Fix session cookie creation race: skip initial token refresh, wrap extension auth hooks

[benceruleanlu]

Fixes a race causing “No auth header available for session creation” during sign‑in, by skipping the initial token refresh event, and wrapping extension auth hooks with async error handling.

Sentry: https://comfy-org.sentry.io/issues/6990347926/?alert_rule_id=1614600&project=4509681221369857

Context

• Error surfaced as an unhandled rejection when session creation was triggered without a valid auth header.
• Triggers: both onAuthUserResolved and onAuthTokenRefreshed fired during initial login.
• Pre‑fix, onIdTokenChanged treated the very first token emission as a “refresh” as well, so two concurrent createSession() calls ran back‑to‑back.
• One of those calls could land before a Firebase ID token existed, so getAuthHeader() returned null → createSession threw “No auth header available for session creation”.

Exact pre‑fix failure path

• src/extensions/core/cloudSessionCookie.ts
  • onAuthUserResolved → useSessionCookie().createSession()
  • onAuthTokenRefreshed → useSessionCookie().createSession()
• src/stores/firebaseAuthStore.ts
  • onIdTokenChanged increments tokenRefreshTrigger even for the initial token (treated as a refresh)
  • getAuthHeader() → getIdToken() may be undefined briefly during initialization
• src/platform/auth/session/useSessionCookie.ts
  • createSession(): calls authStore.getAuthHeader(); if falsy, throws Error('No auth header available for session creation')

What this PR changes

1. Skip initial token “refresh”
   • Track lastTokenUserId and ignore the first onIdTokenChanged for a user; only subsequent token changes count as refresh events.
   • File: src/stores/firebaseAuthStore.ts
2. Wrap extension auth hooks with async error handling
   • Use wrapWithErrorHandlingAsync for onAuthUserResolved/onAuthTokenRefreshed/onAuthUserLogout callbacks to avoid unhandled rejections.
   • File: src/services/extensionService.ts

Result

• Eliminates the timing window where createSession() runs before getIdToken() returns a token.
• Ensures any remaining errors are caught and reported instead of surfacing as unhandled promise rejections.

Notes

• Lint and typecheck run clean (pnpm lint:fix && pnpm typecheck).

┆Issue is synchronized with this Notion page by Unito

[github-actions]

🎭 Playwright Test Results

⚠️ Tests passed with flaky tests

⏰ Completed at: 11/05/2025, 06:35:59 AM UTC

📈 Summary

• Total Tests: 496
• Passed: 460 ✅
• Failed: 0
• Flaky: 6 ⚠️
• Skipped: 30 ⏭️

📊 Test Reports by Browser

• ✅ chromium: View Report • ✅ 451 / ❌ 0 / ⚠️ 6 / ⏭️ 30
• ✅ chromium-2x: View Report • ✅ 2 / ❌ 0 / ⚠️ 0 / ⏭️ 0
• ✅ chromium-0.5x: View Report • ✅ 1 / ❌ 0 / ⚠️ 0 / ⏭️ 0
• ✅ mobile-chrome: View Report • ✅ 6 / ❌ 0 / ⚠️ 0 / ⏭️ 0

---

🎉 Click on the links above to view detailed test results for each browser configuration.

[github-actions]

🎨 Storybook Build Status

✅ Build completed successfully!

⏰ Completed at: 11/05/2025, 06:21:48 AM UTC

🔗 Links

• 📊 View Workflow Run
• 🎨 View Storybook

---

🎉 Your Storybook is ready for review!

[benceruleanlu]

Only the 'Skip initial token “refresh”' is needed, rest are additional for additional hardening

[github-actions]

Bundle Size Report

Summary

• Raw size: 12.2 MB baseline 12.2 MB — 🔴 +1.31 kB
• Gzip: 2.49 MB baseline 2.49 MB — 🔴 +180 B
• Brotli: 1.96 MB baseline 1.96 MB — 🔴 +252 B
• Bundles: 58 current • 58 baseline • 13 added / 13 removed

Category Glance
App Entry Points 🔴 +1.31 kB (3.31 MB) · Vendor & Third-Party ⚪ 0 B (5.32 MB) · Other ⚪ 0 B (2.55 MB) · Graph Workspace ⚪ 0 B (729 kB) · Panels & Settings ⚪ 0 B (293 kB) · UI Components ⚪ 0 B (12.6 kB) · + 3 more

