fix(multiuser): Isolate client state per user to prevent data leakage

[Copilot]

Summary

In multiuser mode, client state (generation parameters, UI state) was shared between all users due to four critical issues:

1. Backend: The client_state table was designed with a single-row constraint (CHECK(id = 1)), forcing all users to share the same state row
2. Frontend API Calls: The driver.ts file was making fetch calls to client_state endpoints without including the Authorization header, causing all authenticated users to fall back to the 'system' user
3. Frontend State Management: When switching users in the same browser session, the previous user's generation parameters remained in memory until logout
4. State Loading on Login: The redux-remember library only loads state from the server on page mount, not when a user logs in, preventing proper state loading when switching users

Changes:

• Database Migration 26: Restructured client_state table from single shared row to per-user storage with (user_id, key) primary key
• Service Layer: Updated ClientStatePersistenceABC and ClientStatePersistenceSqlite to use user_id for isolation
• API Layer: Added optional authentication via CurrentUserOrDefault dependency - authenticated requests use the user's ID, unauthenticated requests use 'system' user for backwards compatibility
• Auth Dependencies: Added get_current_user_or_default() function with logging for debugging fallback scenarios. Fixed to include all required TokenData fields (user_id, email, is_admin)
• Frontend Driver (Critical): Added getAuthHeaders() helper to include auth token from localStorage in all fetch requests to client_state endpoints. No Content-Type header is sent because the backend expects raw string body, not JSON-parsed data. Includes safe localStorage access checks for test environment compatibility.
• Frontend State Management: Added extraReducers to paramsSlice that reset generation parameters to initial state on logout action only to prevent browser caching of previous user's data while allowing state to persist on page reload
• Login Flow: Modified login process to force a full page reload after successful authentication, ensuring redux-remember loads the new user's state from the server
• Auth Slice: Added comprehensive safe localStorage access checks (verifying window and localStorage availability) to support Node.js test environments where localStorage is undefined
• Tests: Comprehensive multiuser isolation test suite covering both authenticated and unauthenticated scenarios. All frontend tests now pass with proper localStorage mocking.

How It Works:

• Multiuser mode: Each user's browser includes their auth token in client_state requests → backend extracts user_id from token → users get isolated state stored in database
• Single-user mode: No auth token → requests use 'system' user → parameters persist correctly
• User switching: Logout resets params to initial state in browser memory → new user logs in → page automatically reloads → new user's state loads from server
• Page reload: User session is restored from localStorage → params load from server (no reset occurs)
• Test environment: All localStorage access is safely guarded with environment checks to prevent errors in Node.js test environments
• Backwards compatibility: Invalid/expired tokens fall back to 'system' user (logged for debugging)

Existing state migrates to 'system' user. Frontend remains compatible - queue_id parameter kept but ignored in favor of user_id.

Related Issues / Discussions

Resolves multiuser generation parameter leakage issue where User B would see User A's parameters on browser reload or when switching users in the same browser session.

QA Instructions

Multiuser Mode (with authentication enabled):

1. Create two users (A and B)
2. Login as User A, set generation parameters (prompt, model, steps), generate an image
3. Login as User B in different browser/incognito window
4. Set different generation parameters, generate an image
5. Reload User B's browser
6. Expected: User B sees their own parameters (no leakage)
7. Reload User A's browser
8. Expected: User A sees their own parameters

User Switching in Same Browser:

1. Login as User A, set generation parameters
2. Logout (params reset to defaults immediately)
3. Login as User B (page automatically reloads after login)
4. Expected: User B's saved parameters load from server (no cached data from User A)

Page Reload:

1. Login as User A, set generation parameters
2. Reload the page
3. Expected: Parameters persist correctly (loaded from server)

Single-User Mode (without authentication):

1. Set generation parameters and generate an image
2. Reload the browser
3. Expected: Parameters persist correctly (uses 'system' user)

API behavior verification:

