Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 503235df35 |
@@ -1 +0,0 @@
|
||||
GRO-1757 direct push CI trigger - 2026-05-26T00:15:41Z
|
||||
@@ -96,6 +96,7 @@ jobs:
|
||||
file: Dockerfile
|
||||
target: runner
|
||||
push: true
|
||||
provenance: false
|
||||
tags: |
|
||||
git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
|
||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
|
||||
@@ -110,6 +111,7 @@ jobs:
|
||||
file: Dockerfile
|
||||
target: migrate
|
||||
push: true
|
||||
provenance: false
|
||||
tags: |
|
||||
git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
|
||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
|
||||
@@ -124,6 +126,7 @@ jobs:
|
||||
file: Dockerfile
|
||||
target: seed
|
||||
push: true
|
||||
provenance: false
|
||||
tags: |
|
||||
git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
|
||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
|
||||
@@ -138,6 +141,7 @@ jobs:
|
||||
file: Dockerfile
|
||||
target: reset
|
||||
push: true
|
||||
provenance: false
|
||||
tags: |
|
||||
git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
|
||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
|
||||
|
||||
@@ -46,7 +46,7 @@ const UAT_CLIENT = {
|
||||
|
||||
const UAT_PETS = [
|
||||
{ name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly" as const, weightKg: "20.00" },
|
||||
{ name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth" as const, weightKg: "30.00" },
|
||||
{ name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "short" as const, weightKg: "30.00" },
|
||||
];
|
||||
|
||||
const DEMO_SERVICES = [
|
||||
|
||||
+8
-11
@@ -22,7 +22,7 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
|
||||
c,
|
||||
next
|
||||
) => {
|
||||
// Better-Auth\'s own routes handle their own auth — skip staff resolution
|
||||
// Better-Auth's own routes handle their own auth — skip staff resolution
|
||||
// OOBE setup routes also handle their own auth — staff record is created during setup
|
||||
if (c.req.path.startsWith("/api/auth/") || c.req.path.startsWith("/api/setup")) {
|
||||
await next();
|
||||
@@ -120,21 +120,22 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
|
||||
.where(
|
||||
and(
|
||||
eq(account.userId, jwt.sub),
|
||||
sql`${account.providerId} IN (\'authentik\', \'google\', \'github\')`
|
||||
sql`${account.providerId} IN ('authentik', 'google', 'github')`
|
||||
)
|
||||
)
|
||||
.limit(1);
|
||||
|
||||
if (oidcAccount) {
|
||||
// Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
|
||||
const emailPrefix = jwt.email.split("@")[0] ?? "Unknown";
|
||||
const name = jwt.name?.trim() || emailPrefix;
|
||||
const name =
|
||||
jwt.name?.trim() ||
|
||||
(jwt.email ? jwt.email.split("@")[0] : "Unknown");
|
||||
|
||||
const [newStaff] = await db
|
||||
.insert(staff)
|
||||
.values({
|
||||
userId: jwt.sub,
|
||||
email: jwt.email,
|
||||
email: jwt.email ?? "",
|
||||
name,
|
||||
role: "groomer",
|
||||
isSuperUser: false,
|
||||
@@ -142,10 +143,6 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
|
||||
})
|
||||
.returning();
|
||||
|
||||
if (!newStaff) {
|
||||
return c.json({ error: "Forbidden: auto-provision failed" }, 500);
|
||||
}
|
||||
|
||||
console.log(
|
||||
`[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
|
||||
);
|
||||
@@ -180,7 +177,7 @@ export function requireRole(
|
||||
if (!(allowedRoles as string[]).includes(staffRow.role)) {
|
||||
return c.json(
|
||||
{
|
||||
error: `Forbidden: role \'${staffRow.role}\' is not permitted to access this resource`,
|
||||
error: `Forbidden: role '${staffRow.role}' is not permitted to access this resource`,
|
||||
},
|
||||
403
|
||||
);
|
||||
@@ -213,7 +210,7 @@ export function requireRoleOrSuperUser(
|
||||
{
|
||||
error: hasAllowedRole
|
||||
? "Forbidden: super user privileges required"
|
||||
: `Forbidden: role \'${staffRow.role}\' is not permitted`,
|
||||
: `Forbidden: role '${staffRow.role}' is not permitted`,
|
||||
},
|
||||
403
|
||||
);
|
||||
|
||||
@@ -46,7 +46,7 @@ const UAT_CLIENT = {
|
||||
|
||||
const UAT_PETS = [
|
||||
{ name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly", weightKg: "20.00" },
|
||||
{ name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth", weightKg: "30.00" },
|
||||
{ name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "short", weightKg: "30.00" },
|
||||
];
|
||||
|
||||
const DEMO_SERVICES = [
|
||||
|
||||
Reference in New Issue
Block a user