Jackson57279 · Jackson57279 · Aug 7, 2025 · Aug 7, 2025 · Aug 7, 2025 · Aug 7, 2025
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
@@ -47,7 +47,9 @@
       "Bash(vercel:*)",
       "WebFetch(domain:console.groq.com)",
       "Bash(ls:*)",
-      "Bash(sed:*)"
+      "Bash(sed:*)",
+      "Bash(echo $CLERK_JWT_ISSUER_DOMAIN)",
+      "Bash(curl:*)"
     ],
     "deny": []
   }

diff --git a/convex/rateLimit.ts b/convex/rateLimit.ts
@@ -38,6 +38,11 @@ export async function checkRateLimit(
     throw new Error("Authentication required for rate limiting");
   }
 
+  // Periodically clean up expired entries to prevent memory leaks
+  if (Math.random() < 0.01) { // 1% chance to cleanup on each call
+    cleanupExpiredRateLimits();
+  }
+
   const config = RATE_LIMITS[operation];
   const key = `${identity.subject}:${operation}`;
   const now = Date.now();
@@ -95,9 +100,9 @@ export async function enforceRateLimit(
 }
 
 /**
- * Clean up expired rate limit entries (should be called periodically)
+ * Clean up expired rate limit entries (called during rate limit checks)
  */
-export function cleanupExpiredRateLimits(): void {
+function cleanupExpiredRateLimits(): void {
   const now = Date.now();
   for (const [key, entry] of rateLimitStore.entries()) {
     if (now > entry.resetTime) {
@@ -106,9 +111,6 @@ export function cleanupExpiredRateLimits(): void {
   }
 }
 
-// Clean up expired entries every 5 minutes
-setInterval(cleanupExpiredRateLimits, 5 * 60 * 1000);
-
 /**
  * Get current rate limit status for a user and operation
  */

diff --git a/src/App.tsx b/src/App.tsx
@@ -16,14 +16,16 @@ import PrivacyPolicy from "./pages/PrivacyPolicy";
 import Chat from "./pages/Chat";
 import AuthGuard from "./components/AuthGuard";
 import UserSync from "./components/UserSync";
+import { AuthWrapper } from "./components/AuthWrapper";
 import E2BDemo from "./pages/E2BDemo";
 
 const queryClient = new QueryClient();
 
 const App = () => (
   <ConvexProviderWithClerk client={convex} useAuth={useAuth}>
     <UserSync>
-      <trpc.Provider client={trpcClient} queryClient={queryClient}>
+      <AuthWrapper>
+        <trpc.Provider client={trpcClient} queryClient={queryClient}>
         <QueryClientProvider client={queryClient}>
           <TooltipProvider>
             <div className="min-h-screen bg-background">
@@ -56,7 +58,8 @@ const App = () => (
             </div>
           </TooltipProvider>
         </QueryClientProvider>
-      </trpc.Provider>
+        </trpc.Provider>
+      </AuthWrapper>
     </UserSync>
   </ConvexProviderWithClerk>
 );

