From 858cde6260f7b11f06e2517d62e6bc0e4673260c Mon Sep 17 00:00:00 2001
From: "groombook-ci[bot]" <ci@groombook.bot>
Date: Sat, 28 Mar 2026 15:23:57 +0000
Subject: [PATCH] fix(auth): mount Better-Auth as sub-app via api.route()

Hono's basePath() + api.on("/auth/**") didn't match correctly.
Using api.route("/auth", authRouter) with a dedicated sub-app
ensures all /api/auth/* paths reach Better-Auth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 apps/api/src/index.ts | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 7bedaef..251c112 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -72,14 +72,11 @@ const api = app.basePath("/api");
 api.use("*", authMiddleware);
 api.use("*", resolveStaffMiddleware);
 
-// Debug: test if api sub-app routing works at all
-api.get("/auth-test", (c) => c.json({ test: "route works" }));
-
-// Better-Auth handler — registered on api sub-app so it shares the middleware chain
+// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
 // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
-api.on(["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"], "/auth/**", (c) => {
-  return auth.handler(c.req.raw);
-});
+const authRouter = new Hono();
+authRouter.all("/*", (c) => auth.handler(c.req.raw));
+api.route("/auth", authRouter);
 
 // ── Role guards ────────────────────────────────────────────────────────────────
 // Manager-only: admin settings, reports, invoices, impersonation