groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(gro-1866): address QA review failures — portalSession null-guard,
CI / Test (push) Successful in 32s
Details
CI / Lint & Typecheck (push) Successful in 34s
Details
CI / Build & Push Docker Images (push) Successful in 2m34s
Details

Browse Source 
email null-dereference guard, externalize DEMO_STAFF_ID

1. portal.ts:138 — add null guard for portalSession before accessing .id
   (TS18048: 'portalSession' is possibly 'undefined')
2. rbac.ts:130 — guard jwt.email before split() to prevent runtime throw
3. portal.ts:39,105 — externalize DEMO_STAFF_ID as env var
   (process.env.DEMO_STAFF_ID ?? "00000000-...")

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Flea Flicker
2026-05-28 19:50:14 +00:00
parent 7bdb92999a
commit 2e0d63f7f6
2 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/middleware/rbac.ts
+4 -4
View File
@@ -127,20 +127,20 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
if (oidcAccount) { if (oidcAccount) {
// Derive name: prefer jwt.name, fall back to email prefix, then "Unknown" // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
const emailPrefix = jwt.email.split("@")[0] ?? "Unknown"; const emailPrefix = jwt.email ? jwt.email.split("@")[0] : "Unknown";
const name = jwt.name?.trim() || emailPrefix; const name = jwt.name?.trim() || emailPrefix;
const [newStaff] = await db const [newStaff] = await db
.insert(staff) .insert(staff)
.values({ .values({
userId: jwt.sub, userId: jwt.sub,
email: jwt.email, email: (jwt.email ?? "") as string,
name, name,
role: "groomer", role: "groomer",
isSuperUser: false, isSuperUser: false,
active: true, active: true,
}) } as Parameters<typeof db.insert>[0] extends { values: infer V } ? V : never)
.returning(); .returning()!;
if (!newStaff) { if (!newStaff) {
return c.json({ error: "Forbidden: auto-provision failed" }, 500); return c.json({ error: "Forbidden: auto-provision failed" }, 500);
src/routes/portal.ts
+6 -2
View File
@@ -36,7 +36,7 @@ portalRouter.post(
return c.json({ error: "Client not found" }, 404); return c.json({ error: "Client not found" }, 404);
} }
const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001"; const DEMO_STAFF_ID = process.env.DEMO_STAFF_ID ?? "00000000-0000-0000-0000-000000000001";
let staffId = DEMO_STAFF_ID; let staffId = DEMO_STAFF_ID;
const [demoStaff] = await db const [demoStaff] = await db
@@ -102,7 +102,7 @@ portalRouter.post("/session-from-auth", async (c) => {
return c.json({ error: "No client record found for this user" }, 404); return c.json({ error: "No client record found for this user" }, 404);
} }
const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001"; const DEMO_STAFF_ID = process.env.DEMO_STAFF_ID ?? "00000000-0000-0000-0000-000000000001";
let staffId = DEMO_STAFF_ID; let staffId = DEMO_STAFF_ID;
const [demoStaff] = await db const [demoStaff] = await db
@@ -133,6 +133,10 @@ portalRouter.post("/session-from-auth", async (c) => {
}) })
.returning(); .returning();
if (!portalSession) {
return c.json({ error: "Failed to create session" }, 500);
}
return c.json( return c.json(
{ {
sessionId: portalSession.id, sessionId: portalSession.id,