Updates

public/js/app.js

@@ -1,7 +1,10 @@
 // app.js — bootstrap, input handling, sidebar, attach, paste
 import { send, on } from './ws.js';
 import { isAuthenticated, logout, getTempId, getClientId } from './auth.js';
-import { createNewSession, switchSession, currentSessionId, onSessionChange } from './sessions.js';
+import {
+  createNewSession, showWelcomeScreen,
+  switchSession, currentSessionId, onSessionChange,
+} from './sessions.js';
 import { submitMessage, renderSession, setActiveSession, getIsStreaming } from './chat.js';
 import { openAuthModal, closeModal, openPasteEditor } from './modals.js';
 import { openSettings, applyTheme } from './settings.js';
@@ -17,13 +20,15 @@ function collapseSidebar(){ sidebar?.classList.remove('expanded'); sidebar?.clas
 function toggleSidebar()  { sidebar?.classList.contains('expanded') ? collapseSidebar() : expandSidebar(); }
 
 toggleBtn?.addEventListener('click', toggleSidebar);
-// Always start collapsed — user opens manually
 
-// ── New chat ──────────────────────────────────────────────────────────────
+// ── New chat — just show the welcome screen; don't create a session yet ───
 
 document.getElementById('new-chat-btn')?.addEventListener('click', () => {
-  createNewSession();
+  showWelcomeScreen();
   if (window.innerWidth < 768) collapseSidebar();
+  // Clear the center input so the user starts fresh
+  const ci = document.getElementById('center-input');
+  if (ci) { ci.value = ''; autoResize(ci, 6); }
 });
 
 // ── Session switching ─────────────────────────────────────────────────────
@@ -71,18 +76,15 @@ function triggerCenterSend() {
   if (centerInput) { centerInput.value = ''; autoResize(centerInput, 6); }
   clearFilePreviewRow();
 
-  if (!currentSessionId) {
-    // Create session first, then send after both 'created' AND 'switched' have fired
-    const pendingText = text, pendingAttach = attachments;
-    const unsub = onSessionChange((ev, s) => {
-      if (ev !== 'switched' || !s) return; // wait for switched (which sets activeSessionId)
-      unsub();
-      doSend(pendingText, pendingAttach);
-    });
-    createNewSession();
-  } else {
-    doSend(text, attachments);
-  }
+  // Always create a new session when sending from the welcome screen,
+  // then wait for 'switched' before submitting.
+  const pendingText = text, pendingAttach = attachments;
+  const unsub = onSessionChange((ev, s) => {
+    if (ev !== 'switched' || !s) return;
+    unsub();
+    doSend(pendingText, pendingAttach);
+  });
+  createNewSession();
 }
 
 // ── Bottom input (active chat) ────────────────────────────────────────────

public/js/auth.js

@@ -4,9 +4,11 @@ import { send, on } from './ws.js';
 const SUPABASE_URL      = 'https://dpixehhdbtzsbckfektd.supabase.co';
 const SUPABASE_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImRwaXhlaGhkYnR6c2Jja2Zla3RkIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjExNDI0MjcsImV4cCI6MjA3NjcxODQyN30.nR1KCSRQj1E_evQWnE2VaZzg7PgLp2kqt4eDKP2PkpE';
 
-const AUTH_KEY     = 'ipai_auth_v1';
-const TEMP_ID_KEY  = 'ipai_temp_id';
-const CLIENT_ID_KEY= 'ipai_client_id';
+const AUTH_KEY      = 'ipai_auth_v1';
+const TEMP_ID_KEY   = 'ipai_temp_id';
+const CLIENT_ID_KEY = 'ipai_client_id';
+// Key written by oauth-callback.html so the main tab can pick it up
+const OAUTH_PENDING_KEY = 'ipai_oauth_pending';
 
 export let currentUser      = null;
 export let userProfile      = null;
@@ -71,10 +73,19 @@ export async function signUpWithEmail(email, password) {
   return data;
 }
 
