Merge branch 'main' into fix/gro-302-reports-no-data

2026-03-31 19:36:30 +00:00
parent 89641d3c23 0d610f5114
commit 084a077cd3
7 changed files with 145 additions and 27 deletions
@@ -446,4 +446,73 @@ portalRouter.delete("/waitlist/:id", async (c) => {
    .returning();

  return c.json({ ok: true });
-});
+});
+
+// ─── Dev-mode session creation ──────────────────────────────────────────────
+// Allows the dev login selector to vend an impersonation session for a client
+// without requiring manager auth. Only available when AUTH_DISABLED=true.
+
+const devSessionSchema = z.object({
+  clientId: z.string().uuid(),
+});
+
+portalRouter.post(
+  "/dev-session",
+  zValidator("json", devSessionSchema),
+  async (c) => {
+    if (process.env.AUTH_DISABLED !== "true") {
+      return c.json({ error: "Not available when auth is enabled" }, 403);
+    }
+
+    const db = getDb();
+    const body = c.req.valid("json");
+
+    // Verify client exists
+    const [client] = await db
+      .select()
+      .from(clients)
+      .where(eq(clients.id, body.clientId))
+      .limit(1);
+    if (!client) {
+      return c.json({ error: "Client not found" }, 404);
+    }
+
+    // Find a staff record to associate with the dev impersonation session.
+    // Use the demo-manager if it exists (created by seed with known ID),
+    // otherwise fall back to the first active staff record.
+    // This avoids hardcoding a UUID that may not exist in all environments.
+    const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001";
+
+    let staffId = DEMO_STAFF_ID;
+    const [demoStaff] = await db
+      .select({ id: staff.id })
+      .from(staff)
+      .where(eq(staff.id, DEMO_STAFF_ID))
+      .limit(1);
+
+    if (!demoStaff) {
+      // Fall back to any active staff member
+      const [firstStaff] = await db
+        .select({ id: staff.id })
+        .from(staff)
+        .where(eq(staff.active, true))
+        .limit(1);
+      if (!firstStaff) {
+        return c.json({ error: "No staff records found. Run the database seed." }, 500);
+      }
+      staffId = firstStaff.id;
+    }
+
+    const [session] = await db
+      .insert(impersonationSessions)
+      .values({
+        staffId,
+        clientId: body.clientId,
+        reason: "dev-mode-client-portal",
+        expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000), // 24 hours
+      })
+      .returning();
+
+    return c.json(session, 201);
+  }
+);
@@ -65,7 +65,7 @@ staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
    const superUserCount = await db
      .select({ id: staff.id })
      .from(staff)
-      .where(eq(staff.isSuperUser, true))
+      .where(and(eq(staff.isSuperUser, true), eq(staff.active, true)))
      .limit(2); // just need count; fetch 2 to know if > 1
    if (superUserCount.length <= 1) {
      return c.json(
@@ -86,7 +86,7 @@ staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
      const superUserCount = await db
        .select({ id: staff.id })
        .from(staff)
-        .where(eq(staff.isSuperUser, true))
+        .where(and(eq(staff.isSuperUser, true), eq(staff.active, true)))
        .limit(2);
      if (superUserCount.length <= 1) {
        return c.json(
@@ -142,7 +142,7 @@ staffRouter.delete("/:id", async (c) => {
    const superUserCount = await db
      .select({ id: staff.id })
      .from(staff)
-      .where(eq(staff.isSuperUser, true))
+      .where(and(eq(staff.isSuperUser, true), eq(staff.active, true)))
      .limit(2);
    if (superUserCount.length <= 1) {
      return c.json(