From 00dadac0a1ba07f1342f3798a6c7db12c049d764 Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Thu, 21 May 2026 22:24:48 +0000
Subject: [PATCH 1/2] fix(auth): add accountLinking trustedProviders for authentik (GRO-1509)

Betters Auth v1.5.6 link-account.mjs:22 rejects OAuth callbacks when the genericOAuth provider is not in trustedProviders AND email_verified is falsy. Adding authentik to trustedProviders bypasses this guard so OIDC login works for TF-created users whose emails were never verified through an authentik flow.

Co-Authored-By: Paperclip
---
 src/lib/auth.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 209e9d6..9e78740 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -251,6 +251,10 @@ export async function initAuth(): Promise {
 },
 },
 account: {
+ accountLinking: {
+ enabled: true,
+ trustedProviders: ["authentik"],
+ },
 storeStateStrategy: "cookie" as const,
 },
 emailAndPassword: {
From d6f7ade7bdd18e0f73ea26893bbdb7f127b49626 Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Thu, 21 May 2026 22:44:04 +0000
Subject: [PATCH 2/2] docs(UAT): add TC-API-1.16 for OIDC login Terraform-provisioned users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated UAT_PLAYBOOK.md §4.1 — new TC-API-1.16 covering OIDC login for Terraform-provisioned users (GRO-1509 fix, GRO-1511).

Co-Authored-By: Paperclip
---
 UAT_PLAYBOOK.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md
index 42a0b07..cb02d20 100644
--- a/UAT_PLAYBOOK.md
+++ b/UAT_PLAYBOOK.md
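Review bot: Adding `authentik` to `trustedProviders` makes Better Auth link an incoming OIDC identity to whatever existing user shares its email even when the IdP does not assert `email_verified`, so the change is only safe while authentik is the sole place that email is set and end users cannot edit it themselves; nothing in the hunk records that assumption. Put it next to the setting, e.g. `// authentik is admin/Terraform-provisioned and users cannot self-set email; linking on an unverified email is acceptable only under that assumption`, and consider having authentik emit `email_verified: true` for provisioned users instead, which resolves the GRO-1509 callback failure without relaxing the guard for every authentik login. The same trust cuts the other way: if `emailAndPassword` sign-up (its block begins on the hunk's last line and continues outside it) accepts an unverified address, a password account pre-registered with a victim's email is the one the victim's authentik login would be linked to. `enabled: true` may be redundant if linking is already on by default in this Better Auth version; check v1.5.6 rather than assuming.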
@@ -38,6 +38,7 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet | TC-API-1.13 | Name fallback — user.name present | Auto-provision where Better-Auth user has name set | Staff name = user.name value from user table | | TC-API-1.14 | Name fallback — no name, email present | Auto-provision where Better-Auth user has name = null, email = "test@example.com" | Staff name = "test" (email prefix before @) | | TC-API-1.15 | Name fallback — no name, no email | Auto-provision where Better-Auth user has name = null, email = null | Staff name = "Unknown" | +| TC-API-1.16 | OIDC login — Terraform-provisioned user | Initiate OIDC login as any UAT persona (uat-super, uat-groomer, uat-customer, uat-tester), complete authentik callback | 200 OK, session created — no account_not_linked error | ### 4.2 Client Management