superset-sh · saddlepaddle · Dec 14, 2025 · Dec 14, 2025 · Dec 14, 2025 · Dec 14, 2025
diff --git a/.env.example b/.env.example
@@ -26,3 +26,4 @@ BLOB_READ_WRITE_TOKEN=your_blob_token_here
 
 # Desktop App
 VITE_DEV_SERVER_PORT=4927
+DESKTOP_AUTH_SECRET=your_desktop_auth_secret_here_min_32_chars
diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
@@ -124,6 +124,7 @@ jobs:
           CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}
           CLERK_WEBHOOK_SECRET: ${{ secrets.CLERK_WEBHOOK_SECRET }}
           NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+          DESKTOP_AUTH_SECRET: ${{ secrets.DESKTOP_AUTH_SECRET }}
         run: |
           vercel pull --yes --environment=preview --token=$VERCEL_TOKEN
           vercel build --token=$VERCEL_TOKEN
@@ -135,7 +136,8 @@ jobs:
             --env BLOB_READ_WRITE_TOKEN=$BLOB_READ_WRITE_TOKEN \
             --env NEXT_PUBLIC_WEB_URL=$NEXT_PUBLIC_WEB_URL \
             --env NEXT_PUBLIC_ADMIN_URL=$NEXT_PUBLIC_ADMIN_URL \
-            --env NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY)
+            --env NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
+            --env DESKTOP_AUTH_SECRET=$DESKTOP_AUTH_SECRET)
           vercel alias $VERCEL_URL ${{ env.API_ALIAS }} --scope=$VERCEL_ORG_ID --token=$VERCEL_TOKEN
           echo "vercel_url=$VERCEL_URL" >> $GITHUB_OUTPUT
 
@@ -205,13 +207,15 @@ jobs:
           CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}
           NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
           NEXT_PUBLIC_COOKIE_DOMAIN: ${{ secrets.NEXT_PUBLIC_COOKIE_DOMAIN }}
+          DESKTOP_AUTH_SECRET: ${{ secrets.DESKTOP_AUTH_SECRET }}
         run: |
           vercel pull --yes --environment=preview --token=$VERCEL_TOKEN
           vercel build --token=$VERCEL_TOKEN
           VERCEL_URL=$(vercel deploy --prebuilt --token=$VERCEL_TOKEN \
             --env CLERK_SECRET_KEY=$CLERK_SECRET_KEY \
             --env DATABASE_URL=$DATABASE_URL \
-            --env DATABASE_URL_UNPOOLED=$DATABASE_URL_UNPOOLED)
+            --env DATABASE_URL_UNPOOLED=$DATABASE_URL_UNPOOLED \
+            --env DESKTOP_AUTH_SECRET=$DESKTOP_AUTH_SECRET)
           vercel alias $VERCEL_URL ${{ env.WEB_ALIAS }} --scope=$VERCEL_ORG_ID --token=$VERCEL_TOKEN
           echo "vercel_url=$VERCEL_URL" >> $GITHUB_OUTPUT
 

diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
@@ -76,6 +76,7 @@ jobs:
           CLERK_WEBHOOK_SECRET: ${{ secrets.CLERK_WEBHOOK_SECRET }}
           BLOB_READ_WRITE_TOKEN: ${{ secrets.BLOB_READ_WRITE_TOKEN }}
           NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+          DESKTOP_AUTH_SECRET: ${{ secrets.DESKTOP_AUTH_SECRET }}
         run: |
           vercel pull --yes --environment=production --token=$VERCEL_TOKEN
           vercel build --prod --token=$VERCEL_TOKEN
@@ -87,7 +88,8 @@ jobs:
             --env BLOB_READ_WRITE_TOKEN=$BLOB_READ_WRITE_TOKEN \
             --env NEXT_PUBLIC_WEB_URL=$NEXT_PUBLIC_WEB_URL \
             --env NEXT_PUBLIC_ADMIN_URL=$NEXT_PUBLIC_ADMIN_URL \
-            --env NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+            --env NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
+            --env DESKTOP_AUTH_SECRET=$DESKTOP_AUTH_SECRET
 
