Pass sandbox management auth from server (#358)

ben-fornefeld · web-flow · commit c539a4a68d34 · 2026-06-05T16:48:31.000-07:00
diff --git a/bun.lock b/bun.lock
diff --git a/package.json b/package.json
@@ -101,7 +101,7 @@
     "cmdk": "^1.0.4",
     "date-fns": "^4.1.0",
     "date-fns-tz": "^3.2.0",
-    "e2b": "^2.14.0",
+    "e2b": "^2.27.1",
     "echarts": "^6.0.0",
     "echarts-for-react": "^3.0.2",
     "fast-xml-parser": "^5.3.5",
diff --git a/src/app/dashboard/[teamSlug]/sandboxes/[sandboxId]/filesystem/page.tsx b/src/app/dashboard/[teamSlug]/sandboxes/[sandboxId]/filesystem/page.tsx
@@ -1,14 +1,53 @@
 import { cookies } from 'next/headers'
+import { redirect } from 'next/navigation'
 import { COOKIE_KEYS } from '@/configs/cookies'
+import { AUTH_URLS, PROTECTED_URLS } from '@/configs/urls'
+import { auth } from '@/core/server/auth'
+import { getTeamIdFromSlug } from '@/core/server/functions/team/get-team-id-from-slug'
+import { createSandboxManagementAuth } from '@/core/shared/sandbox-management-auth.server'
 import SandboxInspectView from '@/features/dashboard/sandbox/inspect/view'
 
 const DEFAULT_ROOT_PATH = '/home/user'
 
-export default async function SandboxInspectPage() {
-  const cookieStore = await cookies()
+interface SandboxInspectPageProps {
+  params: Promise<{
+    sandboxId: string
+    teamSlug: string
+  }>
+}
+
+export default async function SandboxInspectPage({
+  params,
+}: SandboxInspectPageProps) {
+  const [{ teamSlug }, cookieStore, authContext] = await Promise.all([
+    params,
+    cookies(),
+    auth.getAuthContext(),
+  ])
+
+  if (!authContext) {
+    redirect(AUTH_URLS.SIGN_IN)
+  }
+
+  const teamId = await getTeamIdFromSlug(teamSlug, authContext.accessToken)
+  if (!teamId.ok) {
+    throw new Error('Failed to resolve team for sandbox filesystem')
+  }
+  if (!teamId.data) {
+    redirect(PROTECTED_URLS.DASHBOARD)
+  }
+
   const rootPath =
     cookieStore.get(COOKIE_KEYS.SANDBOX_INSPECT_ROOT_PATH)?.value ||
     DEFAULT_ROOT_PATH
 
-  return <SandboxInspectView rootPath={rootPath} />
+  return (
+    <SandboxInspectView
+      rootPath={rootPath}
+      sandboxManagementAuth={createSandboxManagementAuth(
+        authContext,
+        teamId.data
+      )}
+    />
+  )
 }
diff --git a/src/app/dashboard/[teamSlug]/team-gate.tsx b/src/app/dashboard/[teamSlug]/team-gate.tsx
@@ -3,7 +3,7 @@
 import { useQuery } from '@tanstack/react-query'
 import { DASHBOARD_TEAMS_LIST_QUERY_OPTIONS } from '@/core/application/teams/queries'
 import { DASHBOARD_USER_PROFILE_QUERY_OPTIONS } from '@/core/application/user/queries'
-import type { AuthUser } from '@/core/server/auth'
+import type { AuthUser } from '@/core/modules/auth/models'
 import { DashboardContextProvider } from '@/features/dashboard/context'
 import LoadingLayout from '@/features/dashboard/loading-layout'
 import { useTRPC } from '@/trpc/client'
diff --git a/src/app/dashboard/terminal/page.tsx b/src/app/dashboard/terminal/page.tsx
@@ -11,6 +11,7 @@ import {
 import { auth } from '@/core/server/auth'
 import { resolveUserTeam } from '@/core/server/functions/team/resolve-user-team'
 import { infra } from '@/core/shared/clients/api'
+import { createSandboxManagementAuth } from '@/core/shared/sandbox-management-auth.server'
 import { SandboxIdSchema } from '@/core/shared/schemas/api'
 import DashboardTerminal from '@/features/dashboard/terminal/dashboard-terminal'
 import { normalizeTerminalTemplate } from '@/features/dashboard/terminal/template'
@@ -110,7 +111,10 @@ export default async function TerminalPage({
         initialCommand={command}
         initialSandboxId={terminalSandboxId}
         initialTemplate={terminalTemplate}
-        teamId={team.id}
+        sandboxManagementAuth={createSandboxManagementAuth(
+          authContext,
+          team.id
+        )}
       />
     </main>
   )
diff --git a/src/core/modules/auth/models.ts b/src/core/modules/auth/models.ts
@@ -1,6 +1,16 @@
 import z from 'zod'
 import { httpUrlSchema } from '@/core/shared/schemas/url'
 
