fix: Fix user session provider not syncing when server session differs from cached client state

[kingston]

Summary by CodeRabbit

• Bug Fixes
  • Fixed user session synchronization issue where the client session state failed to update when the server session differed from cached client data, ensuring server and client session states remain properly synchronized.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
baseplate-project-builder-web	Ready	Preview, Comment	Dec 19, 2025 2:46pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 678ac78

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages

Name	Type
@baseplate-dev/plugin-auth	Patch
@baseplate-dev/project-builder-common	Patch
@baseplate-dev/project-builder-cli	Patch
@baseplate-dev/project-builder-test	Patch
@baseplate-dev/create-project	Patch
@baseplate-dev/code-morph	Patch
@baseplate-dev/core-generators	Patch
@baseplate-dev/fastify-generators	Patch
@baseplate-dev/project-builder-lib	Patch
@baseplate-dev/project-builder-server	Patch
@baseplate-dev/project-builder-web	Patch
@baseplate-dev/react-generators	Patch
@baseplate-dev/sync	Patch
@baseplate-dev/tools	Patch
@baseplate-dev/ui-components	Patch
@baseplate-dev/utils	Patch
@baseplate-dev/plugin-queue	Patch
@baseplate-dev/plugin-storage	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

This patch fix addresses a synchronization issue where the user session provider fails to sync when the server session differs from cached client state. Changes add a new effect to synchronize server and client user IDs and make callback notifications conditional on actual state changes.

Changes

Cohort / File(s)	Summary
Changeset entry \.changeset/tall-grapes-heal.md``	New changeset documenting a patch release for @baseplate-dev/plugin-auth with fix for user session provider synchronization.
Example app user session sync logic examples/blog-with-auth/apps/admin/src/app/user-session-provider.tsx, examples/blog-with-auth/apps/admin/src/services/user-session-client.ts	Added useEffect to synchronize server session with client once sessionQueryData loads, comparing serverUserId and clientUserId. Modified signIn and signOut to invoke callbacks only when userId actually changes or previously existed, respectively.
Plugin template user session sync logic plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/app/user-session-provider.tsx, plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/services/user-session-client.ts	Parallel implementation of example app changes: added useEffect for server-client session synchronization and conditional callback notification in signIn and signOut methods.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Verify the new useEffect dependency array and that sessionQueryData availability is the correct trigger for synchronization
• Examine the userId comparison logic and sign-in/sign-out flow to ensure correct behavior across server-client state differences
• Validate conditional callback invocation logic does not break existing subscriber expectations or state management
• Confirm consistency of implementations between example app and plugin template files

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main fix: synchronizing user session provider when server and cached client states differ, which matches all modified files.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch kingston/eng-931-login-fails-when-app_user_id-is-sset

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a173074 and 678ac78.

⛔ Files ignored due to path filters (2)

• examples/blog-with-auth/apps/admin/baseplate/generated/src/app/user-session-provider.tsx is excluded by !**/generated/**, !**/generated/**
• examples/blog-with-auth/apps/admin/baseplate/generated/src/services/user-session-client.ts is excluded by !**/generated/**, !**/generated/**

📒 Files selected for processing (5)

• .changeset/tall-grapes-heal.md (1 hunks)
• examples/blog-with-auth/apps/admin/src/app/user-session-provider.tsx (1 hunks)
• examples/blog-with-auth/apps/admin/src/services/user-session-client.ts (1 hunks)
• plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/app/user-session-provider.tsx (1 hunks)
• plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/services/user-session-client.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (6)

examples/blog-with-auth/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (examples/blog-with-auth/CLAUDE.md)

examples/blog-with-auth/**/*.{ts,tsx,js,jsx}: Always use .js extensions in import statements, even for TypeScript files (e.g., import { getSystemInfo } from '@src/system-info.js';)
Follow ESM module resolution with TypeScript's NodeNext setting
Add JSDocs to all exported functions, interfaces, and classes with documentation of the function, its parameters, return value, and all fields

Files:

• examples/blog-with-auth/apps/admin/src/app/user-session-provider.tsx
• examples/blog-with-auth/apps/admin/src/services/user-session-client.ts

examples/blog-with-auth/**/*.{ts,tsx}

📄 CodeRabbit inference engine (examples/blog-with-auth/CLAUDE.md)

examples/blog-with-auth/**/*.{ts,tsx}: Use import type for type-only imports in TypeScript
Always specify explicit return types for functions in TypeScript

Files:

• examples/blog-with-auth/apps/admin/src/app/user-session-provider.tsx
• examples/blog-with-auth/apps/admin/src/services/user-session-client.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/code-style.mdc)

**/*.{ts,tsx}: Use TypeScript with strict type checking enabled
Always include return types on top-level functions including React components (React.ReactElement)
Include absolute paths in import statements via tsconfig paths (@src/ is the alias for src/)
If a particular interface or type is not exported, change the file so it is exported
If caught on a typing loop where forcing the any type is necessary, do not iterate too much - leave the typing as broken and let the user fix it

If target code is not easily testable, refactor it to be more testable (e.g., export types or functions)

**/*.{ts,tsx}: Import components from '@baseplate-dev/ui-components' package for UI development (e.g., Button, Input, Card, Dialog, etc.)
Use form components with React Hook Form controller variants (InputField, TextareaField, SelectField, CheckboxField, SwitchField, ComboboxField, MultiComboboxField, ColorPickerField, DatePickerField, DateTimePickerField)
Use SidebarLayout, Card, Breadcrumb, NavigationMenu, and NavigationTabs components for consistent layout structure from @baseplate-dev/ui-components
Use Dialog, ConfirmDialog, and useConfirmDialog from @baseplate-dev/ui-components for modal dialogs and confirmation interactions
Always use compareStrings from @baseplate-dev/utils instead of String.prototype.localeCompare() for code generation, file sorting, and internal data structures
If a particular interface or type is not exported, modify the file to export it
Use TsCodeFragment for composable code pieces and TsCodeUtils for manipulating fragments when generating TypeScript code
Create generators using createGenerator with configuration via descriptor schema (Zod), organizing into one or more tasks created with createGeneratorTask
Tasks should have run (initialization) and build (code generation) phases, export and consume providers, and may be organized into phases for ordered execution
Use provider scopes to control visibility and prevent collisions be...

