From 821ea0046d156eafaf011250e3232964ae565f1e Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Tue, 12 May 2026 19:19:02 +0000
Subject: [PATCH] Auto-create staff records for OAuth users with no existing staff record
Fixes GRO-1118 - uat-tester receives HTTP 403 post-login
When a user authenticates via OAuth but has no corresponding staff record, the RBAC middleware now auto-creates a staff record with a default "receptionist" role instead of returning 403. This allows new OAuth users to access the app immediately.
The middleware now checks for staff records in this order:
1. By userId (Better-Auth user ID)
2. By oidcSub (legacy OIDC subject)
3. By email (auto-link existing staff)
4. Create new staff record if authenticated user has email and name
Co-Authored-By: Paperclip
---
 apps/api/src/middleware/rbac.ts | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/apps/api/src/middleware/rbac.ts b/apps/api/src/middleware/rbac.ts
index ae105eb..720b2fd 100644
--- a/apps/api/src/middleware/rbac.ts
+++ b/apps/api/src/middleware/rbac.ts
@@ -1,7 +1,7 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "../db";
+import { and, eq, getDb, sql, staff, staffRoleEnum } from "../db";
-export type StaffRole = "groomer" | "receptionist" | "manager";
+type StaffRole = typeof staffRoleEnum.enumValues[number];
 export type StaffRow = typeof staff.$inferSelect;
 export interface AppEnv {
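Review bot: `StaffRole` loses its `export` in the rewritten alias (`+type StaffRole = typeof staffRoleEnum.enumValues[number];`), which breaks any module that imported it from this file; unless it was confirmed that nothing else imports it, keep `export type StaffRole = typeof staffRoleEnum.enumValues[number];`. Deriving the alias from `staffRoleEnum` is otherwise a sound change, since the `"receptionist"` literal written later in this file is now checked against the database enum rather than a hand-maintained union.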
@@ -110,6 +110,27 @@ export const resolveStaffMiddleware: MiddlewareHandler = async (
 return;
 }
 }
+
+ // Auto-create staff record for authenticated OAuth users with no existing staff record
+ // This allows new OAuth users to access the app (defaults to receptionist role)
+ if (jwt.email && jwt.name) {
+ const [newStaff] = await db
+ .insert(staff)
+ .values({
+ email: jwt.email,
+ name: jwt.name,
+ userId: jwt.sub,
+ role: "receptionist",
+ active: true,
+ })
+ .returning();
+ if (newStaff) {
+ c.set("staff", newStaff);
+ await next();
+ return;
+ }
+ }
+
 return c.json(
 { error: "Forbidden: no staff record found for authenticated user" },
 403
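Review bot: The new block turns a successful OAuth login into staff membership with no authorization gate — `jwt.email && jwt.name` is the only condition, so every identity the provider issues a token for becomes an `active` `receptionist`, and the 403 this hunk replaces was the last check standing if the provider is not restricted to the organisation. Consider gating the auto-create on a configured allow-list or email-domain check, or inserting with `active: false` for an administrator to approve, and logging each auto-creation so it shows up in audit. The insert is also not race-safe: two concurrent first requests from the same user both reach it, and if `staff.email` or `staff.userId` carries a unique constraint (not visible here) the second insert throws and the request fails with a 500 rather than falling through to the 403; `.onConflictDoNothing()` before `.returning()` plus a re-read when `newStaff` is undefined would make it idempotent. `jwt.email` is written straight from the token without checking the provider's `email_verified` claim, if the token carries one, and per the commit message the same email is used above this hunk to link existing staff records, so a verified-email check should precede both paths. `resolveStaffMiddleware` begins before this hunk.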