# Without auth token - uses system user, returns data (not 401)
curl http://localhost:9090/api/v1/client_state/default/get_by_key?key=test

# With valid auth token - uses authenticated user's data
curl -H "Authorization: Bearer <token>" \
  http://localhost:9090/api/v1/client_state/default/get_by_key?key=test

CI/Tests:

• ✅ All backend tests pass
• ✅ All frontend tests pass (localStorage properly mocked for Node.js environment)
• ✅ ESLint checks pass
• ✅ TypeScript compilation successful
• ✅ No security vulnerabilities detected

Merge Plan

Database migration from version 25→26 runs automatically on startup. No special merge considerations - migration is idempotent and handles both new installs and upgrades.

Checklist

• The PR has a short but descriptive title, suitable for a changelog
• Tests added / updated (if applicable)
• ❗Changes to a redux slice have a corresponding migration
• Documentation added / updated (if applicable)
• Updated What's New copy (if doing a release after this PR)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[bug]: Generation value leakage from A to B on window reload</issue_title>
<issue_description>### Is there an existing issue for this problem?

• I have searched the existing issues

Install method

Invoke's Launcher

Operating system

Linux

GPU vendor

Nvidia (CUDA)

GPU model

No response

GPU VRAM

No response

Version number

6.10.0

Browser

No response

System Information

No response

What happened

When operating in multiuser mode, user A and user B log in with separate browsers.

1. User A performs a generation.
2. User B then reloads the browser window.
3. Unexpectedly, the generation parameters (positive and negative prompt, model, steps, etc) appear in B's browser.

What you expected to happen

• When A reloads the page, the last generation parameteres used by A appear.
• When B reloads the page, the last generation parameters used by B appear.
• There is no leakage of data from one user to another.
• When the Administrator is logged in, the last generation parameters used by the Administrator are loaded

How to reproduce the problem

No response

Additional context

No response

Discord username

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [bug]: Generation value leakage from A to B on window reload #39

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[lstein]

@copilot This is not working as expected. Now when I reload the page the previous parameters disappear and are reset to their defaults.

[Copilot]

@copilot This is not working as expected. Now when I reload the page the previous parameters disappear and are reset to their defaults.

Fixed in commit 356302f. The issue was that I made authentication mandatory, which broke single-user mode and installations without authentication enabled.

The endpoints now use optional authentication:

• With authentication: Each user gets their own isolated state (fixes the leakage bug)
• Without authentication: Requests use the 'system' user (maintains backwards compatibility)

Your previous parameters should now persist correctly on reload in both single-user and multiuser modes.

[lstein]

@copilot I'm afraid you've got a pydantic validation error now:

  File "/home/lstein/Projects/InvokeAI-lstein/invokeai/app/api_app.py", line 95, in dispatch
    response = await call_next(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 159, in call_next
    raise app_exc
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 144, in coro
    await self.app(scope, receive_or_disconnect, send_no_error)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 63, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/middleware/asyncexitstack.py", line 18, in __call__
    await self.app(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/routing.py", line 716, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/routing.py", line 736, in app
    await route.handle(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/routing.py", line 290, in handle
    await self.app(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 123, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 109, in app
    response = await f(request)
               ^^^^^^^^^^^^^^^^
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 377, in app
    solved_result = await solve_dependencies(
                    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/dependencies/utils.py", line 646, in solve_dependencies
    solved = await call(**solved_result.values)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lstein/Projects/InvokeAI-lstein/invokeai/app/api/auth_dependencies.py", line 84, in get_current_user_or_default
    return TokenData(user_id="system", is_admin=False)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/pydantic/main.py", line 250, in __init__
    validated_self = self.__pydantic_validator__.validate_python(data, self_instance=self)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pydantic_core._pydantic_core.ValidationError: 1 validation error for TokenData
email
  Field required [type=missing, input_value={'user_id': 'system', 'is_admin': False}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.12/v/missing

[Copilot]

@copilot I'm afraid you've got a pydantic validation error now:

  File "/home/lstein/Projects/InvokeAI-lstein/invokeai/app/api_app.py", line 95, in dispatch...

