fix(rbac): fallback lookup for staff records predating Better-Auth userId (#140)

Archived

GRO-153: /api/staff returned 403 for all staff because resolveStaffMiddleware
looked up by staff.userId (Better-Auth ID) but dev login sent staff.id (PK),
and existing staff records had userId=NULL.

Changes:
- resolveStaffMiddleware: try userId first, fall back to staff.id (dev mode)
- resolveStaffMiddleware: try userId first, fall back to oidcSub (production)
- GET /api/dev/users: include userId field for DevLoginSelector
- DevLoginSelector: send userId (not staff.id) as X-Dev-User-Id
- Migration 0018: backfill userId for known demo staff

Co-authored-by: groombook-engineer[bot] <groombook-engineer@users.noreply.github.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Barkley Trimsworth <barkley@groombook.farh.net>

This commit was merged in pull request #140.

This commit is contained in:

groombook-engineer[bot]

2026-03-28 02:50:02 +00:00

committed by

GitHub

parent d3c88ea9fb

commit 024c882e09

5 changed files with 50 additions and 6 deletions

									
										apps/api/src/routes/dev.ts
									
		+1
		
												View File
												
				@@ -20,6 +20,7 @@ devRouter.get("/users", async (c) => {

				  const staffList = await db

				    .select({

				      id: staff.id,

				      userId: staff.userId,

				      name: staff.name,

				      email: staff.email,

				      role: staff.role,