docs(UAT_PLAYBOOK): note GRO-1977 seed idempotency fix for TC-API-1.4-1.7

Updated UAT_PLAYBOOK.md §4.1 — add note that seed credential provisioning is idempotent and TC-API-1.4 through TC-API-1.7 now return 200 for all 4 UAT personas (previously returned 401 due to frozen-hash bug). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fix(seed): update credential password on re-run instead of skipping
2026-06-01 00:20:08 +00:00 · 2026-06-01 00:20:07 +00:00 · 2026-06-01 00:08:19 +00:00
3 changed files with 93 additions and 6 deletions
@@ -41,6 +41,8 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.8 | Email+password — invalid password | POST /api/auth/sign-in/email with wrong password | 400 Bad Request, error returned |
 | TC-API-1.9 | Email+password — unknown user | POST /api/auth/sign-in/email with non-existent email | 400 Bad Request, error returned |
 | TC-API-1.10 | Auto-provision on first OIDC login | First login as a Better-Auth user with no existing staff record | 200 OK, access granted; groomer staff record auto-created with name/email from user table |
+
+> **Note (GRO-1977):** Seed credential provisioning is idempotent — re-running the seed with updated `SEED_UAT_*_PASSWORD` env vars rotates stored credential hashes. TC-API-1.4 through TC-API-1.7 now return 200 for all 4 UAT personas (previously returned 401 due to frozen-hash bug).
 | TC-API-1.11 | Existing staff unaffected by OIDC login | Login as uat-groomer@groombook.dev (email+password), then GET /api/staff to find that record | 200 OK, staff record unchanged — no duplicate created, original role and isSuperUser preserved |
 | TC-API-1.12 | Auto-provisioned role and superUser flags | After TC-API-1.10, GET /api/staff and inspect the auto-created record | role = "groomer", isSuperUser = false, active = true |
 | TC-API-1.13 | Name fallback — user.name present | Auto-provision where Better-Auth user has name set | Staff name = user.name value from user table |
@@ -67,6 +67,7 @@ let dbAccounts: AccountRow[] = [];
 let dbStaff: StaffRow[] = [];
 let insertedUsers: UserRow[] = [];
 let insertedAccounts: AccountRow[] = [];
+let updatedAccounts: Array<{ id: string; password: string }> = [];
 let updatedStaff: Array<{ id: string; userId: string }> = [];

 const originalEnv = { ...process.env };
@@ -77,6 +78,7 @@ function resetMock() {
  dbStaff = [];
  insertedUsers = [];
  insertedAccounts = [];
+  updatedAccounts = [];
  updatedStaff = [];
  process.env = { ...originalEnv };
 }
@@ -173,7 +175,11 @@ async function seedUatCredentials(
    );

    if (existingAccount) {
-      // skip — already has credential account
+      // Idempotent update: re-hash the current env password and update the stored hash.
+      const { hashPassword } = await import("better-auth/crypto");
+      const passwordHash = await hashPassword(password);
+      existingAccount.password = passwordHash;
+      updatedAccounts.push({ id: existingAccount.id, password: passwordHash });
    } else {
      // Use Better-Auth's hashPassword so test helper matches production seed.ts
      const { hashPassword } = await import("better-auth/crypto");
@@ -312,9 +318,9 @@ describe("seedUatCredentials — credential provisioning logic", () => {
    expect(updatedStaff).toHaveLength(0);
  });

-  // ── AC-5: idempotent — skips when user already exists ───────────────────────
+  // ── AC-5: idempotent — does not insert duplicate records ───────────────────

-  it("AC-5: re-running does not duplicate user or account records (idempotent)", async () => {
+  it("AC-5: re-running does not insert duplicate user or account records", async () => {
    process.env.SEED_UAT_CUSTOMER_PASSWORD = TEST_PASSWORD;

    const preExistingUsers: UserRow[] = [
@@ -330,25 +336,96 @@ describe("seedUatCredentials — credential provisioning logic", () => {
      },
    ];

-    // First call — nothing inserted (user + account pre-exist)
    await seedUatCredentials([UAT_ACCOUNTS[2]!], {
      users: preExistingUsers,
      accounts: preExistingAccounts,
      staff: [],
    });

+    // No inserts — user and account already exist
    expect(insertedUsers).toHaveLength(0);
    expect(insertedAccounts).toHaveLength(0);
+  });
+
+  // ── AC-5b: password rotation on re-seed ─────────────────────────────────────
+
+  it("AC-5b: re-running with a new password updates the stored credential hash", async () => {
+    const OLD_PASSWORD = "old-password-abc";
+    const NEW_PASSWORD = "new-password-xyz";
+    process.env.SEED_UAT_CUSTOMER_PASSWORD = NEW_PASSWORD;
+
+    const preExistingUsers: UserRow[] = [
+      { id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
+    ];
+    const preExistingAccounts: AccountRow[] = [
+      {
+        id: "pre-existing-acct",
+        accountId: "pre-existing-user",
+        providerId: "credential",
+        userId: "pre-existing-user",
+        password: await hashPassword(OLD_PASSWORD),
+      },
+    ];

