a9ed681726f7d71da3650ef9e1e4ec788a5bf0d4
The previous fix for GRO-2013 (customer cannot view own pet profile summary) landed in apps/api/src/routes/pets.ts, which is dead code in the Docker build path. The Dockerfile does COPY src/ + pnpm build from the repo root, so apps/api/ is never copied into the image and is not a pnpm-workspace member.

Port the owner-bypass into the deployed-tree handler src/routes/pets.ts:

- Add resolveImpersonationClientId(db, c) helper that reads the X-Impersonation-Session-Id header, validates the session is active and not expired, and returns its clientId (or null).
- Gate the existing groomer 403 in GET /:id/profile-summary so an owner (session.clientId === pet.clientId) bypasses the appointment-linkage check. This mirrors the already-reviewed logic from apps/api/src/routes/pets.ts:318-364.
- Cross-tenant access remains blocked: the bypass requires session.clientId === pet.clientId, and groomers with no portal session still 403 as before.

Tests (src/__tests__/petProfileSummary.test.ts — new file, mirroring the dead-tree test pattern but pointing at the deployed handler):

- Customer with valid active session for pet's client → 200
- Customer with no header → 403
- Customer with session for a different client → 403
- Customer with expired session → 403
- Customer with ended (status != active) session → 403
- Customer with unknown session id → 403
- Manager does not need the impersonation header (regression)
- Groomer with linkage to pet's client still works (regression)
- Customer cannot view another client's pet (cross-tenant block)

Full @groombook/api test suite: 560 passed (39 files).

Note (out of scope): the apps/api/ duplicate tree is dead code producing false-green coverage — recommend filing a separate tech-debt issue to delete apps/api/ or wire it into the workspace, but not blocking this fix on it.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
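The session validation and owner-bypass gate the commit message describes, written out as an added TypeScript illustration; this is not the project's handler, and the db shape, the session fields (status, expiresAt), the caller model and the header lookup are assumptions.

```typescript
// Added illustration of the owner-bypass check described in the commit message.
// Not the project's handler: db shape, session fields and caller model are assumptions.
type Session = { id: string; clientId: string; status: string; expiresAt: Date };
type Pet = { id: string; clientId: string };
type Db = { sessions: Map<string, Session>; pets: Map<string, Pet> };
type HeaderMap = Record<string, string | undefined>;
type Caller = { role: "manager" | "groomer" | "customer"; linkedClientIds: string[] };

// Read X-Impersonation-Session-Id and return the session's clientId only when the
// session exists, is active and has not expired; every other case yields null.
export function resolveImpersonationClientId(db: Db, headers: HeaderMap, now: Date): string | null {
  const sessionId = headers["x-impersonation-session-id"];
  if (!sessionId) return null;
  const session = db.sessions.get(sessionId);
  if (!session || session.status !== "active") return null;
  if (session.expiresAt.getTime() <= now.getTime()) return null;
  return session.clientId;
}

// Status GET /:id/profile-summary would return for this caller.
export function profileSummaryStatus(db: Db, caller: Caller, petId: string, headers: HeaderMap, now: Date): 200 | 403 | 404 {
  const pet = db.pets.get(petId);
  if (!pet) return 404;
  if (caller.role === "manager") return 200; // managers never need the header
  // Owner bypass: the session must belong to exactly the pet's client, so a valid
  // session for a different client (cross-tenant) still falls through to 403.
  if (resolveImpersonationClientId(db, headers, now) === pet.clientId) return 200;
  // Existing groomer path: appointment linkage to the pet's client.
  if (caller.role === "groomer" && caller.linkedClientIds.includes(pet.clientId)) return 200;
  return 403;
}

// Constructed fixture: client c1 owns pet-1, client c2 owns pet-2, one session per case.
export function sampleDb(now: Date): Db {
  const hour = 60 * 60 * 1000;
  const later = new Date(now.getTime() + hour);
  const earlier = new Date(now.getTime() - hour);
  const sessions: Session[] = [
    { id: "sess-active", clientId: "c1", status: "active", expiresAt: later },
    { id: "sess-expired", clientId: "c1", status: "active", expiresAt: earlier },
    { id: "sess-ended", clientId: "c1", status: "ended", expiresAt: later },
    { id: "sess-other", clientId: "c2", status: "active", expiresAt: later },
  ];
  const pets: Pet[] = [{ id: "pet-1", clientId: "c1" }, { id: "pet-2", clientId: "c2" }];
  return {
    sessions: new Map(sessions.map((s): [string, Session] => [s.id, s])),
    pets: new Map(pets.map((p): [string, Pet] => [p.id, p])),
  };
}
```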
GroomBook API
GroomBook API service — extracted from the groombook/app monorepo.
Overview
This repository contains the GroomBook API service, including:
- REST API endpoints
- Database schema and migrations (via Drizzle ORM)
- Authentication (via Better Auth)
- Background job handlers
Structure
src/ # API service source
packages/db/ # Database schema, migrations, and utilities
packages/types/ # Shared TypeScript types
Setup
pnpm install
cp .env.example .env # Fill in required environment variables
pnpm --filter @groombook/api dev
Docker
docker build -t ghcr.io/groombook/api:latest .
docker run -p 3000:3000 ghcr.io/groombook/api:latest
License
AGPL-3.0-only