groombook/api

Fork 0

fix(GRO-1272): auto-provision staff record on first OIDC login #18

Closed

groombook-engineer[bot] wants to merge 1 commits from fleaflicker/gro-1272-v2 into main

merge into: groombook:main

groombook:main

groombook:gro-2381-agents-contributing

groombook:flea/uat-to-main-gro-2359-api

groombook:uat

groombook:dev

groombook:release/main-GRO-2342-api

groombook:release/main-GRO-2319-api

groombook:flea/promote-main-gro-2311

groombook:promote/GRO-2319-api-to-uat

groombook:feat/GRO-2319-portal-waitlist-surfacing

groombook:flea/promote-main-gro-2172

groombook:dev-to-uat-gro-2311

groombook:flea/gro-2311-seed-portal-statusbadge-appts

groombook:promote/gro-2172-pets-to-uat

groombook:fix/gro-2172-pet-extended-fields

groombook:uat-to-main-gro-2299

groombook:flea/promote-main-gro-2294

groombook:promote/dev-to-uat-gro-2299

groombook:gro-2299-redact-patch-settings

groombook:flea/promote-gro-2294-uat

groombook:flea/gro-2294-route-opt-hardening

groombook:flea/uat-to-main-gro-2157-frozen

groombook:promote/dev-to-uat-gro-2225

groombook:flea/gro-2157-navigation-export

groombook:flea/gro-2235-waitlist-duplicate-409

groombook:feat/gro-2225-uat-seed-route-cohort

groombook:flea/uat-to-main-gro-2234-api

groombook:flea/dev-to-uat-gro-2156

groombook:flea-flicker/gro-2234-portal-session-sliding-ttl

groombook:release/main-6120b96

groombook:flea/gro-2156-travel-buffer-reorder

groombook:release/main-eb92f99

groombook:fix/gro-2214-portal-waitlist-validation

groombook:fix/gro-2203-portal-pet-patch-uuid-validation

groombook:dev-to-uat-gro-2155

groombook:feat/gro-2155-route-optimize-endpoints-dev

groombook:fix/gro-2163-migrate-pre-dns-wait

groombook:fix/gro-2187-portal-photokey-hijack

groombook:dev-to-uat-gro-2154

groombook:feat/gro-2154-geocoding-endpoints-dev

groombook:flea-flicker/gro-2197-ci-api-gate

groombook:dev-to-uat-gro-2153

groombook:dev-to-uat-gro-2187

groombook:fix/gro-2187-portal-pets-patch

groombook:dev-to-uat-gro-2129

groombook:flea-flicker/gro-2123-cleanup-stale-seed-duplicate

groombook:dev-to-uat-gro-2123

groombook:flea-flicker/gro-2123-seed-advisory-lock

groombook:promote/dev-to-uat-gro-2100

groombook:flea/gro-2100-uat-groomer-pet-linkage

groombook:flea/gro-2062-owner-bypass-audit

groombook:flea/gro-2052-rbac-betterauth-user-autoprovision

groombook:dogfather/gro-2013-promote-uat

groombook:flea/gro-2013-owner-bypass-deployed-tree

groombook:flea/gro-2033-idempotent-pet-profile-migrations

groombook:fix/gro-2014-profile-summary-error-handling

groombook:flea/gro-2000-uat-password-source-doc

groombook:fix/gro-1999-uat-seed-extra-large

groombook:fix/gro-1983-seed-pnpm-baked

groombook:fix/GRO-1979-coat-type-pet-size-enum-fix

groombook:fleaflicker/GRO-1962-deterministic-testcoopper-rocky

groombook:flea/gro-1977-seed-idempotency

groombook:fix/GRO-1977-seed-credential-idempotency

groombook:promote/dev-to-uat-gro-1971

groombook:fix/gro-1971-coat-type-enum-missing-short

groombook:fix/GRO-1962-uat-seed-pet-medicalalerts

groombook:flea/GRO-1955-fix-uc-undefined-seed

groombook:fix/GRO-1909-migrate-corepack-offline

groombook:fix/GRO-1953-coat-type-short-missing

groombook:fleaflicker/gro-medical-alert-types-behavioral-skin

groombook:fleaflicker/gro-1921-uat-reset-full-seed

groombook:flea/GRO-1945-pets-visitcount-hotfix

groombook:fix/GRO-1935-uat-customer-client-seed

groombook:fix/GRO-1914-seed-typeof

groombook:feature/GRO-1898-extended-pet-profile-seed

groombook:seed/extended-profile-fields-gro-1898

groombook:fix/gro-1889-reset-demo-data-pnpm

groombook:promote/dev-to-uat-gro-1866

groombook:fix/gro-1866-qa-fixes

groombook:fix/gro-1866-sso-bridge

groombook:fix/gro-1850-pet-profile-migration

groombook:promote/dev-to-uat-gro-1790

groombook:flea-flicker/pet-profile-summary

groombook:ff/gro-1765-trigger-ci

