From 0ef8a0f2c9687ef4fa544e8ae52ee91e209b5b8d Mon Sep 17 00:00:00 2001 From: Anish Sarkar <104695310+AnishSarkar22@users.noreply.github.com> Date: Wed, 24 Jun 2026 03:55:40 +0530 Subject: [PATCH] fix(zero):refresh authenticated zero context --- .../app/dashboard/dashboard-shell.tsx | 5 +-- .../components/providers/ZeroProvider.tsx | 36 ++++++++++++------- surfsense_web/zero/queries/authz.ts | 4 +-- 3 files changed, 26 insertions(+), 19 deletions(-) diff --git a/surfsense_web/app/dashboard/dashboard-shell.tsx b/surfsense_web/app/dashboard/dashboard-shell.tsx index 1198996b7..fc7067ca2 100644 --- a/surfsense_web/app/dashboard/dashboard-shell.tsx +++ b/surfsense_web/app/dashboard/dashboard-shell.tsx @@ -4,7 +4,7 @@ import { useEffect, useState } from "react"; import { USER_QUERY_KEY } from "@/atoms/user/user-query.atoms"; import { useGlobalLoadingEffect } from "@/hooks/use-global-loading"; import { useSession } from "@/hooks/use-session"; -import { ensureTokensFromElectron, redirectToLogin } from "@/lib/auth-utils"; +import { redirectToLogin } from "@/lib/auth-utils"; import { queryClient } from "@/lib/query-client/client"; export function DashboardShell({ children }: { children: React.ReactNode }) { @@ -16,9 +16,6 @@ export function DashboardShell({ children }: { children: React.ReactNode }) { useEffect(() => { async function checkAuth() { - if (typeof window !== "undefined" && window.electronAPI) { - await ensureTokensFromElectron(); - } if (session.status === "loading") return; if (session.status === "unauthenticated") { redirectToLogin(); diff --git a/surfsense_web/components/providers/ZeroProvider.tsx b/surfsense_web/components/providers/ZeroProvider.tsx index 1a95c4f22..4511fe842 100644 --- a/surfsense_web/components/providers/ZeroProvider.tsx +++ b/surfsense_web/components/providers/ZeroProvider.tsx 
@@ -7,15 +7,11 @@ import { } from "@rocicorp/zero/react"; import { useAtomValue } from "jotai"; import { usePathname } from "next/navigation"; -import { useEffect, useMemo } from "react"; +import { useEffect, useMemo, useState } from "react"; import { currentUserAtom } from "@/atoms/user/user-query.atoms"; import { useSession } from "@/hooks/use-session"; -import { - getBearerToken, - handleUnauthorized, - isPublicRoute, - refreshAccessToken, -} from "@/lib/auth-utils"; +import { getDesktopAccessToken } from "@/lib/auth-fetch"; +import { handleUnauthorized, isPublicRoute, refreshSession } from "@/lib/auth-utils"; import { queries } from "@/zero/queries"; import { schema } from "@/zero/schema"; @@ -36,13 +32,18 @@ function ZeroAuthSync({ isDesktop }: { isDesktop: boolean }) { useEffect(() => { if (connectionState.name !== "needs-auth") return; - refreshAccessToken().then((newToken) => { - if (!newToken) { + refreshSession().then(async (refreshed) => { + if (!refreshed) { handleUnauthorized(); return; } if (isDesktop) { + const newToken = await getDesktopAccessToken(); + if (!newToken) { + handleUnauthorized(); + return; + } zero.connection.connect({ auth: newToken }); } else { zero.connection.connect(); @@ -95,9 +96,20 @@ function ZeroClientProvider({ isDesktop: boolean; }) { const cacheURL = useMemo(() => getCacheURL(), []); - const auth = isDesktop ? getBearerToken() || undefined : undefined; + const [desktopAuth, setDesktopAuth] = useState(undefined); const context = useMemo(() => ({ userId: userID }), [userID]); + useEffect(() => { + if (!isDesktop) return; + let isMounted = true; + getDesktopAccessToken().then((token) => { + if (isMounted) setDesktopAuth(token || undefined); + }); + return () => { + isMounted = false; + }; + }, [isDesktop]); + const opts = useMemo( () => ({ userID, 
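Review bot: Nothing in the visible part of the `needs-auth` effect in `ZeroAuthSync` handles a rejection from `refreshSession()` or from the newly awaited `getDesktopAccessToken()`, so a thrown error would leave the connection in `needs-auth` without ever reaching `handleUnauthorized()`. The effect body continues below the hunk; if the chain does not already end in a handler there, close it with `.catch(() => handleUnauthorized());` so a failed refresh fails closed. The effect also has no cancellation flag, unlike the `isMounted` guard this commit adds in `ZeroClientProvider`, so `zero.connection.connect({ auth: newToken })` can still run after the component has unmounted or the connection state has moved on. A one-line comment saying whether that late connect is acceptable would help the next reader.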
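Review bot: The effect that loads `desktopAuth` in `ZeroClientProvider` depends only on `isDesktop`, so the token held in state is not re-read when `userID` changes, and `opts` (completed in the next hunk) could then pair a new `userID` with the previous account's token until a `needs-auth` cycle replaces it. Whether the provider is remounted on account change is not visible here; if it is not, use `}, [isDesktop, userID]);` and reset the state at the top of the effect with `setDesktopAuth(undefined);`. On desktop the first render also passes `auth: undefined`, so the client presumably starts without a token and is reconfigured once the promise resolves; if that is intended, say so in a comment above the `useState` line. The `getDesktopAccessToken().then(...)` call has no `.catch`, so a rejected token read becomes an unhandled rejection; `.catch(() => { if (isMounted) setDesktopAuth(undefined); })` would make the failure explicit.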
@@ -105,9 +117,9 @@ function ZeroClientProvider({ queries, context, cacheURL, - auth, + auth: isDesktop ? desktopAuth : undefined, }), - [userID, context, cacheURL, auth] + [userID, context, cacheURL, isDesktop, desktopAuth] ); return ( diff --git a/surfsense_web/zero/queries/authz.ts b/surfsense_web/zero/queries/authz.ts index e57ce05a8..12182bcb4 100644 --- a/surfsense_web/zero/queries/authz.ts +++ b/surfsense_web/zero/queries/authz.ts @@ -4,14 +4,12 @@ type SpaceScopedQuery = { where: (...args: unknown[]) => SpaceScopedQuery; }; -const DENIED_SPACE_ID = -1; - export function canReadSpace(ctx: Context, searchSpaceId: number): boolean { return !!ctx?.allowedSpaceIds?.includes(searchSpaceId); } export function denySpace(query: T): T { - return query.where("searchSpaceId", DENIED_SPACE_ID) as T; + return query.where(({ or }: { or: (...args: unknown[]) => unknown }) => or()) as T; } export function constrainToAllowedSpaces(query: T, ctx: Context): T {
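Review bot: `denySpace` in `authz.ts` now relies on an `or()` with no branches evaluating to an always-false condition, which is not obvious to a reader and is the only thing keeping this deny path fail-closed. Add a comment above the return, for example `// or() with no branches matches no rows, so a denied query returns nothing`, and a unit test asserting that a denied query yields an empty result. The inline `{ or: (...args: unknown[]) => unknown }` parameter type and the `as T` cast mean the compiler will not notice if the query builder's signature or semantics change, so that test is what protects the authorization behaviour.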