+/**
+ * OAuth login via popup.
+ * The popup writes the tokens to localStorage under OAUTH_PENDING_KEY,
+ * then closes itself.  This tab listens for the storage event and picks
+ * them up — no postMessage needed (works even when opener is null, e.g.
+ * on some mobile browsers or strict sandboxes).
+ */
 export async function loginWithOAuth(provider) {
   const redirectTo = encodeURIComponent(`${location.origin}/oauth-callback.html`);
-  const url = `${SUPABASE_URL}/auth/v1/authorize?rd=https%3A%2F%2Fincognitolm-chat.hf.space%2Foauth-callback.html&provider=${provider}&redirect_to=${redirectTo}`;
-  window.open(url, '_blank', 'width=520,height=640,noopener');
+  const url = `${SUPABASE_URL}/auth/v1/authorize?provider=${provider}&redirect_to=${redirectTo}`;
+  window.open(url, '_blank', 'width=520,height=640,noopener,noreferrer');
+  // The storage listener below (window.addEventListener('storage', ...))
+  // will fire when the popup writes OAUTH_PENDING_KEY and complete the login.
 }
 
 export async function logout() {
@@ -101,7 +112,7 @@ async function handleSupabaseSession(data) {
   saveAuth({ access_token: data.access_token, refresh_token: data.refresh_token, user: data.user });
 
   return new Promise((resolve, reject) => {
-    const tempId = getTempId();
+    const tempId   = getTempId();
     const clientId = getClientId();
     send({ type: 'auth:login', accessToken: data.access_token, refreshToken: data.refresh_token,
       tempId, clientId });
@@ -170,21 +181,30 @@ on('ws:connected', async () => {
   }
 });
 
-// ── OAuth popup message ───────────────────────────────────────────────────
-
-window.addEventListener('message', async (e) => {
-  if (e.origin !== location.origin) return;
-  if (e.data?.type !== 'oauth:callback') return;
-  const { access_token, refresh_token } = e.data;
-  if (!access_token) return;
-  try { await handleSupabaseSession({ access_token, refresh_token }); }
-  catch (err) {
+// ── OAuth: localStorage-based token pickup ────────────────────────────────
+// Works for both popup and redirect flows.
+// The oauth-callback.html page writes { access_token, refresh_token } to
+// localStorage[OAUTH_PENDING_KEY] then closes/redirects.  The storage event
+// fires in all other tabs from the same origin.
+
+window.addEventListener('storage', async (e) => {
+  if (e.key !== OAUTH_PENDING_KEY || !e.newValue) return;
+  // Consume immediately so other tabs don't also try to log in
+  localStorage.removeItem(OAUTH_PENDING_KEY);
+  let tokens;
+  try { tokens = JSON.parse(e.newValue); } catch { return; }
+  if (!tokens?.access_token) return;
+  try {
+    await handleSupabaseSession(tokens);
+    import('./ui.js').then(({ showNotification }) =>
+      showNotification({ type: 'success', message: 'Signed in!', duration: 2500 }));
+  } catch (err) {
     import('./ui.js').then(({ showNotification }) =>
       showNotification({ type: 'error', message: `Sign-in failed: ${err.message}`, duration: 4000 }));
   }
 });
 
-// Also handle if page was opened after OAuth redirect (no popup)
+// Also handle same-tab redirect flow (no popup) — ?oauth=1&t=TOKEN&r=REFRESH
 (function checkOAuthRedirect() {
   const params = new URLSearchParams(location.search);
   const t = params.get('t'), r = params.get('r');
@@ -194,6 +214,19 @@ window.addEventListener('message', async (e) => {
   }
 })();
 
+// Legacy postMessage support (kept for backwards compat with old callback pages)
+window.addEventListener('message', async (e) => {
+  if (e.origin !== location.origin) return;
+  if (e.data?.type !== 'oauth:callback') return;
+  const { access_token, refresh_token } = e.data;
+  if (!access_token) return;
+  try { await handleSupabaseSession({ access_token, refresh_token }); }
+  catch (err) {
+    import('./ui.js').then(({ showNotification }) =>
+      showNotification({ type: 'error', message: `Sign-in failed: ${err.message}`, duration: 4000 }));
+  }
+});
+
 // ── Sidebar profile ────────────────────────────��──────────────────────────
 
 export function updateSidebarProfile() {
@@ -221,4 +254,4 @@ export function updateSidebarProfile() {
 }
 
 on('auth:ok', updateSidebarProfile);
-on('auth:loggedOut', updateSidebarProfile);
+on('auth:loggedOut', updateSidebarProfile);