Fixed in commit 7d728de. The TokenData model requires three fields: user_id, email, and is_admin. I was missing the email field when creating the system user token. Now all fallback TokenData instances include email="system@system.invokeai" which matches the system user created in migration 25.

[lstein]

@copilot I've just tested the latest commit and the multiuser isolation is not working as expected. When user A runs a generation and user B reloads the page, B sees A's generation parameters.a

[Copilot]

@copilot I've just tested the latest commit and the multiuser isolation is not working as expected. When user A runs a generation and user B reloads the page, B sees A's generation parameters.a

Fixed in commit 80046fc. The root cause was that the frontend's driver.ts file was making fetch() calls to the client_state endpoints without including the Authorization header. This meant that even though users were authenticated, their auth tokens weren't being sent with the client_state requests, so all users fell back to the 'system' user and shared the same state.

The fix adds a getAuthHeaders() helper that retrieves the auth token from localStorage and includes it in all client_state API calls. Now:

• Authenticated users: Their token is sent → backend extracts user_id → each user gets isolated state
• Unauthenticated users: No token sent → backend uses 'system' user → state persists for single-user mode

Multiuser isolation should now work correctly.

[lstein]

@copilot It is back to a state where neither user's parameters are recalled when reloading the page. I am seeing this error on page reload:

driver.ts:148 
 POST http://localhost:5173/api/v1/client_state/default/set_by_key?key=workflowSettings 422 (Unprocessable Entity)

[Copilot]

@copilot It is back to a state where neither user's parameters are recalled when reloading the page. I am seeing this error on page reload:

driver.ts:148 ...

Fixed in commit 3c1bd71. The 422 error was caused by the Content-Type: application/json header I added. The backend's set_client_state endpoint expects the raw request body as a string (value: str = Body(...)), but when Content-Type is set to application/json, FastAPI tries to parse the body as JSON first, which fails.

Removed the Content-Type header from the getAuthHeaders() function. Now the raw JSON string is sent directly as the body, which is what the backend expects. Parameters should now persist correctly on reload for both authenticated and unauthenticated users.

[lstein]

@copilot Almost perfect! But I notice that if I am logged into a browser as user A, then log out and log in as user B, user A's last generation parameters are displayed until I refresh the page, presumably because of browser caching of the fields. Can the fields be cleared after changing the login? Or perhaps logging in should force a page reload?

[Copilot]

@copilot Almost perfect! But I notice that if I am logged into a browser as user A, then log out and log in as user B, user A's last generation parameters are displayed until I refresh the page, presu...

Fixed in commit 455cdca. Added extraReducers to the paramsSlice that resets generation parameters to initial state when users log out or log in. This follows the same pattern already used in gallerySlice for clearing board-related state.

Now when:

• User logs out: Params state is cleared immediately
• User logs in: Params state is reset to defaults, then loaded from server for that user

This prevents the browser from displaying cached params from a previous user until the page is reloaded.

[lstein]

@copilot Sorry, but the behavior is back to reverting to default parameters (empty prompt, default model) on page reload.

[Copilot]

@copilot Sorry, but the behavior is back to reverting to default parameters (empty prompt, default model) on page reload.

Fixed in commit 0ea5934. The issue was that resetting params on setCredentials was interfering with state loading on page reload.

When the app loads with an existing token, ProtectedRoute calls setCredentials to restore the user session. My previous code was resetting params at this point, preventing the saved state from loading from the server.

Now params only reset on logout, not on setCredentials:

• Page reload: setCredentials called → params stay as-is → server loads user's saved state
• User switch: Logout → params reset → new user logs in → server loads new user's state

Parameters should now persist correctly on page reload while still preventing leakage when switching users.