   deploy-web:
     name: Deploy Web to Vercel
@@ -129,13 +131,15 @@ jobs:
           CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}
           NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
           NEXT_PUBLIC_COOKIE_DOMAIN: ${{ secrets.NEXT_PUBLIC_COOKIE_DOMAIN }}
+          DESKTOP_AUTH_SECRET: ${{ secrets.DESKTOP_AUTH_SECRET }}
         run: |
           vercel pull --yes --environment=production --token=$VERCEL_TOKEN
           vercel build --prod --token=$VERCEL_TOKEN
           vercel deploy --prod --prebuilt --token=$VERCEL_TOKEN \
             --env CLERK_SECRET_KEY=$CLERK_SECRET_KEY \
             --env DATABASE_URL=$DATABASE_URL \
-            --env DATABASE_URL_UNPOOLED=$DATABASE_URL_UNPOOLED
+            --env DATABASE_URL_UNPOOLED=$DATABASE_URL_UNPOOLED \
+            --env DESKTOP_AUTH_SECRET=$DESKTOP_AUTH_SECRET
 
   deploy-marketing:
     name: Deploy Marketing to Vercel

diff --git a/apps/api/package.json b/apps/api/package.json
@@ -20,6 +20,7 @@
 		"@trpc/server": "^11.7.1",
 		"@vercel/blob": "^2.0.0",
 		"drizzle-orm": "0.45.1",
+		"jose": "^6.1.3",
 		"next": "^16.0.10",
 		"react": "^19.2.3",
 		"react-dom": "^19.2.3",

