fix: replace DB-based auth with JWT identity in queries #404

Merged: Israeltheminer merged 1 commit into main from fix/query-auth-timeout on Feb 8, 2026

@Israeltheminer Israeltheminer commented Feb 8, 2026

Summary

  • Queries using authComponent.getAuthUser() perform 2 cross-component DB queries (session + user lookup) that consume 800-1000ms on cold starts, exceeding the 1s Convex query limit and triggering full error pages on the client (GlitchTip: TALE-PROJECT-A, TALE-PROJECT-L)
  • Created getAuthUserIdentity() helper that uses ctx.auth.getUserIdentity() — reads from the already-validated JWT with 0 DB queries instead of 2
  • Replaced authComponent.getAuthUser() with getAuthUserIdentity() across all 13 query files (27 handlers total)
  • Organization membership checks via getOrganizationMember() are preserved — access control still enforced via DB
  • Mutations remain unchanged with full DB session validation via authComponent.getAuthUser()

Before vs After (per query call)

| Step | Before | After |
|---|---|---|
| Auth check | 2 cross-component DB queries (~800ms on cold start) | JWT read (0 DB queries, <1ms) |
| Org membership | 1 cross-component DB query | 1 cross-component DB query (unchanged) |
| Business logic | indexed DB query | indexed DB query (unchanged) |
| Total | 3+ DB queries, ~800-1000ms | 1 DB query, <200ms |

Test plan

  • Verify queries return correct data for authenticated users
  • Verify queries return null/empty for unauthenticated users
  • Verify org membership checks still reject unauthorized users
  • Monitor GlitchTip for timeout errors after deploy
  • Verify integrations settings page loads without error page

🤖 Generated with Claude Code

Summary by CodeRabbit

Refactor

  • Updated authentication handling mechanisms across multiple backend query services for improved consistency.
  • Consolidated identity retrieval into centralized utility functions, reducing code duplication and simplifying authorization checks across the platform.
  • Streamlined how user credentials are passed to authorization verification functions, enhancing code maintainability and reducing redundant patterns.


coderabbitai Bot commented Feb 8, 2026

Walkthrough

This PR refactors authentication handling across Convex query and mutation handlers by introducing a centralized getAuthUserIdentity(ctx) utility function. The function replaces scattered authComponent.getAuthUser(ctx) calls across approximately 15 files in the convex directory. The authenticated user object is now passed in full to getOrganizationMember instead of constructing separate { userId, email, name } objects. Additionally, user ID references are updated from authUser._id to authUser.userId where applicable.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix: replace DB-based auth with JWT identity in queries' clearly and specifically describes the main change: replacing database-based authentication with JWT identity verification in query handlers. |

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
services/platform/convex/approvals/queries.ts (1)

44-66: ⚠️ Potential issue | 🟠 Major

Thread ownership must be validated in approval queries.

The three thread-scoped approval queries (getPendingIntegrationApprovalsForThread, getWorkflowCreationApprovalsForThread, getHumanInputRequestsForThread) authenticate the user but do not verify thread ownership. An authenticated user can call these queries with an arbitrary threadId and retrieve approvals for another user's thread, bypassing intended access boundaries.

The approvals table has organizationId and the codebase defines RLS rules for organization-scoped access control (rls_rules.ts:385-399), but these queries use standard query() instead of queryWithRLS(), which disables RLS enforcement. Either:

  1. Switch to queryWithRLS() to leverage existing RLS rules, or
  2. Manually fetch the thread, validate ownership/organization, and validate organization membership before querying approvals—consistent with the pattern in submitHumanInputResponse.
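
The ownership check described in the review comment above (its option 2), as an added example that is not part of the PR or the project's code. It is a constructed in-memory model: the types, sample data and function names are hypothetical, and no Convex API is used.

```typescript
// Added example: constructed in-memory model, not the project's code or the Convex API.
type Identity = { userId: string; email: string };
type Thread = { id: string; ownerId: string; organizationId: string };
type Approval = { id: string; threadId: string; organizationId: string; status: string };
type Member = { userId: string; organizationId: string };

// Constructed sample data: two users in two different organizations.
const threads: Thread[] = [
  { id: "t-alice", ownerId: "u-alice", organizationId: "org-1" },
  { id: "t-bob", ownerId: "u-bob", organizationId: "org-2" },
];
const approvals: Approval[] = [
  { id: "a1", threadId: "t-alice", organizationId: "org-1", status: "pending" },
  { id: "a2", threadId: "t-bob", organizationId: "org-2", status: "pending" },
];
const members: Member[] = [
  { userId: "u-alice", organizationId: "org-1" },
  { userId: "u-bob", organizationId: "org-2" },
];

// The flagged shape: the caller is authenticated, then threadId is trusted as-is.
function pendingApprovalsUnscoped(identity: Identity | null, threadId: string): Approval[] {
  if (identity === null) return [];
  return approvals.filter((a) => a.threadId === threadId && a.status === "pending");
}

// Option 2 from the review: load the thread, check ownership and organization
// membership, and only then read approvals, constrained to the thread's organization.
function pendingApprovalsScoped(identity: Identity | null, threadId: string): Approval[] {
  if (identity === null) return [];
  const thread = threads.filter((t) => t.id === threadId)[0];
  // Unknown and foreign threads return the same result, so the response
  // does not reveal which thread ids exist.
  if (thread === undefined || thread.ownerId !== identity.userId) return [];
  const isMember = members.some(
    (m) => m.userId === identity.userId && m.organizationId === thread.organizationId,
  );
  if (!isMember) return [];
  return approvals.filter(
    (a) =>
      a.threadId === threadId &&
      a.organizationId === thread.organizationId &&
      a.status === "pending",
  );
}
```

The same authorization step applies whether the identity comes from the JWT or from a DB session lookup: the identity says who is calling, and the thread and membership lookups decide what that caller may read.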

…meouts

Queries using authComponent.getAuthUser() perform 2 cross-component DB
queries (session + user lookup) that consume 800-1000ms on cold starts,
exceeding the 1s Convex query limit and triggering error pages.

Replace with ctx.auth.getUserIdentity() which reads from the
already-validated JWT with 0 DB queries. Organization membership checks
via getOrganizationMember() are preserved. Mutations remain unchanged
with full DB session validation.