Skip to content

feat: include user_id in device-flow token response#141

Merged
tomasz-tomczyk merged 1 commit intomainfrom
fix-share-user-id
Apr 29, 2026
Merged

feat: include user_id in device-flow token response#141
tomasz-tomczyk merged 1 commit intomainfrom
fix-share-user-id

Conversation

@tomasz-tomczyk
Copy link
Copy Markdown
Owner

@tomasz-tomczyk tomasz-tomczyk commented Apr 29, 2026
edited
Loading

Summary

  • POST /api/device/token now returns user_id, user_name, user_email (was: user_name only).
  • Crit.DeviceCodes.poll_device_code/1 returns {:ok, access_token, %{id, name, email}} instead of {:ok, access_token, user_name}.
  • Tests updated.

Why

Closes a prod attribution bug where crit CLI sent shares with blank user_id on the comments — the server then wrote them with user_id = nil and author_identity = "imported", even though the bearer token authenticated the request correctly. Without user_id in this response, the CLI had no way to cache the verified id at login time.

Review

  • Code review: not requested (small, surgical change)
  • Parity audit: N/A (no frontend touched)

Test plan

  • mix precommit — clean (471 tests, 0 failures)
  • device_codes_test.exs and device_api_controller_test.exs updated to assert the new shape
  • Full crit↔crit-web share integration suite (./scripts/e2e-share.sh from crit/) — all tests pass

See also: tomasz-tomczyk/crit#393 (CLI side that consumes this)

🤖 Generated with Claude Code

@tomasz-tomczyk @claude
feat: include user_id in device-flow token response
12c6797 
The /api/device/token response now carries user_id alongside the existing
user_name (and adds user_email). This lets the CLI cache the verified
server-side user id at login time instead of needing to lazy-backfill it
via /api/auth/whoami on first share — closing a window where the daemon
sent shares with a blank user_id and the server wrote them as "imported".

See also: tomasz-tomczyk/crit#391 (CLI side)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@tomasz-tomczyk tomasz-tomczyk mentioned this pull request Apr 29, 2026
Merged
7 tasks
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 29, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 83.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.25%. Comparing base (1250216) to head (12c6797).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
lib/crit/device_codes.ex 83.33% 1 Missing ⚠️
lib/crit_web/controllers/device_api_controller.ex 83.33% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #141      +/-   ##
==========================================
+ Coverage   77.21%   77.25%   +0.03%     
==========================================
  Files          52       52              
  Lines        1567     1574       +7     
==========================================
+ Hits         1210     1216       +6     
- Misses        357      358       +1
Flag Coverage Δ
unit 77.25% <83.33%> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tomasz-tomczyk tomasz-tomczyk merged commit 5296d0f into main Apr 29, 2026
4 checks passed
@tomasz-tomczyk tomasz-tomczyk deleted the fix-share-user-id branch April 29, 2026 15:37
tomasz-tomczyk added a commit to tomasz-tomczyk/crit that referenced this pull request Apr 29, 2026
@tomasz-tomczyk @claude
fix: persist verified user_id on auth login (#393)
da47740 
Two bugs surfaced from a prod attribution miss:

1. crit auth login wrote auth_user_name and auth_user_email but never
   auth_user_id, because the device-flow token response didn't carry it.
   The daemon then stamped comments with a blank user_id and the server
   wrote them as "imported".

2. The identity fields were saved one at a time, so a stale auth_user_id
   from a previous account survived a re-login as a different user. The
   payload then contained user A's id while the bearer token authenticated
   as user B; the server treated the mismatch as anonymous.

Fix:
- Add UserID to tokenResponse so the CLI reads the new field that
  tomasz-tomczyk/crit-web#141 emits.
- Extract saveAuthIdentity() that rewrites all three identity fields
  atomically: missing fields delete the key on disk so a stale value
  cannot survive a re-login.
- Belt-and-braces: when the response omits user_id (older crit-web),
  fall through to lazyBackfillAuthUserID() which fetches via whoami.

Existing logged-in users need to log out + log in to pick up the
verified user_id; comments authored before then stay anonymous on the
server (intentional — the explicit re-login is the migration).

Follow-up: consolidate the five overlapping author/identity config
fields (#392).

See also: tomasz-tomczyk/crit-web#141 (server side)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tomasz-tomczyk