diff --git a/apps/api/src/app/api/auth/desktop/refresh/route.ts b/apps/api/src/app/api/auth/desktop/refresh/route.ts
@@ -0,0 +1,98 @@
+import { TOKEN_CONFIG } from "@superset/shared/constants";
+import { type JWTPayload, jwtVerify, SignJWT } from "jose";
+import { type NextRequest, NextResponse } from "next/server";
+
+import { env } from "@/env";
+
+/**
+ * Refresh token payload structure (minimal claims)
+ */
+interface RefreshTokenPayload extends JWTPayload {
+	userId: string;
+	type: "refresh";
+}
+
+/**
+ * Refresh endpoint for desktop auth
+ *
+ * POST /api/auth/desktop/refresh
+ * Body: { refresh_token: string }
+ *
+ * Exchanges a valid refresh token for new access + refresh tokens
+ */
+export async function POST(request: NextRequest) {
+	try {
+		const body = await request.json();
+		const { refresh_token } = body;
+
+		// Validate required parameters
+		if (!refresh_token || typeof refresh_token !== "string") {
+			return NextResponse.json(
+				{ error: "Missing or invalid refresh_token parameter" },
+				{ status: 400 },
+			);
+		}
+
+		// Verify and decode the refresh token
+		const secret = new TextEncoder().encode(env.DESKTOP_AUTH_SECRET);
+		let payload: RefreshTokenPayload;
+
+		try {
+			const result = await jwtVerify(refresh_token, secret);
+			payload = result.payload as RefreshTokenPayload;
+		} catch (verifyError) {
+			console.error("[refresh] Token verification failed:", verifyError);
+			return NextResponse.json(
+				{ error: "Invalid or expired refresh token" },
+				{ status: 401 },
+			);
+		}
+
+		// Verify this is a refresh token
+		if (payload.type !== "refresh") {
+			return NextResponse.json(
+				{ error: "Invalid token type" },
+				{ status: 400 },
+			);
+		}
+
+		// Create a new access token
+		const accessTokenExpiresAt =
+			Date.now() + TOKEN_CONFIG.ACCESS_TOKEN_EXPIRY * 1000;
+
+		const accessToken = await new SignJWT({
+			userId: payload.userId,
+			type: "access",
+		})
+			.setProtectedHeader({ alg: "HS256" })
+			.setIssuedAt()
+			.setExpirationTime(`${TOKEN_CONFIG.ACCESS_TOKEN_EXPIRY}s`)
+			.sign(secret);
+
+		// Create a new refresh token (rotation - old one becomes invalid)
+		const refreshTokenExpiresAt =
+			Date.now() + TOKEN_CONFIG.REFRESH_TOKEN_EXPIRY * 1000;
+
+		const newRefreshToken = await new SignJWT({
+			userId: payload.userId,
+			type: "refresh",
+		})
+			.setProtectedHeader({ alg: "HS256" })
+			.setIssuedAt()
+			.setExpirationTime(`${TOKEN_CONFIG.REFRESH_TOKEN_EXPIRY}s`)
+			.sign(secret);
+
+		return NextResponse.json({
+			access_token: accessToken,
+			access_token_expires_at: accessTokenExpiresAt,
+			refresh_token: newRefreshToken,
+			refresh_token_expires_at: refreshTokenExpiresAt,
+		});
+	} catch (error) {
+		console.error("[refresh] Token refresh failed:", error);
+		return NextResponse.json(
+			{ error: "Token refresh failed" },
+			{ status: 500 },
+		);
+	}
+}
diff --git a/apps/api/src/app/api/auth/desktop/token/route.ts b/apps/api/src/app/api/auth/desktop/token/route.ts
@@ -0,0 +1,145 @@
+import { createHash } from "node:crypto";
+import { TOKEN_CONFIG } from "@superset/shared/constants";
+import { type JWTPayload, jwtVerify, SignJWT } from "jose";
+import { type NextRequest, NextResponse } from "next/server";
+
+import { env } from "@/env";
+
+/**
+ * Auth code payload structure (minimal claims, no PII)
+ */
+interface AuthCodePayload extends JWTPayload {
+	userId: string;
+	codeChallenge: string;
+	type: "auth_code";
+}
+
+/**
+ * Create an access token (short-lived, for API calls)
+ * Only contains userId - user info is fetched via tRPC
+ */
+async function createAccessToken(
+	userId: string,
+	secret: Uint8Array,
+): Promise<{ token: string; expiresAt: number }> {
+	const expiresAt = Date.now() + TOKEN_CONFIG.ACCESS_TOKEN_EXPIRY * 1000;
+
+	const token = await new SignJWT({
+		userId,
+		type: "access",
+	})
+		.setProtectedHeader({ alg: "HS256" })
+		.setIssuedAt()
+		.setExpirationTime(`${TOKEN_CONFIG.ACCESS_TOKEN_EXPIRY}s`)
+		.sign(secret);
+
+	return { token, expiresAt };
+}
+
+/**
+ * Create a refresh token (long-lived, for getting new access tokens)
+ * Only contains userId - user info is fetched via tRPC
+ */
+async function createRefreshToken(
+	userId: string,
+	secret: Uint8Array,
+): Promise<{ token: string; expiresAt: number }> {
+	const expiresAt = Date.now() + TOKEN_CONFIG.REFRESH_TOKEN_EXPIRY * 1000;
+
+	const token = await new SignJWT({
+		userId,
+		type: "refresh",
+	})
+		.setProtectedHeader({ alg: "HS256" })
+		.setIssuedAt()
+		.setExpirationTime(`${TOKEN_CONFIG.REFRESH_TOKEN_EXPIRY}s`)
+		.sign(secret);
+
+	return { token, expiresAt };
+}
+
+/**
+ * Token exchange endpoint for desktop PKCE flow
+ *
+ * POST /api/auth/desktop/token
+ * Body: { code: string, code_verifier: string }
+ *
+ * Verifies PKCE challenge and exchanges auth code for access + refresh tokens.
+ * Does NOT return user info - desktop should call user.me via tRPC.
+ */
+export async function POST(request: NextRequest) {
+	try {
+		const body = await request.json();
+		const { code, code_verifier } = body;
+
+		// Validate required parameters
+		if (!code || typeof code !== "string") {
+			return NextResponse.json(
+				{ error: "Missing or invalid code parameter" },
+				{ status: 400 },
+			);
+		}
+
+		if (!code_verifier || typeof code_verifier !== "string") {
+			return NextResponse.json(
+				{ error: "Missing or invalid code_verifier parameter" },
+				{ status: 400 },
+			);
+		}
+
+		// Verify and decode the auth code
+		const secret = new TextEncoder().encode(env.DESKTOP_AUTH_SECRET);
+		let payload: AuthCodePayload;
+
+		try {
+			const result = await jwtVerify(code, secret);
+			payload = result.payload as AuthCodePayload;
+		} catch (verifyError) {
+			console.error("[token] Auth code verification failed:", verifyError);
+			return NextResponse.json(
+				{ error: "Invalid or expired auth code" },
+				{ status: 401 },
+			);
+		}
+
+		// Verify this is an auth code (not a session token)
+		if (payload.type !== "auth_code") {
+			return NextResponse.json(
+				{ error: "Invalid token type" },
+				{ status: 400 },
+			);
+		}
+
+		// Verify PKCE: SHA256(code_verifier) should equal code_challenge
+		const computedChallenge = createHash("sha256")
+			.update(code_verifier)
+			.digest("base64url");
+
+		if (computedChallenge !== payload.codeChallenge) {
+			console.error("[token] PKCE verification failed");
+			return NextResponse.json(
+				{ error: "PKCE verification failed" },
+				{ status: 401 },
+			);
+		}
+
+		// PKCE verified! Create access and refresh tokens
+		const [accessToken, refreshToken] = await Promise.all([
+			createAccessToken(payload.userId, secret),
+			createRefreshToken(payload.userId, secret),
+		]);
+
+		return NextResponse.json({
+			access_token: accessToken.token,
+			access_token_expires_at: accessToken.expiresAt,
+			refresh_token: refreshToken.token,
+			refresh_token_expires_at: refreshToken.expiresAt,
+		});
+	} catch (error) {
+		console.error("[token] Token exchange failed:", error);
+		return NextResponse.json(
+			{ error: "Token exchange failed" },
+			{ status: 500 },
+		);
+	}
+}
diff --git a/apps/api/src/env.ts b/apps/api/src/env.ts
@@ -8,6 +8,7 @@ export const env = createEnv({
 		CLERK_SECRET_KEY: z.string(),
 		CLERK_WEBHOOK_SECRET: z.string(),
 		BLOB_READ_WRITE_TOKEN: z.string(),
+		DESKTOP_AUTH_SECRET: z.string().min(32),
 	},
 	client: {
 		NEXT_PUBLIC_WEB_URL: z.string().url(),

