THU-507: Device ID standardization #856

Open
raivieiraadriano92 wants to merge 1 commit into main from raivieiraadriano92/thu-507-device-id-standardization
raivieiraadriano92 (Collaborator) commented May 11, 2026

Summary

  • Add X-Device-ID and X-Device-Name headers to createAuthenticatedClient() so every authenticated request to our backend includes device identity automatically (URL-prefix guard prevents headers from leaking to external APIs like Google/Microsoft OAuth)
  • Create getAuthenticatedHeaders() in src/lib/auth-token.ts as the single source of truth for authenticated headers, used by the PowerSync connector (which requires raw fetch())
  • Remove duplicate header builders: authHeaders() from src/api/encryption.ts and buildHeaders() from src/db/powersync/connector.ts

Test plan

  • TypeScript compiles with no errors
  • All frontend tests pass (2173/2173)
  • All backend tests pass (742/742)
  • ESLint: 0 errors
  • Encryption API calls include X-Device-ID + X-Device-Name via HTTP client hook
  • PowerSync token/upload include device headers via getAuthenticatedHeaders()
  • External API calls (Google, Microsoft OAuth) do NOT receive device headers
  • New tests for device header injection, getAuthenticatedHeaders(), and connector header verification

Closes THU-507


Note

Medium Risk
Touches request authentication/identity plumbing by auto-injecting X-Device-ID/X-Device-Name and centralizing header construction; mistakes could break backend auth flows or leak headers if the URL guard is wrong.

Overview
Standardizes device identity propagation by automatically attaching X-Device-ID and X-Device-Name to authenticated requests made to the app backend (via createAuthenticatedClient), with a prefix/URL guard to avoid leaking these headers to external APIs.

Centralizes raw-fetch auth header creation in getAuthenticatedHeaders() (used by the PowerSync connector) and removes duplicated per-API header builders from the encryption API client and PowerSync connector. Tests are updated/added to assert device header injection, external-API non-injection, and connector/encryption calls including the new headers.

Reviewed by Cursor Bugbot for commit f90df9d. Bugbot is set up for automated code reviews on this repo. Configure here.
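
The URL guard described in the summary above decides which requests carry device identity. The sketch below is an added example, not code from this PR: it compares a raw string-prefix check with an origin-and-path check on parsed URLs. `BACKEND_BASE`, the function names and all sample URLs are hypothetical.

```typescript
// Added example: all names and URLs here are hypothetical, not the project's code.
const BACKEND_BASE = 'https://api.example.test' // constructed backend base URL

function parseUrl(value: string): URL | null {
  try {
    return new URL(value)
  } catch {
    return null // relative or malformed URL
  }
}

/** Naive guard: raw string prefix comparison. */
function isBackendUrlNaive(url: string, base: string = BACKEND_BASE): boolean {
  return url.startsWith(base)
}

/** Stricter guard: same origin after parsing, and path inside the base path. */
function isBackendUrl(url: string, base: string = BACKEND_BASE): boolean {
  const target = parseUrl(url)
  const allowed = parseUrl(base)
  if (!target || !allowed) return false
  if (target.origin !== allowed.origin) return false
  const basePath = allowed.pathname.endsWith('/') ? allowed.pathname : allowed.pathname + '/'
  return target.pathname === allowed.pathname || target.pathname.startsWith(basePath)
}

/** Build the device headers for a request, or none when the guard rejects the URL. */
function deviceHeadersFor(url: string, deviceId: string, deviceName: string): Record<string, string> {
  if (!isBackendUrl(url)) return {}
  return { 'X-Device-ID': deviceId, 'X-Device-Name': deviceName }
}

// Constructed sample URLs: [url, base]
const SAMPLES: Array<[string, string]> = [
  ['https://api.example.test/v1/powersync/token', BACKEND_BASE],
  ['https://api.example.test.other.example/token', BACKEND_BASE], // different host sharing the prefix
  ['https://api.example.test@accounts.example/oauth', BACKEND_BASE], // prefix parsed as userinfo
  ['https://api.example.test/v1/../internal', 'https://api.example.test/v1'], // dot segments
  ['https://oauth2.googleapis.com/token', BACKEND_BASE],
]
for (const [url, base] of SAMPLES) {
  console.log(url, 'naive:', isBackendUrlNaive(url, base), 'strict:', isBackendUrl(url, base))
}
```

The second to fourth samples are the cases a guard test suite should pin down: the prefix check accepts them, the parsed check does not.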

@raivieiraadriano92 raivieiraadriano92 self-assigned this May 11, 2026
@github-actions

Semgrep Security Scan

No security issues found.

@github-actions

PR Metrics

Metric | Value
Lines changed (prod code) | +46 / -78
JS bundle size (gzipped) | 🟢 1.02 MB → 1.02 MB (-4.6 KB, -0.4%)
Test coverage | 🟢 71.27% → 71.31% (+0.0%)
Performance (preview) | Preview not ready — Render deploy may have timed out
Accessibility |
Best Practices |
SEO |

Updated Mon, 11 May 2026 20:45:24 GMT · run #1463

@github-actions

Preview environment deployed 🚀

Service | URL
Marketing / blog / docs | https://thunderbolt-pr-856.preview.thunderbolt.io
App | https://app-pr-856.preview.thunderbolt.io
API | https://api-pr-856.preview.thunderbolt.io
Keycloak | https://auth-pr-856.preview.thunderbolt.io
PowerSync | https://powersync-pr-856.preview.thunderbolt.io

Stack: preview-pr-856 · Commit: f90df9d78b7ad75f432b4b911b9c558e1d1fbc19

Auto-destroys on PR close/merge. Login via the bundled Keycloak realm — demo@thunderbolt.io / demo by default.

@raivieiraadriano92 raivieiraadriano92 changed the title refactor: standardize device ID headers across all authenticated requ… THU-507: Device ID standardization May 11, 2026
@raivieiraadriano92 raivieiraadriano92 marked this pull request as ready for review May 11, 2026 20:56

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit f90df9d. Configure here.

Comment thread src/lib/http.ts
if (deviceId) {
request.headers.set('X-Device-ID', deviceId)
request.headers.set('X-Device-Name', getDeviceDisplayName())
}
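
Review bot: in the `if (deviceId)` block, the return value of `getDeviceDisplayName()` is passed straight to `request.headers.set('X-Device-Name', ...)` with no encoding visible in these lines. If `request.headers` is a standard Headers object, `set()` throws a TypeError for values containing characters above U+00FF or line breaks, so a device name with emoji or non-Latin script would fail the whole request rather than just omit the header. Consider encoding the name before setting it (for example with `encodeURIComponent`, decoded on the server) or confirming that `getDeviceDisplayName()` only returns ASCII, and add a test with a non-ASCII device name.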

Device header logic duplicated across two files

Low Severity

The device identity header building logic (getDeviceId() + getDeviceDisplayName() → X-Device-ID / X-Device-Name) is independently implemented in both http.ts (the hook) and getAuthenticatedHeaders() in auth-token.ts. The PR describes getAuthenticatedHeaders() as the "single source of truth for authenticated headers," but http.ts reimplements the same logic with its own direct imports of getDeviceId and getDeviceDisplayName. If a new device header is added or a header name changes, both locations need updating independently, creating a risk of inconsistency.


Reviewed by Cursor Bugbot for commit f90df9d. Configure here.
