refactor: rename authId to authToken across entire codebase

Unify all auth terminology to use "authToken" consistently:
- `authId` → `authToken` in interfaces, variables, and parameters
- `clientAuthId` → `clientAuthToken` in session meta
- `CONNECTION_AUTH_ID_KEY` → `CONNECTION_AUTH_TOKEN_KEY`
- `__VITE_DEVTOOLS_CONNECTION_AUTH_ID__` → `__VITE_DEVTOOLS_CONNECTION_AUTH_TOKEN__`
- `getTempAuthId` → `getTempAuthToken`, `refreshTempAuthId` → `refreshTempAuthToken`
- `consumeTempAuthId` → `consumeTempAuthToken`
- Updated export snapshot for new human-id util

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: antfu

packages/core/src/client/webcomponents/components/views-builtin/ViewBuiltinClientAuthNotice.vue

@@ -13,7 +13,7 @@ function submitToken() {
   const value = tokenInput.value.trim()
   if (!value)
     return
-  localStorage.setItem('__VITE_DEVTOOLS_CONNECTION_AUTH_ID__', value)
+  localStorage.setItem('__VITE_DEVTOOLS_CONNECTION_AUTH_TOKEN__', value)
   window.location.reload()
 }
 </script>

packages/core/src/node/auth-revoke.ts

@@ -24,10 +24,10 @@ export async function revokeAuthToken(
   // Collect affected session IDs before modifying meta
   const affectedSessionIds = new Set<string>()
   for (const client of rpcHost._rpcGroup.clients) {
-    if (client.$meta.clientAuthId === token) {
+    if (client.$meta.clientAuthToken === token) {
       affectedSessionIds.add(client.$meta.id)
       client.$meta.isTrusted = false
-      client.$meta.clientAuthId = undefined!
+      client.$meta.clientAuthToken = undefined!
     }
   }
 

packages/core/src/node/auth-state.ts

@@ -4,7 +4,7 @@ import type { InternalAnonymousAuthStorage } from './context-internal'
 import { humanId } from '@vitejs/devtools-kit/utils/human-id'
 
 export interface PendingAuthRequest {
-  clientAuthId: string
+  clientAuthToken: string
   session: DevToolsNodeRpcSession
   ua: string
   origin: string
@@ -14,19 +14,19 @@ export interface PendingAuthRequest {
 }
 
 let pendingAuth: PendingAuthRequest | null = null
-let tempAuthId: string = generateTempId()
+let tempAuthToken: string = generateTempId()
 
 function generateTempId(): string {
   return humanId({ separator: '-', capitalize: false })
 }
 
-export function getTempAuthId(): string {
-  return tempAuthId
+export function getTempAuthToken(): string {
+  return tempAuthToken
 }
 
-export function refreshTempAuthId(): string {
-  tempAuthId = generateTempId()
-  return tempAuthId
+export function refreshTempAuthToken(): string {
+  tempAuthToken = generateTempId()
+  return tempAuthToken
 }
 
 export function getPendingAuth(): PendingAuthRequest | null {
@@ -50,28 +50,28 @@ export function abortPendingAuth(): void {
 
 /**
  * Consume the temp auth ID: verify it matches, trust the pending client, and clean up.
- * Returns the client's authId if successful, null otherwise.
+ * Returns the client's authToken if successful, null otherwise.
  */
-export function consumeTempAuthId(
+export function consumeTempAuthToken(
   id: string,
   storage: SharedState<InternalAnonymousAuthStorage>,
 ): string | null {
-  if (id !== tempAuthId || !pendingAuth) {
+  if (id !== tempAuthToken || !pendingAuth) {
     return null
   }
 
-  const { clientAuthId, session, ua, origin, resolve } = pendingAuth
+  const { clientAuthToken, session, ua, origin, resolve } = pendingAuth
 
