IRC-kosmi-relay/AUTHENTICATION_ISSUE.md

2025-11-01 21:00:16 -04:00
# Authentication Issue - Bot Appears as Anonymous
## Problem
The bot successfully authenticates via browser automation and joins the Kosmi room, but appears in the user list as an **anonymous user** (e.g., "Anonymous Donkey") instead of as the authenticated account.
## What We Know
### ✅ Working Correctly
1. **Browser authentication**: Successfully logs in and obtains JWT token
2. **Token format**: Valid JWT with correct structure and claims
3. **Token transmission**: Correct token is sent in `connection_init`
4. **Server acceptance**: Server accepts the token (returns `connection_ack`)
5. **Room joining**: Successfully joins the room (`joinRoom` mutation returns `ok: true`)
### 🔍 Investigation Results
#### Token Claims Analysis
The authenticated JWT token contains:
```json
{
  "aud": "kosmi",
  "exp": 1761874131,
  "iat": 1730338131,
  "iss": "kosmi",
  "sub": "e410acc0-e4bd-4694-8498-f20b9aa033fc",
  "typ": "access"
}
```
**Key finding**: The token **only contains the user ID** (`sub`), but **NO display name, username, or email**. This is just an authentication token, not a profile token.
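The claim check behind this finding, as an added example (not the project's `cmd/decode-token` code): it decodes the payload segment without verifying the signature and reports which identity-bearing claims are present. The function names, the `profileClaims` list and the unsigned sample token built from the claims above are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// profileClaims: claim names that commonly carry identity details (assumed list, not Kosmi's).
var profileClaims = []string{"name", "preferred_username", "nickname", "username", "displayName", "email"}

// decodeClaims returns a JWT's payload WITHOUT verifying the signature: inspection only, never a trust decision.
func decodeClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]interface{}
	err = json.Unmarshal(raw, &claims)
	return claims, err
}

// presentProfileClaims lists which identity-bearing claims the token actually carries.
func presentProfileClaims(claims map[string]interface{}) []string {
	found := []string{}
	for _, k := range profileClaims {
		if _, ok := claims[k]; ok {
			found = append(found, k)
		}
	}
	return found
}

// sampleToken is a constructed, unsigned token carrying the claims shown above.
func sampleToken() string {
	payload := `{"aud":"kosmi","exp":1761874131,"iat":1730338131,"iss":"kosmi","sub":"e410acc0-e4bd-4694-8498-f20b9aa033fc","typ":"access"}`
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"HS512","typ":"JWT"}`)) + "." + enc([]byte(payload)) + ".constructed-signature"
}

func main() {
	claims, err := decodeClaims(sampleToken())
	fmt.Println(claims["sub"], presentProfileClaims(claims), err)
}
```

An empty result from `presentProfileClaims` means the display name cannot come from the token itself, so the server has to resolve it from `sub`.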
#### GraphQL API Queries
Tested the following queries with the authenticated token:
- `query { me { ... } }` - ❌ Field doesn't exist
- `query { currentUser { ... } }` - ❌ Field doesn't exist
- `query { user { ... } }` - ❌ Field doesn't exist
- `query { viewer { ... } }` - ❌ Field doesn't exist
**Conclusion**: There's no GraphQL query to fetch the current user's profile.
#### WebSocket Flow
Current flow:
1. `connection_init` with authenticated token → Server accepts
2. `connection_ack` → Server acknowledges
3. Subscribe to `newMessage` → Working
4. `joinRoom` mutation → Returns `ok: true`
5. Bot appears in user list as "Anonymous [Animal]"
## Hypotheses
### 1. Missing Profile Fetch
The server might need a separate API call (REST or GraphQL) to fetch the user profile using the user ID from the token.
### 2. Missing Display Name Mutation
There might be a GraphQL mutation to set the display name after joining:
- `mutation { setDisplayName(name: "...") }`
- `mutation { updateProfile(displayName: "...") }`
### 3. Server-Side Bug
The server might not be correctly associating the authenticated token with the user profile when joining via WebSocket.
### 4. Additional WebSocket Message
The browser might be sending an additional WebSocket message after `joinRoom` that we're not aware of.
## Next Steps
1. **Check `connection_ack` payload**: See if the server returns user info
2. **Monitor browser WebSocket traffic**: Watch what messages the browser sends after successful login and room join
3. **Test GraphQL introspection**: Query the schema to see all available mutations
4. **Compare anonymous vs authenticated flow**: See if there are any differences in the WebSocket message sequence
## Logs
### Successful Authentication and Join
```
time="2025-11-01T14:48:51-04:00" level=info msg="✅ Successfully obtained token via browser automation" prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg=" Email used: d2bkvqnh0@mozmail.com" prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg=" Token (first 50 chars): eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJrb..." prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg=" Token user ID (sub): e410acc0-e4bd-4694-8498-f20b9aa033fc" prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg=" Token type (typ): access" prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg="✓ getToken: Using manually provided token" prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg=" Length: 371" prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg=" First 50: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJrb..." prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg="Sending connection_init with token (length: 371, first 20 chars: eyJhbGciOiJIUzUxMiIs...)" prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg="✅ WebSocket connection established and authenticated" prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg="✅ Successfully joined room" prefix=kosmi
time="2025-11-01T14:48:51-04:00" level=info msg="Join response payload: {"data":{"joinRoom":{"ok":true}}}" prefix=kosmi
```
**Result**: Bot appears as "Anonymous [Animal]" in the user list despite successful authentication.
## Files Modified for Debugging
- `bridge/kosmi/browser_auth.go`: Added comprehensive token logging
- `bridge/kosmi/kosmi.go`: Added token setting confirmation
- `bridge/kosmi/graphql_ws_client.go`: Added token source and `connection_ack` payload logging
- `cmd/decode-token/main.go`: Tool to decode and analyze JWT tokens
- `cmd/test-profile-query/main.go`: Tool to test GraphQL profile queries