Compare commits

..

1 Commits

Author SHA1 Message Date
Chris Farhood 91af671c4e Auto-create staff records for OAuth users with no existing staff record
Fixes GRO-1118 - uat-tester receives HTTP 403 post-login

When a user authenticates via OAuth but has no corresponding staff record,
the RBAC middleware now auto-creates a staff record with a default
"receptionist" role instead of returning 403. This allows new OAuth
users to access the app immediately.

The middleware now checks for staff records in this order:
1. By userId (Better-Auth user ID)
2. By oidcSub (legacy OIDC subject)
3. By email (auto-link existing staff)
4. Create new staff record if authenticated user has email and name

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-12 19:17:37 +00:00
2 changed files with 35 additions and 10 deletions
@@ -62,6 +62,10 @@ jobs:
name: Build & Push Docker Image
runs-on: ubuntu-latest
needs: [lint-typecheck, test]
permissions:
contents: read
packages: write
id-token: write
steps:
- uses: actions/checkout@v4
@@ -79,12 +83,12 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Gitea Container Registry
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: git.farh.net
username: ${{ gitea.actor }}
password: ${{ secrets.REGISTRY_TOKEN }}
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push API image
uses: docker/build-push-action@v6
@@ -93,7 +97,7 @@ jobs:
file: Dockerfile
push: true
tags: |
git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
cache-from: type=registry,ref=git.farh.net/groombook/cache:api
cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max
ghcr.io/groombook/api:${{ steps.version.outputs.tag }}
${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/api:latest' || '' }}
cache-from: type=gha
cache-to: type=gha,mode=max
+23 -2
View File
@@ -1,7 +1,7 @@
import type { MiddlewareHandler } from "hono";
import { and, eq, getDb, sql, staff } from "@groombook/db";
import { and, eq, getDb, sql, staff, staffRoleEnum } from "@groombook/db";
export type StaffRole = "groomer" | "receptionist" | "manager";
type StaffRole = typeof staffRoleEnum.enumValues[number];
export type StaffRow = typeof staff.$inferSelect;
export interface AppEnv {
@@ -110,6 +110,27 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
return;
}
}
// Auto-create staff record for authenticated OAuth users with no existing staff record
// This allows new OAuth users to access the app (defaults to receptionist role)
if (jwt.email && jwt.name) {
const [newStaff] = await db
.insert(staff)
.values({
email: jwt.email,
name: jwt.name,
userId: jwt.sub,
role: "receptionist",
active: true,
})
.returning();
if (newStaff) {
c.set("staff", newStaff);
await next();
return;
}
}
return c.json(
{ error: "Forbidden: no staff record found for authenticated user" },
403