fix(GRO-1272): address QA review items for rbac.test.ts

- Rename insertedStaff to _insertedStaff (ESLint unused var, line 49) - Rename table param to _table in insert mock (ESLint unused param, line 91) - Fix buildApp jwtPayload to prefer userLookupResult.id over staffLookupResult.userId (corrects auto-provision test failures where sub was 'unknown-sub' instead of 'ba-user-new') Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(GRO-1272): fix TS2769 and test mock iterable issues
2026-05-20 13:37:49 +00:00 · 2026-05-20 13:19:23 +00:00 · 2026-05-20 13:03:46 +00:00 · 2026-05-14 19:03:09 +00:00
3 changed files with 134 additions and 24 deletions
@@ -28,6 +28,7 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.1 | Login via OIDC | POST to OIDC provider callback, verify JWT token issued | 200 OK, JWT returned with valid claims |
 | TC-API-1.2 | Session persistence | Make authenticated request, verify session token valid | 200 OK, request succeeds |
 | TC-API-1.3 | Logout | Call logout endpoint, verify token invalidated | 200 OK, subsequent requests return 401 |
+| TC-API-1.4 | Auto-provision on first OIDC login | First login as a Better-Auth user with no existing staff record | 200 OK, access granted; groomer staff record auto-created with name/email from user table |

 ### 4.2 Client Management

@@ -45,40 +45,76 @@ const GROOMER: StaffRow = {

 let staffLookupResult: StaffRow | null = null;
 let managerFallbackResult: StaffRow | null = MANAGER;
+let userLookupResult: { id: string; name: string | null; email: string | null } | null = null;
+let _insertedStaff: StaffRow | null = null;

 vi.mock("../db", () => {
-  const staff = new Proxy(
-    { _name: "staff" },
-    {
-      get(target, prop) {
-        if (prop === "_name") return "staff";
-        if (prop === "$inferSelect") return {};
-        return { table: "staff", column: prop };
-      },
-    }
-  );
+  const makeTableProxy = (name: string) =>
+    new Proxy(
+      { _name: name },
+      {
+        get(target, prop) {
+          if (prop === "_name") return name;
+          if (prop === "$inferSelect") return {};
+          return { table: name, column: prop };
+        },
+      }
+    );
+
+  const staff = makeTableProxy("staff");
+  const user = makeTableProxy("user");
+
+  const buildQuery = (result: unknown, fallback: unknown) => ({
+    [Symbol.iterator]: function* () {
+      if (result) yield result;
+    },
+    limit: (_n: number) => {
+      const item = result ?? fallback;
+      return {
+        [Symbol.iterator]: function* () { if (item) yield item; },
+        0: item,
+        length: item ? 1 : 0,
+      };
+    },
+  });

  return {
    getDb: () => ({
      select: () => ({
-        from: () => ({
-          where: () => ({
-            limit: () => {
-              // dev mode fallback to first manager
-              return managerFallbackResult ? [managerFallbackResult] : [];
-            },
-            [Symbol.iterator]: function* () {
-              if (staffLookupResult) yield staffLookupResult;
-            },
-            0: staffLookupResult,
-            length: staffLookupResult ? 1 : 0,
-          }),
+        from: (table: unknown) => ({
+          where: () => buildQuery(
+            table === staff ? staffLookupResult : userLookupResult,
+            table === staff ? managerFallbackResult : null
+          ),
+        }),
+      }),
+      insert: (_table: unknown) => ({
+        values: (vals: Record<string, unknown>) => ({
+          returning: () => {
+            const newStaff: StaffRow = {
+              id: "new-staff-id",
+              oidcSub: null,
+              userId: vals.userId as string,
+              role: vals.role as StaffRow["role"],
+              isSuperUser: false,
+              name: vals.name as string,
+              email: vals.email as string,
+              active: true,
+              icalToken: null,
+              createdAt: new Date(),
+              updatedAt: new Date(),
+            };
+            _insertedStaff = newStaff;
+            return [newStaff];
+          },
        }),
      }),
    }),
    staff,
+    user,
    eq: vi.fn((_col: unknown, _val: unknown) => ({ col: _col, val: _val })),
    and: vi.fn((..._clauses: unknown[]) => ({})),
+    sql: vi.fn((..._args: unknown[]) => ({})),
  };
 });

@@ -87,6 +123,8 @@ vi.mock("../db", () => {
 function resetMocks() {
  staffLookupResult = null;
  managerFallbackResult = MANAGER;
+  userLookupResult = null;
+  _insertedStaff = null;
 }