groombook:promo/gro-1764-uat

groombook:ci/gro-1757-build

groombook:fix/gro-1757-sso-auto-provision

groombook:fix/gro-1754-uat-ci

groombook:fix/gro-1754-trigger-ci-v2

groombook:fix/gro-1752-factories-v2

groombook:fix/gro-1752-factories-only

groombook:fix/gro-1746-apply-uat-seed-to-root-src

groombook:fix/gro-1752-extended-pet-profile-fields

groombook:promo/gro-1749-uat

groombook:fix/gro-1749-uat-seed-sync

groombook:fix/gro-1743-uat-seed-data

groombook:fix/gro-1480-portal-pets-patch

groombook:fix/gro-1678-econnreset-robustness

groombook:fix/gro-1576-ci-provenance-false

groombook:fix/gro-1575-ci-provenance

groombook:fix/gro-1566-api-health-auth-bypass

groombook:fix/gro-1544-api-health-endpoint

groombook:fix/gro-1533-migration-0031-coat-type

groombook:fix/gro-1533-missing-migration-0032

groombook:fix/gro-1533-missing-migration-journal

groombook:revert/gro-1533-dockerfile-fix

groombook:fix/gro-1533-revert-dockefile-build-change

groombook:flea-flicker/gro-1531-seed-db-filter

groombook:fix/gro-1522-ci-images-node22

groombook:pr-44

groombook:flea-flicker/gro-1509-better-auth-account-not-linked

groombook:flea-flicker/gro-1162-pet-buffer-time

groombook:fix/gro-1461-uat-playbook-auto-provision

groombook:flea-flicker/pet-profile-editor

groombook:fix/gro-1441-remove-duplicate-coat-props

groombook:fix/gro-1390-pets-test-mock-hoisting

groombook:fix/gro-1395-drizzle-orm-root-dep

groombook:gitea/migrate-workflows

groombook:flea-flicker/fix-gro-1370-ts-and-test-errors

groombook:fix/api/add-devdep-drizzle-orm-fix-vitest

groombook:pr-19

groombook:flea-flicker/uat-email-password-seed

groombook:fleaflicker/gro-1272-auto-provision-staff

groombook:add-renovate-config

groombook:flea-flicker/gro-1231-pnpm-workspace-dockerfile

groombook:fix/GRO-1202-rate-limit-override

groombook:fix/typescript-errors

groombook:flea-flicker/pet-profile-extended-fields

groombook:fix/uat-tester-oidc-sub

groombook:flea-flicker/fix-authprovider-mock-path

groombook:flea-flicker/auto-create-staff-oauth-users-v2

groombook:flea-flicker/auto-create-staff-oauth-users

groombook:docs/GRO-1099-uat-playbook-api

groombook:flea-flicker/fix-ci-install-deps-v2

groombook:flea-flicker/fix-ci-install-deps

Author	SHA1	Message	Date
Chris Farhood	30268c9df7	fix(GRO-1272): auto-provision staff record on first OIDC login When a user authenticates via OIDC but has no staff record (userId NULL, oidcSub mismatch, email mismatch), resolveStaffMiddleware now checks for a Better-Auth user record by jwt.sub and auto-creates a minimal groomer staff record on first login. This fixes the UAT regression where all API routes returned 403 for all authenticated users after GRO-1207, because seedKnownUsers() sets oidcSub to Authentik integer PKs or emails rather than the actual Authentik OIDC sub (a UUID). The auto-provision path bridges the gap for all UAT personas without requiring seed/Terraform changes. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-14 18:59:48 +00:00

Author

SHA1

Message

Date

Chris Farhood

30268c9df7

fix(GRO-1272): auto-provision staff record on first OIDC login

When a user authenticates via OIDC but has no staff record (userId NULL,
oidcSub mismatch, email mismatch), resolveStaffMiddleware now checks for
a Better-Auth user record by jwt.sub and auto-creates a minimal groomer
staff record on first login.

This fixes the UAT regression where all API routes returned 403 for all
authenticated users after GRO-1207, because seedKnownUsers() sets
oidcSub to Authentik integer PKs or emails rather than the actual Authentik
OIDC sub (a UUID). The auto-provision path bridges the gap for all UAT
personas without requiring seed/Terraform changes.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-05-14 18:59:48 +00:00

fix(GRO-1272): auto-provision staff record on first OIDC login #18

1 Commits