Merge branch 'dev' of https://git.farh.net/groombook/api into dev

fix(deps): update pnpm-lock.yaml for better-auth ^1.5.6
ERR_PNPM_OUTDATED_LOCKFILE — specifiers in lockfile did not match packages/db/package.json after better-auth upgrade. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 22:54:47 +00:00 · 2026-05-21 22:54:01 +00:00 · 2026-05-21 22:47:25 +00:00 · 2026-05-21 22:44:04 +00:00 · 2026-05-21 22:24:48 +00:00 · 2026-05-21 20:16:53 +00:00
3 changed files with 11 additions and 2 deletions
@@ -38,6 +38,7 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.13 | Name fallback — user.name present | Auto-provision where Better-Auth user has name set | Staff name = user.name value from user table |
 | TC-API-1.14 | Name fallback — no name, email present | Auto-provision where Better-Auth user has name = null, email = "test@example.com" | Staff name = "test" (email prefix before @) |
 | TC-API-1.15 | Name fallback — no name, no email | Auto-provision where Better-Auth user has name = null, email = null | Staff name = "Unknown" |
+| TC-API-1.16 | OIDC login — Terraform-provisioned user | Initiate OIDC login as any UAT persona (uat-super, uat-groomer, uat-customer, uat-tester), complete authentik callback | 200 OK, session created — no account_not_linked error |

 ### 4.2 Client Management

@@ -28,7 +28,7 @@ importers:
        version: 0.7.6(hono@4.12.18)(zod@4.4.3)
      better-auth:
        specifier: ^1.5.6
-        version: 1.6.10(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0))
+        version: 1.6.10(drizzle-kit@0.30.6)(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0))
      drizzle-orm:
        specifier: ^0.38.4
        version: 0.38.4(kysely@0.28.17)(postgres@3.4.9)
@@ -84,6 +84,9 @@ importers:

  packages/db:
    dependencies:
+      better-auth:
+        specifier: ^1.5.6
+        version: 1.6.10(drizzle-kit@0.30.6)(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0))
      drizzle-orm:
        specifier: ^0.38.4
        version: 0.38.4(kysely@0.28.17)(postgres@3.4.9)
@@ -3927,7 +3930,7 @@ snapshots:

  balanced-match@4.0.4: {}

-  better-auth@1.6.10(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0)):
+  better-auth@1.6.10(drizzle-kit@0.30.6)(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0)):
    dependencies:
      '@better-auth/core': 1.6.10(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.3))(jose@6.2.3)(kysely@0.28.17)(nanostores@1.3.0)
      '@better-auth/drizzle-adapter': 1.6.10(@better-auth/core@1.6.10(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.3))(jose@6.2.3)(kysely@0.28.17)(nanostores@1.3.0))(@better-auth/utils@0.4.0)(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))
@@ -3947,6 +3950,7 @@ snapshots:
      nanostores: 1.3.0
      zod: 4.4.3
    optionalDependencies:
+      drizzle-kit: 0.30.6
      drizzle-orm: 0.38.4(kysely@0.28.17)(postgres@3.4.9)
      vitest: 3.2.4(@types/node@22.19.18)(tsx@4.21.0)
    transitivePeerDependencies:
@@ -251,6 +251,10 @@ export async function initAuth(): Promise<void> {
        },
      },
      account: {
+        accountLinking: {
+          enabled: true,
+          trustedProviders: ["authentik"],
+        },
        storeStateStrategy: "cookie" as const,
      },
      emailAndPassword: {
Author	SHA1	Message	Date
Flea Flicker	c9e176f08c	Merge branch 'dev' of https://git.farh.net/groombook/api into dev CI / Lint & Typecheck (push) Failing after 14s Details CI / Test (push) Failing after 20s Details CI / Build & Push Docker Image (push) Has been skipped Details	2026-05-21 22:54:47 +00:00
Flea Flicker	0cab1522cf	fix(deps): update pnpm-lock.yaml for better-auth ^1.5.6 ERR_PNPM_OUTDATED_LOCKFILE — specifiers in lockfile did not match packages/db/package.json after better-auth upgrade. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-21 22:54:01 +00:00
The Dogfather	2a27e8bee2	Merge pull request 'fix(auth): add accountLinking trustedProviders for authentik (GRO-1509)' (#42 ) from flea-flicker/gro-1509-better-auth-account-not-linked into dev CI / Lint & Typecheck (push) Failing after 5s Details CI / Test (push) Failing after 6s Details CI / Build & Push Docker Image (push) Has been skipped Details fix(auth): add accountLinking trustedProviders for authentik (GRO-1509) Merged-by: The Dogfather (CTO) QA-approved-by: Lint Roller (GRO-1510)	2026-05-21 22:47:25 +00:00
Flea Flicker	d6f7ade7bd	docs(UAT): add TC-API-1.16 for OIDC login Terraform-provisioned users CI / Lint & Typecheck (pull_request) Failing after 6s Details CI / Test (pull_request) Failing after 6s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details Updated UAT_PLAYBOOK.md §4.1 — new TC-API-1.16 covering OIDC login for Terraform-provisioned users (GRO-1509 fix, GRO-1511). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 22:44:04 +00:00
Flea Flicker	00dadac0a1	fix(auth): add accountLinking trustedProviders for authentik (GRO-1509) CI / Test (pull_request) Failing after 44s Details CI / Lint & Typecheck (pull_request) Failing after 52s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details Betters Auth v1.5.6 link-account.mjs:22 rejects OAuth callbacks when the genericOAuth provider is not in trustedProviders AND email_verified is falsy. Adding authentik to trustedProviders bypasses this guard so OIDC login works for TF-created users whose emails were never verified through an authentik flow. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 22:24:48 +00:00
The Dogfather	9692476202	fix(GRO-1470): add portal PATCH /pets/:id + expand GET /pets response CI / Lint & Typecheck (push) Failing after 7s Details CI / Test (push) Failing after 7s Details CI / Build & Push Docker Image (push) Has been skipped Details	2026-05-21 20:16:53 +00:00