refactor(streams): replace STREAMS_SECRET with session-based auth

.github/workflows/ci.yml

@@ -127,6 +127,4 @@ jobs:
       - name: Build CLI and Desktop
         run: bun turbo run build --filter=@superset/cli --filter=@superset/desktop
         env:
-          # TODO: Remove once desktop app no longer validates STREAMS_* at build time
           STREAMS_URL: ${{ secrets.STREAMS_URL }}
-          STREAMS_SECRET: ${{ secrets.STREAMS_SECRET }}

.github/workflows/deploy-preview.yml

@@ -124,9 +124,21 @@ jobs:
   deploy-streams-preview:
     name: Deploy Streams (Fly.io)
     runs-on: ubuntu-latest
+    needs: deploy-database
 
     steps:
       - uses: actions/checkout@v4
+
+      - name: Download database info
+        uses: actions/download-artifact@v4
+        with:
+          name: database-status
+
+      - name: Load database URL
+        run: |
+          source database-status.env
+          echo "DATABASE_URL=$DATABASE_URL" >> $GITHUB_ENV
+
       - name: Deploy Streams preview to Fly.io
         uses: superfly/fly-pr-review-apps@1.3.0
         with:
@@ -135,7 +147,7 @@ jobs:
           org: ${{ vars.FLY_ORG }}
           config: apps/streams/fly.toml
           secrets: |
-            STREAMS_SECRET=${{ secrets.STREAMS_SECRET }}
+            DATABASE_URL=${{ env.DATABASE_URL }}
         env:
           FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
       - name: Save streams status

.github/workflows/deploy-production.yml

@@ -411,7 +411,7 @@ jobs:
           FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
         run: |
           flyctl secrets set \
-            STREAMS_SECRET="${{ secrets.STREAMS_SECRET }}" \
+            DATABASE_URL="${{ secrets.DATABASE_URL }}" \
             --app superset-stream \
             --stage
       - name: Deploy to Fly.io

.superset/setup.sh

@@ -299,16 +299,6 @@ step_start_electric() {
   return 0
 }
 
-step_setup_streams() {
-  echo "🔄 Setting up Streams secret..."
-
-  STREAMS_SECRET=$(openssl rand -hex 32)
-  export STREAMS_SECRET
-
-  success "Streams secret generated"
-  return 0
-}
-
 step_write_env() {
   echo "📝 Writing .env file..."
 
@@ -352,9 +342,6 @@ step_write_env() {
       echo "ELECTRIC_SECRET=$ELECTRIC_SECRET"
     fi
 
-    echo ""
-    echo "# Workspace Streams (AI Chat Server)"
-    echo "STREAMS_SECRET=$STREAMS_SECRET"
   } >> .env
 
   success "Workspace .env written"
@@ -390,12 +377,7 @@ main() {
     step_failed "Start Electric SQL"
   fi
 
-  # Step 6: Setup Streams secret
-  if ! step_setup_streams; then
-    step_failed "Setup Streams secret"
-  fi
-
-  # Step 7: Write .env file
+  # Step 6: Write .env file
   if ! step_write_env; then
     step_failed "Write .env file"
   fi

apps/desktop/src/lib/trpc/routers/ai-chat/index.ts

@@ -4,6 +4,7 @@ import { join } from "node:path";
 import { env } from "main/env.main";
 import { z } from "zod";
 import { publicProcedure, router } from "../..";
+import { loadToken } from "../auth/utils/auth-functions";
 import {
 	readClaudeSessionMessages,
 	scanClaudeSessions,
@@ -55,10 +56,13 @@ function scanCustomCommands(cwd: string): CommandEntry[] {
 
 export const createAiChatRouter = () => {
 	return router({
-		getConfig: publicProcedure.query(() => ({
-			proxyUrl: env.STREAMS_URL,
-			authToken: env.STREAMS_SECRET,
-		})),
+		getConfig: publicProcedure.query(async () => {
+			const { token } = await loadToken();
+			return {
+				proxyUrl: env.STREAMS_URL,
+				authToken: token,
+			};
+		}),
 
 		getSlashCommands: publicProcedure
 			.input(z.object({ cwd: z.string() }))

apps/desktop/src/lib/trpc/routers/ai-chat/utils/session-manager/session-manager.ts