+export type AuthUser = {
+  id: string
+  email: string | null
+  name: string | null
+  avatarUrl: string | null
+  providers: string[]
+  canChangeEmail: boolean
+  canChangePassword: boolean
+}
+
 export const OtpTypeSchema = z.enum([
   'signup',
   'recovery',
diff --git a/src/core/server/auth/index.ts b/src/core/server/auth/index.ts
@@ -40,5 +40,5 @@ export function createAuthForHeaders(headers: Headers): AuthProvider {
     : createSupabaseAuthForHeaders(headers)
 }
 
+export type { AuthUser } from '@/core/modules/auth/models'
 export type { AuthAdmin } from './admin'
-export type { AuthUser } from './types'
diff --git a/src/core/server/auth/types.ts b/src/core/server/auth/types.ts
@@ -1,12 +1,6 @@
-export type AuthUser = {
-  id: string
-  email: string | null
-  name: string | null
-  avatarUrl: string | null
-  providers: string[]
-  canChangeEmail: boolean
-  canChangePassword: boolean
-}
+import type { AuthUser } from '@/core/modules/auth/models'
+
+export type { AuthUser } from '@/core/modules/auth/models'
 
 export type AuthContext = {
   user: AuthUser
diff --git a/src/core/shared/sandbox-management-auth.server.ts b/src/core/shared/sandbox-management-auth.server.ts
@@ -0,0 +1,15 @@
+import 'server-only'
+
+import { SUPABASE_AUTH_HEADERS } from '@/configs/api'
+import type { AuthContext } from '@/core/server/auth/types'
+import type { SandboxManagementAuth } from './sandbox-management-auth'
+
+export function createSandboxManagementAuth(
+  authContext: AuthContext,
+  teamId: string
+): SandboxManagementAuth {
+  return {
+    headers: SUPABASE_AUTH_HEADERS(authContext.accessToken, teamId),
+    userId: authContext.user.id,
+  }
+}
diff --git a/src/core/shared/sandbox-management-auth.ts b/src/core/shared/sandbox-management-auth.ts
@@ -0,0 +1,4 @@
+export interface SandboxManagementAuth {
+  userId: string
+  headers: Record<string, string>
+}
diff --git a/src/features/dashboard/context.tsx b/src/features/dashboard/context.tsx
@@ -2,8 +2,8 @@
 
 import { createContext, type ReactNode, useContext, useEffect } from 'react'
 import { useDebounceCallback } from 'usehooks-ts'
+import type { AuthUser } from '@/core/modules/auth/models'
 import type { TeamModel } from '@/core/modules/teams/models'
-import type { AuthUser } from '@/core/server/auth'
 
 interface DashboardContextValue {
   team: TeamModel
diff --git a/src/features/dashboard/sandbox/inspect/context.tsx b/src/features/dashboard/sandbox/inspect/context.tsx
@@ -1,7 +1,6 @@
 'use client'
 
