groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(rbac): fallback lookup for staff records predating Better-Auth userId

Browse Source 
GRO-153: /api/staff returned 403 for all staff because resolveStaffMiddleware
looked up by staff.userId (Better-Auth ID) but dev login sent staff.id (PK),
and existing staff records had userId=NULL.

Changes:
- resolveStaffMiddleware: try userId first, fall back to staff.id (dev mode)
- resolveStaffMiddleware: try userId first, fall back to oidcSub (production)
- GET /api/dev/users: include userId field for DevLoginSelector
- DevLoginSelector: send userId (not staff.id) as X-Dev-User-Id
- Migration 0018: backfill userId for known demo staff

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
groombook-engineer[bot]
2026-03-28 01:48:25 +00:00
parent e68d5a2594
commit 57e9670410
5 changed files with 50 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/pages/DevLoginSelector.tsx
+2 -1
View File
@@ -3,6 +3,7 @@ import { useNavigate } from "react-router-dom";
interface StaffUser {
id: string;
userId: string | null;
name: string;
email: string;
role: string;
@@ -66,7 +67,7 @@ export function DevLoginSelector() {
{staff.map((s) => (
<button
key={s.id}
onClick={() => selectUser("staff", s.id, s.name)}
onClick={() => selectUser("staff", s.userId ?? s.id, s.name)}
style={userButtonStyle}
>
<div style={{ fontWeight: 600, fontSize: 14 }}>{s.name}</div>