Compare commits
13 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Flea Flicker
|
14db60079b | ||
|
Flea Flicker
|
6af6c52f52 | ||
 The Dogfather
|
040ff4a253 | ||
|
Flea Flicker
|
a1466b44c9 | ||
 Scrubs McBarkley
|
b486c44a82 | ||
|
The Dogfather
|
b5a08a2c7e | ||
|
The Dogfather
|
06d72b5baf | ||
|
The Dogfather
|
33aa63b10f | ||
 Flea Flicker
|
e26d960046 | ||
|
The Dogfather
|
4e8c66f3ca | ||
|
The Dogfather
|
ea28095434 | ||
|
Flea Flicker
|
49f70eb74b | ||
|
Flea Flicker
|
9f2809e89b |
@@ -78,6 +78,8 @@ jobs:
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
with:
|
||||
driver-opts: network=host
|
||||
|
||||
- name: Log in to Gitea Container Registry
|
||||
uses: docker/login-action@v3
|
||||
@@ -93,6 +95,7 @@ jobs:
|
||||
file: Dockerfile
|
||||
target: runner
|
||||
push: true
|
||||
provenance: false
|
||||
tags: |
|
||||
git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
|
||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
|
||||
@@ -106,6 +109,7 @@ jobs:
|
||||
file: Dockerfile
|
||||
target: migrate
|
||||
push: true
|
||||
provenance: false
|
||||
tags: |
|
||||
git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
|
||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
|
||||
@@ -119,6 +123,7 @@ jobs:
|
||||
file: Dockerfile
|
||||
target: seed
|
||||
push: true
|
||||
provenance: false
|
||||
tags: |
|
||||
git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
|
||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
|
||||
@@ -132,6 +137,7 @@ jobs:
|
||||
file: Dockerfile
|
||||
target: reset
|
||||
push: true
|
||||
provenance: false
|
||||
tags: |
|
||||
git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
|
||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
|
||||
|
||||
@@ -41,6 +41,8 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
|
||||
| TC-API-1.8 | Email+password — invalid password | POST /api/auth/sign-in/email with wrong password | 400 Bad Request, error returned |
|
||||
| TC-API-1.9 | Email+password — unknown user | POST /api/auth/sign-in/email with non-existent email | 400 Bad Request, error returned |
|
||||
| TC-API-1.10 | Auto-provision on first OIDC login | First login as a Better-Auth user with no existing staff record | 200 OK, access granted; groomer staff record auto-created with name/email from user table |
|
||||
|
||||
> **Note (GRO-1977):** Seed credential provisioning is idempotent — re-running the seed with updated `SEED_UAT_*_PASSWORD` env vars rotates stored credential hashes. TC-API-1.4 through TC-API-1.7 now return 200 for all 4 UAT personas (previously returned 401 due to frozen-hash bug).
|
||||
| TC-API-1.11 | Existing staff unaffected by OIDC login | Login as uat-groomer@groombook.dev (email+password), then GET /api/staff to find that record | 200 OK, staff record unchanged — no duplicate created, original role and isSuperUser preserved |
|
||||
| TC-API-1.12 | Auto-provisioned role and superUser flags | After TC-API-1.10, GET /api/staff and inspect the auto-created record | role = "groomer", isSuperUser = false, active = true |
|
||||
| TC-API-1.13 | Name fallback — user.name present | Auto-provision where Better-Auth user has name set | Staff name = user.name value from user table |
|
||||
|
||||
@@ -67,6 +67,7 @@ let dbAccounts: AccountRow[] = [];
|
||||
let dbStaff: StaffRow[] = [];
|
||||
let insertedUsers: UserRow[] = [];
|
||||
let insertedAccounts: AccountRow[] = [];
|
||||
let updatedAccounts: Array<{ id: string; password: string }> = [];
|
||||
let updatedStaff: Array<{ id: string; userId: string }> = [];
|
||||
|
||||
const originalEnv = { ...process.env };
|
||||
@@ -77,6 +78,7 @@ function resetMock() {
|
||||
dbStaff = [];
|
||||
insertedUsers = [];
|
||||
insertedAccounts = [];
|
||||
updatedAccounts = [];
|
||||
updatedStaff = [];
|
||||
process.env = { ...originalEnv };
|
||||
}
|
||||
@@ -173,7 +175,11 @@ async function seedUatCredentials(
|
||||
);
|
||||
|
||||
if (existingAccount) {
|
||||
// skip — already has credential account
|
||||
// Idempotent update: re-hash the current env password and update the stored hash.