Per-category breakdown

App Entry Points — 3.31 MB (baseline 3.31 MB) • 🔴 +1.31 kB

Main entry bundles and manifests

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/index-CEhN3zOx.js (new)	—	2.92 MB	🔴 +2.92 MB	🔴 +605 kB	🔴 +458 kB
assets/index-zUwM8XLC.js (removed)	2.92 MB	—	🟢 -2.92 MB	🟢 -605 kB	🟢 -457 kB
assets/index-BaO-tSAK.js (new)	—	382 kB	🔴 +382 kB	🔴 +76.6 kB	🔴 +62.1 kB
assets/index-Dv04s-Ig.js (removed)	382 kB	—	🟢 -382 kB	🟢 -76.6 kB	🟢 -62.1 kB
assets/index-Bam8EMeC.js (new)	—	1.75 kB	🔴 +1.75 kB	🔴 +576 B	🔴 +482 B
assets/index-DTXds8Ct.js (removed)	1.75 kB	—	🟢 -1.75 kB	🟢 -576 B	🟢 -483 B

Status: 3 added / 3 removed

Graph Workspace — 729 kB (baseline 729 kB) • ⚪ 0 B

Graph editor runtime, canvas, workflow orchestration

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/GraphView-C7C3HWQu.js (new)	—	729 kB	🔴 +729 kB	🔴 +142 kB	🔴 +110 kB
assets/GraphView-Dyy-XWDh.js (removed)	729 kB	—	🟢 -729 kB	🟢 -142 kB	🟢 -110 kB

Status: 1 added / 1 removed

Views & Navigation — 8.18 kB (baseline 8.18 kB) • ⚪ 0 B

Top-level views, pages, and routed surfaces

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/UserSelectView-BwoHrjLp.js (new)	—	8.18 kB	🔴 +8.18 kB	🔴 +2.48 kB	🔴 +2.17 kB
assets/UserSelectView-C9DKR6mg.js (removed)	8.18 kB	—	🟢 -8.18 kB	🟢 -2.48 kB	🟢 -2.17 kB

Status: 1 added / 1 removed

Panels & Settings — 293 kB (baseline 293 kB) • ⚪ 0 B

Configuration panels, inspectors, and settings screens

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/CreditsPanel-Bbak0IA_.js (new)	—	22.9 kB	🔴 +22.9 kB	🔴 +5.45 kB	🔴 +4.76 kB
assets/CreditsPanel-CMwT6wSm.js (removed)	22.9 kB	—	🟢 -22.9 kB	🟢 -5.45 kB	🟢 -4.77 kB
assets/KeybindingPanel-2qbK87QK.js (removed)	15.3 kB	—	🟢 -15.3 kB	🟢 -3.78 kB	🟢 -3.32 kB
assets/KeybindingPanel-BW5pbKv2.js (new)	—	15.3 kB	🔴 +15.3 kB	🔴 +3.78 kB	🔴 +3.33 kB
assets/ExtensionPanel-BJJmHkBD.js (new)	—	12.1 kB	🔴 +12.1 kB	🔴 +2.84 kB	🔴 +2.48 kB
assets/ExtensionPanel-CMZsUbOf.js (removed)	12.1 kB	—	🟢 -12.1 kB	🟢 -2.84 kB	🟢 -2.48 kB
assets/AboutPanel-BM4HpRbG.js (removed)	10.3 kB	—	🟢 -10.3 kB	🟢 -2.68 kB	🟢 -2.34 kB
assets/AboutPanel-BoEX6go_.js (new)	—	10.3 kB	🔴 +10.3 kB	🔴 +2.67 kB	🔴 +2.34 kB
assets/ServerConfigPanel-pN2hcMW7.js (removed)	8.23 kB	—	🟢 -8.23 kB	🟢 -2.18 kB	🟢 -1.91 kB
assets/ServerConfigPanel-SjMoGY2z.js (new)	—	8.23 kB	🔴 +8.23 kB	🔴 +2.18 kB	🔴 +1.91 kB
assets/UserPanel-C3fnz9w3.js (removed)	7.94 kB	—	🟢 -7.94 kB	🟢 -2.07 kB	🟢 -1.81 kB
assets/UserPanel-Dv2w3j_F.js (new)	—	7.94 kB	🔴 +7.94 kB	🔴 +2.07 kB	🔴 +1.81 kB
assets/settings-0O6mq5to.js	24.3 kB	24.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-BYaBy7dC.js	20.4 kB	20.4 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-C3vygQN4.js	25.7 kB	25.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-CbKYXyH0.js	22.7 kB	22.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-CCholIsI.js	25 kB	25 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-DFX7vRkK.js	19.8 kB	19.8 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-INJLrcmT.js	31.3 kB	31.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-iR6BKRXe.js	23.7 kB	23.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-YjQmudNE.js	23.5 kB	23.5 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 6 added / 6 removed

