groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(rbac): port Better-Auth user auto-provision into legacy ./src tree (GRO-2052)
CI / Test (pull_request) Successful in 13s
Details
CI / Lint & Typecheck (pull_request) Successful in 16s
Details
CI / Build & Push Docker Images (pull_request) Successful in 1m14s
Details

Browse Source 
PR #139 (a2b09ba) ported the GRO-2013 owner-bypass into the deployed
./src/routes/pets.ts but did NOT port the rbac auto-provision change.
As a result, on UAT (api:2026.06.01-4e9c4c5) the owner-bypass code is
unreachable for any Better-Auth email/password customer:

  ./src/middleware/rbac.ts (the deployed tree) only auto-provisions
  staff rows when account.providerId IN ('authentik','google','github')
  for jwt.sub. The UAT customer uat-customer@groombook.dev has a row in
  the Better-Auth `user` table but no row in `account` for those
  providers, so resolveStaffMiddleware falls through to:

    403 "Forbidden: no staff record found for authenticated user"

  before pets.ts ever runs.

The canonical apps/api/src/middleware/rbac.ts already has a Better-Auth
user-table fallback. This commit mirrors that branch into the deployed
./src/middleware/rbac.ts.

Behaviour
=========
- New: when no staff row exists for jwt.sub but the Better-Auth `user`
  table has a row whose id matches jwt.sub, INSERT a minimal
  role='groomer', isSuperUser=false, active=true staff row, set it on
  the request context, and continue.
- The legacy OIDC `account` branch is kept as a fallback for backwards
  compatibility with any pre-Better-Auth OIDC sessions whose user row
  may not yet exist in `user`.
- Lookup order: staff (userId) -> staff (oidcSub) -> staff (email,
  user_id IS NULL) -> Better-Auth user -> OIDC account -> 403.
- Name derivation: userRow.name -> jwt.name -> email prefix -> "Unknown".

Tests
=====
src/__tests__/rbac.test.ts:
- Mock @groombook/db rewritten to be table-aware so SELECTs from
  `user`/`account`/`staff` route to distinct lookup queues, and
  insert(staff).values(...).returning() is supported.
- buildApp() helper gains an optional jwtOverride param so tests can
  set jwt.email/name explicitly.
- 5 new cases under "resolveStaffMiddleware — auto-provision":
  1. Better-Auth user found -> staff row provisioned with role=groomer
  2. INSERT returns no row -> 500 "auto-provision failed"
  3. Better-Auth branch runs without jwt.email (regression of the
     pre-fix gate)
  4. OIDC fallback still works when user row is missing but account
     row exists
  5. Neither user nor account row -> 403 with "no staff record" message

Existing rbac.test.ts cases all keep passing (15 prior cases retained).
Full pnpm test on apps/api: 572/572 pass. pnpm typecheck: clean.

Scope
=====
- ./src/middleware/rbac.ts only — apps/api/src/middleware/rbac.ts
  already has this branch and is unchanged.
- No schema/migration changes; staff and user tables are unchanged.
- pre-existing lint error in src/__tests__/petProfileSummary.test.ts:167
  (`servicesTable` declared/assigned but never read) introduced by PR
  #139 a2b09ba is NOT addressed here — it is out of this PR's scope.

Resolves: GRO-2052
Refs: GRO-2013, GRO-2050, GRO-2035

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Flea Flicker
2026-06-02 01:43:54 +00:00
parent a2b09ba502
commit e2dc230b7f
2 changed files with 257 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/middleware/rbac.ts
+43 -2
View File
@@ -1,5 +1,5 @@
import type { MiddlewareHandler } from "hono";
import { and, eq, getDb, sql, staff, account } from "@groombook/db";
import { and, eq, getDb, sql, staff, account, user } from "@groombook/db";
export type StaffRole = "groomer" | "receptionist" | "manager";
export type StaffRow = typeof staff.$inferSelect;
@@ -111,8 +111,49 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
}
}
// Auto-provision for Better-Auth users (GRO-2052): the user signed in via
// Better-Auth (email/password, magic link, etc.), so a row exists in `user`
// for jwt.sub but no `account` provider row is required. Create a minimal
// groomer staff record on first login. This is the primary auto-provision
// path; the OIDC branch below remains as a fallback for legacy accounts
// that exist in `account` but not in `user`.
const [userRow] = await db
.select({ id: user.id, name: user.name, email: user.email })
.from(user)
.where(eq(user.id, jwt.sub))
.limit(1);
if (userRow) {
const emailPrefix = userRow.email ? userRow.email.split("@")[0] : "Unknown";
const name = userRow.name?.trim() || jwt.name?.trim() || emailPrefix;
const [newStaff] = await db
.insert(staff)
.values({
userId: jwt.sub,
email: userRow.email ?? jwt.email ?? "",
name,
role: "groomer",
isSuperUser: false,
active: true,
} as Parameters<typeof db.insert>[0] extends { values: infer V } ? V : never)
.returning()!;
if (!newStaff) {
return c.json({ error: "Forbidden: auto-provision failed" }, 500);
}
console.log(
`[rbac] auto-provisioned staff record for Better-Auth user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
);
c.set("staff", newStaff);
await next();
return;
}
// Auto-provision for OIDC users: check if jwt.sub has an OAuth/OIDC account
// (e.g. authentik). If so, create a groomer staff record on the fly.
// (e.g. authentik). If so, create a groomer staff record on the fly. This
// is kept for backward compatibility with legacy OIDC sessions whose user
// row may not yet exist in the Better-Auth `user` table.
if (jwt.email) {
const [oidcAccount] = await db
.select({ id: account.id })