huggingface
diff --git a/‎src/hooks.server.ts‎
Lines changed: 173 additions & 162 deletions b/‎src/hooks.server.ts‎
Lines changed: 173 additions & 162 deletions
@@ -20,7 +20,7 @@ import { adminTokenManager } from "$lib/server/adminToken";
 import { isHostLocalhost } from "$lib/server/isURLLocal";
 import { MetricsServer } from "$lib/server/metrics";
 import { loadMcpServersOnStartup } from "$lib/server/mcp/registry";
-import { runWithRequestContext } from "$lib/server/requestContext";
+import { runWithRequestContext, updateRequestContext } from "$lib/server/requestContext";
 
 export const init: ServerInit = async () => {
 	// Wait for config to be fully loaded
@@ -105,196 +105,207 @@ export const handle: Handle = async ({ event, resolve }) => {
 	const requestId = crypto.randomUUID();
 
 	// Run the entire request handling within the request context
-	return runWithRequestContext(async () => {
-		await ready.then(() => {
-			config.checkForUpdates();
-		});
-
-		logger.debug({
-			locals: event.locals,
-			url: event.url.pathname,
-			params: event.params,
-			request: event.request,
-		});
-
-		function errorResponse(status: number, message: string) {
-			const sendJson =
-				event.request.headers.get("accept")?.includes("application/json") ||
-				event.request.headers.get("content-type")?.includes("application/json");
-			return new Response(sendJson ? JSON.stringify({ error: message }) : message, {
-				status,
-				headers: {
-					"content-type": sendJson ? "application/json" : "text/plain",
-				},
+	return runWithRequestContext(
+		async () => {
+			await ready.then(() => {
+				config.checkForUpdates();
 			});
-		}
 
-		if (event.url.pathname.startsWith(`${base}/admin/`) || event.url.pathname === `${base}/admin`) {
-			const ADMIN_SECRET = config.ADMIN_API_SECRET || config.PARQUET_EXPORT_SECRET;
-
-			if (!ADMIN_SECRET) {
-				return errorResponse(500, "Admin API is not configured");
-			}
+			logger.debug({
+				locals: event.locals,
+				url: event.url.pathname,
+				params: event.params,
+				request: event.request,
+			});
 
-			if (event.request.headers.get("Authorization") !== `Bearer ${ADMIN_SECRET}`) {
-				return errorResponse(401, "Unauthorized");
+			function errorResponse(status: number, message: string) {
+				const sendJson =
+					event.request.headers.get("accept")?.includes("application/json") ||
+					event.request.headers.get("content-type")?.includes("application/json");
+				return new Response(sendJson ? JSON.stringify({ error: message }) : message, {
+					status,
+					headers: {
+						"content-type": sendJson ? "application/json" : "text/plain",
+					},
+				});
 			}
-		}
-
-		const auth = await authenticateRequest(
-			{ type: "svelte", value: event.request.headers },
-			{ type: "svelte", value: event.cookies },
-			event.url
-		);
 
-		event.locals.sessionId = auth.sessionId;
+			if (
+				event.url.pathname.startsWith(`${base}/admin/`) ||
+				event.url.pathname === `${base}/admin`
+			) {
+				const ADMIN_SECRET = config.ADMIN_API_SECRET || config.PARQUET_EXPORT_SECRET;
 
