apps/api/src/middleware/rbac.ts

@@ -1,7 +1,7 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "../db";
+import { and, eq, getDb, sql, staff, staffRoleEnum } from "../db";
 
-export type StaffRole = "groomer" | "receptionist" | "manager";
+type StaffRole = typeof staffRoleEnum.enumValues[number];
 export type StaffRow = typeof staff.$inferSelect;
 
 export interface AppEnv {
@@ -110,6 +110,27 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       return;
     }
   }
+
+  // Auto-create staff record for authenticated OAuth users with no existing staff record
+  // This allows new OAuth users to access the app (defaults to receptionist role)
+  if (jwt.email && jwt.name) {
+    const [newStaff] = await db
+      .insert(staff)
+      .values({
+        email: jwt.email,
+        name: jwt.name,
+        userId: jwt.sub,
+        role: "receptionist",
+        active: true,
+      })
+      .returning();
+    if (newStaff) {
+      c.set("staff", newStaff);
+      await next();
+      return;
+    }
+  }
+
   return c.json(
     { error: "Forbidden: no staff record found for authenticated user" },
     403