fix(pets): port owner-bypass into deployed tree (GRO-2013) (#139)
CI / Test (push) Successful in 13s
CI / Lint & Typecheck (push) Successful in 16s
CI / Build & Push Docker Images (push) Successful in 1m5s
CI / Test (pull_request) Successful in 16s
CI / Lint & Typecheck (pull_request) Successful in 2m25s
CI / Build & Push Docker Images (pull_request) Failing after 32s
CI / Test (push) Successful in 13s
CI / Lint & Typecheck (push) Successful in 16s
CI / Build & Push Docker Images (push) Successful in 1m5s
CI / Test (pull_request) Successful in 16s
CI / Lint & Typecheck (pull_request) Successful in 2m25s
CI / Build & Push Docker Images (pull_request) Failing after 32s
This commit was merged in pull request #139.
This commit is contained in:
+41
-1
@@ -7,6 +7,7 @@ import {
|
||||
eq,
|
||||
exists,
|
||||
getDb,
|
||||
impersonationSessions,
|
||||
or,
|
||||
pets,
|
||||
appointments,
|
||||
@@ -126,6 +127,35 @@ petsRouter.get("/:id", async (c) => {
|
||||
return c.json(row);
|
||||
});
|
||||
|
||||
/**
|
||||
* Resolves the clientId from the X-Impersonation-Session-Id header, if present and active.
|
||||
* Used by staff routes to allow a customer (auto-provisioned as a `groomer` staff row
|
||||
* by rbac.ts) to access their own pet's data when they are the rightful owner.
|
||||
*
|
||||
* Returns null when the header is missing, the session is unknown/expired/ended, or the
|
||||
* session exists but has no clientId — callers should treat null as "no owner-bypass".
|
||||
*/
|
||||
async function resolveImpersonationClientId(
|
||||
db: ReturnType<typeof getDb>,
|
||||
c: { req: { header: (name: string) => string | undefined } }
|
||||
): Promise<string | null> {
|
||||
const sessionId = c.req.header("X-Impersonation-Session-Id");
|
||||
if (!sessionId) return null;
|
||||
const [session] = await db
|
||||
.select({
|
||||
clientId: impersonationSessions.clientId,
|
||||
status: impersonationSessions.status,
|
||||
expiresAt: impersonationSessions.expiresAt,
|
||||
})
|
||||
.from(impersonationSessions)
|
||||
.where(eq(impersonationSessions.id, sessionId))
|
||||
.limit(1);
|
||||
if (!session) return null;
|
||||
if (session.status !== "active") return null;
|
||||
if (session.expiresAt <= new Date()) return null;
|
||||
return session.clientId;
|
||||
}
|
||||
|
||||
petsRouter.get("/:id/profile-summary", async (c) => {
|
||||
const db = getDb();
|
||||
const petId = c.req.param("id");
|
||||
@@ -152,8 +182,18 @@ petsRouter.get("/:id/profile-summary", async (c) => {
|
||||
const [pet] = await db.select().from(pets).where(eq(pets.id, petId));
|
||||
if (!pet) return c.json({ error: "Not found" }, 404);
|
||||
|
||||
// Groomer RBAC: check appointment linkage to this pet's client
|
||||
// Owner-bypass (GRO-2013): a customer who supplies a valid
|
||||
// X-Impersonation-Session-Id for the pet's owning client may read their
|
||||
// own pet's summary, even though rbac.ts auto-provisions them as a
|
||||
// `groomer` staff row with no appointment linkage.
|
||||
let isOwner = false;
|
||||
if (isGroomer) {
|
||||
const ownerClientId = await resolveImpersonationClientId(db, c);
|
||||
isOwner = !!ownerClientId && ownerClientId === pet.clientId;
|
||||
}
|
||||
|
||||
// Groomer RBAC: check appointment linkage to this pet's client
|
||||
if (isGroomer && !isOwner) {
|
||||
const [linkage] = await db
|
||||
.select({ id: appointments.id })
|
||||
.from(appointments)
|
||||
|
||||
Reference in New Issue
Block a user