|
||||
const { hashPassword } = await import("better-auth/crypto");
|
||||
const passwordHash = await hashPassword(password);
|
||||
existingAccount.password = passwordHash;
|
||||
updatedAccounts.push({ id: existingAccount.id, password: passwordHash });
|
||||
} else {
|
||||
// Use Better-Auth's hashPassword so test helper matches production seed.ts
|
||||
const { hashPassword } = await import("better-auth/crypto");
|
||||
@@ -312,9 +318,9 @@ describe("seedUatCredentials — credential provisioning logic", () => {
|
||||
expect(updatedStaff).toHaveLength(0);
|
||||
});
|
||||
|
||||
// ── AC-5: idempotent — skips when user already exists ───────────────────────
|
||||
// ── AC-5: idempotent — does not insert duplicate records ───────────────────
|
||||
|
||||
it("AC-5: re-running does not duplicate user or account records (idempotent)", async () => {
|
||||
it("AC-5: re-running does not insert duplicate user or account records", async () => {
|
||||
process.env.SEED_UAT_CUSTOMER_PASSWORD = TEST_PASSWORD;
|
||||
|
||||
const preExistingUsers: UserRow[] = [
|
||||
@@ -330,25 +336,53 @@ describe("seedUatCredentials — credential provisioning logic", () => {
|
||||
},
|
||||
];
|
||||
|
||||
// First call — nothing inserted (user + account pre-exist)
|
||||
await seedUatCredentials([UAT_ACCOUNTS[2]!], {
|
||||
users: preExistingUsers,
|
||||
accounts: preExistingAccounts,
|
||||
staff: [],
|
||||
});
|
||||
|
||||
// No inserts — user and account already exist
|
||||
expect(insertedUsers).toHaveLength(0);
|
||||
expect(insertedAccounts).toHaveLength(0);
|
||||
});
|
||||
|
||||
// ── AC-5b: password rotation on re-seed ─────────────────────────────────────
|
||||
|
||||
it("AC-5b: re-running with a new password updates the stored credential hash", async () => {
|
||||
const OLD_PASSWORD = "old-password-abc";
|
||||
const NEW_PASSWORD = "new-password-xyz";
|
||||
process.env.SEED_UAT_CUSTOMER_PASSWORD = NEW_PASSWORD;
|
||||
|
||||
const preExistingUsers: UserRow[] = [
|
||||
{ id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
|
||||
];
|
||||
const preExistingAccounts: AccountRow[] = [
|
||||
{
|
||||
id: "pre-existing-acct",
|
||||
accountId: "pre-existing-user",
|
||||
providerId: "credential",
|
||||
userId: "pre-existing-user",
|
||||
password: await hashPassword(OLD_PASSWORD),
|
||||
},
|
||||
];
|
||||
|
||||
// Second call — still nothing inserted
|
||||
await seedUatCredentials([UAT_ACCOUNTS[2]!], {
|
||||
users: preExistingUsers,
|
||||
accounts: preExistingAccounts,
|
||||
staff: [],
|
||||
});
|
||||
|
||||
// No new records inserted
|
||||
expect(insertedUsers).toHaveLength(0);
|
||||
expect(insertedAccounts).toHaveLength(0);
|
||||
// Password WAS updated to the new env value
|
||||
expect(updatedAccounts).toHaveLength(1);
|
||||
expect(updatedAccounts[0]!.id).toBe("pre-existing-acct");
|
||||
// New hash is valid Better-Auth format (salt:key, each hex)
|
||||
const newHashParts = updatedAccounts[0]!.password.split(":");
|
||||
expect(Buffer.from(newHashParts[0]!, "hex")).toHaveLength(16);
|
||||
expect(Buffer.from(newHashParts[1]!, "hex")).toHaveLength(64);
|
||||
});
|
||||
|
||||
// ── AC-6: missing env var skips with warning ────────────────────────────────
|
||||
|
||||
@@ -561,7 +561,14 @@ async function seedKnownUsers() {
|
||||
.limit(1);
|
||||
|
||||
if (existingAccount) {
|
||||
console.log(`✓ Credential account for '${acct.email}' already exists — skipping`);
|
||||
// Idempotent: re-hash the current env password and update the stored hash.