diff --git a/src/components/AuthProvider.tsx b/src/components/AuthProvider.tsx
@@ -0,0 +1,94 @@
+import React, { createContext, useContext, useEffect, useState, useCallback } from 'react';
+import { useAuth as useClerkAuth, useUser } from '@clerk/clerk-react';
+import { AuthCookies } from '@/lib/auth-cookies';
+
+interface AuthContextType {
+  isAuthenticated: boolean;
+  isLoading: boolean;
+  user: unknown;
+  token: string | null;
+  refreshAuth: () => Promise<void>;
+}
+
+const AuthContext = createContext<AuthContextType | undefined>(undefined);
+
+export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children }) => {
+  const { getToken, isSignedIn, isLoaded } = useClerkAuth();
+  const { user } = useUser();
+  const [token, setToken] = useState<string | null>(null);
+  const [isLoading, setIsLoading] = useState(true);
+
+  const refreshAuth = useCallback(async () => {
+    setIsLoading(true);
+    try {
+      if (isSignedIn && isLoaded) {
+        const newToken = await getToken();
+        if (newToken) {
+          setToken(newToken);
+          AuthCookies.set(newToken);
+        }
+      } else {
+        setToken(null);
+        AuthCookies.remove();
+      }
+    } catch (error) {
+      console.error('Failed to refresh auth token:', error);
+      // Try to use cached token if available
+      const cachedToken = AuthCookies.get();
+      if (cachedToken && AuthCookies.isValid()) {
+        setToken(cachedToken);
+      } else {
+        setToken(null);
+        AuthCookies.remove();
+      }
+    } finally {
+      setIsLoading(false);
+    }
+  }, [isSignedIn, isLoaded, getToken]);
+
+  useEffect(() => {
+    refreshAuth();
+  }, [isSignedIn, isLoaded, user?.id, refreshAuth]);
+
+  // Periodic token refresh to prevent expiration
+  useEffect(() => {
+    if (isSignedIn) {
+      const interval = setInterval(() => {
+        refreshAuth();
+      }, 4 * 60 * 1000); // Refresh every 4 minutes
+
+      return () => clearInterval(interval);
+    }
+  }, [isSignedIn, refreshAuth]);
+
+  // Initialize token from cookie on app start
+  useEffect(() => {
+    const cachedToken = AuthCookies.get();
+    if (cachedToken && AuthCookies.isValid() && !token) {
+      setToken(cachedToken);
+    }
+    setIsLoading(false);
+  }, [token]);
+
+  const value: AuthContextType = {
+    isAuthenticated: isLoaded && isSignedIn && !!token,
+    isLoading: !isLoaded || isLoading,
+    user,
+    token,
+    refreshAuth,
+  };
+
+  return (
+    <AuthContext.Provider value={value}>
+      {children}
+    </AuthContext.Provider>
+  );
+};
+
+export const useAuthContext = () => {
+  const context = useContext(AuthContext);
+  if (context === undefined) {
+    throw new Error('useAuthContext must be used within an AuthProvider');
+  }
+  return context;
+};
diff --git a/src/components/AuthWrapper.tsx b/src/components/AuthWrapper.tsx
@@ -0,0 +1,57 @@
+import React, { useEffect } from 'react';
+import { useConvexAuth } from 'convex/react';
+import { useAuth as useClerkAuth } from '@clerk/clerk-react';
+import { AuthCookies, useAuthCookies } from '@/lib/auth-cookies';
+
+interface AuthWrapperProps {
+  children: React.ReactNode;
+}
+
+export const AuthWrapper: React.FC<AuthWrapperProps> = ({ children }) => {
+  const convexAuth = useConvexAuth();
+  const clerkAuth = useClerkAuth();
+  const { getStoredToken, clearToken } = useAuthCookies();
+
+  useEffect(() => {
+    // Handle authentication recovery on page load/refresh
+    const handleAuthRecovery = async () => {
+      // If Convex shows not authenticated but we have a valid cookie token
+      if (!convexAuth.isAuthenticated && !convexAuth.isLoading) {
+        const storedToken = getStoredToken();
+
+        if (storedToken && AuthCookies.isValid()) {
+          // Try to refresh Clerk session if needed
+          try {
+            if (clerkAuth.isSignedIn) {
+              const freshToken = await clerkAuth.getToken({ skipCache: true });
+              if (freshToken) {
+                AuthCookies.set(freshToken);
+                // Let Convex naturally re-authenticate without forcing reload
+                console.log('Auth token refreshed, waiting for Convex sync');
+              }
+            }
+          } catch (error) {
+            console.warn('Auth recovery failed:', error);
+            clearToken();
+          }
+        } else if (storedToken) {
+          // Remove invalid token
+          clearToken();
+        }
+      }
+    };
+
+    // Run recovery after initial auth check
+    const timeout = setTimeout(handleAuthRecovery, 1000);
+    return () => clearTimeout(timeout);
+  }, [convexAuth.isAuthenticated, convexAuth.isLoading, clerkAuth.isSignedIn, getStoredToken, clearToken, clerkAuth]);
+
+  // Handle sign out cleanup
+  useEffect(() => {
+    if (!clerkAuth.isSignedIn && clerkAuth.isLoaded) {
+      clearToken();
+    }
+  }, [clerkAuth.isSignedIn, clerkAuth.isLoaded, clearToken]);
+
+  return <>{children}</>;
+};
diff --git a/src/components/UserSync.tsx b/src/components/UserSync.tsx
@@ -1,14 +1,34 @@
 import { useEffect } from 'react';
 import { useConvexAuth } from 'convex/react';
-import { useUser } from '@clerk/clerk-react';
+import { useUser, useAuth as useClerkAuth } from '@clerk/clerk-react';
 import { useMutation } from 'convex/react';
 import { api } from '../../convex/_generated/api';
+import { AuthCookies } from '@/lib/auth-cookies';
 