@@ -9,11 +9,11 @@ import {
 } from "@superset/agent";
 import { app } from "electron";
 import { env } from "main/env.main";
+import { loadToken } from "../../../auth/utils/auth-functions";
 import { buildClaudeEnv } from "../auth";
 import type { SessionStore } from "../session-store";
 
 const PROXY_URL = env.STREAMS_URL;
-const STREAMS_SECRET = env.STREAMS_SECRET;
 
 function getClaudeBinaryPath(): string {
 	if (app.isPackaged) {
@@ -30,10 +30,14 @@ function getClaudeBinaryPath(): string {
 	);
 }
 
-function buildProxyHeaders(): Record<string, string> {
+async function buildProxyHeaders(): Promise<Record<string, string>> {
+	const { token } = await loadToken();
+	if (!token) {
+		throw new Error("User not authenticated");
+	}
 	return {
 		"Content-Type": "application/json",
-		Authorization: `Bearer ${STREAMS_SECRET}`,
+		Authorization: `Bearer ${token}`,
 	};
 }
 
@@ -97,7 +101,7 @@ export class ChatSessionManager extends EventEmitter {
 		permissionMode?: string;
 		maxThinkingTokens?: number;
 	}): Promise<void> {
-		const headers = buildProxyHeaders();
+		const headers = await buildProxyHeaders();
 
 		const createRes = await fetch(`${PROXY_URL}/v1/sessions/${sessionId}`, {
 			method: "PUT",
@@ -258,7 +262,7 @@ export class ChatSessionManager extends EventEmitter {
 		const abortController = new AbortController();
 		this.runningAgents.set(sessionId, abortController);
 
-		const headers = buildProxyHeaders();
+		const headers = await buildProxyHeaders();
 		let messageId: string | undefined;
 
 		try {
@@ -455,7 +459,7 @@ export class ChatSessionManager extends EventEmitter {
 		try {
 			await fetch(`${PROXY_URL}/v1/sessions/${sessionId}/stop`, {
 				method: "POST",
-				headers: buildProxyHeaders(),
+				headers: await buildProxyHeaders(),
 				body: JSON.stringify({}),
 			});
 		} catch (error) {
@@ -479,7 +483,7 @@ export class ChatSessionManager extends EventEmitter {
 		try {
 			await fetch(`${PROXY_URL}/v1/sessions/${sessionId}/stop`, {
 				method: "POST",
-				headers: buildProxyHeaders(),
+				headers: await buildProxyHeaders(),
 				body: JSON.stringify({}),
 			});
 		} catch (err) {
@@ -516,7 +520,7 @@ export class ChatSessionManager extends EventEmitter {
 
 	async deleteSession({ sessionId }: { sessionId: string }): Promise<void> {
 		console.log(`[chat/session] Deleting session ${sessionId}`);
-		const headers = buildProxyHeaders();
+		const headers = await buildProxyHeaders();
 
 		const controller = this.runningAgents.get(sessionId);
 		if (controller) {

apps/desktop/src/main/env.main.ts

@@ -20,7 +20,6 @@ export const env = createEnv({
 		NEXT_PUBLIC_POSTHOG_HOST: z.string().default("https://us.i.posthog.com"),
 		SENTRY_DSN_DESKTOP: z.string().optional(),
 		STREAMS_URL: z.url(),
-		STREAMS_SECRET: z.string().min(1),
 	},
 
 	runtimeEnv: {
@@ -34,7 +33,6 @@ export const env = createEnv({
 		NEXT_PUBLIC_POSTHOG_HOST: process.env.NEXT_PUBLIC_POSTHOG_HOST,
 		SENTRY_DSN_DESKTOP: process.env.SENTRY_DSN_DESKTOP,
 		STREAMS_URL: process.env.STREAMS_URL,
-		STREAMS_SECRET: process.env.STREAMS_SECRET,
 	},
 	emptyStringAsUndefined: true,
 	// Only allow skipping validation in development (never in production)

apps/streams/Dockerfile

@@ -7,11 +7,13 @@ WORKDIR /app
 # Install dependencies (workspace root)
 COPY package.json bun.lock ./
 COPY tooling/typescript/package.json tooling/typescript/
+COPY packages/db/package.json packages/db/
 COPY apps/streams/package.json apps/streams/
 RUN bun install --frozen-lockfile
 