   // Trust the pending client
   storage.mutate((state) => {
-    state.trusted[clientAuthId] = {
-      authId: clientAuthId,
+    state.trusted[clientAuthToken] = {
+      authToken: clientAuthToken,
       ua,
       origin,
       timestamp: Date.now(),
     }
   })
-  session.meta.clientAuthId = clientAuthId
+  session.meta.clientAuthToken = clientAuthToken
   session.meta.isTrusted = true
 
   // Resolve the pending auth RPC call
@@ -81,7 +81,7 @@ export function consumeTempAuthId(
   abortPendingAuth()
 
   // Generate a new temp ID for next use
-  refreshTempAuthId()
+  refreshTempAuthToken()
 
-  return clientAuthId
+  return clientAuthToken
 }

packages/core/src/node/context-internal.ts

@@ -7,7 +7,7 @@ import { createStorage } from './storage'
 
 export interface InternalAnonymousAuthStorage {
   trusted: Record<string, {
-    authId: string
+    authToken: string
     ua: string
     origin: string
     timestamp: number

packages/core/src/node/rpc/anonymous/auth.ts

@@ -3,12 +3,12 @@ import process from 'node:process'
 import * as p from '@clack/prompts'
 import { defineRpcFunction } from '@vitejs/devtools-kit'
 import c from 'ansis'
-import { abortPendingAuth, getTempAuthId, refreshTempAuthId, setPendingAuth } from '../../auth-state'
+import { abortPendingAuth, getTempAuthToken, refreshTempAuthToken, setPendingAuth } from '../../auth-state'
 import { MARK_INFO } from '../../constants'
 import { getInternalContext } from '../../context-internal'
 
 export interface DevToolsAuthInput {
-  authId: string
+  authToken: string
   ua: string
   origin: string
 }
@@ -31,29 +31,29 @@ export const anonymousAuth = defineRpcFunction({
         if (!session)
           throw new Error('Failed to retrieve the current RPC session')
 
-        if (session.meta.isTrusted || storage.value().trusted[query.authId]) {
-          console.log('trusted', { isTrusted: session.meta.isTrusted, trusted: storage.value().trusted[query.authId] })
-          session.meta.clientAuthId = query.authId
+        if (session.meta.isTrusted || storage.value().trusted[query.authToken]) {
+          console.log('trusted', { isTrusted: session.meta.isTrusted, trusted: storage.value().trusted[query.authToken] })
+          session.meta.clientAuthToken = query.authToken
           session.meta.isTrusted = true
           return {
             isTrusted: true,
           }
         }
 
-        // Auto-approve if authId matches a configured auth token or the temp auth ID
+        // Auto-approve if authToken matches a configured auth token or the temp auth ID
         const tokens = (context.viteConfig.devtools?.config as any)?.clientAuthTokens as string[] ?? []
-        if (tokens.includes(query.authId) || query.authId === getTempAuthId()) {
+        if (tokens.includes(query.authToken) || query.authToken === getTempAuthToken()) {
           storage.mutate((state) => {
-            state.trusted[query.authId] = {
-              authId: query.authId,
+            state.trusted[query.authToken] = {
+              authToken: query.authToken,
               ua: query.ua,
               origin: query.origin,
               timestamp: Date.now(),
             }
           })
-          session.meta.clientAuthId = query.authId
+          session.meta.clientAuthToken = query.authToken
           session.meta.isTrusted = true
-          refreshTempAuthId()
+          refreshTempAuthToken()
           return {
             isTrusted: true,
           }
@@ -63,7 +63,7 @@ export const anonymousAuth = defineRpcFunction({
         abortPendingAuth()
 
         // Generate a fresh temp ID for the auth URL
-        const tempId = getTempAuthId()
+        const tempId = getTempAuthToken()
 
