fix(gro-1866): add session-from-auth portal endpoint + role scope #93

Merged

The Dogfather merged 3 commits from fix/gro-1866-sso-bridge into dev

2026-05-28 18:46:44 +00:00

Author	SHA1	Message	Date
Flea Flicker	b96b6c06fc	fix: add missing getAuth import and fix db.insert() mock chain Fixes two bugs found in QA review: - ReferenceError: getAuth not defined in beforeEach - add import - TypeError: wrong mock chain insert().into().values() vs insert().values() Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-28 15:59:41 +00:00
Flea Flicker	fa67b75b76	docs: add UAT test cases TC-API-8.8 through TC-API-8.11 for SSO bridge Adds manual test cases covering: - TC-API-8.8: valid Better Auth session → portal session (201) - TC-API-8.9: no session → 401 - TC-API-8.10: no matching client → 404 - TC-API-8.11: returned sessionId works on subsequent portal calls Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-28 15:01:24 +00:00
Flea Flicker	7e329ff72f	fix(gro-1866): add session-from-auth portal endpoint and role scope Adds POST /api/portal/session-from-auth which bridges a valid Better Auth customer session (from SSO login) to a portal impersonation session, so real SSO customers can access the client portal. The endpoint is registered before the validatePortalSession catch-all so it is not subject to that middleware. It validates the Better Auth session from request cookies, looks up the client by email, creates an active impersonation session, and returns { sessionId, clientId, clientName }. Also adds "role" to the genericOAuth scopes so Authentik propagates the role claim into Better Auth user objects (GRO-1862 root cause fix). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-28 15:00:15 +00:00

Author

SHA1

Message

Date

Flea Flicker

b96b6c06fc

fix: add missing getAuth import and fix db.insert() mock chain

Fixes two bugs found in QA review:
- ReferenceError: getAuth not defined in beforeEach - add import
- TypeError: wrong mock chain insert().into().values() vs insert().values()

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-05-28 15:59:41 +00:00

Flea Flicker

fa67b75b76

docs: add UAT test cases TC-API-8.8 through TC-API-8.11 for SSO bridge

Adds manual test cases covering:
- TC-API-8.8: valid Better Auth session → portal session (201)
- TC-API-8.9: no session → 401
- TC-API-8.10: no matching client → 404
- TC-API-8.11: returned sessionId works on subsequent portal calls

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-05-28 15:01:24 +00:00

Flea Flicker

7e329ff72f

fix(gro-1866): add session-from-auth portal endpoint and role scope

Adds POST /api/portal/session-from-auth which bridges a valid Better Auth
customer session (from SSO login) to a portal impersonation session, so
real SSO customers can access the client portal.

The endpoint is registered before the validatePortalSession catch-all so it
is not subject to that middleware. It validates the Better Auth session
from request cookies, looks up the client by email, creates an active
impersonation session, and returns { sessionId, clientId, clientName }.

Also adds "role" to the genericOAuth scopes so Authentik propagates the
role claim into Better Auth user objects (GRO-1862 root cause fix).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-05-28 15:00:15 +00:00

fix(gro-1866): add session-from-auth portal endpoint + role scope #93

3 Commits