 # Copy source
 COPY tooling/typescript tooling/typescript
+COPY packages/db packages/db
 COPY apps/streams apps/streams
 
 # Build
@@ -28,10 +30,12 @@ ENV NODE_ENV=production
 # Install production dependencies (workspace root)
 COPY package.json bun.lock ./
 COPY tooling/typescript/package.json tooling/typescript/
+COPY packages/db/package.json packages/db/
 COPY apps/streams/package.json apps/streams/
 RUN bun install --frozen-lockfile --production
 
-# Copy built files
+# Copy built files and db package (needed at runtime for schema)
+COPY --from=builder /app/packages/db ./packages/db
 COPY --from=builder /app/apps/streams/dist ./apps/streams/dist
 
 WORKDIR /app/apps/streams

apps/streams/package.json

@@ -16,10 +16,12 @@
 		"@durable-streams/client": "^0.2.1",
 		"@durable-streams/server": "^0.2.0",
 		"@hono/node-server": "^1.13.0",
+		"@superset/db": "workspace:*",
 		"@superset/durable-session": "workspace:*",
 		"@t3-oss/env-core": "^0.13.8",
 		"@tanstack/ai": "^0.3.0",
 		"@tanstack/db": "0.5.25",
+		"drizzle-orm": "0.45.1",
 		"hono": "^4.4.0",
 		"zod": "^4.3.5"
 	},

apps/streams/src/env.ts

@@ -7,7 +7,7 @@ export const env = createEnv({
 		STREAMS_INTERNAL_PORT: z.coerce.number(),
 		STREAMS_INTERNAL_URL: z.string().url(),
 		STREAMS_DATA_DIR: z.string().min(1),
-		STREAMS_SECRET: z.string().min(1),
+		DATABASE_URL: z.string().url(),
 	},
 	clientPrefix: "PUBLIC_",
 	client: {},

apps/streams/src/index.ts

@@ -40,7 +40,6 @@ const { app } = createServer({
 	baseUrl: env.STREAMS_INTERNAL_URL,
 	cors: true,
 	logging: true,
-	authToken: env.STREAMS_SECRET,
 });
 
 const proxyServer = serve(

apps/streams/src/server.ts

@@ -1,3 +1,6 @@
+import { db } from "@superset/db";
+import { sessions } from "@superset/db/schema/auth";
+import { and, eq, gt } from "drizzle-orm";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { logger } from "hono/logger";
@@ -16,15 +19,20 @@ import {
 } from "./routes";
 import type { AIDBProtocolOptions } from "./types";
 
+type SessionEnv = {
+	Variables: {
+		userId: string;
+	};
+};
+
 export interface AIDBProxyServerOptions extends AIDBProtocolOptions {
 	cors?: boolean;
 	logging?: boolean;
 	corsOrigins?: string | string[];
-	authToken?: string;
 }
 
 export function createServer(options: AIDBProxyServerOptions) {
-	const app = new Hono();
+	const app = new Hono<SessionEnv>();
 
 	const protocol = new AIDBSessionProtocol({
 		baseUrl: options.baseUrl,
@@ -56,16 +64,26 @@ export function createServer(options: AIDBProxyServerOptions) {
 	app.route("/health", createHealthRoutes());
 
 	// No auth on health; Bearer token required on /v1/*
-	if (options.authToken) {
-		const expectedHeader = `Bearer ${options.authToken}`;
-		app.use("/v1/*", async (c, next) => {
-			const authorization = c.req.header("Authorization");
-			if (authorization !== expectedHeader) {
-				return c.json({ error: "Unauthorized" }, 401);
-			}
-			return next();
-		});
-	}
+	app.use("/v1/*", async (c, next) => {
+		const authorization = c.req.header("Authorization");
+		if (!authorization?.startsWith("Bearer ")) {
+			return c.json({ error: "Unauthorized" }, 401);
+		}
+
+		const token = authorization.slice(7);
+		const [session] = await db
+			.select({ userId: sessions.userId })
+			.from(sessions)
+			.where(and(eq(sessions.token, token), gt(sessions.expiresAt, new Date())))
+			.limit(1);
+
+		if (!session) {
+			return c.json({ error: "Unauthorized" }, 401);
+		}
+
+		c.set("userId", session.userId);
+		return next();
+	});
 
 	const v1 = new Hono();
 	v1.route("/sessions", createSessionRoutes(protocol));