public/js/sessions.js

@@ -62,18 +62,25 @@ on('sessions:data', (msg) => {
 on('auth:ok', (msg) => {
   sessions = msg.sessions || [];
   renderSessions();
-  if (sessions.length > 0 && !currentSessionId) {
+  // On login, show the most recent session if one exists,
+  // otherwise show the welcome screen (don't auto-create).
+  if (sessions.length > 0) {
     switchSession(sessions[0].id);
+  } else {
+    currentSessionId = null;
+    notify('switched', null);
   }
 });
 
 on('auth:guestOk', (msg) => {
   sessions = msg.sessions || [];
   renderSessions();
-  if (sessions.length === 0) {
-    createNewSession();
-  } else {
+  // Show welcome screen; session is created lazily when user sends first message.
+  if (sessions.length > 0) {
     switchSession(sessions[0].id);
+  } else {
+    currentSessionId = null;
+    notify('switched', null);
   }
 });
 
@@ -99,6 +106,21 @@ on('sessions:imported', (msg) => {
 
 // ── Actions ───────────────────────────────────────────────────────────────
 
+/**
+ * createNewSession is now "lazy" for the new-chat button:
+ * the button just navigates to the welcome screen.
+ * An actual session is only created when the user sends their first message
+ * (handled in app.js triggerCenterSend).
+ *
+ * Call createNewSession() directly when you really need the session to exist
+ * immediately (e.g. from triggerCenterSend in app.js).
+ */
+export function showWelcomeScreen() {
+  currentSessionId = null;
+  renderSessions();            // deselect active item in sidebar
+  notify('switched', null);   // app.js will show the welcome view
+}
+
 export function createNewSession() {
   send({ type: 'sessions:create' });
 }
@@ -207,7 +229,6 @@ function startInlineRename(el) {
 }
 
 function openSessionMenu(e, id) {
-  const session = sessions.find(s => s.id === id);
   const items = [
     {
       label: 'Share', icon: '🔗',
@@ -261,4 +282,4 @@ function groupByDate(sessions) {
 
 function escHtml(str) {
   return String(str).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;');
-}
+}

public/oauth-callback.html

@@ -16,42 +16,67 @@
 <body>
   <div class="box">
     <div class="spinner"></div>
-    <p>Completing sign-in…</p>
+    <p id="msg">Completing sign-in…</p>
   </div>
   <script>
-    // Extract tokens from URL hash (Supabase implicit flow) or search params
+    // ── Extract tokens from URL hash (Supabase implicit flow) or search params ──
     function getTokens() {
       const hash   = new URLSearchParams(location.hash.replace('#', ''));
       const search = new URLSearchParams(location.search);
       return {
-        access_token:  hash.get('access_token')  || search.get('access_token'),
-        refresh_token: hash.get('refresh_token') || search.get('refresh_token'),
-        error:         hash.get('error')         || search.get('error'),
-        error_desc:    hash.get('error_description') || search.get('error_description'),
+        access_token:  hash.get('access_token')      || search.get('access_token'),
+        refresh_token: hash.get('refresh_token')      || search.get('refresh_token'),
+        error:         hash.get('error')              || search.get('error'),
+        error_desc:    hash.get('error_description')  || search.get('error_description'),
       };
     }
 
     const tokens = getTokens();
+    const msgEl  = document.getElementById('msg');
 
