fix: resolve user ID mismatch in agent routes for device auth flow

packages/backend/src/routes/agents/delete.ts

@@ -29,7 +29,15 @@ export const deleteAgentHandler = (serviceProvider: ServiceProvider<AppServiceMa
 
       const { owner, name } = req.params;
       const { version } = req.query;
-      const userId = (req.user as { id: string }).id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user.userId || req.user.id || req.user._id?.toString();
+      if (!userId) {
+        return res.status(401).json({
+          success: false,
+          error: 'Unauthorized',
+          message: 'User ID not found in token',
+        });
+      }
 
       if (version) {
         logger.info('Delete agent version requested', { owner, name, version, userId });

packages/backend/src/routes/agents/get-agent.ts

@@ -18,7 +18,8 @@ export const getAgentHandler = (serviceProvider: ServiceProvider<AppServiceMap>)
       const agentService = await serviceProvider.get('agent');
 
       const { owner, name } = req.params;
-      const userId = (req.user as { id: string } | undefined)?.id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user?.userId || req.user?.id || req.user?._id?.toString();
 
       logger.info('Get agent requested', { owner, name, userId });
 

packages/backend/src/routes/agents/get-version.ts

@@ -19,7 +19,8 @@ export const getAgentVersionHandler = (serviceProvider: ServiceProvider<AppServi
       const agentService = await serviceProvider.get('agent');
 
       const { owner, name, version } = req.params;
-      const userId = (req.user as { id: string } | undefined)?.id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user?.userId || req.user?.id || req.user?._id?.toString();
 
       logger.info('Get agent version requested', { owner, name, version, userId });
 

packages/backend/src/routes/agents/list.ts

@@ -23,7 +23,8 @@ export const getListAgentsHandler = (serviceProvider: ServiceProvider<AppService
         sort: (req.query.sort as 'downloads' | 'updated' | 'created' | 'name') || 'downloads',
       };
 
-      const userId = (req.user as { id: string } | undefined)?.id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user?.userId || req.user?.id || req.user?._id?.toString();
 
       logger.info('List agents requested', { filters, userId });
 

packages/backend/src/routes/agents/mcp-servers.ts

@@ -19,7 +19,8 @@ export const getMcpServersHandler = (serviceProvider: ServiceProvider<AppService
 
       const page = Number(req.query.page) || 1;
       const limit = Number(req.query.limit) || 20;
-      const userId = (req.user as { id: string } | undefined)?.id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user?.userId || req.user?.id || req.user?._id?.toString();
 
       logger.info('List agents with MCP servers requested', { page, limit, userId });
 
@@ -62,7 +63,8 @@ export const getAgentsByMcpServerHandler = (serviceProvider: ServiceProvider<App
       const { serverName } = req.params;
       const page = Number(req.query.page) || 1;
       const limit = Number(req.query.limit) || 20;
-      const userId = (req.user as { id: string } | undefined)?.id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user?.userId || req.user?.id || req.user?._id?.toString();
 
       logger.info('List agents by MCP server requested', { serverName, page, limit, userId });
 

packages/backend/src/routes/agents/publish.ts

@@ -21,7 +21,15 @@ export const publishAgentHandler = (serviceProvider: ServiceProvider<AppServiceM
         });
       }
 
-      const userId = (req.user as { id: string }).id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user.userId || req.user.id || req.user._id?.toString();
+      if (!userId) {
+        return res.status(401).json({
+          success: false,
+          error: 'Unauthorized',
+          message: 'User ID not found in token',
+        });
+      }
 
       logger.info('Publish agent requested', { userId, name: req.body.name });
 

packages/backend/src/routes/agents/search.ts

@@ -21,7 +21,8 @@ export const searchAgentsHandler = (serviceProvider: ServiceProvider<AppServiceM
         visibility: req.query.visibility as 'public' | 'private' | 'all' | undefined,
       };
 
-      const userId = (req.user as { id: string } | undefined)?.id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user?.userId || req.user?.id || req.user?._id?.toString();
 
       logger.info('Search agents requested', { query, filters, userId });
 

packages/backend/src/routes/agents/update-metadata.ts

@@ -27,7 +27,15 @@ export const updateAgentMetadataHandler = (serviceProvider: ServiceProvider<AppS
       }
 
       const { owner, name } = req.params;
-      const userId = (req.user as { id: string }).id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user.userId || req.user.id || req.user._id?.toString();
+      if (!userId) {
+        return res.status(401).json({
+          success: false,
+          error: 'Unauthorized',
+          message: 'User ID not found in token',
+        });
+      }
 
       logger.info('Update agent metadata requested', { owner, name, userId });
 

packages/backend/src/routes/agents/versions.ts

@@ -18,7 +18,8 @@ export const getAgentVersionsHandler = (serviceProvider: ServiceProvider<AppServ
       const agentService = await serviceProvider.get('agent');
 
       const { owner, name } = req.params;
-      const userId = (req.user as { id: string } | undefined)?.id;
+      // Support both JWT auth (userId) and OAuth callback (id/_id)
+      const userId = req.user?.userId || req.user?.id || req.user?._id?.toString();
 
       logger.info('Get agent versions requested', { owner, name, userId });