Skip to content

Fix/sw media auth - issues causing unauthenticated media requests#475

Open
Just-Insane wants to merge 3 commits intoSableClient:devfrom
Just-Insane:fix/sw-media-auth
Open

Fix/sw media auth - issues causing unauthenticated media requests#475
Just-Insane wants to merge 3 commits intoSableClient:devfrom
Just-Insane:fix/sw-media-auth

Conversation

@Just-Insane
Copy link
Contributor

@Just-Insane Just-Insane commented Mar 22, 2026
edited
Loading

Description

Appears to fix #358

Main issues:

  1. There is an early-return bug that occurred when the requested URL didn't match the session's baseURL which caused an unauthenticated request
  2. Resolves issues arising from using a stale or missing SW session
  3. Populate a session from cache on restarts to prevent a timing issue
  4. An issue with clientId being empty from clients such as prerenders which caused unauthenticated media requests

Note that you need to reload the SW by either killing the current one in DevTools, or if on mobile, the simplest option is to remove/re-download the PWA.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings

AI disclosure:

  • Partially AI assisted (clarify which code was AI assisted and briefly explain what it does).
  • Fully AI generated (explain what all the generated code does in moderate detail).

These changes (2 commits) combine to reduce the likelihood that a missing/stale session will result in failed authenticated media requests that result in 401 errors by:

  • requesting sessions from all window clients so that the sessions map is populated after an SW restart
  • persisting the SW session to cache, which is then tried when requesting media (mainly if still waiting for sessions from the client window) - the preloadedSession in-memory fallback is discarded once a live session is received, though the underlying cache entry remains until logout.
  • tries to use a persisted session from the cache on SW activation to help resolve a timing issue between SW restart and the first setSession return
  • Note that if the persisted session is no longer valid, authenticated media requests will still fail with the same 401 unauthenticated response.
  • fixes logic bugs that 1: caused the browser to make unauthenticated requests if the URL didn't match the cached session's baseUrl, and 2: attempts to use the preloaded session rather than allowing the browser to send unauthenticated requests when the clientId is empty (i.e. prerenders).

@Just-Insane
fix: prevent 401 media errors from stale/missing SW session
9131e31 
Three changes to src/sw.ts:

1. Fix early-return bug in fetch handler: when sessions.get(clientId)
   returns a session but validMediaRequest(url, session.baseUrl) fails
   (e.g. multi-account users on different homeservers, or URL format
   mismatch), the old code returned without calling event.respondWith(),
   causing the browser to make an unauthenticated request → 401.
   Now we only short-circuit if BOTH conditions are met.

2. Proactively broadcast requestSession to all window clients in the
   activate event. After a SW restart the sessions Map is empty; the
   old code relied on the first intercepted media fetch to trigger
   requestSessionWithTimeout. Now the SW pre-populates the Map right
   after claiming clients, eliminating the 3-second race window.

3. Add loadPersistedSession() as a final fallback in the fetch handler.
   If requestSessionWithTimeout returns nothing (
Three changes to src/sw.ts:

1. Fix early-return bug in fetch handler: when sessions.get(clientId)
   returns a session buo a
1. Fix early-return bug i
@Just-Insane
fix: pre-load session from cache on activate to prevent SW restart 401s
ce333e0 
On SW restart the in-memory sessions Map is empty. Previously the fetch
handler fell through to requestSessionWithTimeout (3 s race window), so
all simultaneous thumbnail loads during that window 401'd.

Changes:
- Populate preloadedSession from Cache Storage in the activate handler
  so media fetches get immediate auth before the first live setSession
  arrives from the page.
- Include preloadedSession in the byBaseUrl fast path so the synchronous
  branch handles the burst of thumbnail requests without waiting at all.
- Clear preloadedSession as soon as any real setSession arrives so stale
  tokens cannot linger.
- Handle empty clientId (uncontrolled-context fetches) by falling through
  to byBaseUrl / preloadedSession / loadPersistedSession instead of doing
  a bare return that bypassed respondWith and caused an unauthenticated
  request.
@Just-Insane Just-Insane requested review from 7w1 and hazre as code owners March 22, 2026 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@7w1 7w1 Awaiting requested review from 7w1 7w1 is a code owner

@hazre hazre Awaiting requested review from hazre hazre is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Some media fails to load (Mismatched SHA-256 digest)

1 participant

@Just-Insane