fix(rbac): fallback lookup for staff records predating Better-Auth userId

GRO-153: /api/staff returned 403 for all staff because resolveStaffMiddleware looked up by staff.userId (Better-Auth ID) but dev login sent staff.id (PK), and existing staff records had userId=NULL. Changes: - resolveStaffMiddleware: try userId first, fall back to staff.id (dev mode) - resolveStaffMiddleware: try userId first, fall back to oidcSub (production) - GET /api/dev/users: include userId field for DevLoginSelector - DevLoginSelector: send userId (not staff.id) as X-Dev-User-Id - Migration 0018: backfill userId for known demo staff Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-28 01:48:25 +00:00
parent e68d5a2594
commit 57e9670410
5 changed files with 50 additions and 6 deletions
@@ -127,6 +127,13 @@
      "when": 1774512000000,
      "tag": "0017_better_auth_tables",
      "breakpoints": true
+    },
+    {
+      "idx": 18,
+      "version": "7",
+      "when": 1774598400000,
+      "tag": "0018_backfill_staff_user_id",
+      "breakpoints": true
    }
  ]
 }