-		if (loginEnabled && !auth.user && !event.url.pathname.startsWith(`${base}/.well-known/`)) {
-			if (config.AUTOMATIC_LOGIN === "true") {
-				// AUTOMATIC_LOGIN: always redirect to OAuth flow (unless already on login or healthcheck pages)
-				if (
-					!event.url.pathname.startsWith(`${base}/login`) &&
-					!event.url.pathname.startsWith(`${base}/healthcheck`)
-				) {
-					// To get the same CSRF token after callback
-					refreshSessionCookie(event.cookies, auth.secretSessionId);
-					return await triggerOauthFlow(event);
+				if (!ADMIN_SECRET) {
+					return errorResponse(500, "Admin API is not configured");
 				}
-			} else {
-				// Redirect to OAuth flow unless on the authorized pages (home, shared conversation, login, healthcheck, model thumbnails)
-				if (
-					event.url.pathname !== `${base}/` &&
-					event.url.pathname !== `${base}` &&
-					!event.url.pathname.startsWith(`${base}/login`) &&
-					!event.url.pathname.startsWith(`${base}/login/callback`) &&
-					!event.url.pathname.startsWith(`${base}/healthcheck`) &&
-					!event.url.pathname.startsWith(`${base}/r/`) &&
-					!event.url.pathname.startsWith(`${base}/conversation/`) &&
-					!event.url.pathname.startsWith(`${base}/models/`) &&
-					!event.url.pathname.startsWith(`${base}/api`)
-				) {
-					refreshSessionCookie(event.cookies, auth.secretSessionId);
-					return triggerOauthFlow(event);
+
+				if (event.request.headers.get("Authorization") !== `Bearer ${ADMIN_SECRET}`) {
+					return errorResponse(401, "Unauthorized");
 				}
 			}
-		}
-
-		event.locals.user = auth.user || undefined;
-		event.locals.token = auth.token;
 
-		event.locals.isAdmin =
-			event.locals.user?.isAdmin || adminTokenManager.isAdmin(event.locals.sessionId);
-
-		// CSRF protection
-		const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
-		/** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */
-		const nativeFormContentTypes = [
-			"multipart/form-data",
-			"application/x-www-form-urlencoded",
-			"text/plain",
-		];
-
-		if (event.request.method === "POST") {
-			if (nativeFormContentTypes.includes(requestContentType)) {
-				const origin = event.request.headers.get("origin");
+			const auth = await authenticateRequest(
+				{ type: "svelte", value: event.request.headers },
+				{ type: "svelte", value: event.cookies },
+				event.url
+			);
 
-				if (!origin) {
-					return errorResponse(403, "Non-JSON form requests need to have an origin");
+			event.locals.sessionId = auth.sessionId;
+
+			if (loginEnabled && !auth.user && !event.url.pathname.startsWith(`${base}/.well-known/`)) {
+				if (config.AUTOMATIC_LOGIN === "true") {
+					// AUTOMATIC_LOGIN: always redirect to OAuth flow (unless already on login or healthcheck pages)
+					if (
+						!event.url.pathname.startsWith(`${base}/login`) &&
+						!event.url.pathname.startsWith(`${base}/healthcheck`)
+					) {
+						// To get the same CSRF token after callback
+						refreshSessionCookie(event.cookies, auth.secretSessionId);
+						return await triggerOauthFlow(event);
+					}
+				} else {
+					// Redirect to OAuth flow unless on the authorized pages (home, shared conversation, login, healthcheck, model thumbnails)
+					if (
+						event.url.pathname !== `${base}/` &&
+						event.url.pathname !== `${base}` &&
+						!event.url.pathname.startsWith(`${base}/login`) &&
+						!event.url.pathname.startsWith(`${base}/login/callback`) &&
+						!event.url.pathname.startsWith(`${base}/healthcheck`) &&
+						!event.url.pathname.startsWith(`${base}/r/`) &&
+						!event.url.pathname.startsWith(`${base}/conversation/`) &&
+						!event.url.pathname.startsWith(`${base}/models/`) &&
+						!event.url.pathname.startsWith(`${base}/api`)
+					) {
+						refreshSessionCookie(event.cookies, auth.secretSessionId);
+						return triggerOauthFlow(event);
+					}
 				}
+			}
+
+			event.locals.user = auth.user || undefined;
+			event.locals.token = auth.token;
 