 export default function UserSync({ children }: { children: React.ReactNode }) {
   const { isAuthenticated, isLoading } = useConvexAuth();
   const { user: clerkUser } = useUser();
+  const { getToken, isSignedIn } = useClerkAuth();
   const upsertUser = useMutation(api.users.upsertUser);
 
+  // Store auth token in cookies when user signs in
+  useEffect(() => {
+    const storeAuthToken = async () => {
+      if (isSignedIn && clerkUser) {
+        try {
+          const token = await getToken();
+          if (token) {
+            AuthCookies.set(token);
+          }
+        } catch (error) {
+          console.error('Failed to store auth token:', error);
+        }
+      }
+    };
+
+    storeAuthToken();
+  }, [isSignedIn, clerkUser?.id, getToken, clerkUser]);
+
   useEffect(() => {
     if (isAuthenticated && !isLoading && clerkUser) {
       // Validate required user data

diff --git a/src/lib/auth-cookies.ts b/src/lib/auth-cookies.ts
@@ -0,0 +1,83 @@
+import { useAuth as useClerkAuth } from '@clerk/clerk-react';
+import { useEffect } from 'react';
+
+// Cookie utilities for auth token management
+export const AuthCookies = {
+  TOKEN_KEY: 'clerk_session_token',
+
+  set(token: string, expiresInDays = 7) {
+    const expires = new Date();
+    expires.setTime(expires.getTime() + (expiresInDays * 24 * 60 * 60 * 1000));
+    document.cookie = `${this.TOKEN_KEY}=${token}; expires=${expires.toUTCString()}; path=/; secure; samesite=strict`;
+  },
+
+  get(): string | null {
+    const cookies = document.cookie.split(';');
+    for (const cookie of cookies) {
+      const [name, value] = cookie.trim().split('=');
+      if (name === this.TOKEN_KEY) {
+        return decodeURIComponent(value);
+      }
+    }
+    return null;
+  },
+
+  remove() {
+    document.cookie = `${this.TOKEN_KEY}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;`;
+  },
+
+  isValid(): boolean {
+    const token = this.get();
+    if (!token) return false;
+
+    try {
+      // Basic JWT validation - check if it's properly formatted
+      const parts = token.split('.');
+      if (parts.length !== 3) return false;
+
+      // Decode payload to check expiration
+      const payload = JSON.parse(atob(parts[1]));
+      const now = Math.floor(Date.now() / 1000);
+
+      return payload.exp > now;
+    } catch (error) {
+      console.warn('Invalid token format:', error);
+      return false;
+    }
+  }
+};
+
+// Hook to manage auth cookies automatically
+export const useAuthCookies = () => {
+  const { getToken, isSignedIn } = useClerkAuth();
+
+  useEffect(() => {
+    const syncToken = async () => {
+      if (isSignedIn) {
+        try {
+          const token = await getToken();
+          if (token) {
+            AuthCookies.set(token);
+          }
+        } catch (error) {
+          console.error('Failed to get or set auth token:', error);
+        }
+      } else {
+        AuthCookies.remove();
+      }
+    };
+
+    syncToken();
+
+    // Set up periodic token refresh
+    const interval = setInterval(syncToken, 5 * 60 * 1000); // Every 5 minutes
+
+    return () => clearInterval(interval);
+  }, [isSignedIn, getToken]);
+
+  return {
+    getStoredToken: () => AuthCookies.get(),
+    isTokenValid: () => AuthCookies.isValid(),
+    clearToken: () => AuthCookies.remove()
+  };
+};