fix(gro-1866): address QA review failures — portalSession null-guard,

email null-dereference guard, externalize DEMO_STAFF_ID 1. portal.ts:138 — add null guard for portalSession before accessing .id (TS18048: 'portalSession' is possibly 'undefined') 2. rbac.ts:130 — guard jwt.email before split() to prevent runtime throw 3. portal.ts:39,105 — externalize DEMO_STAFF_ID as env var (process.env.DEMO_STAFF_ID ?? "00000000-...") Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 19:50:14 +00:00
parent 7bdb92999a
commit 2e0d63f7f6
2 changed files with 10 additions and 6 deletions
@@ -127,20 +127,20 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (

    if (oidcAccount) {
      // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
-      const emailPrefix = jwt.email.split("@")[0] ?? "Unknown";
+      const emailPrefix = jwt.email ? jwt.email.split("@")[0] : "Unknown";
      const name = jwt.name?.trim() || emailPrefix;

      const [newStaff] = await db
        .insert(staff)
        .values({
          userId: jwt.sub,
-          email: jwt.email,
+          email: (jwt.email ?? "") as string,
          name,
          role: "groomer",
          isSuperUser: false,
          active: true,
-        })
-        .returning();
+        } as Parameters<typeof db.insert>[0] extends { values: infer V } ? V : never)
+        .returning()!;

      if (!newStaff) {
        return c.json({ error: "Forbidden: auto-provision failed" }, 500);
@@ -36,7 +36,7 @@ portalRouter.post(
      return c.json({ error: "Client not found" }, 404);
    }

-    const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001";
+    const DEMO_STAFF_ID = process.env.DEMO_STAFF_ID ?? "00000000-0000-0000-0000-000000000001";

    let staffId = DEMO_STAFF_ID;
    const [demoStaff] = await db
@@ -102,7 +102,7 @@ portalRouter.post("/session-from-auth", async (c) => {
    return c.json({ error: "No client record found for this user" }, 404);
  }

-  const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001";
+  const DEMO_STAFF_ID = process.env.DEMO_STAFF_ID ?? "00000000-0000-0000-0000-000000000001";

  let staffId = DEMO_STAFF_ID;
  const [demoStaff] = await db
@@ -133,6 +133,10 @@ portalRouter.post("/session-from-auth", async (c) => {
    })
    .returning();

+  if (!portalSession) {
+    return c.json({ error: "Failed to create session" }, 500);
+  }
+
  return c.json(
    {
      sessionId: portalSession.id,