Files:

• examples/blog-with-auth/apps/admin/src/app/user-session-provider.tsx
• plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/services/user-session-client.ts
• plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/app/user-session-provider.tsx
• examples/blog-with-auth/apps/admin/src/services/user-session-client.ts

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/code-style.mdc)

**/*.{ts,tsx,js}: Node 16 module resolution - include file extensions in imports (.js)
Sort imports by group: external libs first, then local imports
Use camelCase for variables/functions, PascalCase for types/classes
Order functions such that functions are placed below the variables/functions they use
Prefer using nullish coalescing operator (??) instead of logical or (||), enforced via ESLint rule
Prefer barrel exports e.g. export * from './foo.js' instead of individual named exports
Use console.info/warn/error instead of console.log

Files:

• examples/blog-with-auth/apps/admin/src/app/user-session-provider.tsx
• plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/services/user-session-client.ts
• plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/app/user-session-provider.tsx
• examples/blog-with-auth/apps/admin/src/services/user-session-client.ts

.changeset/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Add a new Changeset in the .changeset/ directory for new features or changes, with format 'package-name': patch and description of the feature or change

Files:

• .changeset/tall-grapes-heal.md

plugins/**/plugin-*/**/*.{jsx,tsx}

📄 CodeRabbit inference engine (plugins/CLAUDE.md)

All CSS classes used in className attributes within plugin components MUST be prefixed with the plugin name (e.g., auth:, storage:) to avoid style conflicts between plugins and the main application

Files:

• plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/app/user-session-provider.tsx

🧠 Learnings (1)

📚 Learning: 2025-11-25T22:46:20.505Z

Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T22:46:20.505Z
Learning: Applies to .changeset/*.md : Add a new Changeset in the `.changeset/` directory for new features or changes, with format `'package-name': patch` and description of the feature or change

Applied to files:

• .changeset/tall-grapes-heal.md

🧬 Code graph analysis (2)

examples/blog-with-auth/apps/admin/src/app/user-session-provider.tsx (2)

examples/blog-with-auth/apps/admin/src/services/user-session-client.ts (1)

• userSessionClient (120-120)

plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/services/user-session-client.ts (1)

• userSessionClient (122-122)

plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/app/user-session-provider.tsx (2)

examples/blog-with-auth/apps/admin/src/services/user-session-client.ts (1)

• userSessionClient (120-120)

plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/services/user-session-client.ts (1)

• userSessionClient (122-122)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Verify Sync (todo-with-auth0)
• GitHub Check: Lint Examples (blog-with-auth)
• GitHub Check: test
• GitHub Check: Test E2E
• GitHub Check: Lint

🔇 Additional comments (7)

.changeset/tall-grapes-heal.md (1)

1-5: LGTM! Changeset follows conventions.

The changeset correctly documents this as a patch release for the plugin-auth package with an appropriate description of the fix.

plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/app/user-session-provider.tsx (1)

64-79: LGTM! Server-to-client session synchronization is correctly implemented.

The effect correctly synchronizes server session state with the client when sessionQueryData loads. The unidirectional sync (server → client) ensures the server is the source of truth. The conditional check prevents unnecessary operations when states already match.

The interaction with the existing onUserIdChange effect (lines 52-62) is appropriate: when sync triggers signIn/signOut, it will fire the change callback and reset the Apollo store as intended.

examples/blog-with-auth/apps/admin/src/services/user-session-client.ts (2)

28-33: LGTM! Conditional notification prevents unnecessary callbacks.

The change correctly captures the existing user ID and only notifies callbacks when the user ID actually changes. This prevents redundant operations (like Apollo store resets) when signIn is called with the same user ID that's already authenticated.

---

39-44: LGTM! Conditional notification in signOut is correct.

The change ensures callbacks are only notified when an actual sign-out occurs (i.e., when there was a user ID present before clearing). This prevents unnecessary notifications when signOut is called on an already-signed-out session.

examples/blog-with-auth/apps/admin/src/app/user-session-provider.tsx (1)

64-79: LGTM! Synchronization logic matches the template implementation.

The server-to-client session synchronization is correctly implemented and consistent with the template at plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/app/user-session-provider.tsx. The effect properly handles the case where server session state differs from cached client state by reconciling them when sessionQueryData becomes available.

plugins/plugin-auth/src/local-auth/core/generators/react-session/templates/src/services/user-session-client.ts (2)

30-35: LGTM! Template correctly implements conditional notification in signIn.

The template correctly captures the existing user ID and only notifies callbacks when the user ID actually changes. This matches the implementation in the example app and prevents unnecessary operations when signing in with the same user ID.

---

41-46: LGTM! Template correctly implements conditional notification in signOut.

The template ensures callbacks are only notified when an actual sign-out occurs. This matches the example app implementation and is consistent with the fix objective.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}