fix(auth): dev login 403 — resolve staff by id, not oidcSub (GRO-150)
Merges fix for critical crash affecting all users on login. Root cause: RBAC middleware looked up staff by oidcSub but DevLoginSelector sends staff.id, causing 403 on all data endpoints and blank screen after login. Fix: eq(staff.oidcSub, devUserId) → eq(staff.id, devUserId) in rbac.ts:48 Resolves GRO-150. UAT to follow in GRO-152. Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit was merged in pull request #138.
This commit is contained in:
@@ -165,7 +165,7 @@ describe("resolveStaffMiddleware", () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
const res = await app.request("/test", {
|
const res = await app.request("/test", {
|
||||||
headers: { "X-Dev-User-Id": GROOMER.oidcSub! },
|
headers: { "X-Dev-User-Id": GROOMER.id },
|
||||||
});
|
});
|
||||||
expect(res.status).toBe(200);
|
expect(res.status).toBe(200);
|
||||||
expect(capturedStaff!.role).toBe("groomer");
|
expect(capturedStaff!.role).toBe("groomer");
|
||||||
|
|||||||
@@ -41,11 +41,11 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
|
|||||||
await next();
|
await next();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
// Treat X-Dev-User-Id as the oidcSub
|
// Treat X-Dev-User-Id as the staff database id (the frontend stores staff.id)
|
||||||
const [row] = await db
|
const [row] = await db
|
||||||
.select()
|
.select()
|
||||||
.from(staff)
|
.from(staff)
|
||||||
.where(eq(staff.oidcSub, devUserId));
|
.where(eq(staff.id, devUserId));
|
||||||
if (!row) {
|
if (!row) {
|
||||||
return c.json(
|
return c.json(
|
||||||
{ error: "Forbidden: no staff record found for X-Dev-User-Id" },
|
{ error: "Forbidden: no staff record found for X-Dev-User-Id" },
|
||||||
|
|||||||
Reference in New Issue
Block a user