From 04549adba5fca5d78efc51d28587d624c4a1bf4c Mon Sep 17 00:00:00 2001
From: "groombook-ci[bot]"
Date: Sat, 28 Mar 2026 15:07:53 +0000
Subject: [PATCH] fix(auth): register Better-Auth handler on api sub-app, not parent app

Hono's basePath() creates a sub-app that captures /api/* requests. Route handlers on the parent app are not reachable for paths that match the sub-app's middleware. Moving the handler to the api sub-app (with path /auth/** instead of /api/auth/**) fixes the 404.

Co-Authored-By: Claude Opus 4.6
---
 apps/api/src/index.ts | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 7efab9e..dfbe3e5 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -67,20 +67,17 @@ app.get("/api/branding", async (c) => {
 // Public iCal calendar feed — token auth in URL, no auth middleware required
 app.route("/api/calendar", calendarRouter);
-// Better-Auth handler — public, handles OAuth callbacks, session management
-// Mounted BEFORE auth middleware so it's accessible without authentication
-app.on(["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"], "/api/auth/**", async (c) => {
- console.log("[better-auth] handler called:", c.req.method, c.req.path, c.req.url);
- const response = await auth.handler(c.req.raw);
- console.log("[better-auth] response:", response.status);
- return response;
-});
-
 // Protected API routes
 const api = app.basePath("/api");
 api.use("*", authMiddleware);
 api.use("*", resolveStaffMiddleware);
+// Better-Auth handler — registered on api sub-app so it shares the middleware chain
+// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
+api.on(["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"], "/auth/**", (c) => {
+ return auth.handler(c.req.raw);
+});
+
 // ── Role guards ────────────────────────────────────────────────────────────────
 // Manager-only: admin settings, reports, invoices, impersonation
 // Staff CRUD: all roles may READ; manager-only for CREATE/UPDATE/DELETE
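Review bot: Whether the Better-Auth endpoints stay reachable without a session now depends entirely on a path exemption inside `authMiddleware` and `resolveStaffMiddleware`, which the new comment asserts but this hunk does not show; the `api.on(..., "/auth/**", ...)` registration sits after both `api.use("*", ...)` calls. Please confirm that both middlewares compare the normalized request path against the exact `/api/auth/` prefix, trailing slash included, because a looser match such as a bare `/api/auth` prefix would also exempt any later sibling route that merely starts with those characters. A regression test that sends an unauthenticated request to a `/api/auth/` path and to a protected `/api` path, and expects only the second to be rejected, would keep the exemption and this route pattern from drifting apart. I would also extend the comment to something like `// Public surface: reachable only because both middlewares exempt the exact "/api/auth/" prefix — change them together`.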