         // Derive the server URL for the auth link
         const serverUrl = context.viteServer?.resolvedUrls?.local?.[0]?.replace(/\/$/, '')
@@ -75,7 +75,7 @@ export const anonymousAuth = defineRpcFunction({
           '',
           `User Agent   : ${c.yellow(c.bold(query.ua || 'Unknown'))}`,
           `Origin       : ${c.yellow(c.bold(query.origin || 'Unknown'))}`,
-          `Client Token : ${c.green(c.bold(query.authId))}`,
+          `Client Token : ${c.green(c.bold(query.authToken))}`,
           '',
           `Manual Auth URL   : ${c.cyan(c.underline(authUrl))}`,
           `Manual Auth Token : ${c.cyan(c.bold(tempId))}`,
@@ -103,13 +103,13 @@ export const anonymousAuth = defineRpcFunction({
           const timeout = setTimeout(() => {
             abortController.abort()
             setPendingAuth(null)
-            console.log(c.yellow`${MARK_INFO} Auth request timed out for ${c.bold(query.authId)}`)
+            console.log(c.yellow`${MARK_INFO} Auth request timed out for ${c.bold(query.authToken)}`)
             resolve({ isTrusted: false })
           }, AUTH_TIMEOUT_MS)
 
           // Register as pending auth so auth-verify endpoint can resolve it
           setPendingAuth({
-            clientAuthId: query.authId,
+            clientAuthToken: query.authToken,
             session,
             ua: query.ua,
             origin: query.origin,
@@ -120,7 +120,7 @@ export const anonymousAuth = defineRpcFunction({
 
           // Show terminal confirm prompt with abort signal
           p.confirm({
-            message: c.bold(`Do you trust this client (${c.green(c.bold(query.authId))})?`),
+            message: c.bold(`Do you trust this client (${c.green(c.bold(query.authToken))})?`),
             initialValue: false,
             signal: abortController.signal,
           }).then((answer) => {
@@ -135,21 +135,21 @@ export const anonymousAuth = defineRpcFunction({
 
             if (answer) {
               storage.mutate((state) => {
-                state.trusted[query.authId] = {
-                  authId: query.authId,
+                state.trusted[query.authToken] = {
+                  authToken: query.authToken,
                   ua: query.ua,
                   origin: query.origin,
                   timestamp: Date.now(),
                 }
               })
-              session.meta.clientAuthId = query.authId
+              session.meta.clientAuthToken = query.authToken
               session.meta.isTrusted = true
 
-              p.outro(c.green(c.bold(`You have granted permissions to ${c.bold(query.authId)}`)))
+              p.outro(c.green(c.bold(`You have granted permissions to ${c.bold(query.authToken)}`)))
               resolve({ isTrusted: true })
             }
             else {
-              p.outro(c.red(c.bold(`You have denied permissions to ${c.bold(query.authId)}`)))
+              p.outro(c.red(c.bold(`You have denied permissions to ${c.bold(query.authToken)}`)))
               resolve({ isTrusted: false })
             }
           }).catch(() => {

packages/core/src/node/server.ts

@@ -3,7 +3,7 @@ import { DEVTOOLS_CONNECTION_META_FILENAME } from '@vitejs/devtools-kit/constant
 import { createApp, eventHandler, fromNodeMiddleware, getQuery, toNodeListener } from 'h3'
 import sirv from 'sirv'
 import { dirClientStandalone } from '../dirs'
-import { consumeTempAuthId } from './auth-state'
+import { consumeTempAuthToken } from './auth-state'
 import { getInternalContext } from './context-internal'
 import { createWsServer } from './ws'
 
@@ -27,20 +27,20 @@ function generateAuthPageHtml(): string {
     const el = document.getElementById('message')
 
     if (!id) {
-      el.textContent = '\\u26a0\\ufe0f No auth ID found. Please check your URL.'
+      el.textContent = '\\u26a0\\ufe0f No auth token found. Please check your URL.'
       el.style.color = '#df513f'
     } else {
       fetch(location.pathname.replace(/\\/$/, '') + '-verify?id=' + encodeURIComponent(id))
         .then(async (r) => {
           if (r.status !== 200) throw new Error(await r.text())
           const data = await r.json()
-          const authId = data.authId
+          const authToken = data.authToken
 