UI Components — 12.6 kB (baseline 12.6 kB) • ⚪ 0 B

Reusable component library chunks

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/ComfyQueueButton-d1L9pL9N.js (removed)	11.3 kB	—	🟢 -11.3 kB	🟢 -2.83 kB	🟢 -2.49 kB
assets/ComfyQueueButton-Dm8WX8on.js (new)	—	11.3 kB	🔴 +11.3 kB	🔴 +2.83 kB	🔴 +2.49 kB
assets/UserAvatar.vue_vue_type_script_setup_true_lang-CY-Afo9h.js	1.29 kB	1.29 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 1 added / 1 removed

Data & Services — 10.4 kB (baseline 10.4 kB) • ⚪ 0 B

Stores, services, APIs, and repositories

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/keybindingService-CMJXUvnQ.js (new)	—	7.6 kB	🔴 +7.6 kB	🔴 +1.84 kB	🔴 +1.59 kB
assets/keybindingService-DfBQoB60.js (removed)	7.6 kB	—	🟢 -7.6 kB	🟢 -1.85 kB	🟢 -1.59 kB
assets/serverConfigStore-Drx1xdev.js	2.79 kB	2.79 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 1 added / 1 removed

Utilities & Hooks — 1.07 kB (baseline 1.07 kB) • ⚪ 0 B

Helpers, composables, and utility bundles

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/mathUtil-CTARWQ-l.js	1.07 kB	1.07 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Vendor & Third-Party — 5.32 MB (baseline 5.32 MB) • ⚪ 0 B

External libraries and shared vendor chunks

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/vendor-other-DTJaZ2wB.js	3.22 MB	3.22 MB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-primevue-PESgPnbc.js	517 B	517 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-three-JDoAqkQm.js	1.37 MB	1.37 MB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-tiptap-BovKm-bo.js	232 kB	232 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-vue-D0cJmhlH.js	92.6 kB	92.6 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-xterm-BZLod3g9.js	407 kB	407 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Other — 2.55 MB (baseline 2.55 MB) • ⚪ 0 B

Bundles that do not match a named category

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/commands-B2KZRBmX.js	15.1 kB	15.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-Bw-ckyga.js	13.9 kB	13.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-C_NmM85I.js	13.8 kB	13.8 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-CuozCW4W.js	14 kB	14 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-DGfVUJCR.js	16.2 kB	16.2 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-dOJNDogK.js	14.5 kB	14.5 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-DwiE551e.js	14.7 kB	14.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-Fw7mvqSy.js	13.1 kB	13.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-FXnO1W4Q.js	13.2 kB	13.2 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-B2H4r1yK.js	70.7 kB	70.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-BfrcYvru.js	59.4 kB	59.4 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-BhRi1J0e.js	68.4 kB	68.4 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-BUG9wuyt.js	80.3 kB	80.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-C0hL5eRA.js	76.4 kB	76.4 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-CkKZCT7r.js	58.7 kB	58.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-D1RQ0Vb_.js	66.3 kB	66.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-DdyfZOXg.js	67.6 kB	67.6 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-DPE2NqRw.js	92.9 kB	92.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-3I1vPgv4.js	181 kB	181 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-B2huPGKQ.js	190 kB	190 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-BWugyUzd.js	215 kB	215 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-bXqu6Stq.js	194 kB	194 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-CtB2M3sY.js	229 kB	229 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-D-rCrn-T.js	200 kB	200 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-D38DSnl1.js	179 kB	179 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-DAsU52ON.js	192 kB	192 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-DnGONaA_.js	196 kB	196 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[benceruleanlu]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 🎉

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[claude]

Comprehensive PR Review

This review is generated by Claude. It may not always be accurate, as with human reviewers. If you believe that any of the comments are invalid or incorrect, please state why for each. For others, please implement the changes in one way or another.

