fix(GRO-1757): auto-provision staff for OIDC users + UAT playbook updates #83

Merged
Scrubs McBarkley merged 1 commit from fix/gro-1757-sso-auto-provision into dev 2026-05-25 23:39:57 +00:00

1 Commit

Author SHA1 Message Date
Flea Flicker 503235df35 fix(GRO-1757): auto-provision staff for OIDC users + UAT playbook updates
- Add OIDC auto-provision step to resolveStaffMiddleware in rbac.ts:
  query account table for OAuth provider (authentik/google/github) linked to jwt.sub,
  if found create groomer staff record with least-privilege defaults
- Guard: only auto-provision if OIDC account exists, never superuser/manager
- Name derived from jwt.name > email prefix > "Unknown"
- Log auto-creation for observability
- Add SSO Login Journey (TC-API-1.17 to 1.21) and OOBE Flow (TC-API-1.22 to 1.26) test cases
  to groombook-api UAT_PLAYBOOK.md §4.1

Updated UAT_PLAYBOOK.md §5.4.1 (SSO Login Journey) and §5.4.2 (OOBE Flow Post-Login)
in groombook-web.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-25 23:36:48 +00:00
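
The guard described in the commit message, as an added TypeScript example (not the project's rbac.ts and not code from this commit). All type and function names are hypothetical, in-memory arrays stand in for the account and staff tables, and the `role` claim is constructed to show that token claims never set privilege.

```typescript
// Added example: every name here is hypothetical, not taken from the project's rbac.ts.
type StaffRole = "groomer" | "manager" | "superuser";
interface LinkedAccount { userId: string; providerId: string }
interface StaffRecord { userId: string; name: string; role: StaffRole }
// `role` is a constructed claim, present only to show that token claims never set privilege.
interface JwtClaims { sub: string; name?: string; email?: string; role?: string }

// Providers named in the commit message; any other account type is not auto-provisioned.
const OIDC_PROVIDERS = ["authentik", "google", "github"];

// Display name precedence from the commit message: jwt.name > email prefix > "Unknown".
function deriveName(jwt: JwtClaims): string {
  const name = (jwt.name || "").trim();
  if (name) return name;
  const prefix = ((jwt.email || "").split("@")[0] || "").trim();
  return prefix || "Unknown";
}

// Returns the caller's staff record, creating a groomer record only when an OIDC
// account is linked to jwt.sub. Returns null when the caller must be rejected.
function resolveStaff(
  jwt: JwtClaims, accounts: LinkedAccount[], staff: StaffRecord[], log: string[],
): StaffRecord | null {
  const existing = staff.filter((s) => s.userId === jwt.sub)[0];
  if (existing) return existing; // existing roles are never rewritten here
  const linked = accounts.filter(
    (a) => a.userId === jwt.sub && OIDC_PROVIDERS.indexOf(a.providerId) !== -1,
  )[0];
  if (!linked) return null; // guard: no OIDC account, no auto-provision
  // Role is a fixed literal: never manager or superuser, never read from the token.
  const created: StaffRecord = { userId: jwt.sub, name: deriveName(jwt), role: "groomer" };
  staff.push(created);
  log.push("auto-provisioned staff sub=" + jwt.sub + " provider=" + linked.providerId + " role=groomer");
  return created;
}

// Constructed sample data standing in for the account and staff tables.
const sampleAccounts: LinkedAccount[] = [
  { userId: "u-1", providerId: "google" },
  { userId: "u-2", providerId: "credential" },
  { userId: "u-mgr", providerId: "github" },
];
const sampleStaff: StaffRecord[] = [{ userId: "u-mgr", name: "Pat", role: "manager" }];
const sampleLog: string[] = [];
```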