From 624bb14ccbe2a5c910589460d513f76d141f568a Mon Sep 17 00:00:00 2001
From: "groombook-engineer[bot]"
 <3141748+groombook-engineer[bot]@users.noreply.github.com>
Date: Fri, 3 Apr 2026 07:43:44 +0000
Subject: [PATCH] fix(GRO-391): remove clientSecret from test schema; use
 internalBaseUrl

Test connection was always 400 because testAuthProviderSchema required
clientSecret, but OIDC discovery only needs issuer/internal URLs.
Aligned admin test endpoint with setup.ts behavior:
- Drop providerId, clientId, clientSecret from schema
- Add optional internalBaseUrl; use it for discovery URL when set
- Frontend now sends issuerUrl + internalBaseUrl (when populated)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 apps/api/src/routes/admin/authProvider.ts | 10 +++++-----
 apps/web/src/pages/Settings.tsx           |  3 +--
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/apps/api/src/routes/admin/authProvider.ts b/apps/api/src/routes/admin/authProvider.ts
index e8acd15..311fef1 100644
--- a/apps/api/src/routes/admin/authProvider.ts
+++ b/apps/api/src/routes/admin/authProvider.ts
@@ -124,10 +124,8 @@ authProviderRouter.put(
 // ─── POST /api/admin/auth-provider/test ─────────────────────────────────────
 
 const testAuthProviderSchema = z.object({
-  providerId: z.string().min(1).max(100),
   issuerUrl: z.string().url(),
-  clientId: z.string().min(1),
-  clientSecret: z.string().min(1),
+  internalBaseUrl: z.string().url().nullable().optional(),
 });
 
 authProviderRouter.post(
@@ -135,10 +133,12 @@ authProviderRouter.post(
   requireSuperUser(),
   zValidator("json", testAuthProviderSchema),
   async (c) => {
-    const { issuerUrl } = c.req.valid("json");
+    const { issuerUrl, internalBaseUrl } = c.req.valid("json");
 
     // Fetch OIDC discovery document
-    const discoveryUrl = `${issuerUrl.replace(/\/$/, "")}/.well-known/openid-configuration`;
+    const discoveryUrl = internalBaseUrl
+      ? `${internalBaseUrl.replace(/\/$/, "")}/application/o/.well-known/openid-configuration`
+      : `${issuerUrl.replace(/\/$/, "")}/.well-known/openid-configuration`;
 
     let metadata: Record<string, unknown> | null = null;
     let errorMessage: string | null = null;
diff --git a/apps/web/src/pages/Settings.tsx b/apps/web/src/pages/Settings.tsx
index 16b8ff2..7b41c0e 100644
--- a/apps/web/src/pages/Settings.tsx
+++ b/apps/web/src/pages/Settings.tsx
@@ -235,9 +235,8 @@ export function SettingsPage() {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
-          providerId: authForm.providerId,
           issuerUrl: authForm.issuerUrl,
-          clientId: authForm.clientId,
+          ...(authForm.internalBaseUrl ? { internalBaseUrl: authForm.internalBaseUrl } : {}),
         }),
       });
       const data = await res.json();