groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(portal): wire dev client login to portal session

Browse Source 
When a client user selects their account from the dev login selector,
the portal previously had no way to establish an authenticated session —
it only checked for a ?sessionId= URL param (used by the real staff
impersonation flow). This caused the portal to always show "Hi, Guest".

Changes:
- POST /api/portal/dev-session: new endpoint (auth-disabled only) that
  creates an impersonation session for a given clientId, using a fixed
  dev staff ID to avoid conflicts with the one-active-session-per-staff
  rule in the real impersonation flow. Sessions are long-lived (24h).
- CustomerPortal: on mount, after checking for ?sessionId=, also check
  for a dev client user in localStorage and call /api/portal/dev-session
  to obtain a session. This mirrors the real impersonation flow so all
  existing portal API calls (which require X-Impersonation-Session-Id)
  work without modification.

cc @cpfarhood

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Barkley Trimsworth
2026-03-30 17:07:49 +00:00
parent 853c55fd04
commit 51431c7bc1
2 changed files with 93 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/routes/portal.ts
+49 -1
View File
@@ -446,4 +446,52 @@ portalRouter.delete("/waitlist/:id", async (c) => {
.returning();
return c.json({ ok: true });
});
});
// ─── Dev-mode session creation ──────────────────────────────────────────────
// Allows the dev login selector to vend an impersonation session for a client
// without requiring manager auth. Only available when AUTH_DISABLED=true.
const devSessionSchema = z.object({
clientId: z.string().uuid(),
});
portalRouter.post(
"/dev-session",
zValidator("json", devSessionSchema),
async (c) => {
if (process.env.AUTH_DISABLED !== "true") {
return c.json({ error: "Not available when auth is enabled" }, 403);
}
const db = getDb();
const body = c.req.valid("json");
// Verify client exists
const [client] = await db
.select()
.from(clients)
.where(eq(clients.id, body.clientId))
.limit(1);
if (!client) {
return c.json({ error: "Client not found" }, 404);
}
// Create a long-lived impersonation session for the dev client.
// Use a fixed "dev-staff" staffId so multiple dev sessions don't conflict
// with the one-active-session-per-staff rule in the real impersonation flow.
const DEV_STAFF_ID = "00000000-0000-0000-0000-000000000000";
const [session] = await db
.insert(impersonationSessions)
.values({
staffId: DEV_STAFF_ID,
clientId: body.clientId,
reason: "dev-mode-client-portal",
expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000), // 24 hours
})
.returning();
return c.json(session, 201);
}
);