groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(rbac): guard noUncheckedIndexedAccess in name derivation and newStaff insert
CI / Test (push) Successful in 10s
Details
CI / Lint & Typecheck (push) Successful in 10s
Details
CI / Build & Push Docker Images (push) Successful in 43s
Details
CI / Test (pull_request) Successful in 9s
Details
CI / Lint & Typecheck (pull_request) Successful in 10s
Details
CI / Build & Push Docker Images (pull_request) Failing after 10s
Details

Browse Source 
With noUncheckedIndexedAccess:true, split("@")[0] returns string|undefined,
making `name` typed as string|undefined and failing the notNull staff.name
insert constraint. Fix by using ?? fallback on the array access.

Also add newStaff null guard after .returning() destructure — array
destructuring yields T|undefined with noUncheckedIndexedAccess enabled.
This commit is contained in:
Lint Roller
2026-05-26 01:48:12 +00:00
parent 8e8a87767c
commit 385ed10211
1 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/middleware/rbac.ts
+7 -4
View File
@@ -127,15 +127,14 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
if (oidcAccount) { if (oidcAccount) {
// Derive name: prefer jwt.name, fall back to email prefix, then "Unknown" // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
const name = const emailPrefix = jwt.email.split("@")[0] ?? "Unknown";
jwt.name?.trim() || const name = jwt.name?.trim() || emailPrefix;
(jwt.email ? jwt.email.split("@")[0] : "Unknown");
const [newStaff] = await db const [newStaff] = await db
.insert(staff) .insert(staff)
.values({ .values({
userId: jwt.sub, userId: jwt.sub,
email: jwt.email ?? "", email: jwt.email,
name, name,
role: "groomer", role: "groomer",
isSuperUser: false, isSuperUser: false,
@@ -143,6 +142,10 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
}) })
.returning(); .returning();
if (!newStaff) {
return c.json({ error: "Forbidden: auto-provision failed" }, 500);
}
console.log( console.log(
`[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})` `[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
); );