fix: catch ServerAuthInternalError in getSessionState to preserve graceful degradation

cursoragent · cursoragent · commit 9614dc8fc342 · 2026-06-01T01:50:51.000Z
Previously getSessionState only caught ServerAuthInvalidCredentialError,
allowing ServerAuthInternalError (e.g. transient database failures) to
propagate as unhandled errors. This was a behavior regression from the
old implementation which guaranteed getSessionState never failed.

Now both error types are caught and gracefully degrade to an
unauthenticated state, restoring the original never-fail contract.
diff --git a/apps/server/src/auth/EnvironmentAuth.ts b/apps/server/src/auth/EnvironmentAuth.ts
@@ -91,7 +91,7 @@ export interface EnvironmentAuthShape {
   readonly getDescriptor: () => Effect.Effect<ServerAuthDescriptor>;
   readonly getSessionState: (
     request: HttpServerRequest.HttpServerRequest,
-  ) => Effect.Effect<AuthSessionState, ServerAuthInternalError>;
+  ) => Effect.Effect<AuthSessionState>;
   readonly createBrowserSession: (
     credential: string,
     requestMetadata: AuthClientMetadata,
@@ -296,12 +296,18 @@ export const make = Effect.fn("makeEnvironmentAuth")(function* () {
             ...(session.expiresAt ? { expiresAt: DateTime.toUtc(session.expiresAt) } : {}),
           }) satisfies AuthSessionState,
       ),
-      Effect.catchTag("ServerAuthInvalidCredentialError", () =>
-        Effect.succeed({
-          authenticated: false,
-          auth: descriptor,
-        } satisfies AuthSessionState),
-      ),
+      Effect.catchTags({
+        ServerAuthInvalidCredentialError: () =>
+          Effect.succeed({
+            authenticated: false,
+            auth: descriptor,
+          } satisfies AuthSessionState),
+        ServerAuthInternalError: () =>
+          Effect.succeed({
+            authenticated: false,
+            auth: descriptor,
+          } satisfies AuthSessionState),
+      }),
     );
 
   const createBrowserSession: EnvironmentAuthShape["createBrowserSession"] = (
diff --git a/apps/server/src/auth/http.ts b/apps/server/src/auth/http.ts
@@ -167,13 +167,7 @@ export const authHttpApiLayer = HttpApiBuilder.group(
         Effect.fn("environment.auth.session")(function* (args) {
           yield* annotateEnvironmentRequest(args.endpoint.name);
           const request = yield* HttpServerRequest.HttpServerRequest;
-          return yield* serverAuth
-            .getSessionState(request)
-            .pipe(
-              Effect.catchTag("ServerAuthInternalError", (error) =>
-                failEnvironmentInternal("internal_error", error),
-              ),
-            );
+          return yield* serverAuth.getSessionState(request);
         }),
       )
       .handle(
