Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 3b9e82adff | |||
| b796d36aed | |||
| d9ba6045ad | |||
| b83a793de4 |
+1
-1
@@ -1 +1 @@
|
|||||||
GRO-1757+GRO-1764 CI trigger 2026-05-26
|
GRO-1757 direct push CI trigger - 2026-05-26T00:15:41Z
|
||||||
|
|||||||
@@ -96,7 +96,6 @@ jobs:
|
|||||||
file: Dockerfile
|
file: Dockerfile
|
||||||
target: runner
|
target: runner
|
||||||
push: true
|
push: true
|
||||||
provenance: false
|
|
||||||
tags: |
|
tags: |
|
||||||
git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
|
git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
|
||||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
|
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
|
||||||
@@ -111,7 +110,6 @@ jobs:
|
|||||||
file: Dockerfile
|
file: Dockerfile
|
||||||
target: migrate
|
target: migrate
|
||||||
push: true
|
push: true
|
||||||
provenance: false
|
|
||||||
tags: |
|
tags: |
|
||||||
git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
|
git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
|
||||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
|
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
|
||||||
@@ -126,7 +124,6 @@ jobs:
|
|||||||
file: Dockerfile
|
file: Dockerfile
|
||||||
target: seed
|
target: seed
|
||||||
push: true
|
push: true
|
||||||
provenance: false
|
|
||||||
tags: |
|
tags: |
|
||||||
git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
|
git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
|
||||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
|
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
|
||||||
@@ -141,7 +138,6 @@ jobs:
|
|||||||
file: Dockerfile
|
file: Dockerfile
|
||||||
target: reset
|
target: reset
|
||||||
push: true
|
push: true
|
||||||
provenance: false
|
|
||||||
tags: |
|
tags: |
|
||||||
git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
|
git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
|
||||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
|
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
|
||||||
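Review bot: Removing `provenance: false` from the four image build steps (hunks at `@@ -96,7`, `@@ -111,7`, `@@ -126,7` and `@@ -141,7`) silently hands the decision back to the build action's default (presumably docker/build-push-action, given the `file`/`target`/`push`/`tags` inputs), and neither the hunks nor the commit record say why. If the intent is to start publishing provenance attestations with the `api`, `migrate`, `seed` and `reset` images, say so explicitly so a later reader does not restore the old value, e.g. `provenance: mode=min` (or `mode=max` plus `sbom: true` when the full build materials should be attested) with a comment such as `# publish BuildKit provenance attestations alongside the image`. With attestations enabled the pushed artifact becomes an OCI image index carrying attestation manifests, so it is worth confirming that the registry at git.farh.net and every consumer that pulls the `${{ steps.version.outputs.tag }}` and `:latest` tags accept that manifest type before this lands on main. The enclosing `jobs:` block begins before and continues after these hunks.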
|
|||||||
+11
-8
@@ -22,7 +22,7 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
|
|||||||
c,
|
c,
|
||||||
next
|
next
|
||||||
) => {
|
) => {
|
||||||
// Better-Auth's own routes handle their own auth — skip staff resolution
|
// Better-Auth\'s own routes handle their own auth — skip staff resolution
|
||||||
// OOBE setup routes also handle their own auth — staff record is created during setup
|
// OOBE setup routes also handle their own auth — staff record is created during setup
|
||||||
if (c.req.path.startsWith("/api/auth/") || c.req.path.startsWith("/api/setup")) {
|
if (c.req.path.startsWith("/api/auth/") || c.req.path.startsWith("/api/setup")) {
|
||||||
await next();
|
await next();
|
||||||
@@ -120,22 +120,21 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
|
|||||||
.where(
|
.where(
|
||||||
and(
|
and(
|
||||||
eq(account.userId, jwt.sub),
|
eq(account.userId, jwt.sub),
|
||||||
sql`${account.providerId} IN ('authentik', 'google', 'github')`
|
sql`${account.providerId} IN (\'authentik\', \'google\', \'github\')`
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
.limit(1);
|
.limit(1);
|
||||||
|
|
||||||
if (oidcAccount) {
|
if (oidcAccount) {
|
||||||
// Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
|
// Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
|
||||||
const name =
|
const emailPrefix = jwt.email.split("@")[0] ?? "Unknown";
|
||||||
jwt.name?.trim() ||
|
const name = jwt.name?.trim() || emailPrefix;
|
||||||
(jwt.email ? jwt.email.split("@")[0] : "Unknown");
|
|
||||||
|
|
||||||
const [newStaff] = await db
|
const [newStaff] = await db
|
||||||
.insert(staff)
|
.insert(staff)
|
||||||
.values({
|
.values({
|
||||||
userId: jwt.sub,
|
userId: jwt.sub,
|
||||||
email: jwt.email ?? "",
|
email: jwt.email,
|
||||||
name,
|
name,
|
||||||
role: "groomer",
|
role: "groomer",
|
||||||
isSuperUser: false,
|
isSuperUser: false,
|
||||||
@@ -143,6 +142,10 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
|
|||||||
})
|
})
|
||||||
.returning();
|
.returning();
|
||||||
|
|
||||||
|
if (!newStaff) {
|
||||||
|
return c.json({ error: "Forbidden: auto-provision failed" }, 500);
|
||||||
|
}
|
||||||
|
|
||||||
console.log(
|
console.log(
|
||||||
`[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
|
`[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
|
||||||
);
|
);
|
||||||
@@ -177,7 +180,7 @@ export function requireRole(
|
|||||||
if (!(allowedRoles as string[]).includes(staffRow.role)) {
|
if (!(allowedRoles as string[]).includes(staffRow.role)) {
|
||||||
return c.json(
|
return c.json(
|
||||||
{
|
{
|
||||||
error: `Forbidden: role '${staffRow.role}' is not permitted to access this resource`,
|
error: `Forbidden: role \'${staffRow.role}\' is not permitted to access this resource`,
|
||||||
},
|
},
|
||||||
403
|
403
|
||||||
);
|
);
|
||||||
@@ -210,7 +213,7 @@ export function requireRoleOrSuperUser(
|
|||||||
{
|
{
|
||||||
error: hasAllowedRole
|
error: hasAllowedRole
|
||||||
? "Forbidden: super user privileges required"
|
? "Forbidden: super user privileges required"
|
||||||
: `Forbidden: role '${staffRow.role}' is not permitted`,
|
: `Forbidden: role \'${staffRow.role}\' is not permitted`,
|
||||||
},
|
},
|
||||||
403
|
403
|
||||||
);
|
);
|
||||||
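Review bot: In the `@@ -120,22` hunk the new `const emailPrefix = jwt.email.split("@")[0] ?? "Unknown";` can never fall back to "Unknown", because `split` always returns at least one element, so an empty `jwt.email` now yields an empty staff name where the old code produced "Unknown"; `const emailPrefix = jwt.email.split("@")[0] || "Unknown";` restores that. The same hunk also dereferences `jwt.email` unconditionally and stores it without the old `?? ""`, which is only safe if the JWT verification step outside this hunk guarantees the email claim is present at runtime rather than merely in the type — a missing claim would now throw inside auto-provisioning instead of producing a controlled response, so this is worth confirming. In the `@@ -143,6` hunk the new guard returns status 500 with the text `"Forbidden: auto-provision failed"`; the wording suggests an authorization failure while the status says server error, so one of the two should change, e.g. `return c.json({ error: "Internal error: auto-provision failed" }, 500);`. The remaining differences in the `@@ -22,7`, `@@ -177,7` and `@@ -210,7` hunks and in the `sql` tagged template of the `@@ -120,22` hunk are only `\'` versus `'` inside a `//` comment and template literals, which is a runtime no-op on either side; if a tool introduced the escaped form, reverting it keeps the diff to the real changes. resolveStaffMiddleware begins and ends outside these hunks.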
|
|||||||