[lstein]

@copilot Ok, and now we're back to the state in which when I log out as user A and log in again as user B, I don't see user B's saved parameters unless I reload the page.

[Copilot]

@copilot Ok, and now we're back to the state in which when I log out as user A and log in again as user B, I don't see user B's saved parameters unless I reload the page.

Fixed in commit d13bdaa. The issue was that redux-remember doesn't automatically reload state from the server when a different user logs in - it only loads state when the page initially mounts.

Changed the login flow to force a full page reload after successful login (window.location.href = '/'). This ensures:

• All user-specific state is loaded from the server for the newly logged-in user
• No cached state from the previous user remains in memory
• The redux-remember driver properly loads the new user's saved parameters

Now when switching users:

1. User A logs out → params reset immediately
2. User B logs in → page reloads → User B's saved parameters load from server

[lstein]

@copilot The user isolation is working as expected now. However, I'm getting errors on the frontend-tests:

 ✓  TS  src/features/nodes/types/common.test-d.ts (17 tests)
 ✓  TS  src/features/nodes/types/workflow.test-d.ts (3 tests)


 FAIL  src/features/stylePresets/util/getViewModeChunks.test.ts [ src/features/stylePresets/util/getViewModeChunks.test.ts ]
ReferenceError: localStorage is not defined
 ❯ src/features/auth/store/authSlice.ts:25:22
     23| 
     24| const initialState: AuthState = {
     25|   isAuthenticated: !!localStorage.getItem('auth_token'),
       |                      ^
     26|   token: localStorage.getItem('auth_token'),
     27|   user: null,
 ❯ src/features/controlLayers/store/paramsSlice.ts:9:1


 FAIL  src/features/controlLayers/components/StagingArea/shared.test.ts [ src/features/controlLayers/components/StagingArea/shared.test.ts ]
 FAIL  src/features/controlLayers/components/StagingArea/state.test.ts [ src/features/controlLayers/components/StagingArea/state.test.ts ]
ReferenceError: localStorage is not defined
 ❯ src/features/auth/store/authSlice.ts:25:22
     23| 
     24| const initialState: AuthState = {
     25|   isAuthenticated: !!localStorage.getItem('auth_token'),
       |                      ^
     26|   token: localStorage.getItem('auth_token'),
     27|   user: null,
 ❯ src/features/controlLayers/store/paramsSlice.ts:9:1



 Test Files  3 failed | 25 passed (28)
      Tests  488 passed (488)
Type Errors  no errors
   Start at  04:09:56
   Duration  52.38s (transform 2.06s, setup 0ms, collect 10.92s, tests 5.13s, environment 7ms, prepare 3.81s, typecheck 52.24s)


Error: ReferenceError: localStorage is not defined
 ❯ src/features/auth/store/authSlice.ts:25:22
 ❯ src/features/controlLayers/store/paramsSlice.ts:9:1



Error: ReferenceError: localStorage is not defined
 ❯ src/features/auth/store/authSlice.ts:25:22
 ❯ src/features/controlLayers/store/paramsSlice.ts:9:1



Error: ReferenceError: localStorage is not defined
 ❯ src/features/auth/store/authSlice.ts:25:22
 ❯ src/features/controlLayers/store/paramsSlice.ts:9:1


 ELIFECYCLE  Command failed with exit code 1.
Error: Process completed with exit code 1.

[Copilot]

@copilot The user isolation is working as expected now. However, I'm getting errors on the frontend-tests:

...

Fixed in commits 475b25b and 8cce16c.

Test failures: Added safe localStorage access checks in authSlice.ts. The code now checks if window and localStorage are available before accessing them, preventing errors in Node.js test environment.

ESLint errors:

1. Changed HeadersInit to Record<string, string> in driver.ts (ESLint doesn't recognize TypeScript DOM types)
2. Removed unused navigate dependency from LoginPage useCallback (we use window.location.href instead)

Tests and linting should now pass.

[lstein]

Everything is working to spec.