-				const validOrigins = [
-					new URL(event.request.url).host,
-					...(config.PUBLIC_ORIGIN ? [new URL(config.PUBLIC_ORIGIN).host] : []),
-				];
+			// Update request context with user after authentication
+			if (auth.user?.username) {
+				updateRequestContext({ user: auth.user.username });
+			}
 
-				if (!validOrigins.includes(new URL(origin).host)) {
-					return errorResponse(403, "Invalid referer for POST request");
+			event.locals.isAdmin =
+				event.locals.user?.isAdmin || adminTokenManager.isAdmin(event.locals.sessionId);
+
+			// CSRF protection
+			const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
+			/** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */
+			const nativeFormContentTypes = [
+				"multipart/form-data",
+				"application/x-www-form-urlencoded",
+				"text/plain",
+			];
+
+			if (event.request.method === "POST") {
+				if (nativeFormContentTypes.includes(requestContentType)) {
+					const origin = event.request.headers.get("origin");
+
+					if (!origin) {
+						return errorResponse(403, "Non-JSON form requests need to have an origin");
+					}
+
+					const validOrigins = [
+						new URL(event.request.url).host,
+						...(config.PUBLIC_ORIGIN ? [new URL(config.PUBLIC_ORIGIN).host] : []),
+					];
+
+					if (!validOrigins.includes(new URL(origin).host)) {
+						return errorResponse(403, "Invalid referer for POST request");
+					}
 				}
 			}
-		}
 
-		if (
-			event.request.method === "POST" ||
-			event.url.pathname.startsWith(`${base}/login`) ||
-			event.url.pathname.startsWith(`${base}/login/callback`)
-		) {
-			// if the request is a POST request or login-related we refresh the cookie
-			refreshSessionCookie(event.cookies, auth.secretSessionId);
-
-			await collections.sessions.updateOne(
-				{ sessionId: auth.sessionId },
-				{ $set: { updatedAt: new Date(), expiresAt: addWeeks(new Date(), 2) } }
-			);
-		}
+			if (
+				event.request.method === "POST" ||
+				event.url.pathname.startsWith(`${base}/login`) ||
+				event.url.pathname.startsWith(`${base}/login/callback`)
+			) {
+				// if the request is a POST request or login-related we refresh the cookie
+				refreshSessionCookie(event.cookies, auth.secretSessionId);
 
-		if (
-			loginEnabled &&
-			!event.locals.user &&
-			!event.url.pathname.startsWith(`${base}/login`) &&
-			!event.url.pathname.startsWith(`${base}/admin`) &&
-			!event.url.pathname.startsWith(`${base}/settings`) &&
-			!["GET", "OPTIONS", "HEAD"].includes(event.request.method)
-		) {
-			return errorResponse(401, ERROR_MESSAGES.authOnly);
-		}
+				await collections.sessions.updateOne(
+					{ sessionId: auth.sessionId },
+					{ $set: { updatedAt: new Date(), expiresAt: addWeeks(new Date(), 2) } }
+				);
+			}
 
-		let replaced = false;
+			if (
+				loginEnabled &&
+				!event.locals.user &&
+				!event.url.pathname.startsWith(`${base}/login`) &&
+				!event.url.pathname.startsWith(`${base}/admin`) &&
+				!event.url.pathname.startsWith(`${base}/settings`) &&
+				!["GET", "OPTIONS", "HEAD"].includes(event.request.method)
+			) {
+				return errorResponse(401, ERROR_MESSAGES.authOnly);
+			}
 
-		const response = await resolve(event, {
-			transformPageChunk: (chunk) => {
-				// For some reason, Sveltekit doesn't let us load env variables from .env in the app.html template
-				if (replaced || !chunk.html.includes("%gaId%")) {
-					return chunk.html;
-				}
-				replaced = true;
-
-				return chunk.html.replace("%gaId%", config.PUBLIC_GOOGLE_ANALYTICS_ID);
-			},
-			filterSerializedResponseHeaders: (header) => {
-				return header.includes("content-type");
-			},
-		});
-
-		// Add CSP header to disallow framing if ALLOW_IFRAME is not "true"
-		if (config.ALLOW_IFRAME !== "true") {
-			response.headers.append("Content-Security-Policy", "frame-ancestors 'none';");
-		}
+			let replaced = false;
 
