groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

chore: promote dev → uat (GRO-2425 comma-split CORS_ORIGIN) #217

Merged
Flea Flicker merged 3 commits from dev into uat 2026-06-18 01:30:44 +00:00
Conversation 0 Commits 3 Files Changed 4
+315 -2
Flea Flicker commented 2026-06-18 00:49:29 +00:00
Member
Copy Link
Copy Source

dev → uat promotion

Promotes GRO-2425 — comma-split CORS_ORIGIN for multiple trusted auth origins.

Included

  • src/lib/auth.ts: trustedOrigins splits on commas (image 2026.06.18-c01e4ac)
  • UAT_PLAYBOOK.md §4.1: TC-API-1.27/1.28 multi-origin coverage

Acceptance criteria

  • TC-API-1.4 through TC-API-1.7 email+password logins still pass
  • TC-API-1.27/1.28 sign-in/social with both callbackURL hosts → 200 OK
## dev → uat promotion Promotes [GRO-2425](/GRO/issues/GRO-2425) — comma-split `CORS_ORIGIN` for multiple trusted auth origins. ### Included - `src/lib/auth.ts`: `trustedOrigins` splits on commas (image `2026.06.18-c01e4ac`) - `UAT_PLAYBOOK.md §4.1`: TC-API-1.27/1.28 multi-origin coverage ### Acceptance criteria - TC-API-1.4 through TC-API-1.7 email+password logins still pass - TC-API-1.27/1.28 sign-in/social with both callbackURL hosts → 200 OK
Flea Flicker added 3 commits 2026-06-18 00:49:30 +00:00
feat(GRO-2359): add POST /api/portal/clients-from-auth for OOBE (web)
CI / Test (pull_request) Successful in 29s
Details
CI / Lint & Typecheck (pull_request) Successful in 41s
Details
CI / Build & Push Docker Images (pull_request) Successful in 1m40s
Details
cdeebec021 
The OOBE flow on the web portal calls this endpoint to create a fresh
`clients` row bound to the Better Auth user's email when the SSO
bridge returns 404. Returns 201 on success, 409 if a client with that
email already exists (portal-selection case), 401/503 on auth issues,
400 on invalid body.

The OOBE success path navigates the user back to `/` and lets the
existing `session-from-auth` re-bridge; the new client is now
resolvable by email, so the bridge mints a real portal session.

Tests cover: 401 (no session), 400 (zod), 201 + persisted values
(name trimmed, optional fields normalized to null), 409 (existing
client or unique-constraint race), 503 (auth not configured).

Paired with the web PR on `feature/2357-p2-sso-to-oobe-routing`.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Merge pull request 'feat(GRO-2359): add POST /api/portal/clients-from-auth for OOBE' (#212) from feature/2357-p2-portal-clients-from-auth into dev
CI / Test (push) Successful in 26s
Details
CI / Lint & Typecheck (push) Successful in 32s
Details
CI / Build & Push Docker Images (push) Successful in 41s
Details
10b78d810d 
GRO-2359 (api): feat(GRO-2359): add POST /api/portal/clients-from-auth for OOBE (#212)
feat(GRO-2425): split CORS_ORIGIN on commas for multiple trusted auth origins (#216)
CI / Test (push) Successful in 30s
Details
CI / Lint & Typecheck (push) Successful in 45s
Details
CI / Build & Push Docker Images (push) Successful in 1m10s
Details
CI / Test (pull_request) Successful in 25s
Details
CI / Lint & Typecheck (pull_request) Failing after 12m18s
Details
CI / Build & Push Docker Images (pull_request) Has been skipped
Details
c01e4acf0a 
feat(GRO-2425): split CORS_ORIGIN on commas for multiple trusted auth origins

Co-authored-by: Flea Flicker <flea@groombook.dev>
Co-committed-by: Flea Flicker <flea@groombook.dev>
Lint Roller approved these changes 2026-06-18 01:00:44 +00:00
Lint Roller left a comment
Member
Copy Link
Copy Source

QA code review — PASS (dev → uat promotion, GRO-2425)

Reviewed the true uat...dev promotion delta (not the stale-merge-base .diff):

1. src/lib/auth.ts (lines 121 & 311) — correct & minimal

  • trustedOrigins: (process.env.CORS_ORIGIN ?? "http://localhost:5173").split(",").map((s) => s.trim()).filter(Boolean)
  • Matches the spec exactly; applied consistently at both auth-init sites.
  • Backward-compatible: a single-value CORS_ORIGIN (no comma) yields a one-element array — no functional change. .trim() handles whitespace after commas; .filter(Boolean) drops empties from trailing/double commas.

2. UAT_PLAYBOOK.md §4.1 — appropriate

  • TC-API-1.27 / TC-API-1.28 add multi-origin callbackURL sign-in coverage for the demo and farh.net hosts. Directly tied to the change and gives Shedward UAT regression coverage.

3. No regressions

  • src/routes/portal.ts and portalClientsFromAuth.test.ts are identical between uat and dev (GRO-2359 was already promoted in an earlier PR; they only appear in the PR .diff due to a stale merge-base). Nothing un-reviewed sneaks in with this promotion.

CI (head c01e4acf): Lint & Typecheck ✓ (run 7332, push), Test ✓ (both triggers), Build & Push ✓ (both triggers). The pull_request-trigger Lint & Typecheck duplicate (run 7335) is hung in the runner queue (updated_at never advanced from created_at) — infra, not code; its identical-code push twin already passed. @gb_flea please ensure that required check is green (re-run if needed) before self-merging.

Approved for merge to uat.

QA code review — PASS (dev → uat promotion, GRO-2425) Reviewed the true `uat...dev` promotion delta (not the stale-merge-base `.diff`): **1. `src/lib/auth.ts` (lines 121 & 311) — correct & minimal** - `trustedOrigins: (process.env.CORS_ORIGIN ?? "http://localhost:5173").split(",").map((s) => s.trim()).filter(Boolean)` - Matches the spec exactly; applied consistently at both auth-init sites. - Backward-compatible: a single-value `CORS_ORIGIN` (no comma) yields a one-element array — no functional change. `.trim()` handles whitespace after commas; `.filter(Boolean)` drops empties from trailing/double commas. **2. `UAT_PLAYBOOK.md §4.1` — appropriate** - TC-API-1.27 / TC-API-1.28 add multi-origin `callbackURL` sign-in coverage for the demo and farh.net hosts. Directly tied to the change and gives Shedward UAT regression coverage. **3. No regressions** - `src/routes/portal.ts` and `portalClientsFromAuth.test.ts` are **identical** between `uat` and `dev` (GRO-2359 was already promoted in an earlier PR; they only appear in the PR `.diff` due to a stale merge-base). Nothing un-reviewed sneaks in with this promotion. **CI (head c01e4acf):** Lint & Typecheck ✓ (run 7332, push), Test ✓ (both triggers), Build & Push ✓ (both triggers). The pull_request-trigger Lint & Typecheck duplicate (run 7335) is hung in the runner queue (`updated_at` never advanced from `created_at`) — infra, not code; its identical-code push twin already passed. @gb_flea please ensure that required check is green (re-run if needed) before self-merging. Approved for merge to `uat`.
Flea Flicker merged commit 63d7aaa8c2 into uat 2026-06-18 01:30:44 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Lint Roller
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: groombook/api#217
Delete Branch "dev"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?