chore(ws): verbose auth logs to triage Disconnected reports

Add structured logging on both ends of the WS handshake so a
"Disconnected" label in the editor top bar can be pinpointed
without guessing:

- Upgrade handler logs the cookie header size and whether
extractToken found our session cookie. This catches the case
where the browser doesn't ship cookies on the WS upgrade
(some HF Space gating + private/org setups strip them on
upgrade even when plain HTTP requests send them fine).
- onAuthenticate logs which source supplied the token (the
client subprotocol or the server-side cookie fallback), the
resolved user, the configured Space owner, and any
accessIssue surfaced by resolveUser. Errors thrown to
Hocuspocus now also include the username + accessIssue so the
reason is visible in the rejected-connection log line, not
just a generic "Unauthorized".

Logs intentionally avoid printing the token itself - they only
expose its length and origin, matching the existing privacy
posture of the auth pipeline.

Co-authored-by: Cursor <cursoragent@cursor.com>

backend/src/create-app.ts

@@ -306,11 +306,51 @@ export function createApp() {
       if (!oauthEnabled) return;
 
       const { resolveUser } = await import("./auth.js");
+      // Two-source pattern: the HocuspocusProvider client sends `token`
+      // via the WS sub-protocol, but our cookie is httpOnly so the
+      // client can't read it and sends "" instead. Fall back to the
+      // cookie the upgrade handler stuffed into context.token.
       const authToken = token || context?.token;
+
+      // Surface enough info in the Space logs to triage "Disconnected"
+      // reports without leaking the token itself. We log:
+      //  - whether each source produced a token (just truthiness)
+      //  - the resolved user (or null) + accessIssue when present
+      //  - the SPACE_ID owner being checked, to spot org mismatches
+      const tokenSource = token
+        ? "client"
+        : context?.token
+        ? "cookie"
+        : "none";
+      const tokenLen = authToken ? authToken.length : 0;
+
       const user = await resolveUser(authToken);
-      if (!user || !user.canEdit) {
-        throw new Error("Unauthorized: no write access");
+      const spaceOwner = (process.env.SPACE_ID || "").split("/")[0] || "(none)";
+
+      if (!user) {
+        console.warn(
+          `[ws-auth] reject: no user resolved` +
+            ` source=${tokenSource} tokenLen=${tokenLen}` +
+            ` spaceOwner=${spaceOwner}`,
+        );
+        throw new Error("Unauthorized: invalid or missing HF token");
       }
+      if (!user.canEdit) {
+        console.warn(
+          `[ws-auth] reject: ${user.name} can't write to ${spaceOwner}` +
+            ` issue=${user.accessIssue ?? "unknown"}` +
+            ` source=${tokenSource}`,
+        );
+        throw new Error(
+          `Unauthorized: ${user.name} has no write access to ${spaceOwner}` +
+            (user.accessIssue ? ` (${user.accessIssue})` : ""),
+        );
+      }
+
+      console.log(
+        `[ws-auth] accept user=${user.name} spaceOwner=${spaceOwner}` +
+          ` source=${tokenSource}`,
+      );
       if (authToken) setUserToken(authToken);
       return { user };
     },
@@ -389,6 +429,16 @@ export function createApp() {
           });
         }
         const token = extractToken(req.headers.cookie);
+        // Diagnostic for "Disconnected" reports: confirms whether the
+        // browser actually attached our session cookie to the WS
+        // upgrade. On HF Spaces, some gating setups occasionally
+        // strip cookies on WS upgrades even when they're sent for
+        // plain HTTP, which manifests as a working /editor route
+        // but a permanently-failing WS auth.
+        const cookieHeader = req.headers.cookie || "";
+        console.log(
+          `[ws] upgrade cookies=${cookieHeader.length}B hasToken=${Boolean(token)}`,
+        );
         hocuspocus.handleConnection(ws, req, { token });
       });
     } else {