 import Sandbox from 'e2b'
-import { useRouter } from 'next/navigation'
 import type { ReactNode } from 'react'
 import {
   createContext,
@@ -11,9 +10,7 @@ import {
   useMemo,
   useRef,
 } from 'react'
-import { SUPABASE_AUTH_HEADERS } from '@/configs/api'
-import { AUTH_URLS } from '@/configs/urls'
-import { supabase } from '@/core/shared/clients/supabase/client'
+import type { SandboxManagementAuth } from '@/core/shared/sandbox-management-auth'
 import { useSandboxInspectAnalytics } from '@/lib/hooks/use-analytics'
 import { getParentPath, normalizePath } from '@/lib/utils/filesystem'
 import { useDashboard } from '../../context'
@@ -34,11 +31,13 @@ const SandboxInspectContext = createContext<SandboxInspectContextValue | null>(
 interface SandboxInspectProviderProps {
   children: ReactNode
   rootPath: string
+  sandboxManagementAuth: SandboxManagementAuth
 }
 
 export default function SandboxInspectProvider({
   children,
   rootPath,
+  sandboxManagementAuth,
 }: SandboxInspectProviderProps) {
   const { team } = useDashboard()
   const teamId = team.id
@@ -47,7 +46,6 @@ export default function SandboxInspectProvider({
   const storeRef = useRef<FilesystemStore | null>(null)
   const sandboxManagerRef = useRef<SandboxManager | null>(null)
 
-  const router = useRouter()
   const { trackInteraction } = useSandboxInspectAnalytics()
 
   // ---------- synchronous store initialisation ----------
@@ -181,19 +179,12 @@ export default function SandboxInspectProvider({
       sandboxManagerRef.current.stopWatching()
     }
 
-    const { data } = await supabase.auth.getSession()
-
-    if (!data || !data.session) {
-      router.replace(AUTH_URLS.SIGN_IN)
-      return
-    }
-
     const sandbox = await Sandbox.connect(sandboxInfo.sandboxID, {
       domain: process.env.NEXT_PUBLIC_E2B_DOMAIN,
       // Keep inspect connections from extending sandbox TTL via SDK default connect timeout.
       timeoutMs: 1_000,
       headers: {
-        ...SUPABASE_AUTH_HEADERS(data.session.access_token, teamId),
+        ...sandboxManagementAuth.headers,
       },
     })
 
@@ -209,7 +200,7 @@ export default function SandboxInspectProvider({
       team_id: teamId,
       root_path: rootPath,
     })
-  }, [sandboxInfo, teamId, rootPath, trackInteraction, router])
+  }, [sandboxInfo, teamId, rootPath, trackInteraction, sandboxManagementAuth])
 
   // handle sandbox connection / disconnection
   useEffect(() => {
diff --git a/src/features/dashboard/sandbox/inspect/view.tsx b/src/features/dashboard/sandbox/inspect/view.tsx
@@ -1,6 +1,7 @@
 'use client'
 
 import { SANDBOX_INSPECT_MINIMUM_ENVD_VERSION } from '@/configs/versioning'
+import type { SandboxManagementAuth } from '@/core/shared/sandbox-management-auth'
 import SandboxInspectProvider from '@/features/dashboard/sandbox/inspect/context'
 import SandboxInspectFilesystem from '@/features/dashboard/sandbox/inspect/filesystem'
 import SandboxInspectViewer from '@/features/dashboard/sandbox/inspect/viewer'
@@ -11,10 +12,12 @@ import SandboxInspectIncompatible from './incompatible'
 
 interface SandboxInspectViewProps {
   rootPath: string
+  sandboxManagementAuth: SandboxManagementAuth
 }
 
 export default function SandboxInspectView({
   rootPath,
+  sandboxManagementAuth,
 }: SandboxInspectViewProps) {
   const { teamSlug } =
     useRouteParams<'/dashboard/[teamSlug]/sandboxes/[sandboxId]'>()
@@ -39,7 +42,10 @@ export default function SandboxInspectView({
   }
 
   return (
-    <SandboxInspectProvider rootPath={rootPath}>
+    <SandboxInspectProvider
+      rootPath={rootPath}
+      sandboxManagementAuth={sandboxManagementAuth}
+    >
       <div className="flex min-h-0 flex-1 gap-4 overflow-hidden p-3 md:p-6">
         <SandboxInspectFilesystem rootPath={rootPath} />
         <SandboxInspectViewer />
diff --git a/src/features/dashboard/terminal/dashboard-terminal.tsx b/src/features/dashboard/terminal/dashboard-terminal.tsx
@@ -4,6 +4,7 @@ import { Terminal as XTerm } from '@xterm/xterm'
 import type Sandbox from 'e2b'
 import type { CommandHandle } from 'e2b'
 import { useCallback, useEffect, useRef, useState } from 'react'
+import type { SandboxManagementAuth } from '@/core/shared/sandbox-management-auth'
 import {
   DEFAULT_COLS,
   DEFAULT_CWD,
@@ -38,15 +39,15 @@ interface DashboardTerminalProps {
   initialCommand?: string
   initialSandboxId?: string
   initialTemplate?: string
-  teamId: string
+  sandboxManagementAuth: SandboxManagementAuth
 }
 
