Skip to content

fix(llc): fix userId for guest#128

Open
renefloor wants to merge 2 commits into
mainfrom
renefloor/flu-373-guest-and-anonymous-login
Open

fix(llc): fix userId for guest#128
renefloor wants to merge 2 commits into
mainfrom
renefloor/flu-373-guest-and-anonymous-login

Conversation

@renefloor

@renefloor renefloor commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Submit a pull request

Linear: FLU-373

CLA

  • I have signed the Stream CLA (required).
  • The code changes follow best practices
  • Code changes are tested (add some information if not applicable)

Description of the pull request

When logging in as guest user the backend generates a userId for you. That's in the token, but not available when constructing the tokenManager. By getting it from the token directly we are always sure to have the right user id.

Neede for: GetStream/stream-feeds-flutter#113

Summary by CodeRabbit

  • Bug Fixes

    • Ensured requests use the user ID associated with the authenticated token, keeping query parameters aligned with the authorization identity.
  • Tests

    • Added coverage for matching and differing configured and token-resolved user IDs.

@renefloor renefloor requested a review from a team as a code owner July 10, 2026 10:19
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@renefloor, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 55 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc72d3a2-a79a-4bdf-8578-018857678833

📥 Commits

Reviewing files that changed from the base of the PR and between 25f34b5 and 234298a.

📒 Files selected for processing (1)
  • packages/stream_core/CHANGELOG.md
📝 Walkthrough

Walkthrough

AuthInterceptor now populates user_id from the resolved token’s userId, ensuring it matches the authorization identity. Tests add request capture and JWT-like tokens to verify differing and matching configured identities.

Changes

Authenticated request identity

Layer / File(s) Summary
Use resolved token identity and validate requests
packages/stream_core/lib/src/api/interceptors/auth_interceptor.dart, packages/stream_core/test/api/interceptors/auth_interceptor_test.dart
AuthInterceptor uses the resolved token’s userId; tests capture outgoing requests and verify behavior for differing and matching token identities.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the PR's main change: fixing guest userId resolution from the token.
Description check ✅ Passed The description covers the required template sections, including Linear, CLA, and a clear fix summary.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renefloor/flu-373-guest-and-anonymous-login

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.19%. Comparing base (36559fb) to head (234298a).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #128      +/-   ##
==========================================
+ Coverage   45.80%   46.19%   +0.38%     
==========================================
  Files         178      178              
  Lines        7243     7243              
==========================================
+ Hits         3318     3346      +28     
+ Misses       3925     3897      -28     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Comment on lines +26 to +31
// Use the resolved token's own user id rather than
// `_tokenManager.userId`: some token providers (e.g. guest exchanges)
// can resolve to a different id than the one originally requested, and
// this must stay consistent with the identity in the `Authorization`
// header below.
options.queryParameters['user_id'] = token.userId;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion the token should always match the id set in the token manager. if its different we should expire the current token and get a new token for the user id set in the manager.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants