4 Commits

Author	SHA1	Message	Date
Flea Flicker	7e329ff72f	fix(gro-1866): add session-from-auth portal endpoint and role scope ... Adds POST /api/portal/session-from-auth which bridges a valid Better Auth customer session (from SSO login) to a portal impersonation session, so real SSO customers can access the client portal. The endpoint is registered before the validatePortalSession catch-all so it is not subject to that middleware. It validates the Better Auth session from request cookies, looks up the client by email, creates an active impersonation session, and returns { sessionId, clientId, clientName }. Also adds "role" to the genericOAuth scopes so Authentik propagates the role claim into Better Auth user objects (GRO-1862 root cause fix). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-28 15:00:15 +00:00
Scrubs McBarkley	b486c44a82	fix(api): add timeouts for OIDC discovery fetch and DB connection (#66)	2026-05-24 20:11:44 +00:00
Flea Flicker	00dadac0a1	fix(auth): add accountLinking trustedProviders for authentik (GRO-1509) ... Betters Auth v1.5.6 link-account.mjs:22 rejects OAuth callbacks when the genericOAuth provider is not in trustedProviders AND email_verified is falsy. Adding authentik to trustedProviders bypasses this guard so OIDC login works for TF-created users whose emails were never verified through an authentik flow. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 22:24:48 +00:00
Chris Farhood	abac9dfe6c	Extract groombook/api from monorepo with CI workflow ... - Add source code from apps/api - Add packages/db and packages/types workspace dependencies - Add GitHub Actions CI workflow (lint, typecheck, test, docker) - Generate pnpm-lock.yaml - Add .gitignore Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-11 01:26:56 +00:00