     if (tokens.error) {
-      document.querySelector('p').textContent = 'Sign-in error: ' + (tokens.error_desc || tokens.error);
+      msgEl.textContent = 'Sign-in error: ' + (tokens.error_desc || tokens.error);
     } else if (tokens.access_token) {
-      // Post to opener (main tab) and close
+      // ── Primary path: write to localStorage so the main tab picks it up
+      // via a 'storage' event listener — works even when window.opener is null
+      // (strict popup policies, mobile browsers, etc.).
+      const payload = JSON.stringify({
+        access_token:  tokens.access_token,
+        refresh_token: tokens.refresh_token || '',
+      });
+      localStorage.setItem('ipai_oauth_pending', payload);
+
+      // ── Also try postMessage to opener for fastest possible handoff ──────
       if (window.opener && !window.opener.closed) {
-        window.opener.postMessage({
-          type: 'oauth:callback',
-          access_token:  tokens.access_token,
-          refresh_token: tokens.refresh_token,
-        }, location.origin);
-        window.close();
-      } else {
-        // No opener — redirect to main page with params
-        const p = new URLSearchParams({ oauth: '1', t: tokens.access_token, r: tokens.refresh_token || '' });
-        location.replace('/?' + p.toString());
+        try {
+          window.opener.postMessage({
+            type:          'oauth:callback',
+            access_token:  tokens.access_token,
+            refresh_token: tokens.refresh_token,
+          }, location.origin);
+        } catch (_) { /* cross-origin opener — storage event is enough */ }
       }
+
+      msgEl.textContent = 'Sign-in complete! Closing…';
+      // Give localStorage a moment to propagate, then close.
+      setTimeout(() => {
+        // If we're in a popup, close it.
+        if (window.opener !== null || window.history.length <= 1) {
+          window.close();
+        }
+        // If close() didn't work (e.g. tab opened directly), redirect home.
+        setTimeout(() => {
+          const p = new URLSearchParams({
+            oauth: '1',
+            t: tokens.access_token,
+            r: tokens.refresh_token || '',
+          });
+          location.replace('/?' + p.toString());
+        }, 800);
+      }, 300);
     } else {
-      document.querySelector('p').textContent = 'No token received. Close this window.';
+      msgEl.textContent = 'No token received. You can close this window.';
     }
   </script>
 </body>
-</html>
+</html>

server/chatStream.js

@@ -1,38 +1,43 @@
 import OpenAI from "openai";
-import { Client } from "@gradio/client";
 import { LIGHTNING_BASE } from "./config.js";
 
-// ── Gradio search client singleton ─────────────────────────────────────────
-// Connect once at module load and reuse across all searches.
-// If the connection drops, gradioClient is reset to null so the next call
-// reconnects automatically rather than retrying a dead client forever.
-let gradioClient = null;
-let gradioConnecting = null; // in-flight connect promise, prevents thundering herd
-
-async function getGradioClient() {
-  if (gradioClient) return gradioClient;
-  if (gradioConnecting) return gradioConnecting;
-  gradioConnecting = Client.connect("incognitolm/Web-Search")
-    .then(c  => { gradioClient = c; gradioConnecting = null; return c; })
-    .catch(e => { gradioConnecting = null; throw e; });
-  return gradioConnecting;
-}
+// ── Web Search via direct HTTP (no Gradio WebSocket) ──────────────────────
+// The Gradio @gradio/client uses its own persistent WebSocket connection.
+// Running it inside a Node WS server caused the server's WS events to be
+// corrupted, showing "connection lost" to the browser and breaking all
+// subsequent messages.  We now call the Gradio Space's HTTP /run/predict
+// endpoint directly instead, which is stateless and has no side effects.
+
+const SEARCH_SPACE_HTTP = "https://incognitolm-web-search.hf.space";
+// Some Spaces expose /api/predict or /run/predict depending on SDK version.
+// We try /run/predict first (newer), fall back to /api/predict.
 
 async function gradioSearch(query) {
-  // Try once; if it fails reset the singleton so the next call gets a fresh connection.
-  try {
-    const client = await getGradioClient();
-    const r = await client.predict("/perform_search", { query });
-    // r.data is an array; the search results are in the first element.
-    // Accept a string, an array, or an object — normalise all to a string.
-    const raw = Array.isArray(r.data) ? r.data[0] : r.data;
-    if (!raw) throw new Error("Empty response from search endpoint");
-    return typeof raw === "string" ? raw : JSON.stringify(raw);
-  } catch (err) {
-    // Invalidate the singleton so the next search attempt reconnects.
-    gradioClient = null;
-    throw err;
+  const body = JSON.stringify({ data: [query] });
+  const headers = { "Content-Type": "application/json" };
+
+  // Try the modern endpoint first
+  for (const path of ["/run/predict", "/api/predict"]) {
+    try {
+      const res = await fetch(`${SEARCH_SPACE_HTTP}${path}`, {
+        method: "POST",
+        headers,
+        body,
+        // Give the search up to 30 s before giving up
+        signal: AbortSignal.timeout(30_000),
+      });
+      if (!res.ok) continue;
+      const json = await res.json();
+      // Gradio returns { data: [...] }
+      const raw = Array.isArray(json.data) ? json.data[0] : json.data;
+      if (!raw) throw new Error("Empty response from search endpoint");
+      return typeof raw === "string" ? raw : JSON.stringify(raw);
+    } catch (err) {
+      // Try next path
+      if (path === "/api/predict") throw err; // last option, rethrow
+    }
   }
+  throw new Error("All search endpoints failed");
 }
 
