Skip to content

Freechat for guests#1585

Draft
ignaciojimenezr wants to merge 11 commits intoMCPJam:mainfrom
ignaciojimenezr:freechat-for-guests
Draft

Freechat for guests#1585
ignaciojimenezr wants to merge 11 commits intoMCPJam:mainfrom
ignaciojimenezr:freechat-for-guests

Conversation

@ignaciojimenezr
Copy link
Collaborator

@ignaciojimenezr ignaciojimenezr commented Mar 11, 2026
edited
Loading

Fix guest free chat across hosted and local runtimes

  • Inspector server creates a guest token.
  • Inspector server signs that token.
  • Inspector UI sends chat requests with that token.
  • Inspector server forwards those requests to Convex.
  • Convex verifies the token and, if valid, runs free chat.

This PR makes that flow work correctly in both places we use it:

  • hosted chat (/api/web/chat-v2)
  • local chat (/api/mcp/chat-v2)

Main changes:

  • Make the hosted chat route work for guest free chat and add direct tests for it.
  • Keep the working guest-token flow for local and dev runtimes.
  • Make guest auth setup run in electron dev too.
  • Remove the temporary guest auth and stream debug logs.
Screenshot 2026-03-11 at 10 32 24 AM Screenshot 2026-03-11 at 10 33 03 AM Screenshot 2026-03-11 at 10 34 53 AM

@chelojimenez
Copy link
Contributor

chelojimenez commented Mar 11, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

chelojimenez
chelojimenez requested changes Mar 12, 2026
View reviewed changes
Copy link
Contributor

@chelojimenez chelojimenez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking issues from the auth/security pass:

  1. Shared-chat guests are no longer classified as guests. guestMode now depends on !hostedWorkspaceId, but public shared-chat pages intentionally pass hostedWorkspaceIdOverride for anonymous visitors. That flips disableForAuthentication to true and blocks submit, even though the backend guest-token path still supports this flow.

  2. The new hosted guest fallback is inconsistent across request builders. getHostedAuthorizationHeader() can prefer a guest bearer when AuthKit state is stale (hasSession=true, no workspace yet), but buildHostedServerRequest() still switches to the guest path only through isGuestMode(), which stays false in that same state. That means chat auth can recover while tools/resources/prompts/widgets still try the Convex workspace path and fail.

  3. The guest JWKS defaults are now out of sync with the companion backend PR. This PR still defaults hosted guest verification to https://api.mcpjam.com/guest/jwks, while the backend PR changes Convex's default guest JWKS URL to https://app.mcpjam.com/api/web/guest-jwks. If env overrides are missing, the two sides can validate against different key sources.

I did not find a direct auth bypass, but these auth/trust regressions are enough that I'd block merge until they're resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chelojimenez chelojimenez chelojimenez requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ignaciojimenezr @chelojimenez