From 856096a5318f5e66eabdb4ec0d9531344cdac9e2 Mon Sep 17 00:00:00 2001
From: Paperclip
Date: Sun, 12 Apr 2026 02:14:42 +0000
Subject: [PATCH] fix(GRO-564): remove automatic staff-user email linking

Automatic linking during OOBE login is a security risk - staff records should only be linked to auth users via explicit admin action using PATCH /api/staff/:id/link-user.

Co-Authored-By: Paperclip
---
 apps/api/src/routes/setup.ts | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/apps/api/src/routes/setup.ts b/apps/api/src/routes/setup.ts
index 079636a..ab72ad7 100644
--- a/apps/api/src/routes/setup.ts
+++ b/apps/api/src/routes/setup.ts
@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, getDb, sql, staff, businessSettings, authProviderConfig, encryptSecret } from "@groombook/db";
+import { eq, getDb, staff, businessSettings, authProviderConfig, encryptSecret } from "@groombook/db";
 import type { AppEnv } from "../middleware/rbac.js";
 
 export const setupRouter = new Hono();
@@ -97,21 +97,6 @@ setupRouter.post("/", zValidator("json", setupSchema), async (c) => {
 }
 }
 
- if (!resolvedStaff && jwt.email) {
- // Try auto-link by email: staff record exists with matching email but no userId
- const [byEmail] = await tx
- .select()
- .from(staff)
- .where(and(eq(staff.email, jwt.email), sql`${staff.userId} IS NULL`));
- if (byEmail) {
- await tx
- .update(staff)
- .set({ userId: jwt.sub })
- .where(eq(staff.id, byEmail.id));
- resolvedStaff = { ...byEmail, userId: jwt.sub };
- }
- }
-
 if (!resolvedStaff) {
 // Brand new user during OOBE — create staff record
 if (!jwt.email) {
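Review bot: With the auto-link branch gone, a login whose email matches an existing, not-yet-linked staff row now falls straight into the `if (!resolvedStaff)` creation path at the end of the second hunk, so a pre-provisioned staff member's first OOBE login creates a second staff record under the same email — or, if `staff.email` carries a unique constraint I cannot see from here, fails with an opaque database error rather than a message pointing at `PATCH /api/staff/:id/link-user`. Removing the automatic link is the right call; it just needs an explicit "exists but unlinked" rejection in its place so the pre-provisioned case is neither silently duplicated nor surfaced as a 500. `eq` is still imported, so the lookup needs no new names; how the thrown error maps to an HTTP status depends on the handler's error handling, which — like the `tx` callback, the `if (!jwt.email)` branch and the handler body — continues outside the hunk, so it should be routed the same way that branch's rejection is. Rough shape, placed where the removed block was:

```typescript
    if (!resolvedStaff && jwt.email) {
      // A staff record with this email already exists but is not linked to this
      // auth user. Linking is an explicit admin action (PATCH /api/staff/:id/link-user);
      // never do it automatically on login, and never create a duplicate either.
      const [existing] = await tx
        .select()
        .from(staff)
        .where(eq(staff.email, jwt.email));
      if (existing) {
        throw new Error(
          "A staff record with this email already exists; ask an admin to link it via PATCH /api/staff/:id/link-user",
        );
      }
    }

    if (!resolvedStaff) {
      // … unchanged: brand-new-user staff creation …
```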