From b25fd9557ddc3809a4f0f05b5d1571ed8c146bc5 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 20 May 2026 12:57:00 +0000
Subject: [PATCH 1/2] fix(backend): use user uid (not fingerprint uid) when blocking/unblocking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

FingerprintStore.Block and Unblock retrieve the user record via GetByFingerprint to find the user's uid, but then sent UserStoreMessages.Update with `uid: fp.uid`, which is the fingerprint id — so the wrong record (or no record) was being updated. Pass the user's uid instead.
---
 packages/backend/src/actors/FingerprintStore.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/backend/src/actors/FingerprintStore.ts b/packages/backend/src/actors/FingerprintStore.ts
index e987f73..9dc4f4b 100644
--- a/packages/backend/src/actors/FingerprintStore.ts
+++ b/packages/backend/src/actors/FingerprintStore.ts
@@ -73,7 +73,7 @@ export class FingerprintStore extends SubscribableActor {
@@ -89,7 +89,7 @@ export class FingerprintStore extends SubscribableActor {
From 526c7f1a6d107ded388ec2e801b804080663c2ac Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 20 May 2026 13:09:16 +0000
Subject: [PATCH 2/2] fix(backend): await session-store update before completing WS handshake
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The WS authentication middleware previously did system.send(SessionStore, StoreSession({ uid, actorSystem })); next(undefined); — a fire-and-forget that returned the HTTP 101 to the client before the SessionStore's clientIndex had been updated with the new actorSystem ↔ uid mapping. The browser would then immediately ask actors that resolve the caller's role via determineRole → SessionStore.GetSessionForClient, which would miss in clientIndex and return "Unknown client session". This produced a ~30 second Dashboard reload spinner: the frontend's afterStart asks (UserAdminActor.GetAll, FingerprintStore.GetMostRecent, LocalUserActor.GetOwn) would hit timeouts (5s each + 5s sweep) before the system Promise could resolve and the spinner could clear. Converting send → ask makes the handshake wait until clientIndex is populated, so the very first ask the new client sends resolves its session correctly.
---
 packages/backend/src/middlewares/authMiddleware.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/backend/src/middlewares/authMiddleware.ts b/packages/backend/src/middlewares/authMiddleware.ts
index e20ddb4..28a201f 100644
--- a/packages/backend/src/middlewares/authMiddleware.ts
+++ b/packages/backend/src/middlewares/authMiddleware.ts
@@ -35,12 +35,12 @@ export const authenticationMiddleware = (request: IncomingMessage, next: (err: E
 .map(bearerValid)
 .orElse(Promise.resolve("" as Id)) as Promise;
 tokenValid
- .then(uid => {
+ .then(async uid => {
 if (!uid) {
 next(authorizationError());
 return;
 }
- Container.get("actor-system").send(
+ await Container.get("actor-system").ask(
 createActorUri("SessionStore"),
 SessionStoreMessages.StoreSession({ uid, actorSystem })
 );
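Review bot: The new `await Container.get("actor-system").ask(` can reject (the commit message itself mentions 5 s ask timeouts), and nothing visible in this hunk turns that rejection into a `next(err)` call, so a slow or failed SessionStore could leave the upgrade request hanging or surface as an unhandled rejection instead of a refused handshake. I would fail closed around the call, e.g. `try { await …ask(…); } catch { next(authorizationError()); return; }`, and also inspect the reply if `StoreSession` can answer with a failure value, so that no socket is accepted without a stored uid ↔ actorSystem mapping. The rest of the `.then` callback, including the `next(undefined)` the description refers to and any trailing `.catch`, lies outside the hunk, so an existing handler there may already cover this.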