From 1c1d0dac7ba14402e12e0cdc63ea6cb47a5c607b Mon Sep 17 00:00:00 2001
From: Scrubs McBarkley <scrubs@groombook.app>
Date: Wed, 25 Mar 2026 01:45:03 +0000
Subject: [PATCH] fix: address QA review feedback - null check and portal route
 auth

- Add null check after db.update().returning() in portal notes endpoint
- Move portal router registration before auth middleware so clients can access it
- Remove unused ENDED_SESSION variable from test file

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/__tests__/portal.test.ts | 8 --------
 apps/api/src/index.ts                 | 4 +++-
 apps/api/src/routes/portal.ts         | 4 ++++
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/apps/api/src/__tests__/portal.test.ts b/apps/api/src/__tests__/portal.test.ts
index 3fed8ee..907d879 100644
--- a/apps/api/src/__tests__/portal.test.ts
+++ b/apps/api/src/__tests__/portal.test.ts
@@ -24,14 +24,6 @@ const EXPIRED_SESSION = {
   createdAt: new Date(),
 };
 
-const ENDED_SESSION = {
-  id: SESSION_ID,
-  clientId: CLIENT_ID,
-  status: "ended" as const,
-  expiresAt: futureDate(),
-  createdAt: new Date(),
-};
-
 const APPOINTMENT = {
   id: APPOINTMENT_ID,
   clientId: CLIENT_ID,
diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index c940e0d..8de8e51 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -57,6 +57,9 @@ app.get("/api/branding", async (c) => {
   });
 });
 
+// Portal routes — no staff auth required, uses impersonation session for client auth
+app.route("/api/portal", portalRouter);
+
 // Protected API routes
 const api = app.basePath("/api");
 api.use("*", authMiddleware);
@@ -108,7 +111,6 @@ api.route("/clients", clientsRouter);
 api.route("/pets", petsRouter);
 api.route("/services", servicesRouter);
 api.route("/appointments", appointmentsRouter);
-api.route("/portal", portalRouter);
 api.route("/staff", staffRouter);
 api.route("/invoices", invoicesRouter);
 api.route("/reports", reportsRouter);
diff --git a/apps/api/src/routes/portal.ts b/apps/api/src/routes/portal.ts
index cd0f6ec..5c2b2f1 100644
--- a/apps/api/src/routes/portal.ts
+++ b/apps/api/src/routes/portal.ts
@@ -64,6 +64,10 @@ portalRouter.patch(
       .where(eq(appointments.id, id))
       .returning();
 
+    if (!updated) {
+      return c.json({ error: "Not found" }, 404);
+    }
+
     return c.json({
       id: updated.id,
       customerNotes: updated.customerNotes,