 /** Build a minimal Hono app with jwtPayload pre-set, then apply a middleware. */
@@ -96,7 +134,7 @@ function buildApp(
 ) {
  const app = new Hono<AppEnv>();
  app.use("*", async (c, next) => {
-    c.set("jwtPayload", { sub: staffLookupResult?.userId ?? "unknown-sub" });
+    c.set("jwtPayload", { sub: userLookupResult?.id ?? staffLookupResult?.userId ?? "unknown-sub" });
    await next();
  });
  app.use("*", middleware);
@@ -202,6 +240,50 @@ describe("resolveStaffMiddleware", () => {
    const body = await res.json();
    expect(body.error).toMatch(/no staff records found/i);
  });
+
+  it("auto-provision: creates groomer staff record on first login when Better-Auth user exists", async () => {
+    staffLookupResult = null;
+    userLookupResult = { id: "ba-user-new", name: "New User", email: "newuser@example.com" };
+    let capturedStaff: StaffRow | null = null;
+    const app = buildApp(resolveStaffMiddleware, (c) => {
+      capturedStaff = c.get("staff");
+      return c.json({ ok: true });
+    });
+
+    const res = await app.request("/test");
+    expect(res.status).toBe(200);
+    expect(capturedStaff).not.toBeNull();
+    expect(capturedStaff!.role).toBe("groomer");
+    expect(capturedStaff!.userId).toBe("ba-user-new");
+    expect(capturedStaff!.name).toBe("New User");
+    expect(capturedStaff!.email).toBe("newuser@example.com");
+    expect(capturedStaff!.isSuperUser).toBe(false);
+  });
+
+  it("auto-provision: falls back to email prefix when user has no name", async () => {
+    staffLookupResult = null;
+    userLookupResult = { id: "ba-user-noname", name: null, email: "firstlogin@example.com" };
+    let capturedStaff: StaffRow | null = null;
+    const app = buildApp(resolveStaffMiddleware, (c) => {
+      capturedStaff = c.get("staff");
+      return c.json({ ok: true });
+    });
+
+    const res = await app.request("/test");
+    expect(res.status).toBe(200);
+    expect(capturedStaff!.name).toBe("firstlogin");
+  });
+
+  it("auto-provision: returns 403 when no staff record and no Better-Auth user exists", async () => {
+    staffLookupResult = null;
+    userLookupResult = null;
+    const app = buildApp(resolveStaffMiddleware);
+
+    const res = await app.request("/test");
+    expect(res.status).toBe(403);
+    const body = await res.json();
+    expect(body.error).toMatch(/no staff record found for authenticated user/i);
+  });
 });

 // ─── requireRole tests ────────────────────────────────────────────────────────
@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "../db/index.js";
+import { and, eq, getDb, sql, staff, user } from "../db/index.js";

 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -110,6 +110,33 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
      return;
    }
  }
+  // Auto-provision: no staff record exists for this user at all, but a valid
+  // Better-Auth user session exists (jwt.sub = user.id from user table).
+  // Create a minimal groomer staff record on first login.
+  const [userRow] = await db
+    .select({ id: user.id, name: user.name, email: user.email })
+    .from(user)
+    .where(eq(user.id, jwt.sub))
+    .limit(1);
+  if (userRow) {
+    const [newStaff] = await db
+      .insert(staff)
+      .values({
+        name: userRow.name ?? jwt.email?.split("@")[0] ?? "Unknown",
+        email: userRow.email ?? jwt.email ?? "",
+        userId: jwt.sub,
+        role: "groomer",
+        isSuperUser: false,
+        active: true,
+      })
+      .returning();
+    if (!newStaff) {
+      return c.json({ error: "Internal error: staff record creation failed" }, 500);
+    }
+    c.set("staff", newStaff);
+    await next();
+    return;
+  }
  return c.json(
    { error: "Forbidden: no staff record found for authenticated user" },
    403
Author	SHA1	Message	Date
Chris Farhood	746b0fb9c6	fix(GRO-1272): address QA review items for rbac.test.ts CI / Lint & Typecheck (pull_request) Failing after 15s Details CI / Test (pull_request) Failing after 20s Details CI / Build (pull_request) Has been skipped Details CI / Build & Push Docker Images (pull_request) Has been skipped Details CI / Update Infra Image Tags (pull_request) Has been skipped Details - Rename insertedStaff to _insertedStaff (ESLint unused var, line 49) - Rename table param to _table in insert mock (ESLint unused param, line 91) - Fix buildApp jwtPayload to prefer userLookupResult.id over staffLookupResult.userId (corrects auto-provision test failures where sub was 'unknown-sub' instead of 'ba-user-new') Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 13:37:49 +00:00
Chris Farhood	5bbbcceabf	fix(GRO-1272): fix TS2769 and test mock iterable issues CI / Lint & Typecheck (pull_request) Failing after 14s Details CI / Test (pull_request) Failing after 20s Details CI / Build (pull_request) Has been skipped Details CI / Build & Push Docker Images (pull_request) Has been skipped Details CI / Update Infra Image Tags (pull_request) Has been skipped Details - Add null guard for newStaff after .returning() in auto-provision block - Make buildQuery() iterable without .limit() call (for WHERE-only queries) - Use fallback in .limit() for manager-fallback dev-mode tests Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 13:19:23 +00:00
Chris Farhood	1674a7df4a	fix(GRO-1272): update rbac tests and UAT playbook for auto-provision CI / Lint & Typecheck (pull_request) Failing after 13s Details CI / Test (pull_request) Failing after 20s Details CI / Build (pull_request) Has been skipped Details CI / Build & Push Docker Images (pull_request) Has been skipped Details CI / Update Infra Image Tags (pull_request) Has been skipped Details - Add user table mock and db.insert returning chain to rbac.test.ts - Add three new tests: happy-path auto-provision, email-prefix fallback, and miss-path (no user → 403) - Add TC-API-1.4 to UAT_PLAYBOOK.md §4.1 for first-login auto-provision Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 13:03:46 +00:00
Chris Farhood	09187ca277	fix(GRO-1272): auto-provision staff record on first OIDC login When a user authenticates via OIDC but has no staff record (userId NULL, oidcSub mismatch, email mismatch), resolveStaffMiddleware now checks for a Better-Auth user record by jwt.sub and auto-creates a minimal groomer staff record on first login. This fixes the UAT regression where all API routes returned 403 for all authenticated users after GRO-1207, because seedKnownUsers() sets oidcSub to Authentik integer PKs or emails rather than the actual Authentik OIDC sub (a UUID). The auto-provision path bridges the gap for all UAT personas without requiring seed/Terraform changes. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-14 19:03:09 +00:00