 const SYSTEM_PROMPT =

server/sessionStore.js

@@ -51,16 +51,37 @@ export const sessionStore = {
   },
   deleteTempSession(t, id) { tempStore.get(t)?.sessions.delete(id); },
   deleteTempAll(t)         { tempStore.get(t)?.sessions.clear(); },
+
+  /**
+   * Copy temp sessions into the user's account on login.
+   * We intentionally do NOT delete from tempStore so the guest session
+   * remains usable if the user logs out again (and so the WS client's
+   * tempId still resolves while the tab is open).
+   * Sessions that already exist in the user account (same id) are skipped
+   * to avoid overwriting newer server data.
+   */
   async transferTempToUser(tempId, userId, accessToken) {
-    const d = tempStore.get(tempId); if (!d || !d.sessions.size) return;
-    const uc = userClient(accessToken);
+    const d = tempStore.get(tempId);
+    if (!d || !d.sessions.size) return;
+
+    const uc   = userClient(accessToken);
     const user = this._ensureUser(userId);
+
     for (const s of d.sessions.values()) {
-      user.sessions.set(s.id, s);
-      await this._persist(uc, userId, s).catch(() => {});
+      // Skip sessions that are empty (never actually used)
+      if (!s.history || s.history.length === 0) continue;
+
+      // Skip if the user already has a session with the same id
+      if (user.sessions.has(s.id)) continue;
+
+      // Deep-clone so mutations to the user copy don't affect temp copy
+      const copy = JSON.parse(JSON.stringify(s));
+      user.sessions.set(copy.id, copy);
+      await this._persist(uc, userId, copy).catch(err =>
+        console.error('transferTempToUser persist error:', err.message));
     }
-    tempStore.delete(tempId);
   },
+
   // ── USERS ────────────────────────────────────────────────────────────────
   _ensureUser(uid) {
     if (!userCache.has(uid)) userCache.set(uid, { sessions: new Map(), online: new Set() });
@@ -93,28 +114,19 @@ export const sessionStore = {
     return s;
   },
   async deleteUserSession(userId, accessToken, id) {
-    // ① Remove the .catch() from the query chain
-    // ② Use try/catch to surface any unexpected errors
     try {
-      // Remove the session from the in‑memory cache
       userCache.get(userId)?.sessions.delete(id);
-  
-      // Perform the actual DB delete
       const { error } = await userClient(accessToken)
         .from('web_sessions')
         .delete()
         .eq('id', id)
         .eq('user_id', userId);
-  
-      if (error) {
-        console.error('Supabase delete error:', error.message);
-      }
+      if (error) console.error('Supabase delete error:', error.message);
     } catch (ex) {
       console.error('Unexpected deleteUserSession error:', ex);
     }
   },
   async deleteAllUserSessions(userId, accessToken) {
-    // Clear the in‑memory store first
     const u = userCache.get(userId);
     if (u) {
       u.sessions.clear();
@@ -122,17 +134,12 @@ export const sessionStore = {
       console.log('No user for ' + userId);
       return null;
     }
-  
-    // Delete everything from Supabase
     try {
       const { error } = await userClient(accessToken)
         .from('web_sessions')
         .delete()
         .eq('user_id', userId);
-  
-      if (error) {
-        console.error('Supabase bulk delete error:', error.message);
-      }
+      if (error) console.error('Supabase bulk delete error:', error.message);
     } catch (ex) {
       console.error('Unexpected deleteAllUserSessions error:', ex);
     }
@@ -190,4 +197,4 @@ export const deviceSessionStore = {
     const s = devSessions.get(token); if (!s || !s.active) return null;
     s.lastSeen = new Date().toISOString(); return s;
   },
-};
+};