Fix signal auth for authenticated desktop viewers

Author: ralyodio

apps/web/src/app/api/sessions/[sessionId]/signal/route.test.ts

@@ -206,6 +206,55 @@ describe('POST /api/sessions/[sessionId]/signal', () => {
     expect(body.error).toBe('Not authorized to send signals in this session');
   });
 
+  it('allows authenticated viewer signaling with senderId=user.id when user is an active participant', async () => {
+    const otherUserSession = { ...mockSession, host_user_id: 'host-user-id' };
+    let callCount = 0;
+
+    const mockChannel = {
+      subscribe: vi.fn().mockImplementation((callback) => {
+        callback('SUBSCRIBED');
+        return mockChannel;
+      }),
+      send: vi.fn().mockResolvedValue('ok'),
+    };
+
+    const mockFrom = vi.fn().mockReturnValue({
+      select: vi.fn().mockReturnThis(),
+      eq: vi.fn().mockReturnThis(),
+      is: vi.fn().mockReturnThis(),
+      single: vi.fn().mockImplementation(() => {
+        callCount++;
+        if (callCount === 1) {
+          // Session lookup
+          return Promise.resolve({ data: otherUserSession, error: null });
+        }
+        if (callCount === 2) {
+          // Participant lookup by signal.senderId (user.id) misses
+          return Promise.resolve({ data: null, error: { code: 'PGRST116' } });
+        }
+        // Participant lookup by user_id succeeds
+        return Promise.resolve({ data: { id: 'participant-row-id' }, error: null });
+      }),
+    });
+
+    const mockSupabase = createMockSupabaseClient({
+      from: mockFrom,
+      channel: vi.fn().mockReturnValue(mockChannel),
+      removeChannel: vi.fn().mockResolvedValue('ok'),
+    });
+    vi.mocked(createClient).mockResolvedValue(mockSupabase as never);
+    mockGetAuthenticatedUser.mockResolvedValue({ user: mockUser, error: null });
+
+    const response = await POST(createRequest('test-session-id', validSignal), {
+      params: Promise.resolve({ sessionId: 'test-session-id' }),
+    });
+    const body = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(body.data.sent).toBe(true);
+    expect(mockChannel.send).toHaveBeenCalled();
+  });
+
   it('returns 400 for invalid signal type', async () => {
     const invalidSignal = {
       type: 'invalid-type',

apps/web/src/app/api/sessions/[sessionId]/signal/route.ts

@@ -88,17 +88,31 @@ export async function POST(
     const isHost = user?.id === session.host_user_id;
 
     if (!isHost) {
-      // Check if sender is a participant
-      const { data: participant } = await supabase
+      // Allow either participant-row IDs (legacy/current web paths) or authenticated user IDs
+      // (desktop SSE subscriber IDs can be the auth user ID).
+      const { data: participantById } = await supabase
         .from('session_participants')
         .select('id')
         .eq('session_id', sessionId)
         .eq('id', signal.senderId)
         .is('left_at', null)
         .single();
 
-      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
-      if (!participant) {
+      let isAuthorizedParticipant = Boolean(participantById);
+
+      if (!isAuthorizedParticipant && user?.id && signal.senderId === user.id) {
+        const { data: participantByUserId } = await supabase
+          .from('session_participants')
+          .select('id')
+          .eq('session_id', sessionId)
+          .eq('user_id', user.id)
+          .is('left_at', null)
+          .single();
+
+        isAuthorizedParticipant = Boolean(participantByUserId);
+      }
+
+      if (!isAuthorizedParticipant) {
         return errorResponse('Not authorized to send signals in this session', 403);
       }
     }