docs(UAT): add TC-API-1.16 for OIDC login Terraform-provisioned users

Updated UAT_PLAYBOOK.md §4.1 — new TC-API-1.16 covering OIDC login for Terraform-provisioned users (GRO-1509 fix, GRO-1511). Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(auth): add accountLinking trustedProviders for authentik (GRO-1509)
2026-05-21 22:44:04 +00:00 · 2026-05-21 22:24:48 +00:00 · 2026-05-21 20:16:53 +00:00
2 changed files with 5 additions and 0 deletions
@@ -38,6 +38,7 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.13 | Name fallback — user.name present | Auto-provision where Better-Auth user has name set | Staff name = user.name value from user table |
 | TC-API-1.14 | Name fallback — no name, email present | Auto-provision where Better-Auth user has name = null, email = "test@example.com" | Staff name = "test" (email prefix before @) |
 | TC-API-1.15 | Name fallback — no name, no email | Auto-provision where Better-Auth user has name = null, email = null | Staff name = "Unknown" |
+| TC-API-1.16 | OIDC login — Terraform-provisioned user | Initiate OIDC login as any UAT persona (uat-super, uat-groomer, uat-customer, uat-tester), complete authentik callback | 200 OK, session created — no account_not_linked error |

 ### 4.2 Client Management

@@ -251,6 +251,10 @@ export async function initAuth(): Promise<void> {
        },
      },
      account: {
+        accountLinking: {
+          enabled: true,
+          trustedProviders: ["authentik"],
+        },
        storeStateStrategy: "cookie" as const,
      },
      emailAndPassword: {
Author	SHA1	Message	Date
Flea Flicker	d6f7ade7bd	docs(UAT): add TC-API-1.16 for OIDC login Terraform-provisioned users CI / Lint & Typecheck (pull_request) Failing after 6s Details CI / Test (pull_request) Failing after 6s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details Updated UAT_PLAYBOOK.md §4.1 — new TC-API-1.16 covering OIDC login for Terraform-provisioned users (GRO-1509 fix, GRO-1511). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 22:44:04 +00:00
Flea Flicker	00dadac0a1	fix(auth): add accountLinking trustedProviders for authentik (GRO-1509) CI / Test (pull_request) Failing after 44s Details CI / Lint & Typecheck (pull_request) Failing after 52s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details Betters Auth v1.5.6 link-account.mjs:22 rejects OAuth callbacks when the genericOAuth provider is not in trustedProviders AND email_verified is falsy. Adding authentik to trustedProviders bypasses this guard so OIDC login works for TF-created users whose emails were never verified through an authentik flow. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 22:24:48 +00:00
The Dogfather	9692476202	fix(GRO-1470): add portal PATCH /pets/:id + expand GET /pets response CI / Lint & Typecheck (push) Failing after 7s Details CI / Test (push) Failing after 7s Details CI / Build & Push Docker Image (push) Has been skipped Details	2026-05-21 20:16:53 +00:00