 export default function DashboardTerminal({
   autoStart = false,
   initialCommand = '',
   initialSandboxId,
   initialTemplate,
-  teamId,
+  sandboxManagementAuth,
 }: DashboardTerminalProps) {
   const [status, setStatus] = useState<TerminalStatus>('idle')
   const [activeSandboxId, setActiveSandboxId] = useState<string>()
@@ -200,8 +201,8 @@ export default function DashboardTerminal({
         const { sandbox } = await openTerminalSandbox({
           forceNewSandbox: options.forceNewSandbox,
           onStatus: appendOutput,
+          sandboxManagementAuth,
           sandboxId: options.sandboxId,
-          teamId,
           template: nextTemplate,
         })
 
@@ -270,7 +271,7 @@ export default function DashboardTerminal({
       disconnectTerminal,
       resizeTerminal,
       runCommand,
-      teamId,
+      sandboxManagementAuth,
       template,
       updateTerminalUrl,
     ]
diff --git a/src/features/dashboard/terminal/sandbox-session.ts b/src/features/dashboard/terminal/sandbox-session.ts
@@ -1,6 +1,5 @@
 import Sandbox from 'e2b'
-import { SUPABASE_AUTH_HEADERS } from '@/configs/api'
-import { supabase } from '@/core/shared/clients/supabase/client'
+import type { SandboxManagementAuth } from '@/core/shared/sandbox-management-auth'
 import { TERMINAL_SANDBOX_TIMEOUT_MS } from './constants'
 import {
   clearStoredTerminalSession,
@@ -11,26 +10,19 @@ import {
 interface OpenTerminalSandboxOptions {
   forceNewSandbox?: boolean
   onStatus: (message: string) => void
+  sandboxManagementAuth: SandboxManagementAuth
   sandboxId?: string
-  teamId: string
   template: string
 }
 
 export async function openTerminalSandbox({
   forceNewSandbox = false,
   onStatus,
+  sandboxManagementAuth,
   sandboxId,
-  teamId,
   template,
 }: OpenTerminalSandboxOptions) {
-  const { data } = await supabase.auth.getSession()
-
-  if (!data.session) {
-    throw new Error('You need to sign in before opening a terminal.')
-  }
-
-  const userId = data.session.user.id
-  const headers = SUPABASE_AUTH_HEADERS(data.session.access_token, teamId)
+  const { headers, userId } = sandboxManagementAuth
 
   if (sandboxId) {
     onStatus(`Connecting to terminal sandbox ${sandboxId}...\r\n`)
@@ -100,8 +92,6 @@ function createTerminalSandbox({
   template: string
   userId: string
 }) {
-  // The browser SDK sends the signed-in user's Supabase token so E2B can
-  // authorize sandbox ownership without a dashboard proxy endpoint.
   return Sandbox.create(template, {
     domain: process.env.NEXT_PUBLIC_E2B_DOMAIN,
     timeoutMs: TERMINAL_SANDBOX_TIMEOUT_MS,
diff --git a/tests/unit/dashboard-terminal.test.ts b/tests/unit/dashboard-terminal.test.ts

Original file line number	Diff line number	Diff line change
`@@ -40,5 +40,5 @@ export function createAuthForHeaders(headers: Headers): AuthProvider {`
`40`	`40`	`: createSupabaseAuthForHeaders(headers)`
`41`	`41`	`}`
`42`	`42`
	`43`	`+export type { AuthUser } from '@/core/modules/auth/models'`
`43`	`44`	`export type { AuthAdmin } from './admin'`
`44`		`-export type { AuthUser } from './types'`