-		if (
-			event.url.pathname.startsWith(`${base}/login/callback`) ||
-			event.url.pathname.startsWith(`${base}/login`)
-		) {
-			response.headers.append("Cache-Control", "no-store");
-		}
+			const response = await resolve(event, {
+				transformPageChunk: (chunk) => {
+					// For some reason, Sveltekit doesn't let us load env variables from .env in the app.html template
+					if (replaced || !chunk.html.includes("%gaId%")) {
+						return chunk.html;
+					}
+					replaced = true;
 
-		if (event.url.pathname.startsWith(`${base}/api/`)) {
-			// get origin from the request
-			const requestOrigin = event.request.headers.get("origin");
+					return chunk.html.replace("%gaId%", config.PUBLIC_GOOGLE_ANALYTICS_ID);
+				},
+				filterSerializedResponseHeaders: (header) => {
+					return header.includes("content-type");
+				},
+			});
 
-			// get origin from the config if its defined
-			let allowedOrigin = config.PUBLIC_ORIGIN ? new URL(config.PUBLIC_ORIGIN).origin : undefined;
+			// Add CSP header to disallow framing if ALLOW_IFRAME is not "true"
+			if (config.ALLOW_IFRAME !== "true") {
+				response.headers.append("Content-Security-Policy", "frame-ancestors 'none';");
+			}
 
 			if (
-				dev || // if we're in dev mode
-				!requestOrigin || // or the origin is null (SSR)
-				isHostLocalhost(new URL(requestOrigin).hostname) // or the origin is localhost
+				event.url.pathname.startsWith(`${base}/login/callback`) ||
+				event.url.pathname.startsWith(`${base}/login`)
 			) {
-				allowedOrigin = "*"; // allow all origins
-			} else if (allowedOrigin === requestOrigin) {
-				allowedOrigin = requestOrigin; // echo back the caller
+				response.headers.append("Cache-Control", "no-store");
 			}
 
-			if (allowedOrigin) {
-				response.headers.set("Access-Control-Allow-Origin", allowedOrigin);
-				response.headers.set(
-					"Access-Control-Allow-Methods",
-					"GET, POST, PUT, PATCH, DELETE, OPTIONS"
-				);
-				response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
+			if (event.url.pathname.startsWith(`${base}/api/`)) {
+				// get origin from the request
+				const requestOrigin = event.request.headers.get("origin");
+
+				// get origin from the config if its defined
+				let allowedOrigin = config.PUBLIC_ORIGIN ? new URL(config.PUBLIC_ORIGIN).origin : undefined;
+
+				if (
+					dev || // if we're in dev mode
+					!requestOrigin || // or the origin is null (SSR)
+					isHostLocalhost(new URL(requestOrigin).hostname) // or the origin is localhost
+				) {
+					allowedOrigin = "*"; // allow all origins
+				} else if (allowedOrigin === requestOrigin) {
+					allowedOrigin = requestOrigin; // echo back the caller
+				}
+
+				if (allowedOrigin) {
+					response.headers.set("Access-Control-Allow-Origin", allowedOrigin);
+					response.headers.set(
+						"Access-Control-Allow-Methods",
+						"GET, POST, PUT, PATCH, DELETE, OPTIONS"
+					);
+					response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
+				}
 			}
-		}
-		return response;
-	}, requestId);
+			return response;
+		},
+		{ requestId, url: event.url.pathname, ip: event.getClientAddress() }
+	);
 };
 
 export const handleFetch: HandleFetch = async ({ event, request, fetch }) => {