|
||||
// This ensures re-running the seed with a new SEED_UAT_*_PASSWORD rotates the credential.
|
||||
const { hashPassword } = await import("better-auth/crypto");
|
||||
const passwordHash = await hashPassword(password);
|
||||
await db.update(schema.account)
|
||||
.set({ password: passwordHash })
|
||||
.where(eq(schema.account.id, existingAccount.id));
|
||||
console.log(`✓ Updated credential account password for '${acct.email}'`);
|
||||
} else {
|
||||
// Use Better-Auth's own hashPassword to guarantee parameter/encoding match.
|
||||
// better-auth/crypto uses: N=16384, r=16, p=1, dkLen=64, salt as 16-byte random
|
||||
|
||||
@@ -36,6 +36,18 @@ const DEMO_PET = {
|
||||
weightKg: "30.00",
|
||||
};
|
||||
|
||||
const UAT_CLIENT = {
|
||||
name: "UAT Customer",
|
||||
email: "uat-customer@groombook.dev",
|
||||
phone: "555-0100",
|
||||
status: "active" as const,
|
||||
};
|
||||
|
||||
const UAT_PETS = [
|
||||
{ name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly" as const },
|
||||
{ name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "short" as const },
|
||||
];
|
||||
|
||||
const DEMO_SERVICES = [
|
||||
{ id: "b0000001-0000-0000-0000-000000000001", name: "Bath & Brush", description: "Full bath, blow-dry, brush out, and ear cleaning", basePriceCents: 4500, durationMinutes: 45 },
|
||||
{ id: "b0000001-0000-0000-0000-000000000002", name: "Full Groom — Small", description: "Complete grooming for dogs under 25 lbs", basePriceCents: 6500, durationMinutes: 60 },
|
||||
@@ -128,6 +140,49 @@ adminSeedRouter.post("/seed", async (c) => {
|
||||
results.push(`Created pet '${DEMO_PET.name}' for Demo Client (id: ${created!.id})`);
|
||||
}
|
||||
|
||||
// ── Client: UAT Customer ──────────────────────────────────────────────────
|
||||
const [existingUatClient] = await db
|
||||
.select()
|
||||
.from(clients)
|
||||
.where(eq(clients.email, UAT_CLIENT.email));
|
||||
|
||||
let uatClientId: string;
|
||||
if (existingUatClient) {
|
||||
uatClientId = existingUatClient.id;
|
||||
results.push(`Client '${UAT_CLIENT.name}' already exists (id: ${uatClientId})`);
|
||||
} else {
|
||||
const [created] = await db.insert(clients).values(UAT_CLIENT).returning();
|
||||
uatClientId = created!.id;
|
||||
results.push(`Created client '${UAT_CLIENT.name}' (id: ${uatClientId})`);
|
||||
}
|
||||
|
||||
// ── Pets: UAT Customer Pets ───────────────────────────────────────────────
|
||||
const existingUatPets = await db
|
||||
.select()
|
||||
.from(pets)
|
||||
.where(eq(pets.clientId, uatClientId));
|
||||
|
||||
for (const uatPet of UAT_PETS) {
|
||||
const existingPet = existingUatPets.find(
|
||||
(p) => p.name === uatPet.name && p.species === uatPet.species
|
||||
);
|
||||
if (existingPet) {
|
||||
