fix: address QA review feedback - null check and portal route auth

- Add null check after db.update().returning() in portal notes endpoint
- Move portal router registration before auth middleware so clients can access it
- Remove unused ENDED_SESSION variable from test file

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/__tests__/portal.test.ts

@@ -24,14 +24,6 @@ const EXPIRED_SESSION = {
   createdAt: new Date(),
 };
 
-const ENDED_SESSION = {
-  id: SESSION_ID,
-  clientId: CLIENT_ID,
-  status: "ended" as const,
-  expiresAt: futureDate(),
-  createdAt: new Date(),
-};
-
 const APPOINTMENT = {
   id: APPOINTMENT_ID,
   clientId: CLIENT_ID,

apps/api/src/index.ts

@@ -57,6 +57,9 @@ app.get("/api/branding", async (c) => {
   });
 });
 
+// Portal routes — no staff auth required, uses impersonation session for client auth
+app.route("/api/portal", portalRouter);
+
 // Protected API routes
 const api = app.basePath("/api");
 api.use("*", authMiddleware);
@@ -108,7 +111,6 @@ api.route("/clients", clientsRouter);
 api.route("/pets", petsRouter);
 api.route("/services", servicesRouter);
 api.route("/appointments", appointmentsRouter);
-api.route("/portal", portalRouter);
 api.route("/staff", staffRouter);
 api.route("/invoices", invoicesRouter);
 api.route("/reports", reportsRouter);

apps/api/src/routes/portal.ts

@@ -64,6 +64,10 @@ portalRouter.patch(
       .where(eq(appointments.id, id))
       .returning();
 
+    if (!updated) {
+      return c.json({ error: "Not found" }, 404);
+    }
+
     return c.json({
       id: updated.id,
       customerNotes: updated.customerNotes,