From 1eec37a19270f104cf72a8f1a470632ad53de9e1 Mon Sep 17 00:00:00 2001
From: "groombook-ci[bot]" <ci@groombook.bot>
Date: Sat, 28 Mar 2026 14:40:28 +0000
Subject: [PATCH] fix(auth): skip resolveStaffMiddleware on Better-Auth routes

resolveStaffMiddleware crashed with "Cannot read properties of
undefined (reading 'sub')" on /api/auth/* requests because
authMiddleware skips those paths without setting jwtPayload.
Add the same skip so Better-Auth routes pass through cleanly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 apps/api/src/middleware/rbac.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apps/api/src/middleware/rbac.ts b/apps/api/src/middleware/rbac.ts
index 1bc2228..78c46f2 100644
--- a/apps/api/src/middleware/rbac.ts
+++ b/apps/api/src/middleware/rbac.ts
@@ -22,6 +22,12 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
   c,
   next
 ) => {
+  // Better-Auth's own routes handle their own auth — skip staff resolution
+  if (c.req.path.startsWith("/api/auth/")) {
+    await next();
+    return;
+  }
+
   const db = getDb();
 
   if (process.env.AUTH_DISABLED === "true") {