Compare commits


3 Commits

Author SHA1 Message Date
Flea Flicker c01e4acf0a feat(GRO-2425): split CORS_ORIGIN on commas for multiple trusted auth origins (#216)
CI / Test (push) Successful in 30s
CI / Lint & Typecheck (push) Successful in 45s
CI / Build & Push Docker Images (push) Successful in 1m10s
CI / Test (pull_request) Successful in 25s
CI / Lint & Typecheck (pull_request) Failing after 12m18s
CI / Build & Push Docker Images (pull_request) Has been skipped
feat(GRO-2425): split CORS_ORIGIN on commas for multiple trusted auth origins

Co-authored-by: Flea Flicker <flea@groombook.dev>
Co-committed-by: Flea Flicker <flea@groombook.dev>
2026-06-18 00:46:29 +00:00
Flea Flicker 10b78d810d Merge pull request 'feat(GRO-2359): add POST /api/portal/clients-from-auth for OOBE' (#212) from feature/2357-p2-portal-clients-from-auth into dev
CI / Test (push) Successful in 26s
CI / Lint & Typecheck (push) Successful in 32s
CI / Build & Push Docker Images (push) Successful in 41s
GRO-2359 (api): feat(GRO-2359): add POST /api/portal/clients-from-auth for OOBE (#212)
2026-06-11 16:34:34 +00:00
Flea Flicker cdeebec021 feat(GRO-2359): add POST /api/portal/clients-from-auth for OOBE (web)
CI / Test (pull_request) Successful in 29s
CI / Lint & Typecheck (pull_request) Successful in 41s
CI / Build & Push Docker Images (pull_request) Successful in 1m40s
The OOBE flow on the web portal calls this endpoint to create a fresh
`clients` row bound to the Better Auth user's email when the SSO
bridge returns 404. Returns 201 on success, 409 if a client with that
email already exists (portal-selection case), 401/503 on auth issues,
400 on invalid body.

The OOBE success path navigates the user back to `/` and lets the
existing `session-from-auth` re-bridge; the new client is now
resolvable by email, so the bridge mints a real portal session.

Tests cover: 401 (no session), 400 (zod), 201 + persisted values
(name trimmed, optional fields normalized to null), 409 (existing
client or unique-constraint race), 503 (auth not configured).

Paired with the web PR on `feature/2357-p2-sso-to-oobe-routing`.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-11 16:17:16 +00:00
2 changed files with 6 additions and 2 deletions
+2
@@ -108,6 +108,8 @@ Expected: one row, `role = 'groomer'`. If zero rows return, the request hit the
| TC-API-1.24 | Complete setup creates super user | POST /api/setup with business name (after TC-API-1.23) | First user becomes super user, setup completes | Setup errors, 403 on admin endpoints | | TC-API-1.24 | Complete setup creates super user | POST /api/setup with business name (after TC-API-1.23) | First user becomes super user, setup completes | Setup errors, 403 on admin endpoints |
| TC-API-1.25 | Super user accesses admin features | After TC-API-1.24, GET /api/staff/me and verify isSuperUser: true | isSuperUser: true, admin endpoints accessible | 403 on admin, isSuperUser: false | | TC-API-1.25 | Super user accesses admin features | After TC-API-1.24, GET /api/staff/me and verify isSuperUser: true | isSuperUser: true, admin endpoints accessible | 403 on admin, isSuperUser: false |
| TC-API-1.26 | Auto-provision skipped during OOBE | During fresh setup (needsSetup: true), complete OIDC login — verify no duplicate staff record created before setup completes | No duplicate staff, OOBE completes successfully | Duplicate staff record, 403 before setup, auto-provision interferes with OOBE | | TC-API-1.26 | Auto-provision skipped during OOBE | During fresh setup (needsSetup: true), complete OIDC login — verify no duplicate staff record created before setup completes | No duplicate staff, OOBE completes successfully | Duplicate staff record, 403 before setup, auto-provision interferes with OOBE |
| TC-API-1.27 | Multi-origin CORS — demo host sign-in | `POST /api/auth/sign-in/social` with `callbackURL=https://demo.groombook.dev` | 200 OK, no origin-mismatch error | 400/403 "Origin mismatch" |
| TC-API-1.28 | Multi-origin CORS — farh.net host sign-in | `POST /api/auth/sign-in/social` with `callbackURL=https://groombook.farh.net` | 200 OK, no origin-mismatch error | 400/403 "Origin mismatch" |
### 4.2 Client Management ### 4.2 Client Management
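Review bot: TC-API-1.27 and TC-API-1.28 only check that the two trusted hosts succeed; the table gains no negative case for the multi-origin change, so a regression that trusts every origin (an over-broad list coming out of the new parser, for instance) would still pass this section. Add a row that sends `POST /api/auth/sign-in/social` with a `callbackURL` on a host not listed in `CORS_ORIGIN` and expects the 400/403 "Origin mismatch" that the fail column already names, and consider a row where `CORS_ORIGIN` carries spaces around the comma, since the code change trims each entry and that behaviour is otherwise untested.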
+4 -2
@@ -118,7 +118,8 @@ export async function initAuth(): Promise<void> {
updateAge: 60 * 60 * 24, updateAge: 60 * 60 * 24,
cookieCache: { enabled: false }, cookieCache: { enabled: false },
}, },
trustedOrigins: [process.env.CORS_ORIGIN ?? "http://localhost:5173"], trustedOrigins: (process.env.CORS_ORIGIN ?? "http://localhost:5173")
.split(",").map((s) => s.trim()).filter(Boolean),
}); });
return; return;
} }
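Review bot: the split at line 118 changes what an empty `CORS_ORIGIN` means: `""` is not nullish, so `??` does not apply the localhost default, and `.split(",").map((s) => s.trim()).filter(Boolean)` then yields `[]`, which trusts no origin at all instead of falling back to `http://localhost:5173`. Failing closed is acceptable, but it should be deliberate and documented next to the env var; if the fallback is wanted, use `|| "http://localhost:5173"` on the raw string or apply the default when the filtered array is empty. Consider also validating each entry at startup (for example `new URL(o).origin === o`, if only exact origins are used) so that a trailing slash or path in the env value fails loudly rather than silently never matching, and confirm that any HTTP CORS middleware that also reads `CORS_ORIGIN` understands the same comma list, since this diff touches only the auth library's `trustedOrigins`.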
@@ -308,7 +309,8 @@ export async function initAuth(): Promise<void> {
maxAge: 5 * 60, // 5 minutes maxAge: 5 * 60, // 5 minutes
}, },
}, },
trustedOrigins: [process.env.CORS_ORIGIN ?? "http://localhost:5173"], trustedOrigins: (process.env.CORS_ORIGIN ?? "http://localhost:5173")
.split(",").map((s) => s.trim()).filter(Boolean),
}); });
})(); })();
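Review bot: lines 118 and 309 now carry the identical `(process.env.CORS_ORIGIN ?? "http://localhost:5173").split(",").map((s) => s.trim()).filter(Boolean)` chain; extract it once, for example as a module-level `const trustedOrigins = parseTrustedOrigins(process.env.CORS_ORIGIN)` used by both configuration objects (the helper name is a suggestion, not something in the diff), so the two `initAuth` paths cannot drift apart when the parsing is tightened later and a single unit test covers both.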