email) { |
| 1043 | return { email, token: cookie }; |
| 1044 | } |
| 1045 | } |
| 1046 | |
| 1047 | // 6. Desktop SSO broker fallback. |