-          localStorage.setItem('__VITE_DEVTOOLS_CONNECTION_AUTH_ID__', authId)
+          localStorage.setItem('__VITE_DEVTOOLS_CONNECTION_AUTH_TOKEN__', authToken)
 
           try {
             const bc = new BroadcastChannel('vite-devtools-auth')
-            bc.postMessage({ type: 'auth-update', authId: authId })
+            bc.postMessage({ type: 'auth-update', authToken: authToken })
           } catch {}
 
           el.textContent = '\\u2705 Authorized! You can close this window now.'
@@ -74,14 +74,14 @@ export async function createDevToolsMiddleware(options: CreateWsServerOptions) {
       return event.node.res.end('Missing id parameter')
     }
 
-    const clientAuthId = consumeTempAuthId(id, contextInternal.storage.auth)
-    if (!clientAuthId) {
+    const clientAuthToken = consumeTempAuthToken(id, contextInternal.storage.auth)
+    if (!clientAuthToken) {
       event.node.res.statusCode = 403
-      return event.node.res.end('Invalid or expired auth ID')
+      return event.node.res.end('Invalid or expired auth token')
     }
 
     event.node.res.setHeader('Content-Type', 'application/json')
-    return event.node.res.end(JSON.stringify({ authId: clientAuthId }))
+    return event.node.res.end(JSON.stringify({ authToken: clientAuthToken }))
   }))
 
   h3.use('/auth', eventHandler((event) => {

packages/core/src/node/ws.ts

@@ -52,16 +52,16 @@ export async function createWsServer(options: CreateWsServerOptions) {
       }
       else if (authToken && contextInternal.storage.auth.value().trusted[authToken]) {
         meta.isTrusted = true
-        meta.clientAuthId = authToken
+        meta.clientAuthToken = authToken
       }
       else if (authToken && ((context.viteConfig.devtools?.config as any)?.clientAuthTokens ?? []).includes(authToken)) {
         meta.isTrusted = true
-        meta.clientAuthId = authToken
+        meta.clientAuthToken = authToken
       }
 
       wsClients.add(ws)
       const color = meta.isTrusted ? c.green : c.yellow
-      console.log(color`${MARK_INFO} Websocket client connected. [${meta.id}] [${meta.clientAuthId}] (${meta.isTrusted ? 'trusted' : 'untrusted'})`)
+      console.log(color`${MARK_INFO} Websocket client connected. [${meta.id}] [${meta.clientAuthToken}] (${meta.isTrusted ? 'trusted' : 'untrusted'})`)
     },
     onDisconnected: (ws, meta) => {
       wsClients.delete(ws)

packages/kit/src/client/rpc-ws.ts

@@ -7,7 +7,7 @@ import { parseUA } from 'ua-parser-modern'
 import { promiseWithResolver } from '../utils/promise'
 
 export interface CreateWsRpcClientModeOptions {
-  authId: string
+  authToken: string
   connectionMeta: ConnectionMeta
   events: EventEmitter<RpcClientEvents>
   clientRpc: DevToolsClientRpcHost
@@ -25,7 +25,7 @@ export function createWsRpcClientMode(
   options: CreateWsRpcClientModeOptions,
 ): DevToolsRpcClientMode {
   const {
-    authId,
+    authToken,
     connectionMeta,
     events,
     clientRpc,
@@ -44,7 +44,7 @@ export function createWsRpcClientMode(
     {
       preset: createWsRpcPreset({
         url,
-        authId,
+        authToken,
         ...wsOptions,
       }),
       rpcOptions,
@@ -76,7 +76,7 @@ export function createWsRpcClientMode(
     ].filter(i => i).join(' ')
 
     const result = await serverRpc.$call('vite:anonymous:auth', {
-      authId,
+      authToken,
       ua,
       origin: location.origin,
     })