diff --git a/apps/api/src/trpc/context.ts b/apps/api/src/trpc/context.ts
@@ -1,7 +1,39 @@
 import { auth } from "@clerk/nextjs/server";
 import { createTRPCContext } from "@superset/trpc";
 
-export const createContext = async () => {
-	const session = await auth();
-	return createTRPCContext({ session });
+import { verifyDesktopToken } from "./utils/verifyDesktopToken";
+
+/**
+ * Create tRPC context with support for both Clerk and desktop JWT auth
+ *
+ * Auth priority:
+ * 1. Clerk session (cookie or Clerk Bearer token)
+ * 2. Desktop JWT (Bearer token signed with DESKTOP_AUTH_SECRET)
+ */
+export const createContext = async ({
+	req,
+}: {
+	req: Request;
+	resHeaders: Headers;
+}) => {
+	// First, try Clerk auth (handles cookies and Clerk Bearer tokens)
+	const clerkAuth = await auth();
+
+	if (clerkAuth.userId) {
+		return createTRPCContext({ userId: clerkAuth.userId });
+	}
+
+	// No Clerk session, check for desktop JWT
+	const authHeader = req.headers.get("authorization");
+	if (authHeader?.startsWith("Bearer ")) {
+		const token = authHeader.slice(7);
+		const userId = await verifyDesktopToken(token);
+
+		if (userId) {
+			return createTRPCContext({ userId });
+		}
+	}
+
+	// No valid auth
+	return createTRPCContext({ userId: null });
 };
Original file line number	Diff line number	Diff line change
Expand Up		@@ -26,3 +26,4 @@ BLOB_READ_WRITE_TOKEN=your_blob_token_here

		# Desktop App
		VITE_DEV_SERVER_PORT=4927
		DESKTOP_AUTH_SECRET=your_desktop_auth_secret_here_min_32_chars