fix(rbac): port Better-Auth user auto-provision into legacy ./src tree (GRO-2052) (#143)
CI / Test (push) Successful in 11s
CI / Lint & Typecheck (push) Successful in 15s
CI / Test (pull_request) Successful in 9s
CI / Lint & Typecheck (pull_request) Successful in 14s
CI / Build & Push Docker Images (push) Successful in 36s
CI / Build & Push Docker Images (pull_request) Successful in 26s
CI / Test (push) Successful in 11s
CI / Lint & Typecheck (push) Successful in 15s
CI / Test (pull_request) Successful in 9s
CI / Lint & Typecheck (pull_request) Successful in 14s
CI / Build & Push Docker Images (push) Successful in 36s
CI / Build & Push Docker Images (pull_request) Successful in 26s
fix(rbac): port Better-Auth user auto-provision into legacy ./src tree (GRO-2052) Ports the Better-Auth user-table auto-provision branch from canonical apps/api into the deployed ./src/middleware/rbac.ts so the owner-bypass in pets.ts is reachable for Better-Auth email/password customers. OIDC account branch retained as backward-compat fallback. Adds 5 rbac.test.ts cases and UAT_PLAYBOOK pre-condition docs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Flea Flicker <flea@groombook.dev> Co-committed-by: Flea Flicker <flea@groombook.dev>
This commit was merged in pull request #143.
This commit is contained in:
+43
-2
@@ -1,5 +1,5 @@
|
||||
import type { MiddlewareHandler } from "hono";
|
||||
import { and, eq, getDb, sql, staff, account } from "@groombook/db";
|
||||
import { and, eq, getDb, sql, staff, account, user } from "@groombook/db";
|
||||
|
||||
export type StaffRole = "groomer" | "receptionist" | "manager";
|
||||
export type StaffRow = typeof staff.$inferSelect;
|
||||
@@ -111,8 +111,49 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
|
||||
}
|
||||
}
|
||||
|
||||
// Auto-provision for Better-Auth users (GRO-2052): the user signed in via
|
||||
// Better-Auth (email/password, magic link, etc.), so a row exists in `user`
|
||||
// for jwt.sub but no `account` provider row is required. Create a minimal
|
||||
// groomer staff record on first login. This is the primary auto-provision
|
||||
// path; the OIDC branch below remains as a fallback for legacy accounts
|
||||
// that exist in `account` but not in `user`.
|
||||
const [userRow] = await db
|
||||
.select({ id: user.id, name: user.name, email: user.email })
|
||||
.from(user)
|
||||
.where(eq(user.id, jwt.sub))
|
||||
.limit(1);
|
||||
if (userRow) {
|
||||
const emailPrefix = userRow.email ? userRow.email.split("@")[0] : "Unknown";
|
||||
const name = userRow.name?.trim() || jwt.name?.trim() || emailPrefix;
|
||||
|
||||
const [newStaff] = await db
|
||||
.insert(staff)
|
||||
.values({
|
||||
userId: jwt.sub,
|
||||
email: userRow.email ?? jwt.email ?? "",
|
||||
name,
|
||||
role: "groomer",
|
||||
isSuperUser: false,
|
||||
active: true,
|
||||
} as Parameters<typeof db.insert>[0] extends { values: infer V } ? V : never)
|
||||
.returning()!;
|
||||
|
||||
if (!newStaff) {
|
||||
return c.json({ error: "Forbidden: auto-provision failed" }, 500);
|
||||
}
|
||||
|
||||
console.log(
|
||||
`[rbac] auto-provisioned staff record for Better-Auth user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
|
||||
);
|
||||
c.set("staff", newStaff);
|
||||
await next();
|
||||
return;
|
||||
}
|
||||
|
||||
// Auto-provision for OIDC users: check if jwt.sub has an OAuth/OIDC account
|
||||
// (e.g. authentik). If so, create a groomer staff record on the fly.
|
||||
// (e.g. authentik). If so, create a groomer staff record on the fly. This
|
||||
// is kept for backward compatibility with legacy OIDC sessions whose user
|
||||
// row may not yet exist in the Better-Auth `user` table.
|
||||
if (jwt.email) {
|
||||
const [oidcAccount] = await db
|
||||
.select({ id: account.id })
|
||||
|
||||
Reference in New Issue
Block a user