-    // Second call — still nothing inserted
    await seedUatCredentials([UAT_ACCOUNTS[2]!], {
      users: preExistingUsers,
      accounts: preExistingAccounts,
      staff: [],
    });

+    // No new records inserted
    expect(insertedUsers).toHaveLength(0);
    expect(insertedAccounts).toHaveLength(0);
+    // Password WAS updated to the new env value
+    expect(updatedAccounts).toHaveLength(1);
+    expect(updatedAccounts[0]!.id).toBe("pre-existing-acct");
+    // New hash is valid Better-Auth format (salt:key, each hex)
+    const newHashParts = updatedAccounts[0]!.password.split(":");
+    expect(Buffer.from(newHashParts[0]!, "hex")).toHaveLength(16);
+    expect(Buffer.from(newHashParts[1]!, "hex")).toHaveLength(64);
+  });
+
+  // ── AC-8: existing account password IS updated (not frozen at first-seed) ──
+
+  it("AC-8: re-seeding with a changed password env var updates the stored hash", async () => {
+    const ORIGINAL_PASSWORD = "original-password";
+    const ROTATED_PASSWORD = "rotated-password-456";
+
+    process.env.SEED_UAT_CUSTOMER_PASSWORD = ROTATED_PASSWORD;
+
+    const preExistingUsers: UserRow[] = [
+      { id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
+    ];
+    // Account was created with the original password on first seed
+    const originalHash = await hashPassword(ORIGINAL_PASSWORD);
+    const preExistingAccounts: AccountRow[] = [
+      {
+        id: "pre-existing-acct",
+        accountId: "pre-existing-user",
+        providerId: "credential",
+        userId: "pre-existing-user",
+        password: originalHash,
+      },
+    ];
+
+    // Re-seed with the rotated password env var
+    await seedUatCredentials([UAT_ACCOUNTS[2]!], {
+      users: preExistingUsers,
+      accounts: preExistingAccounts,
+      staff: [],
+    });
+
+    // No new user or account created
+    expect(insertedUsers).toHaveLength(0);
+    expect(insertedAccounts).toHaveLength(0);
+
+    // The pre-existing account's password WAS updated (not frozen at first-seed).
+    // hashPassword uses a random salt so we verify by format + that it is a new,
+    // different valid hash from the original.
+    const updatedAcct = preExistingAccounts[0]!;
+    expect(updatedAcct.password).toBeDefined();
+    expect(updatedAcct.password).toMatch(/^[a-f0-9]{32}:[a-f0-9]{128}$/);
+    expect(updatedAcct.password).not.toBe(originalHash); // it actually changed
  });

  // ── AC-6: missing env var skips with warning ────────────────────────────────
@@ -594,7 +594,15 @@ async function seedKnownUsers() {
      .limit(1);

    if (existingAccount) {
-      console.log(`✓ Credential account for '${acct.email}' already exists — skipping`);
+      // Re-hash and update the password so that re-seeding rotates credentials
+      // when the env var changes (e.g. after a password rotation).  Previously
+      // this branch skipped entirely, freezing the hash at first-seed.
+      const { hashPassword } = await import("better-auth/crypto");
+      const passwordHash = await hashPassword(password);
+      await db.update(schema.account)
+        .set({ password: passwordHash })
+        .where(eq(schema.account.id, existingAccount.id));
+      console.log(`✓ Updated credential account password for '${acct.email}'`);
    } else {
      // Use Better-Auth's own hashPassword to guarantee parameter/encoding match.
      // better-auth/crypto uses: N=16384, r=16, p=1, dkLen=64, salt as 16-byte random
Author	SHA1	Message	Date
Flea Flicker	73205bdc18	docs(UAT_PLAYBOOK): note GRO-1977 seed idempotency fix for TC-API-1.4-1.7 CI / Test (pull_request) Successful in 13s Details CI / Lint & Typecheck (pull_request) Successful in 15s Details CI / Build & Push Docker Images (pull_request) Successful in 1m17s Details Updated UAT_PLAYBOOK.md §4.1 — add note that seed credential provisioning is idempotent and TC-API-1.4 through TC-API-1.7 now return 200 for all 4 UAT personas (previously returned 401 due to frozen-hash bug). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-01 00:20:08 +00:00
Flea Flicker	24104b3105	fix(seed): update credential password on re-run instead of skipping - seed.ts: existingAccount branch now re-hashes the current SEED_UAT_*_PASSWORD env value and updates the stored credential. Re-running the seed now properly rotates credentials. - seed-uat-credentials.test.ts: AC-5 updated to reflect update (not insert) behavior on existing accounts. AC-5b added to verify password rotation when re-seeded with a new env password. Fixes GRO-1977. Unblocks GRO-1969. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-01 00:20:07 +00:00
The Dogfather	b928acf5d6	fix(seed): update credential password on existing accounts — not skip (GRO-1977) (#120 ) CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 37s Details	2026-06-01 00:08:19 +00:00