results.push(`Pet '${uatPet.name}' already exists for UAT Customer (id: ${existingPet.id})`);
|
||||
} else {
|
||||
const [created] = await db
|
||||
.insert(pets)
|
||||
.values({
|
||||
clientId: uatClientId,
|
||||
name: uatPet.name,
|
||||
species: uatPet.species,
|
||||
breed: uatPet.breed,
|
||||
coatType: uatPet.coatType,
|
||||
})
|
||||
.returning();
|
||||
results.push(`Created pet '${uatPet.name}' for UAT Customer (id: ${created!.id})`);
|
||||
}
|
||||
}
|
||||
|
||||
return c.json({
|
||||
message: "Seed complete",
|
||||
details: results,
|
||||
|
||||
@@ -12,7 +12,7 @@ export function getDb() {
|
||||
if (_db) return _db;
|
||||
const url = process.env.DATABASE_URL;
|
||||
if (!url) throw new Error("DATABASE_URL is not set");
|
||||
const client = postgres(url, { max: 10 });
|
||||
const client = postgres(url, { max: 10, connect_timeout: 5 });
|
||||
_db = drizzle(client, { schema });
|
||||
return _db;
|
||||
}
|
||||
|
||||
+9
-4
@@ -59,6 +59,9 @@ app.use(
|
||||
);
|
||||
|
||||
// Health check — no auth required, registered on app at full path before auth middleware
|
||||
// /health: used by Dockerfile HEALTHCHECK and K8s readinessProbe/livenessProbe (port 3000 direct)
|
||||
app.get("/health", (c) => c.json({ status: "ok" }));
|
||||
// /api/health: used by Gateway HTTPRoute (/api/* → API pod)
|
||||
app.get("/api/health", (c) => c.json({ status: "ok" }));
|
||||
|
||||
// Public booking routes — no auth required, must be registered before auth middleware
|
||||
@@ -282,14 +285,16 @@ startReminderScheduler();
|
||||
|
||||
function shutdown() {
|
||||
console.log("Shutting down gracefully...");
|
||||
// SIGTERM/SIGINT → server.close() → callback → process.exit(0)
|
||||
// If graceful close takes >8s, force-exit to avoid being killed undrained
|
||||
setTimeout(() => {
|
||||
console.error("Graceful close timeout — forcing exit");
|
||||
process.exit(1);
|
||||
}, 8_000);
|
||||
server.close(() => {
|
||||
console.log("HTTP server closed");
|
||||
process.exit(0);
|
||||
});
|
||||
setTimeout(() => {
|
||||
console.error("Forced shutdown after timeout");
|
||||
process.exit(1);
|
||||
}, 10_000);
|
||||
}
|
||||
|
||||
process.on("SIGTERM", shutdown);
|
||||
|
||||
+3
-1
@@ -186,7 +186,9 @@ export async function initAuth(): Promise<void> {
|
||||
const discoveryUrlStr = `${providerConfig.issuerUrl}/.well-known/openid-configuration`;
|
||||
let oidcConfig: Record<string, string> = {};
|
||||
try {
|
||||
const discoveryRes = await fetch(discoveryUrlStr);
|
||||
const discoveryRes = await fetch(discoveryUrlStr, {
|
||||
signal: AbortSignal.timeout(5000),
|
||||
});
|
||||
if (discoveryRes.ok) {
|
||||
const discovery = await discoveryRes.json() as {
|
||||
authorization_endpoint?: string;
|
||||
|
||||
Reference in New Issue
Block a user