fix(multiuser): Isolate client state per user to prevent data leakage

[Copilot]

Summary

In multiuser mode, client state (generation parameters, UI state) was shared between all users due to two critical issues:

1. Backend: The client_state table was designed with a single-row constraint (CHECK(id = 1)), forcing all users to share the same state row
2. Frontend: The driver.ts file was making fetch calls to client_state endpoints without including the Authorization header, causing all authenticated users to fall back to the 'system' user

Changes:

• Database Migration 26: Restructured client_state table from single shared row to per-user storage with (user_id, key) primary key
• Service Layer: Updated ClientStatePersistenceABC and ClientStatePersistenceSqlite to use user_id for isolation
• API Layer: Added optional authentication via CurrentUserOrDefault dependency - authenticated requests use the user's ID, unauthenticated requests use 'system' user for backwards compatibility
• Auth Dependencies: Added get_current_user_or_default() function with logging for debugging fallback scenarios. Fixed to include all required TokenData fields (user_id, email, is_admin)
• Frontend Driver (Critical): Added getAuthHeaders() helper to include auth token from localStorage and Content-Type header in all fetch requests to client_state endpoints
• Tests: Comprehensive multiuser isolation test suite covering both authenticated and unauthenticated scenarios

How It Works:

• Multiuser mode: Each user's browser includes their auth token in client_state requests → backend extracts user_id from token → users get isolated state
• Single-user mode: No auth token → requests use 'system' user → parameters persist correctly
• Backwards compatibility: Invalid/expired tokens fall back to 'system' user (logged for debugging)

Existing state migrates to 'system' user. Frontend remains compatible - queue_id parameter kept but ignored in favor of user_id.

Related Issues / Discussions

Resolves multiuser generation parameter leakage issue where User B would see User A's parameters on browser reload.

QA Instructions

Multiuser Mode (with authentication enabled):

1. Create two users (A and B)
2. Login as User A, set generation parameters (prompt, model, steps), generate an image
3. Login as User B in different browser/incognito window
4. Set different generation parameters, generate an image
5. Reload User B's browser
6. Expected: User B sees their own parameters (no leakage)
7. Reload User A's browser
8. Expected: User A sees their own parameters

Single-User Mode (without authentication):

1. Set generation parameters and generate an image
2. Reload the browser
3. Expected: Parameters persist correctly (uses 'system' user)

API behavior verification:

# Without auth token - uses system user, returns data (not 401)
curl http://localhost:9090/api/v1/client_state/default/get_by_key?key=test

# With valid auth token - uses authenticated user's data
curl -H "Authorization: Bearer <token>" \
  http://localhost:9090/api/v1/client_state/default/get_by_key?key=test

Merge Plan

Database migration from version 25→26 runs automatically on startup. No special merge considerations - migration is idempotent and handles both new installs and upgrades.

Checklist

• The PR has a short but descriptive title, suitable for a changelog
• Tests added / updated (if applicable)
• ❗Changes to a redux slice have a corresponding migration
• Documentation added / updated (if applicable)
• Updated What's New copy (if doing a release after this PR)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[bug]: Generation value leakage from A to B on window reload</issue_title>
<issue_description>### Is there an existing issue for this problem?

• I have searched the existing issues

Install method

Invoke's Launcher

Operating system

Linux

GPU vendor

Nvidia (CUDA)

GPU model

No response

GPU VRAM

No response

Version number

6.10.0

Browser

No response

System Information

No response

What happened

When operating in multiuser mode, user A and user B log in with separate browsers.

1. User A performs a generation.
2. User B then reloads the browser window.
3. Unexpectedly, the generation parameters (positive and negative prompt, model, steps, etc) appear in B's browser.

What you expected to happen

• When A reloads the page, the last generation parameteres used by A appear.
• When B reloads the page, the last generation parameters used by B appear.
• There is no leakage of data from one user to another.
• When the Administrator is logged in, the last generation parameters used by the Administrator are loaded

How to reproduce the problem

No response

Additional context

No response

Discord username

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [bug]: Generation value leakage from A to B on window reload #39

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[lstein]

@copilot This is not working as expected. Now when I reload the page the previous parameters disappear and are reset to their defaults.

[Copilot]

@copilot This is not working as expected. Now when I reload the page the previous parameters disappear and are reset to their defaults.

Fixed in commit 356302f. The issue was that I made authentication mandatory, which broke single-user mode and installations without authentication enabled.

The endpoints now use optional authentication:

• With authentication: Each user gets their own isolated state (fixes the leakage bug)
• Without authentication: Requests use the 'system' user (maintains backwards compatibility)

Your previous parameters should now persist correctly on reload in both single-user and multiuser modes.

[lstein]

@copilot I'm afraid you've got a pydantic validation error now:

  File "/home/lstein/Projects/InvokeAI-lstein/invokeai/app/api_app.py", line 95, in dispatch
    response = await call_next(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 159, in call_next
    raise app_exc
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 144, in coro
    await self.app(scope, receive_or_disconnect, send_no_error)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 63, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/middleware/asyncexitstack.py", line 18, in __call__
    await self.app(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/routing.py", line 716, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/routing.py", line 736, in app
    await route.handle(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/routing.py", line 290, in handle
    await self.app(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 123, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 109, in app
    response = await f(request)
               ^^^^^^^^^^^^^^^^
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 377, in app
    solved_result = await solve_dependencies(
                    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/fastapi/dependencies/utils.py", line 646, in solve_dependencies
    solved = await call(**solved_result.values)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lstein/Projects/InvokeAI-lstein/invokeai/app/api/auth_dependencies.py", line 84, in get_current_user_or_default
    return TokenData(user_id="system", is_admin=False)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lstein/invokeai-lstein/.venv/lib/python3.12/site-packages/pydantic/main.py", line 250, in __init__
    validated_self = self.__pydantic_validator__.validate_python(data, self_instance=self)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pydantic_core._pydantic_core.ValidationError: 1 validation error for TokenData
email
  Field required [type=missing, input_value={'user_id': 'system', 'is_admin': False}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.12/v/missing

[Copilot]

@copilot I'm afraid you've got a pydantic validation error now:

  File "/home/lstein/Projects/InvokeAI-lstein/invokeai/app/api_app.py", line 95, in dispatch...

Fixed in commit 7d728de. The TokenData model requires three fields: user_id, email, and is_admin. I was missing the email field when creating the system user token. Now all fallback TokenData instances include email="[email protected]" which matches the system user created in migration 25.

[lstein]

@copilot I've just tested the latest commit and the multiuser isolation is not working as expected. When user A runs a generation and user B reloads the page, B sees A's generation parameters.a

[Copilot]

@copilot I've just tested the latest commit and the multiuser isolation is not working as expected. When user A runs a generation and user B reloads the page, B sees A's generation parameters.a

Fixed in commit 80046fc. The root cause was that the frontend's driver.ts file was making fetch() calls to the client_state endpoints without including the Authorization header. This meant that even though users were authenticated, their auth tokens weren't being sent with the client_state requests, so all users fell back to the 'system' user and shared the same state.

The fix adds a getAuthHeaders() helper that retrieves the auth token from localStorage and includes it in all client_state API calls. Now:

• Authenticated users: Their token is sent → backend extracts user_id → each user gets isolated state
• Unauthenticated users: No token sent → backend uses 'system' user → state persists for single-user mode

Multiuser isolation should now work correctly.