Review Summary

PR: Fix session cookie creation race: skip initial token refresh, wrap extension auth hooks (#6563)
Impact: 78 additions, 4 deletions across 3 files

Issue Distribution

• Critical: 0
• High: 0
• Medium: 2
• Low: 2

Category Breakdown

• Architecture: 1 issues
• Security: 0 issues
• Performance: 1 issues
• Code Quality: 2 issues

Key Findings

Architecture & Design

The PR correctly addresses the race condition in session creation by implementing a deduplication mechanism. The solution is architecturally sound, using a straightforward approach to track the initial token event per user. The error handling wrapper integration follows established patterns in the codebase.

Security Considerations

No security vulnerabilities identified. The changes maintain the existing authentication flow security while improving reliability. The error handling enhancements actually improve security posture by preventing unhandled promise rejections that could expose internal state.

Performance Impact

The changes have minimal performance impact. The additional state tracking (lastTokenUserId) is lightweight. However, there is a minor concern about potential memory leaks from Firebase listeners that should be monitored.

Integration Points

The changes integrate well with existing authentication systems. The deduplication logic is isolated to the auth store and doesn't affect other components. Extension error handling is improved without changing extension APIs.

Positive Observations

• Excellent test coverage: The PR includes comprehensive unit tests covering edge cases including concurrent operations and error scenarios
• Clear problem identification: The PR description clearly explains the root cause and solution approach
• Minimal invasive changes: The fix is targeted and doesn't require extensive refactoring
• Proper error handling: Uses the existing error handling patterns consistently
• Race condition fix: Addresses a real production issue affecting user experience

References

• Repository Architecture Guide
• Frontend Standards
• Security Guidelines

Next Steps

1. Address medium-priority race condition concern for rapid user switches
2. Consider error context improvements for better debugging
3. Monitor potential memory leaks from Firebase listeners in production
4. No critical or high-priority issues blocking merge

---

This is a comprehensive automated review. For architectural decisions requiring human judgment, please request additional manual review.

[benceruleanlu]

Addressed review feedback:

• Removed in-flight dedupe in session creation to avoid suppressing legitimate calls after user switches.
• Added structured error context for extension auth hooks (extension + hook name) while preserving toast UX.
• Clarified async wrapper return is intentionally discarded for hooks typed as void/Promise.
• Explained token listener lifecycle: single registration tied to store lifetime; no accumulation in runtime.
• Clarified race considerations for rapid user switches; logic treats first token per uid as initialization, subsequent tokens increment; sign-out resets.

Please let me know if you want a test-only dispose hook for the auth store’s token listener.

[benceruleanlu]

Addressed: the async wrapper now adds structured error context for auth hooks — we log the extension name and the hook (e.g., onAuthUserResolved) and still route to the shared toast. This makes triage clearer without changing UX.

[benceruleanlu]

Clarification: the wrapper’s return is intentionally discarded (void handleUserResolved(user)). Extension hooks are void | Promise<void>, so a potential undefined return from the wrapper doesn’t affect behavior.

[benceruleanlu]

Clarification: the Pinia store is a singleton for the app’s lifetime, so we register one onIdTokenChanged listener and it doesn’t accumulate in normal runtime. If preferred for tests, we can add an explicit dispose() to call the unsubscribe, but it isn’t necessary for the app.

[benceruleanlu]

Clarification: onIdTokenChanged events are delivered sequentially. We treat the first token for any uid as initialization by setting lastTokenUserId and returning; subsequent events for the same uid increment the trigger. We reset lastTokenUserId on sign‑out in onAuthStateChanged. This avoids spurious increments without introducing races; tests cover this behaviour in tests-ui/tests/store/firebaseAuthStore.test.ts.

[christian-byrne]

LGTM. We can verify the fix in the data after the next deploy