groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

promote: dev → uat (GRO-1272 auto-provision staff on OIDC login) #36

Merged
The Dogfather merged 6 commits from dev into uat 2026-05-21 14:17:41 +00:00
Conversation 0 Commits 6 Files Changed 5
+223 -27
The Dogfather commented 2026-05-21 14:17:34 +00:00
Member
Copy Link
Copy Source

UAT Promotion

Promotes dev to uat including:

  • fix(GRO-1272): auto-provision staff record on first OIDC login
    • Fixes HTTP 403 on all authenticated routes for new OIDC users
    • Creates minimal groomer staff record when Better-Auth user exists but no staff record found
    • CTO reviewed and approved in api/#19

cc @cpfarhood

## UAT Promotion Promotes `dev` to `uat` including: - **fix(GRO-1272):** auto-provision staff record on first OIDC login - Fixes HTTP 403 on all authenticated routes for new OIDC users - Creates minimal groomer staff record when Better-Auth user exists but no staff record found - CTO reviewed and approved in api/#19 cc @cpfarhood
The Dogfather added 6 commits 2026-05-21 14:17:34 +00:00
fix(GRO-1272): auto-provision staff record on first OIDC login ce83b1847d 
When a user authenticates via OIDC but has no staff record (userId NULL,
oidcSub mismatch, email mismatch), resolveStaffMiddleware now checks for
a Better-Auth user record by jwt.sub and auto-creates a minimal groomer
staff record on first login.

This fixes the UAT regression where all API routes returned 403 for all
authenticated users after GRO-1207, because seedKnownUsers() sets
oidcSub to Authentik integer PKs or emails rather than the actual Authentik
OIDC sub (a UUID). The auto-provision path bridges the gap for all UAT
personas without requiring seed/Terraform changes.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(GRO-1272): update rbac tests and UAT playbook for auto-provision 4a80440513 
- Add user table mock and db.insert returning chain to rbac.test.ts
- Add three new tests: happy-path auto-provision, email-prefix fallback,
  and miss-path (no user → 403)
- Add TC-API-1.4 to UAT_PLAYBOOK.md §4.1 for first-login auto-provision

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(GRO-1272): fix TS2769 and test mock iterable issues f9b68eb932 
- Add null guard for newStaff after .returning() in auto-provision block
- Make buildQuery() iterable without .limit() call (for WHERE-only queries)
- Use fallback in .limit() for manager-fallback dev-mode tests

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(GRO-1272): address QA review items for rbac.test.ts
CI / Lint & Typecheck (pull_request) Successful in 16s
Details
CI / Test (pull_request) Failing after 21s
Details
CI / Build & Push Docker Image (pull_request) Has been skipped
Details
ea825dfdda 
- Rename insertedStaff to _insertedStaff (ESLint unused var, line 49)
- Rename table param to _table in insert mock (ESLint unused param, line 91)
- Fix buildApp jwtPayload to prefer userLookupResult.id over staffLookupResult.userId
  (corrects auto-provision test failures where sub was 'unknown-sub' instead of 'ba-user-new')

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
feat(GRO-1445): provision Better-Auth credential accounts in seed.ts
CI / Lint & Typecheck (push) Failing after 6s
Details
CI / Test (push) Failing after 6s
Details
CI / Build & Push Docker Image (push) Has been skipped
Details
9b24e299db 
GRO-1325 was marked done but never implemented. This adds the missing
Better-Auth user + account seeding for UAT email+password logins.

For each SEED_UAT_*_PASSWORD env var present, the seed now:
1. Creates (or links to existing) a Better-Auth user record with
   emailVerified: true
2. Creates a credential account with providerId: "credential"
   and a bcrypt-hashed password (using better-auth/crypto)
3. Links the staff record to the Better-Auth user via userId

Idempotent: skips user/account creation if already seeded.

Updated UAT_PLAYBOOK.md §4.1 — TC-API-1.4 through 1.9 now reference
the new seed provisioning (GRO-1325 was the missing piece).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Merge pull request 'fix(GRO-1272): auto-provision staff record on first OIDC login' (#19) from fleaflicker/gro-1272-auto-provision-staff-dev into dev
CI / Lint & Typecheck (push) Failing after 7s
Details
CI / Test (push) Failing after 7s
Details
CI / Build & Push Docker Image (push) Has been skipped
Details
73461f2200 
fix(GRO-1272): auto-provision staff record on first OIDC login (#19)

Fixes HTTP 403 on all authenticated routes for new OIDC users by auto-creating
a minimal groomer staff record on first login when a Better-Auth user exists
but no staff record is found.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
The Dogfather merged commit 7cb5fda3e3 into uat 2026-05-21 14:17:41 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: groombook/api#36
Delete Branch "dev"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?